Commit Graph

2019 Commits

Author SHA1 Message Date
Glenn Strauss 65efc2eda8 [mod_auth] support CRYPT-MD5-NTLM algorithm (fixes #1743)
(based on patch submitted in #1743)
(minimally tested using example in #1743 with password 'test')

  "[PATCH] Add support for CRYPT-MD5-NTLM"
2016-08-21 01:49:09 -04:00
Glenn Strauss 9e7083582d [mod_auth] include base.h for USE_OPENSSL def 2016-08-20 20:38:47 -04:00
Glenn Strauss 6ec66c4dce [core] better DragonFlyBSD support (fixes #2746)
(thx xenu)

  "[PATCH] better DragonFlyBSD support; fix crash"
2016-08-20 14:19:10 -04:00
Glenn Strauss b22269c2f3 [mod_auth] extensible interface for auth backends
Merge branch 'feature-auth-reorg' into gmaster
2016-08-20 13:43:27 -04:00
Glenn Strauss 4b3a91e64b [mod_auth] extensible interface for auth backends
create new, extensible interface for (additional) auth backends

attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)

separate auth backends from mod_auth and http_auth
  mod_authn_file.c htdigest, htpasswd, plain auth backends
  mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration

(mod_authn_file could be three separate modules, but no need for now)
2016-08-20 13:42:08 -04:00
Glenn Strauss 3dcca966f4 [mod_auth] refactor out auth backend code
separate routines for each auth backend in http_auth.c,
move ldap backend init from mod_auth.c to http_auth.c
2016-08-18 10:18:14 -04:00
Glenn Strauss 81b2d1f020 [mod_auth] refactor out auth backend code
move basic and digest code into mod_auth.c,
and leave auth backend code in http_auth.c
2016-08-18 10:16:01 -04:00
Glenn Strauss 31250a9af8 [mod_auth] refactor out auth backend code
separate subroutines in http_auth.c
2016-08-14 13:15:08 -04:00
Glenn Strauss cb24958c01 [mod_auth] Digest auth fails after rewrite (fixes #2745)
(affects lighttpd 1.4.41)

  "HTTP digest + rewrite fails with: digest: auth failed: uri mismatch (1.4.41)"
2016-08-13 14:07:36 -04:00
Glenn Strauss cfa3d27fc3 [mod_dirlisting] js column sort for dirlist table (fixes #613, fixes #2315)
copied javascript from mod_status and from lighttpd2 mod_dirlist

modified and specialized for stable dirlist sorting by name

Partial implementation of Apache autoindex request query arguments
If query string is supplied, allow specifying initial column to sort
  ?C=N name (default)
  ?C=M last-modified, then by name
  ?C=S size, then by name
  ?C=T type, then by name
  ?C=D type, then by name
and O=[AD] can be added for descending or ascending order, e.g.
  ?C=N&O=D descending (default)
  ?C=N&O=A ascending

(While functional, no effort was made on js performance.
 Patches welcome)

New directive dir-listing.external-js for user to replace sorting js

Note: dir-listing.external-js or default js sorting is enabled only
if = "enable" (which is the default)

  "client-selectable directory list sorting"
2016-08-11 00:27:11 -04:00
Glenn Strauss 09a663b95b [mod_dirlisting] dirlist does not handle POST 2016-08-10 04:13:10 -04:00
Glenn Strauss 27f85dbdf4 [core] proxy,scgi omit shutdown() to backend (fixes #2743)
Due to the POLLHUP behavior triggered on *BSD/Darwin, the shutdown()
had previously been limited to local connections.  If interested in
squeezing the last bits of performance out of a machine, an admin
should configure local connections to be AF_UNIX instead of AF_INET
or AF_INET6 to localhost.  The reason the shutdown() was originally
added in mod_proxy and mod_scgi was to aggressively reduce the number
of potential sockets in TIME_WAIT held by lighttpd.
(See commit:923688d2 "drain backend socket/pipe bufs upon FDEVENT_HUP",
 done for reliability given the aforementioned *BSD/Darwin behavior.)
When using AF_UNIX, the TIME_WAIT issue does not exist, ergo, the
recommendation is to use AF_UNIX for local sockets, when available.
Using AF_UNIX sockets is a better solution to eliminate TIME_WAIT
than is TCP shutdown() half-close which, as we have seen, might not
be handled well by frameworks which are more complex than basic read
request, send response, and close.

  "1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
2016-08-07 13:09:21 -04:00
Glenn Strauss 7e2090b96b [core] do not enter handler twice after read body
do not enter handler a second time in connection_state_machine()
after read body completes if dynamic handler is still waiting for event
2016-08-07 07:35:47 -04:00
Glenn Strauss 666b9fd726 [core] enforce wait for POLLWR after EINPROGRESS (fixes #2744)
mod_fastcgi, mod_scgi, and mod_proxy must enforce wait for POLLWR
after EINPROGRESS or else getsockopt(fd, SOL_SOCKET, SO_ERROR, ...)
may succeed even though socket connection is not yet established,
and subsequent writev() will fail ENOTCONN.

(thx pkubaj)

 "1.4.40/41 writev failed: Socket is not connected (fastcgi,scgi,proxy)"
2016-08-07 00:42:58 -04:00
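The ordering the message above insists on, as an added example written here rather than taken from lighttpd: a non-blocking connect that waits for POLLOUT (the poll(2) flag behind the message's POLLWR) after EINPROGRESS and only then trusts SO_ERROR. The function names and the constructed loopback listener (kernel-chosen port) are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Non-blocking connect. After EINPROGRESS, wait for POLLOUT *before* reading
 * SO_ERROR: read earlier, SO_ERROR can still be 0 while the handshake is in
 * flight, and the next writev() fails with ENOTCONN. Returns 0 or an errno. */
int connect_nonblock(int fd, const struct sockaddr *sa, socklen_t salen, int timeout_ms)
{
    if (connect(fd, sa, salen) == 0) return 0;     /* completed immediately */
    if (errno != EINPROGRESS) return errno;        /* e.g. immediate ECONNREFUSED */
    struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int r; do { r = poll(&pfd, 1, timeout_ms); } while (r < 0 && errno == EINTR);
    if (r < 0) return errno;
    if (r == 0) return ETIMEDOUT;
    int soerr = 0; socklen_t len = sizeof soerr;   /* writable: SO_ERROR is now final */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &len) < 0) return errno;
    return soerr;                                  /* 0 means established */
}

static void loopback_addr(struct sockaddr_in *sin, unsigned short port)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin->sin_port = htons(port);
}

/* Constructed for the demo: a 127.0.0.1 listener on a kernel-chosen port. */
static int loopback_listener(unsigned short *port)
{
    struct sockaddr_in sin; socklen_t len = sizeof sin;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    loopback_addr(&sin, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sin, len) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) < 0) { close(lfd); return -1; }
    *port = ntohs(sin.sin_port);
    return lfd;
}

/* with_listener=1 expects 0; with_listener=0 closes the listener first, so the
 * port yields ECONNREFUSED, from connect() itself or via SO_ERROR after POLLOUT. */
int demo_connect(int with_listener)
{
    unsigned short port; struct sockaddr_in sin;
    int lfd = loopback_listener(&port);
    if (lfd < 0) return -1;
    if (!with_listener) { close(lfd); lfd = -1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { if (lfd >= 0) close(lfd); return -1; }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    loopback_addr(&sin, port);
    int rc = connect_nonblock(fd, (struct sockaddr *)&sin, sizeof sin, 2000);
    close(fd); if (lfd >= 0) close(lfd);
    return rc;
}
```

Either way the refused case reaches the caller as ECONNREFUSED, whereas a getsockopt() issued before POLLOUT could have returned 0 for a connection that was not yet established.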
Glenn Strauss 4bc06bfc0b [core] check if client half-closed TCP if POLLHUP (#2743)
Check if client half-closed TCP connection if POLLHUP is received.
This more robustly handles if client called shutdown(fd, SHUT_WR).

This patch reverts commit:ab05eb7c which should now be handled properly.
(Time will tell.)

  "1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
2016-08-06 04:28:45 -04:00
Glenn Strauss 1de652f40b [mod_proxy,mod_scgi] shutdown remote only if local (#2743)
shutdown(fd, SHUT_WR) after sending request to proxy or SCGI
only if remote is local and platform is not *BSD or Darwin.

The reason this fix is special-casing *BSD and Darwin is that the Single
Unix Specification and POSIX.1-2013 clearly specify that POLLHUP event
should be returned by poll only when the stream is no longer writable.
A half-closed socket that is still writable clearly does not match that
condition, yet that is what I am seeing on Darwin (El Capitan), and
presumably what others are seeing on *BSD, from which Apple originally
inherited the Darwin TCP stack.

Single Unix Specification (SUSv2) from 1997
(yes, that is nearly 20 years ago):

    The device has been disconnected. This event and POLLOUT are
    mutually exclusive; a stream can never be writable if a hangup has
    occurred. However, this event and POLLIN, POLLRDNORM, POLLRDBAND or
    POLLPRI are not mutually exclusive. This flag is only valid in the
    revents bitmask; it is ignored in the events member.

Updated version of The Open Group Base Specifications Issue 7
(published in 2013):

    A device has been disconnected, or a pipe or FIFO has been closed
    by the last process that had it open for writing. Once set, the
    hangup state of a FIFO shall persist until some process opens the
    FIFO for writing or until all read-only file descriptors for the
    FIFO are closed.  This event and POLLOUT are mutually-exclusive;
    a stream can never be writable if a hangup has occurred. However,
    this event and POLLIN, POLLRDNORM, POLLRDBAND, or POLLPRI are not
    mutually-exclusive. This flag is only valid in the revents bitmask;
    it shall be ignored in the events member.

  "1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
2016-08-06 02:24:54 -04:00
Glenn Strauss 156bea3859 [TLS] SSL_shutdown() only if handshake finished
avoid noise in logs due to calling SSL_shutdown() on a connection
that has not yet completed TLS handshake
2016-08-02 22:32:28 -04:00
Glenn Strauss ccd817d3c9 - next is 1.4.42 2016-07-31 08:40:41 -04:00
Glenn Strauss 29fa805695 [doc] NEWS 2016-07-31 02:41:20 -04:00
Glenn Strauss fbae795dfa [cmake] set cmake_minimum_required to 2.8.2
CHECK_SYMBOL_EXISTS() is available in CMake >= 2.8.0
Clang is supported in CMake >= 2.8.2
2016-07-31 02:28:58 -04:00
Stefan Bühler 46b0e01217 [cmake] enable warnings for GCC and Clang
Also set -Wno-cast-align for lemon; lemon is only the parser generator, either
it crashes or it works.
2016-07-30 23:42:57 -04:00
Stefan Bühler f7b3745552 [cmake] always define _GNU_SOURCE
first.h only defines _GNU_SOURCE if no config.h is present.
2016-07-30 14:20:52 +02:00
Glenn Strauss 5863d05ec1 [security] encode quoting chars in HTML and XML
(affects mod_dirlisting, mod_ssi, mod_status)
2016-07-30 04:11:21 -04:00
Glenn Strauss 375022a1d1 fix buffer.c comments to match encoded_chars_*
fix buffer.c comments to match encoded_chars_* changes made in 3943de28
2016-07-30 04:02:21 -04:00
Glenn Strauss ebf3af8b12 [core] fix buffer_copy_string_hex() assert (fixes #2742)
fix buffer_copy_string_hex() passing incorrect length to li_tohex()

(thx Isibaar)

  "Assert wrongly triggered in buffer_copy_string_hex()"
2016-07-30 02:48:20 -04:00
Glenn Strauss acd5e450b5 [security] disable stat_cache if !follow-symlink (fixes #2724)
disable stat_cache if server.follow-symlink = "disable"
if server.stat-cache-engine = "simple".  Caching is still enabled
for server.stat-cache-engine = "fam" since the FAM notification is
almost immediate, however there is still a small race condition.

NOTE: server.follow-symlink = "disable" implementation still has
time-of-check versus time-of-use (ToC-ToU) race conditions and
its use is *not recommended* except to discourage symlinking.
It *does not* prevent symlinking by a determined attacker with
the ability to create files on the server.

server.stat-cache-engine = "disable" can also be used to discourage
symlinking, and also does not eliminate ToC-ToU race conditions.

While more modern systems might use openat() and other *at() routines
to eliminate the ToC-ToU race conditions, this is not currently
implemented in lighttpd.  Besides, for systems needing such
protections against actors able to modify local files, it would be
better to set up multiple lighttpd servers running in separate user
contexts with filesystem permissions preventing access, rather than
giving a single lighttpd server running under a single lighttpd user
access to files across security boundaries, and trying to prevent
access by lighttpd user if a file is a symlink.

Note that there are performance implications to setting either of
  server.follow-symlink = "disable"
  server.stat-cache-engine = "disable"
since stat cache normally reduces filesystem overhead for
frequently-accessed files.

  "security: stat cache *very large* race condition if caching when
follow_symlink disabled"
2016-07-30 02:10:44 -04:00
Glenn Strauss 558bfc4e1e [security] ensure gid != 0 if server.username set (fixes #2725)
server.username can not be root or 0.
server.groupname can not be root or 0.

If server.username is set, previous behavior might retain gid 0
if server.groupname was not set.

New behavior calls setgid() on server.username primary gid, and
then initgroups on server.username if server.username is set but
server.groupname is not set.

  "server.groupname not required with server.username"
2016-07-30 02:10:01 -04:00
Glenn Strauss f7410da5d2 [core] set chunkqueue tempdirs at startup /var/tmp
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /var/tmp which is not often
a tmpfs, unlike /tmp.  Warn at startup if tempdirs are not present.
2016-07-29 15:01:46 -04:00
Glenn Strauss ad6d41896e [core] check if EAI_ADDRFAMILY is defined
(EAI_ADDRFAMILY is not available on FreeBSD)
2016-07-29 12:48:00 -04:00
Glenn Strauss c8e647ad31 [core] set chunkqueue tempdirs at startup
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /tmp.  Warn at startup if
tempdirs are not present.
2016-07-28 03:57:52 -04:00
Glenn Strauss a62bff9866 [core] fix result copy from getaddrinfo()
(thx avij)
2016-07-27 22:26:32 -04:00
Glenn Strauss a69a803e35 [core] try AF_INET after AF_INET6 if use-ipv6
try AF_INET after AF_INET6 if server.use-ipv6 = "enable" and
getaddrinfo() fails EAI_ADDRFAMILY when hints.ai_family is AF_INET6.
(Prefer IPv6 instead of setting hints.ai_family to AF_UNSPEC since
lighttpd only uses the first address returned)
2016-07-27 15:37:46 -04:00
Glenn Strauss a95aaa9de9 [TLS] read all available records from SSL_read()
read all available records from SSL_read(), even if larger than
MAX_READ_LIMIT, since the data is already in memory.  openssl is
configured with SSL_MODE_RELEASE_BUFFERS and will release openssl
buffers once records have been read.

Without reading available data, there was a chance that the connection
would hang waiting for a read event on the fd, even though all the
data had already been read from kernel socket buffers and was in openssl
memory waiting to be read with SSL_read().

(thx glen and avij)
2016-07-27 06:00:44 -04:00
Glenn Strauss bce293e4a7 [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
2016-07-27 02:24:53 -04:00
Glenn Strauss 565dec2ff1 [core] consolidate duplicated response_end code 2016-07-26 16:48:20 -04:00
Glenn Strauss 38139fa1a9 [core] permit IPv6 address scope identifier
getaddrinfo() permits a scope identifier to be part of the IPv6
address string, so permit this syntax in $SERVER["socket"] validation.

2016-07-25 01:01:10 -04:00
Glenn Strauss 9af58a9716 revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
reverts part of commit:dbdab5db which swapped REQUEST_URI, REDIRECT_URI

  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"


REQUEST_URI and REDIRECT_URI are not part of CGI standard environment.
The reason for their existence is that PATH_INFO in CGI environment may
be different from the path in the current request.  The main reason for
this potential difference is that the URI path is normalized to a path
in the filesystem and tested against the filesystem to determine which
part is SCRIPT_NAME and which part is PATH_INFO.  In case-insensitive
filesystems, the URI might be lowercased before testing against the
filesystem, leading to loss of case-sensitive submission in any
resulting PATH_INFO.  Also, duplicated slashes "///" and directory
references "/." and "/.." are removed, including prior path component in
the case of "/..".  This might be undesirable when the information after
the SCRIPT_NAME is virtual information and the target script needs the
virtual path preserved as-is.  In that case, the target script can
re-parse REQUEST_URI (or REDIRECT_URI, as appropriate) to obtain the
unmodified information from the URI.

con->request.uri is equivalent to con->request.orig_uri unless the
request has been internally rewritten (e.g. by mod_rewrite, mod_magnet,
others), in which case con->request.orig_uri is the request made by the
client, and con->request.uri is the current URI being processed.

Historical REQUEST_URI (environment variable) lighttpd inconsistencies
- mod_cml     set REQUEST_URI to con->request.orig_uri
- mod_cgi     set REQUEST_URI to con->request.orig_uri
- mod_fastcgi set REQUEST_URI to con->request.orig_uri
- mod_scgi    set REQUEST_URI to con->request.orig_uri

- mod_ssi     set            REQUEST_URI to current con->request.uri
- mod_magnet  set MAGNET_ENV_REQUEST_URI to current con->request.uri
              and MAGNET_ENV_REQUEST_ORIG_URI to con->request.orig_uri

Historical REDIRECT_URI (environment variable) previously set only in
mod_fastcgi and mod_scgi, and set to con->request.uri

Since lighttpd 1.4.40 provides REDIRECT_URI with con->request.orig_uri,
changes were made to REQUEST_URI for consistency, with the hope that
there would be little impact to existing configurations since the
request uri and original request uri are the same unless there has been
an internal redirect.  It turns out that various PHP frameworks use
REQUEST_URI and require that it be the original URI requested by client.

Therefore, this change is being reverted, and lighttpd will set
REQUEST_URI to con->request.orig_uri in mod_cgi, mod_fastcgi, mod_scgi
as was done in lighttpd 1.4.39 and earlier.  Similarly, REDIRECT_URI
also has the prior behavior in mod_fastcgi and mod_scgi, and added to

A future release of lighttpd might change mod_ssi to be consistent with
the other modules in setting REQUEST_URI to con->request.orig_uri and to
add REDIRECT_URI, when an internal redirect has occurred.
2016-07-23 02:13:41 -04:00
Glenn Strauss ed340897a2 do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
reverts commit:b473220d

  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"
2016-07-23 01:35:13 -04:00
Glenn Strauss b43fc006be [mod_status] show keep-alive status w/ text output (fixes #2740)
  "mod_status with "?auto" modifier not showing keep-alive (k) status
on Scoreboard"
  "server-status - additional stats - keepalive"
2016-07-21 11:19:06 -04:00
Glenn Strauss cd33554b74 [core] $HTTP["remoteip"] must handle IPv6 w/o []
[core] $HTTP["remoteip"] must handle IPv6 w/o [] (existing behavior)
This was inadvertently broken in lighttpd 1.4.40 when IP address
normalization was added.

In $HTTP["remoteip"], IPv6 is now accepted with or without '[]'.
http_request_host_normalize() expects IPv6 with '[]', and config
processing at runtime expects COMP_HTTP_REMOTE_IP compared without '[]',
so '[]' is stripped (internally) after normalization
2016-07-21 01:42:35 -04:00
Glenn Strauss cb468d333c [core] stay in CON_STATE_CLOSE until done with req
Do not switch to CON_STATE_ERROR upon idle timeout if already in
CON_STATE_CLOSE.  Changing to CON_STATE_ERROR might keep resetting
con->close_timeout_ts if repeated calls to shutdown() succeed.
2016-07-20 05:43:39 -04:00
Glenn Strauss 78c79ead4a [core] avoid spurious trace and error abort
HANDLER_COMEBACK and HANDLER_ERROR are valid return values
from dynamic fdevent handlers.  Do not abort if HANDLER_ERROR
is returned.
2016-07-19 17:29:14 -04:00
Glenn Strauss 1ebc83f11f [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms

This commit contains fixes for CMake and SCONS
See also commit:4d920466 which updated for same

  "1.4.40 compiling issuses on Debian Wheezy"
2016-07-19 04:03:14 -04:00
Glenn Strauss 779c133c16 [security] do not emit HTTP_PROXY to CGI env
Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.

This is not a lighttpd security issue per se, but this change to
lighttpd adds a layer of defense to protect backend processes which
might be vulnerable due to blindly using this untrusted environment
variable.  The HTTP_PROXY environment variable should not be trusted
by a program running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
* Modify lighttpd.conf to load mod_magnet and run lua code
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

CGI web servers assign Proxy header values from client requests to
internal HTTP_PROXY environment variables
httpoxy: A CGI application vulnerability
2016-07-19 01:22:33 -04:00
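The header-to-environment step the message describes, as an added example written here and not lighttpd's own code: derive the CGI variable name from each request header and refuse to emit HTTP_PROXY, run over constructed sample headers. The struct, buffer sizes and function names are this example's assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENV_NAME_MAX 64
#define ENV_LINE_MAX (ENV_NAME_MAX + 256)

/* Map a request header name to its CGI environment name ("User-Agent" ->
 * "HTTP_USER_AGENT": uppercase, non-alphanumerics become '_'). Returns 0 and
 * writes nothing when the result would be HTTP_PROXY, the variable many HTTP
 * client libraries read as their outbound proxy (httpoxy). Checking the
 * normalized name catches "proxy", "PROXY" and friends, not just "Proxy". */
int cgi_env_name(const char *hdr, char *out, size_t outlen)
{
    size_t n = strlen(hdr);
    if (n == 0 || n + sizeof "HTTP_" > outlen) return 0;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)hdr[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    if (strcmp(out, "HTTP_PROXY") == 0) { out[0] = '\0'; return 0; }
    return 1;
}

struct header { const char *name; const char *value; };

/* Render "NAME=value" entries for the subprocess, dropping rejected headers. */
int build_cgi_env(const struct header *h, int nh, char env[][ENV_LINE_MAX], int maxenv)
{
    int count = 0; char name[ENV_NAME_MAX];
    for (int i = 0; i < nh && count < maxenv; i++) {
        if (!cgi_env_name(h[i].name, name, sizeof name)) continue;
        snprintf(env[count], ENV_LINE_MAX, "%s=%s", name, h[i].value);
        count++;
    }
    return count;
}

/* Constructed sample request headers, including a client-supplied "proxy". */
static const struct header sample[4] = {
    { "Host",            "www.example.com" },
    { "User-Agent",      "curl/7.0" },
    { "proxy",           "http://proxy.invalid:8080" },  /* must not become HTTP_PROXY */
    { "X-Forwarded-For", "192.0.2.1" },
};

/* Number of env entries built from the sample, or -1 if HTTP_PROXY= leaked. */
int sample_env_check(void)
{
    char env[8][ENV_LINE_MAX]; int n = build_cgi_env(sample, 4, env, 8);
    for (int i = 0; i < n; i++)
        if (strncmp(env[i], "HTTP_PROXY=", 11) == 0) return -1;
    return n;
}

/* 1 if hdr maps to expect; with expect == NULL, 1 if hdr is rejected. */
int env_name_is(const char *hdr, const char *expect)
{
    char buf[ENV_NAME_MAX]; int ok = cgi_env_name(hdr, buf, sizeof buf);
    return expect ? (ok && strcmp(buf, expect) == 0) : !ok;
}
```

Note that Proxy-Authorization still maps to HTTP_PROXY_AUTHORIZATION as CGI expects; only the exact HTTP_PROXY name is withheld.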
Glenn Strauss d506f4a569 minor: spelling changes in some comments/messages 2016-07-18 23:26:38 -04:00
Glenn Strauss 4d920466f7 [autobuild] clock_gettime() -lrt with glibc < 2.17
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms

On systems without clock_gettime (-cough- Mac OSX -cough-),
use gettimeofday() (deprecated in POSIX.1-2008) which is slightly
lower precision, but reasonably fast in execution.  References:
2016-07-18 23:24:42 -04:00
Glenn Strauss a3ec906ef9 [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
illumos (OpenIndiana) gets FIONREAD from <sys/filio.h>

  "lighttpd 1.4.40 compilation fails on illumos (OpenIndiana)"
2016-07-18 04:40:57 -04:00
fbrosson 72abc87b40 [autobuild] move inet_pton detection later
HAVE_INET_PTON was probably not being defined on Solaris.

While at it, also add detection for accept() in libnetwork for Haiku.

github: closes #68
2016-07-18 00:30:27 -04:00
Glenn Strauss 9c49dc9a5c workaround clang compiler warning 2016-07-17 23:21:50 -04:00
Glenn Strauss acad2c903a fix some warnings reported by cppcheck
fix some warnings reported by cppcheck and
change mod_skeleton.c to use buffer_string_length()
2016-07-17 16:13:31 -04:00