sys-time.h - localtime_r,gmtime_r macros if needed
provide rudimentary localtime_r() and gmtime_r() if not present
(wraps localtime() and gmtime() funtions, but are not thread-safe since
they do not take a lock around access to localtime() and gmtime())
(import from one of my development branches from 2015)
(thx flynn)
fix large memory usage for large file downloads from dynamic backends
reuse or release large memory chunks
x-ref:
"Memory Growth with PUT and full buffered streams"
https://redmine.lighttpd.net/issues/3033
- rewrite fcgi-responder as standalone app
fcgi-responder is now a minimal, standalone FastCGI server for tests
- remove dependency on fcgi-devel package
- merge fcgi-auth into fcgi-responder
compatibility to compile with earlier wolfSSL versions
compile-tested back to wolfSSL tag v3.14.0-stable
configured with (possibly extra flags)
./configure --enable-opensslextra --enable-opensslall --enable-sni \
--enable-lighty --enable-stunnel --enable-nginx --enable-haproxy
Functionality has not been tested!
Please consider using the latest stable release of wolfSSL.
now that mod_wolfssl is a standalone module, use wolfSSL TLS ver defines
(Increase compatibility of mod_wolfssl with wolfSSL versions prior to
wolfSSL v4.2.0)
(thx flynn)
fix decoding chunked from backend
truncate response and error out if backend sends excess data
after chunked encoding
x-ref:
"Too much content with HTTP/2.0"
https://redmine.lighttpd.net/issues/3049
replace /* fall through */ comment with __attribute_fallthrough__ macro
Note: not adding attribute to code with external origins:
xxhash.h (algo_xxhash.h)
ls-hpack/lshpack.c
so to avoid warnings, may need to compile with -Wno-implicit-fallthrough
fix array_copy_array() sorted[]
(current use appears to be only on value lists; not user-visible issue)
Some time back, sorted[] was a set of indexes into data[],
and therefore sorted[] could be copied when copying array.
Now that sorted[] is a list of pointers, the sorted[] list
must be rebuilt. If copied, it continued to point to
(data_unset *) from the original src array, not the dst array.
(thx mgottinger)
fix crash due to uninitialized memory during config parsing
x-ref:
"Broken LDAP authentication on lighttpd 1.4.56"
https://redmine.lighttpd.net/issues/3048
compatibility option to force HTTP/1.0 requests to mod_proxy backend
proxy.header += ("force-http10" => "disable") (default)
If proxy.header is set (for any options), it overrides the global
server.feature-flags += ("proxy.force-http10" => "disable")
(thx altblue)
reorder dc->context_ndx to match srv->config_context->data[] index.
srv->config_context->data[] may have been re-ordered in configparser.y.
Since the dc->context_ndx (id) is reused by config_insert*() and by
plugins to index into srv->config_context->data[], reorder into the
order encountered during config file parsing for least surprise to
end-users writing config files.
x-ref:
"mismatched nested config conditions in lighttpd 1.4.56"
https://redmine.lighttpd.net/issues/3047
(thx flynn)
track chunked encoding state when parsing backend response
x-ref:
"Failure on second request in http proxy backend"
https://redmine.lighttpd.net/issues/3046
reject excess data after chunked encoding when parsing backend response
x-ref:
"Failure on second request in http proxy backend"
https://redmine.lighttpd.net/issues/3046
(thx flynn)
To reduce log noise, skip warning trace reporting error on backend
socket if the connection has been upgraded, e.g. to websockets
x-ref:
"Socket errors after update to version 1.4.56"
https://redmine.lighttpd.net/issues/3044
(thx flynn)
When the backend sends Transfer-Encoding: chunked (which is HTTP/1.1,
not HTTP/1.0) and the client is HTTP/1.1, then lighttpd will transfer
the chunked encoding as it is sent from the backend without excess data
copying involved in decoding and then re-encoding. The bug is that if
the first data chunk (or chunks) is partially received at the same time
as the response headers, then the chunked encoding got corrupted.
x-ref:
"Socket errors after update to version 1.4.56"
https://redmine.lighttpd.net/issues/3044
add complex preproc logic for SNI detection
- HAVE_SNI is not sufficient
- HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0)
Instead, use more complex logic wrapping calls to SNI_Callback()
in wolfssl.
x-ref:
"[lighttpd] -mod-wolfssl inhibited by missing library functionality"
https://github.com/openwrt/packages/issues/14142
"put all SNI code behind simpler preprocessor directive HAVE_SNI"
https://github.com/wolfSSL/wolfssl/pull/3538
remove ancient preprocessor logic which might define OPENSSL_NO_TLSEXT
The logic was added to base.h in https://redmine.lighttpd.net/issues/386
some 13 years ago, and today might cause more harm than good with other
TLS libraries which provide some level of openssl-compatiblity layer,
e.g. BoringSSL and LibreSSL
If building with an ancient version of openssl and building without
support for TLS extensions, then be sure that OPENSSL_NO_TLSEXT is
defined. (Alternatively, please consider using modern versions of
security libraries for better security.)
read() on inotify fd does not return partial records,
and the info from the kernel can be trusted. Still add a sanity check.
