Commit Graph

2073 Commits (609e9a5050a0399eec690789ba0bb374ce3708c6)

Author SHA1 Message Date
Glenn Strauss 609e9a5050 silence warnings from clang ccc-analyzer 2016-10-16 01:34:40 -04:00
Glenn Strauss 1e129cce45 ignore return value from fcntl() FD_CLOEXEC
setting or removing FD_CLOEXEC flag does not fail

Also the use in mod_fastcgi and mod_scgi is in child after fork().
If the fd already happens to be 0 (should not happen in current code)
and removing the FD_CLOEXEC flag fails, then the backend will fail
to start.
2016-10-15 23:28:09 -04:00
Glenn Strauss 9173d9aa7d [mod_cgi] fix pipe_cloexec() when no O_CLOEXEC 2016-10-15 23:28:09 -04:00
Glenn Strauss 7f4e156e5f [core] rand.[ch] to use better RNGs when available
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()

These are not necessarily cryptographically secure, but should be better
than rand()
2016-10-15 23:28:09 -04:00
Glenn Strauss b8b38f3067 [TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)
initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)

Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables.  This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* variables are created, which would be more work.

  "pass protocol and cipher details to fcgi env"
2016-10-11 05:24:39 -04:00
Glenn Strauss 6155d7d9bb [TLS] set SSL_CLIENT_VERIFY w/ client cert (#1288, #2693)
(enabled with lighttpd.conf: ssl.verifyclient.activate = "enable")

  "SSL Client Certificate validation."
2016-10-11 05:16:34 -04:00
Glenn Strauss daab6f5cd5 [TLS] set SSL_CLIENT_M_SERIAL w/ client cert SN (fixes #2268)
  "Set serial number of the client certificate into environment"
2016-10-11 01:23:20 -04:00
Glenn Strauss d3ac5667a5 [TLS] replace env entries in https_add_ssl_entries
do not (incorrectly) extend SSL_* con->environment entry values
after url.rewrite occurs
2016-10-10 21:13:02 -04:00
Glenn Strauss 7fa5bfc938 consistent, shared code to create CGI env
consolidated from CGI, FastCGI, SCGI, SSI

Note: due to prior inconsistencies between the code in mod_cgi,
mod_fastcgi, mod_scgi, and mod_ssi, there are some minor behavior

CONTENT_LENGTH is now always set, even if 0
  (though CONTENT_LENGTH is never set for FASTCGI_AUTHORIZER)
PATH_INFO is created only if present, not if empty.
  (mod_fastcgi and mod_ssi previously set PATH_INFO="" (blank value))
PATH_TRANSLATED is now set if PATH_INFO is present
  (previously missing from mod_cgi and mod_ssi)

mod_ssi now sets DOCUMENT_ROOT to con->physical.basedir, like others
  (previously, mod_ssi set DOCUMENT_ROOT to con->physical.doc_root,
   which matched con->physical.basedir unless mod_alias changed basedir)
mod_ssi now sets REQUEST_URI to con->request.orig_uri, like others
  (previously, mod_ssi set REQUEST_URI to con->request.uri, which
   matched con->request.orig_uri except after redirects, error docs)
2016-10-10 13:37:36 -04:00
Glenn Strauss 81ce160d83 silence warnings from clang ccc-analyzer 2016-10-09 19:19:37 -04:00
Glenn Strauss ce24523b59 [core] restrict where config "else" clauses occur (#1268)
(improve validation)

  "condition should be optional in "else" clause in configuration file"
2016-10-09 09:20:37 -04:00
Glenn Strauss 79fb75709b [core] optional condition in config "else" clause (fixes #1268)
  "condition should be optional in "else" clause in configuration file"
2016-10-09 08:06:41 -04:00
Glenn Strauss 1018ff9922 [core] server.max-request-field-size (fixes #2130)
limits total size per request of request headers submitted by client

default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)

(similar to Apache directive LimitRequestFieldSize)

  "limits the size of HTTP request header"
2016-10-06 00:18:07 -04:00
Glenn Strauss 2bea4fcb16 [core] make server.max-request-size scopeable (#1901)
  "make server.max-request-size scopeable"
2016-10-05 23:53:24 -04:00
Glenn Strauss 145ddc2ee7 [mod_mysql_vhost] support multiple '?' replacement (fixes #2163)
support multiple '?' replacement with escaped URI authority

