Commit Graph

7 Commits (8c7f1dfb035e19f34249ba1c692ef6dda3b03a15)

Author SHA1 Message Date
Glenn Strauss 3dd3cde902 [core] abstraction layer for HTTP header manip
http_header.[ch]
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
2018-09-23 18:01:58 -04:00
Glenn Strauss ad27206608 [core] redo HTTP header line folding
Replace separators between folded header lines in-place using spaces
and then process the single header line.

(Reverts change which replaces folding whitespace with single space)

Acknowledgement: Or Peles of VDOO  reference: VD-0871, VD-0872, VD-0873
(thx Or Peles)
2018-09-16 05:18:05 -04:00
Stefan Bühler 3be0707839 [core] replace folding whitespace with a single space
- previously the leading whitespace from folded lines was kept
- also ignore lines without any data
2018-08-26 18:52:22 +02:00
Glenn Strauss d161f53de0 [core] security: use-after-free invalid Range req
(thx Marcus Wengelin)
2018-08-12 14:43:22 -04:00
Glenn Strauss 5868b8ca12 [core] add missing includes to quiet compiler warn
add missing system includes to quiet compiler warnings on Mac OS X
2018-08-12 14:43:22 -04:00
Glenn Strauss 3eb7902e10 [core] server.http-parseopts URL normalization opt (fixes #1720)
server.http-parseopts = ( ... ) URL normalization options

Note: *not applied* to CONNECT method

Note: In a future release, URL normalization likely enabled by default
  (normalize URL, reject control chars, remove . and .. path segments)
  To prepare for this change, lighttpd.conf configurations should
  explicitly select desired behavior by enabling or disabling:
    server.http-parseopts = ( "url-normalize" => "enable", ... )
    server.http-parseopts = ( "url-normalize" => "disable" )

x-ref:
  "lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
  https://www.cvedetails.com/cve/CVE-2008-4359/
  "Rewrite/redirect rules and URL encoding"
  https://redmine.lighttpd.net/issues/1720
2018-08-12 14:43:22 -04:00
Glenn Strauss 6ccccaaa38 [tests] move src/test_*.c to src/t/
2018-08-05 03:44:15 -04:00