If initialization of inotify fails, server will subsequently exit,
so memory leak reported by coverity is insignificant.
For IPv6 listen addresses:
server.v4mapped = "disable" results in IPV6_V6ONLY socket opt set to 0
server.v4mapped = "enable" results in IPV6_V6ONLY socket opt set to 1
server.v4mapped has an effect only if explicitly set in lighttpd.conf.
If not set, the socket option is inherited from kernel defaults, which
may vary on different OS.
server.v4mapped takes priority over server.set_v6only
server.set_v6only behavior is inconsistent and depreacted.
server.set_v6only behavior differs from server.v4mapped in that
server.set_v6only = "enable" will cause the IPV6_V6ONLY socket
option to be set to 1 for IPv6 listening sockets configured via
$SERVER["socket"] in lighttpd.conf, is enabled by default, and
has no effect if set to "disable"
Note: IPv4-mapped addresses may bring potential security issues,
depending on the situation. For example, lighttpd does not attempt
to match IPv4 addresses with IPv4-mapped addresses. Other writings:
https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02.html
quiet more request parse errors unless debug enabled with
debug.log-request-header-on-error = "enable"
x-ref:
"invalid character in URI -> 400 config?"
https://redmine.lighttpd.net/boards/2/topics/9512
more consistent use of shared code config_plugin_value_tobool()
(thx tow-conf)
x-ref:
"The on/off keywords in boolean configuration options is inconsistent, which might be misleading and error-prone."
https://redmine.lighttpd.net/issues/3036
When server.stream-request-body = 0 (the default), the entire request
body is collected before engaging the backend. For backends which
require data framing, this could lead to growth in memory use as large
requests were framed all at once.
Prefer to retain large request bodies in temporary files on disk and
frame in portions as write queue to backend drains below a threshold.
x-ref:
"Memory Growth with PUT and full buffered streams"
https://redmine.lighttpd.net/issues/3033
(bug on master branch)
With lighttpd defaults, including fully buffering request body, and
if request body > 1 MB, then multiple temporary files are used and
might not have open fd in chunkqueue. This would result in failure
to send request body to CGI. (bug commited to master branch 1 month ago)
This alternative approach attempts to work around error:
invalid application of 'sizeof' to incomplete type 'struct kevent'
seen in continuous integration (CI) autoconf build on FreeBSD VM
disable server.graceful-restart-bg on OpenBSD and NetBSD
kqueue is not inherited across fork, and OpenBSD and NetBSD do not
implement rfork() (implemented on FreeBSD and DragonFly)
lighttpd has not implemented rebuilding the kqueues after fork,
so server.graceful-restart-bg is disabled on OpenBSD and NetBSD.
Note: there have always been limitations with lighttpd stat_cache.[ch]
using FAM/gamin on *BSD via kqueue() as lighttpd stat_cache.[ch] only
monitors directories. This kqueue() implementation also only monitors
directories and has limitations.
lighttpd stat_cache.[ch] is notified about additions and removals of
files within a monitored directory but might not be notified of changes
such as timestamps (touch), ownership, or even changes in contents
(e.g. if a file is edited through a hard link)
server.stat-cache-engine = "disable" should be used when files should
not be cached. Full stop. Similarly, "disable" is recommended if files
change frequently. If using server.stat-cache-engine with any engine,
there are caching effects and tradeoffs.
On *BSD and using kqueue() on directories, any change detected clears
the stat_cache of all entries in that directory, since monitoring only
the directory does not indicate which file was added or removed. This
is not efficient for directories containing frequently changed files.
Update: NSS developer explains:
"The way that we currently operate is to tie the session key encryption
to the server public key. Which only works if you have an RSA key
configured"
https://bugzilla.mozilla.org/show_bug.cgi?id=1673254
include wolfssl/options.h crypto lib config
after selecting crypto lib to use
wolfSSL does not prefix its defines with a wolfSSL-specific namespace
(so we would like to avoid unnecessarily polluting preproc namespace)
This commit further isolates wolfSSL after split from mod_openssl.
Cleans up some preprocessor logic that was put in place when using
the wolfSSL compatibility layer for openssl, before creating a
dedicated mod_wolfssl.
workaround fragile code in wolfssl/wolfcrypto/types.h
Including header blows up compile in 32-bit when lighttpd meson build
in OpenWRT on a 32-bit platform generates lighttpd config.h containing
define of SIZEOF_LONG, but not SIZEOF_LONG_LONG, and the wolfssl types.h
flubs and fails to choose an enum value used by a macro that is unused
by most consumers of the wolfssl header.
disabled by default, but can be enabled
(session tickets should be preferred)
applies to mod_openssl, mod_wolfssl, mod_nss
session cache is not currently implemented in mod_mbedtls or mod_gnutls
(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)
If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.
As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browers (besides Opera)
Glenn Strauss