  "Multiple use of '?' in mysql-vhost.sql"
2016-10-05 05:54:01 -04:00
Glenn Strauss d3cb9c8ced quiet coverity warning 2016-10-04 07:18:30 -04:00
Glenn Strauss 28d1213470 [mod_auth] fix printing of IP in error trace 2016-10-04 05:03:15 -04:00
Glenn Strauss 0f38b391dc DragonFlyBSD defines __DragonFly__ (#2746)
DragonFlyBSD defines __DragonFly__, not __DragonflyBSD__

(thx xenu)

  "[PATCH] better DragonFlyBSD support; fix crash"
2016-10-04 05:03:15 -04:00
Glenn Strauss ebbd639029 [cmake] build mod_authn_gssapi if WITH_KRB5 2016-10-04 05:03:15 -04:00
Glenn Strauss 06cb0c3024 [autobuild] update module/feature report
update module/feature report at end of ./configure run
2016-10-04 05:03:15 -04:00
Glenn Strauss 8b282db1d1 [mod_auth] permit specifying ldap DN; skip search (fixes #1248)
If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.

  "Allow User-DN to be supplied in the configuration rather than searching"
2016-10-04 05:03:15 -04:00
Glenn Strauss 59c753bf9f [mod_auth] ldap filter subst user for multiple '$' (fixes #1508)
ldap filter supports substitution of multiple '$', each with username

  "auth.backend.ldap.filter: only one/first "$" replaced with Username"
2016-09-28 16:57:43 -04:00
Glenn Strauss a401c9469a [mod_auth] HTTP Basic auth backends also do authz (#1817)
HTTP Basic auth backends now do both authn and authz
in order to provide a means to extend backends to optionally
support group authz

  "LDAP-Group support for HTTP-Authentication"
2016-09-28 06:36:38 -04:00
Glenn Strauss d4f812550c [mod_auth] refactor LDAP code into smaller funcs
better handling and freeing of resources
replace deprecated LDAP routines
2016-09-28 04:24:46 -04:00
Glenn Strauss a661944d7e [mod_scgi] add uwsgi protocol support
Configuring the protocol is controlled with new lighttpd.conf directive:
  scgi.protocol = "scgi"   # default
  scgi.protocol = "uwsgi"

The uwsgi protocol differs from the SCGI protocol only in how the
request is encoded.  The response from the backend is handled the
same way for both SCGI and uwsgi protocols.

2016-09-25 02:05:56 -04:00
Glenn Strauss 93afda9c8e performance: use Linux extended syscalls and flags
reduce syscalls on Linux using extended syscalls and flags,
e.g. accept4(), pipe2(), O_CLOEXEC, SOCK_CLOEXEC, SOCK_NONBLOCK

github: closes #2
2016-09-24 02:23:49 -04:00
Glenn Strauss 8047c2f448 fix errors detected by Coverity Scan
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
2016-09-23 09:09:57 -04:00
Glenn Strauss d2b7c7bad2 remove excess initializers (fix compiler warnings) 2016-09-23 04:23:25 -04:00
Glenn Strauss ed3065cfb2 [CMake] fix clang -Wcast-align warnings in lemon.c 2016-09-23 02:24:23 -04:00
Glenn Strauss 177f5509bd [SCons] define with_geoip for SCons build 2016-09-23 01:15:52 -04:00
Glenn Strauss 9e6524fef5 [SCons] fix syntax error in SConstruct 2016-09-23 01:05:58 -04:00
Glenn Strauss 4ba57b2f67 [SCons] define with_krb5 for SCons build 2016-09-23 00:58:43 -04:00
Glenn Strauss e9ee22c204 [autobuild] skip two new tests if no fcgi-auth 2016-09-23 00:58:41 -04:00
Glenn Strauss 8576341df3 silence warnings from clang ccc-analyzer
rewrite some (generally correct) code for clang ccc-analyzer to be
able to recognize the patterns instead of issuing spurious warnings.
2016-09-23 00:27:43 -04:00
Glenn Strauss 1c1a63786e [mod_auth] mod_authn_gssapi Kerberos auth backend (fixes #1899)
module status: experimental; more testing and review needed

Kerberos library calls have been preserved from original patch set
and should be reviewed.

module has been quickly tested with Basic auth (Use over TLS!)

SPNEGO -has not- been tested.  Again, Kerberos library calls have
been preserved from original patch set.  YMMV. (Use over TLS!)

