(expect < 256 octets for DNS name)
Since limit is imposed, can use buffer_clear() instead of buffer_reset()
for con->uri.authority and con->server_name. (Also, con->uri.scheme is
limited to "http" and "https", so use buffer_clear() for it, too)
Replace separators between folded header lines in-place using spaces
and then process the single header line.
(Reverts change which replaces folding whitespace with single space)
Acknowledgement: Or Peles of VDOO reference: VD-0871, VD-0872, VD-0873
(thx Or Peles)
- this fixes various use-after-free scenarios (reported by Or Peles of
VDOO): when parse_single_header stores pointers to header values in
con->request, those pointers are not updated if the header value is
reallocated when folded header lines are appended.
- also remove trailing white-space from folded lines
server.http-parseopts = ( ... ) URL normalization options
Note: *not applied* to CONNECT method
Note: In a future release, URL normalization likely enabled by default
(normalize URL, reject control chars, remove . and .. path segments)
To prepare for this change, lighttpd.conf configurations should
explicitly select desired behavior by enabling or disabling:
server.http-parseopts = ( "url-normalize" => "enable", ... )
server.http-parseopts = ( "url-normalize" => "disable" )
x-ref:
"lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
https://www.cvedetails.com/cve/CVE-2008-4359/
"Rewrite/redirect rules and URL encoding"
https://redmine.lighttpd.net/issues/1720
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
check that request-URI begins with '/', "http://", "https://",
or is OPTIONS * request, or else reject with 400 Bad Request unless
server.http-parseopt-header-strict = "disable" (default is enabled)
x-ref:
https://redmine.lighttpd.net/boards/3/topics/7637
permit LF to end header lines if
server.http-parseopt-header-strict = "disable"
(instead of requiring CR LF)
(makes it easy to use 'openssl s_client -connect <IP:port>' on unix)
(Note: care taken to minimize diff in this commit,
but header parsing code should be revisited and overhauled)
check case-insensitive scheme if full URI provided in request-line
RFC7230:
The scheme and host are case-insensitive and normally provided
in lowercase; all other components are compared in a case-sensitive
manner.
x-ref:
"https://redmine.lighttpd.net/boards/3/topics/7637"
support Transfer-Encoding: chunked request body in conjunction with
server.stream-request-body = 0
dynamic handlers will still return 411 Length Required if
server.stream-request-body = 1 or 2 (!= 0)
since CGI-like env requires CONTENT_LENGTH be set
(and mod_proxy currently sends HTTP/1.0 requests to backends,
and Content-Length recommended for robust interaction with backend)
x-ref:
"request: support Chunked Transfer Coding for HTTP PUT"
https://redmine.lighttpd.net/issues/2156
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
buffer.c:itostr() undefined behavior taking modulus of negative number
additional minor code changes made to quiet other coverity warnings
(false positives)
fd leak in mod_dirlisting.c
use after free in error condition in mod_proxy.c
NULL pointer dereference in error message in chunk.c
additional minor code changes made to quiet other coverity warnings
Glenn Strauss
Stefan Bühler