lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity
3,743 Commits 9 Branches 87 Tags 16 MiB
Commit Graph

6 Commits

Author SHA1 Message Date
Glenn Strauss 5d13b40824 [core] (const buffer *) in (struct burl_parts_t) 2020-02-24 11:15:32 -05:00
Glenn Strauss 8441c9e8e8 [core] config option to allow GET w/ request body 
server.http-parseopts = ( "method-get-body" = "enable" )
 2019-03-07 00:32:17 -05:00
Glenn Strauss f832b71180 [mod_redirect,mod_rewrite] base64url encoding opt 
Provide means to encode redirect and rewrite backreference substitutions

  %{encb64u:...} encode to base64url characters (no-padding)
  %{decb64u:...} decode from base64url characters
 2018-08-12 14:43:22 -04:00
Glenn Strauss 255269d799 [mod_redirect,mod_rewrite] encoding options (fixes #443, fixes #911) 
Provide means to encode redirect and rewrite backreference substitutions
  In addition to $1 and %1, the following modifiers are now supported,
  followed by the number for the backreference, e.g. ${esc:1}

  ${noesc:...}  no escaping
  ${esc:...}    escape all non-alphanumeric - . _ ~ incl double-escape %
  ${escape:...} escape all non-alphanumeric - . _ ~ incl double-escape %
  ${escnde:...} escape all non-alphanumeric - . _ ~  but no double-esc %
  ${tolower:...}
  ${toupper:...}

  %{noesc:...}
  %{esc:...}
  %{escape:...}
  %{escnde:...}
  %{tolower:...}
  %{toupper:...}

Provide means to substitute URI parts without needing a regex match
  (and can be preceded by encoding modifier,
     e.g. ${tolower:url.authority})

  ${url.scheme}
  ${url.authority}
  ${url.port}
  ${url.path}
  ${url.query}

  ${qsa}        appends query string, if not empty

x-ref:
  "[PATCH] mod_redirect: Add support for url-encoding backreferences, map %%n->%n, $$n->$n"
  https://redmine.lighttpd.net/issues/443
  "Need for URL encoding in mod_redirect and possibly mod_rewrite"
  https://redmine.lighttpd.net/issues/911
 2018-08-12 14:43:22 -04:00
Glenn Strauss 37900d24b3 [mod_redirect,mod_rewrite] pass request URI info 2018-08-12 14:43:22 -04:00
Glenn Strauss 3eb7902e10 [core] server.http-parseopts URL normalization opt (fixes #1720) 
server.http-parseopts = ( ... ) URL normalization options

Note: *not applied* to CONNECT method

Note: In a future release, URL normalization likely enabled by default
  (normalize URL, reject control chars, remove . and .. path segments)
  To prepare for this change, lighttpd.conf configurations should
  explicitly select desired behavior by enabling or disabling:
    server.http-parseopts = ( "url-normalize" => "enable", ... )
    server.http-parseopts = ( "url-normalize" => "disable" )

x-ref:
  "lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
  https://www.cvedetails.com/cve/CVE-2008-4359/
  "Rewrite/redirect rules and URL encoding"
  https://redmine.lighttpd.net/issues/1720
 2018-08-12 14:43:22 -04:00