  "Kerberos/GSSAPI Delegation Support"
2016-09-22 23:15:38 -04:00
Glenn Strauss 7ba06c71a6 [mod_auth] structured data, register auth schemes
- parse auth.* directives into structured data during config processing
- register auth schemes (basic, digest, extern, ...) for extensibility
- remove auth.debug directive
2016-09-22 19:54:57 -04:00
Glenn Strauss 381aaae363 remove unused array type TYPE_COUNT data_count
(unused type, and very similar to TYPE_INTEGER data_integer,
 differing only in initial value and how dup inserts are merged)
2016-09-22 19:54:57 -04:00
Glenn Strauss 2b7e7fb0b2 [mod_deflate] fix longjmp clobber compiler warning
(workaround to avoid compiler warnings with and without --enable-mmap)
2016-09-22 19:53:27 -04:00
Glenn Strauss 20a2a0d2e3 remove unused sys-mmap.h from stat_cache.c 2016-09-22 13:36:31 -04:00
Glenn Strauss 2af88b2357 [autobuild] test_configfile might need vector.c (fixes #2752)
needed to build on Solaris using Oracle Solaris Studio (thx petrs)

  "vector_realloc missing when linking test_configfile"
2016-09-22 13:36:31 -04:00
Glenn Strauss cb1a3c6299 backport mod_deflate to lighttpd 1.4 (fixes #1824, fixes #2753)
lots of fixes and improvements

limitations: see comments at top of mod_deflate.c

missing functionality: encode streaming response
  (module currently requires response be collected before being sent)

potential functionality: addition of compressed file cache would
  allow mod_deflate to fully supplant mod_compress in lighttpd 1.4.x

  "Adding mod_deflate to 1.4.xx"
  "mod_deflate backport compile error if ENABLE_MMAP not defined"

github: closes #67
2016-09-22 13:36:04 -04:00
Glenn Strauss 7b7350ee19 [mod_fastcgi] allow authorizer, responder for same path/ext (#321)
allow authorizer and responder to be configured for same path or ext

  "mod_fastcgi authorizers cannot protect fastcgi responders"
2016-09-19 20:12:28 -04:00
Glenn Strauss dc91e40657 dynamic handlers store debug flag in handler_ctx
(for persistence across multiple re-entries into routines upon
 receiving fdevent)

(setting module debug flag in global scope is still recommended
 since there are places where p->conf.debug is checked since
 handler_ctx might not be available at all points)
2016-09-19 20:02:02 -04:00
Christoph Kreutzer 7ef569b204 [tests] test coverage for issues (#321, #322)
FastCGI Authorizer support with FastCGI Responders

  "mod_fastcgi authorizers cannot protect fastcgi responders"

  "FastCGI Authorizer support for Variable-name variable passing"
2016-09-19 20:02:02 -04:00
Glenn Strauss 2dcfe1733e [mod_fastcgi] Authorizer support with Responder (fixes #321, fixes #322)
import Variable-* from FastCGI authorizer response into con->environment
restart request after FastCGI authorizer if no fastcgi.server docroot

(thx Christoph Kreutzer for initial patch attempt)

  "mod_fastcgi authorizers cannot protect fastcgi responders"

  "FastCGI Authorizer support for Variable-name variable passing"

github: closes #70
2016-09-19 20:02:02 -04:00
Glenn Strauss 5dfe21acc9 [mod_geoip] add to default build (fixes #2705, fixes #2101, fixes #2092, fixes #2025, fixes #1962, fixes #1938)
(add to default build to reduce distributor package maintenance)

  "broken module API since 1.4.38"
  "lighttpd-1.4.24 fails to compile with mod_geoip.c"
  "unsafe sprintfs mod_geoip"
  "mod_geoip crashes lighttpd 1.5.x on FreeBSD 7.2 AMD64"
  "lighttpd 1.4 crashes on FreeBSD 7.0 AMD64 when mod_geoip compiled in"
2016-09-13 02:49:00 -04:00
Glenn Strauss ab935a2b96 [mod_uploadprogress] add to default build
(module is distributed in Gentoo)
(add to default build to reduce distributor package maintenance)
2016-09-12 02:53:11 -04:00
Glenn Strauss b9f245f263 [mod_cgi] permit CGI exec of unreadable files (fixes #2374)
CGI target might be executable (+x), but not readable (-r)

  "lighttpd-1.4.29 cannot execute unreadable CGIs"
2016-09-11 11:44:02 -04:00
Glenn Strauss ae91578895 [mod_auth] mod_authn_mysql.c MySQL auth backend (fixes #752, fixes #1845)
(automatically load mod_authn_mysql with mod_auth for compatibility with
 existing config usage via patches in various distros, e.g. FreeBSD)

  "mySQL auth"
  "MySQL Digest Authentication"
2016-09-11 10:59:05 -04:00
Glenn Strauss 17b2a38721 [mod_auth] remove empty mod_auth.h 2016-09-09 22:31:46 -04:00