RFC 7231 forbids partial PUT. However, historical versions of
lighttpd mod_webdav did provide this (mis-)feature. Therefore,
provide *deprecated* unsafe partial PUT support for compatibility
with historical lighttpd mod_webdav (prior to mod_webdav rewrite),
but require new config option to enable this compatible behavior:
webdav.opts = ( "deprecated-unsafe-partial-put" => "enable" )
The partial PUT support implemented by historical lighttpd mod_webdav
makes no effort to account for shrinkage or growth of range replaced.
The request body is splat into the *existing* file at the offset
provided which is quite unsafe and can cause corruption in data sent
to concurrent download requests.
Use of this (mis-)feature is discouraged, and support may be removed
in the future, without any further notice.
(occurred 3 years ago on experimental branch, and now ported forward)
robustness and performance improvements, including atomic updates on
individual files (e.g. for PUT, COPY, MOVE)
exclusive locks are fully supported
shared locks are partly supported
x-ref:
"add RFC-compliant LOCK support to mod_webdav"
https://redmine.lighttpd.net/issues/1818
fdevent_open_cloexec() opens files O_BINARY for consistency,
and with O_NONBLOCK, so that the server will not block if the
target file to open is a fifo.
reduce code duplication in list resizing
realloc() of NULL ptr has behavior similar to malloc()
Note that if initial size == 0, then code used to adjust size
must be += x to ensure the size is non-zero for reallocation.
(Multiplying 0 * x, e.g. power-2 resizing, will result in 0.)
validate UTF-8 in url-decoded paths obtained elsewhere than from request
(burl_normalize(), if enabled with server.http-parseopts, checks url for
overlong encodings of ASCII chars in the HTTP request-line)
buffer_simplify_path() no longer prepends '/' if '/' is missing.
Callers must check for leading '/' depending on use, such as in
concatenation with others paths, or direct use accessing filesystem
Note: lighttpd 1.4.50 provides the server.http-parseopts directive.
Recommended settings unless specific use requires looser settings:
server.http-parseopts = (
"header-strict" => "enable",
"host-strict" => "enable",
"host-normalize" => "enable",
"url-normalize" => "enable",
"url-normalize-unreserved" => "enable",
"url-normalize-required" => "enable",
"url-ctrls-reject" => "enable",
"url-path-2f-decode" => "enable",
"url-path-dotseg-remove" => "enable",
"url-query-20-plus" => "enable"
)
x-ref:
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
As noted in the link above, mod_access should be preferred instead
of mod_rewrite for access controls to URLs.
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b). Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.
(buffer_reset() should still be used with buffers in connection *con
when the data in the buffers is supplied by external, untrusted source)
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
fix crash in mod_webdav_subrequest_handler_huge()
when stat_cache_get_entry() returns HANDLER_ERROR
but errno is not ENOENT
x-ref:
"fix crash in mod_webdav_subrequest_handler_huge()"
https://github.com/lighttpd/lighttpd1.4/pull/86
github: closes #86
check HAVE_UUID for -luuid in order to detect more pedantic cases,
e.g. when -luuid is not installed under Cygwin, even if devel headers
are present (<uuid/uuid.h>)
PROPFIND getetag attr must match Etag response header from GET request
For consistency, make similar change in mod_ssi.
(thx ethoms)
x-ref:
"mod_webdav: Etag in response differs between PROPFIND and GET"
https://redmine.lighttpd.net/boards/3/topics/7473
silence compiler warnings if HAVE_FORK is not set
However, if HAVE_FORK is not set, then -Werror was probably passed to
./configure, which is currently a mistake. lighttpd can successfully
compiles src/ with -Werror on many platforms, but ./configure tests
should not be run with -Werror. [gstrauss]
github: closes #81
x-ref:
"Fix warnings"
https://github.com/lighttpd/lighttpd1.4/pull/81
shared code to get mimetype string via longest extension match
(attempts to match file basename, then longest ext, then "")
Note: this is a behavior change from simple suffix match
if there are 16 or more entries in mimetypes.assign
Set server.stream-request-body = 1 or server.stream-request-body = 2
to have lighttpd connect to backend (CGI, FastCGI, SCGI, proxy)
immediately after parsing request headers, and to stream request body
as it arrives.
default: buffer entire request body before connecting to backend,
in order to avoid tying up (limited) backend resources which are often
implemented using libraries which wait for entire request body before
proceeding.
x-ref:
"Reimplement upload (POST) handling to match apache/zeus/thttpd/boa functionality"
https://redmine.lighttpd.net/issues/376
yangfl