Commit Graph

3743 Commits

Author SHA1 Message Date
Glenn Strauss 167513c840 [core] track chunked encoding state from backend (fixes #3046)
(thx flynn)

track chunked encoding state when parsing backend response

  "Failure on second request in http proxy backend"
2020-12-14 19:59:08 -05:00
Glenn Strauss 3230c6ef17 [core] reject excess data after chunked encoding (#3046)
reject excess data after chunked encoding when parsing backend response

  "Failure on second request in http proxy backend"
2020-12-14 19:55:00 -05:00
Glenn Strauss 163cb8be28 [core] fix chunked decoding from backend (fixes #3044)
(thx flynn)

  "Socket errors after update to version 1.4.56"
2020-12-14 12:34:49 -05:00
Glenn Strauss 4933a2259b [core] warn if mod_authn_file needed in conf
warn if mod_authn_file is not listed in lighttpd.conf, but is needed
2020-12-13 06:01:51 -05:00
Glenn Strauss a360eafc8b [mod_nss] portability fix
check if NSS supports TLSv1.3 ciphers
(very old versions do not, and admins should consider upgrading NSS)
2020-12-10 13:04:39 -05:00
Glenn Strauss 1d73fc2329 [core] portability fix if st_mtime not defined 2020-12-09 17:39:43 -05:00
Glenn Strauss 8a2f9c1173 [TLS] POSIX sh compat (fixes #3043)
(thx flynn)  (patch from flynn)

  " not POSIX compatible"
2020-12-09 17:07:43 -05:00
Glenn Strauss de29a37771 [core] skip some trace if backend Upgrade (#3044)
(thx flynn)

To reduce log noise, skip warning trace reporting error on backend
socket if the connection has been upgraded, e.g. to websockets

  "Socket errors after update to version 1.4.56"
2020-12-09 17:07:43 -05:00
Glenn Strauss 1d9cab1bc3 [core] always set file.fd = -1 on FILE_CHUNK reset (fixes #3044)
(thx flynn)

  "Socket errors after update to version 1.4.56"
2020-12-09 17:07:37 -05:00
Glenn Strauss d15e2286f2 [core] fix handling chunked response from backend (fixes #3044)
(thx flynn)

When the backend sends Transfer-Encoding: chunked (which is HTTP/1.1,
not HTTP/1.0) and the client is HTTP/1.1, then lighttpd will transfer
the chunked encoding as it is sent from the backend without excess data
copying involved in decoding and then re-encoding. The bug is that if
the first data chunk (or chunks) is partially received at the same time
as the response headers, then the chunked encoding got corrupted.

  "Socket errors after update to version 1.4.56"
2020-12-09 02:59:36 -05:00
Glenn Strauss adf7aea0e1 [core] wrap a macro value with parens
(code review)
2020-12-08 15:17:11 -05:00
Glenn Strauss a43420ba07 [mod_wolfssl] add complex preproc logic for SNI
add complex preproc logic for SNI detection
- HAVE_SNI is not sufficient
- HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0)
Instead, use more complex logic wrapping calls to SNI_Callback()
in wolfssl.

  "[lighttpd] -mod-wolfssl inhibited by missing library functionality"
  "put all SNI code behind simpler preprocessor directive HAVE_SNI"
2020-12-06 22:50:49 -05:00
Glenn Strauss 083b3fb992 [core] SHA512_Init, SHA512_Update, SHA512_Final 2020-12-06 19:59:24 -05:00
Glenn Strauss aa3cabae3b [mod_openssl] remove ancient preprocessor logic
remove ancient preprocessor logic which might define OPENSSL_NO_TLSEXT

The logic was added to base.h in
some 13 years ago, and today might cause more harm than good with other
TLS libraries which provide some level of openssl-compatiblity layer,
e.g. BoringSSL and LibreSSL

If building with an ancient version of openssl and building without
support for TLS extensions, then be sure that OPENSSL_NO_TLSEXT is
defined.  (Alternatively, please consider using modern versions of
security libraries for better security.)
2020-12-06 02:08:06 -05:00
Glenn Strauss a27e55b2dd [core] add missing mod_wolfssl to ssl compat list
add missing mod_wolfssl to ssl compat module list

  "[lighttpd] -mod-wolfssl fails (requires dependency on -mod-openssl?)"
2020-12-05 11:19:03 -05:00
Glenn Strauss ce1d45ed82 [build] fix SCons build when building all TLS mods 2020-12-05 02:30:15 -05:00
Glenn Strauss 3579c32295 [core] prefer inet_aton() over inet_addr() 2020-12-05 02:18:58 -05:00
Glenn Strauss 233a218ab3 [build] fix when building all TLS mods
  "[lighttpd] -mod-openssl fails"
  "[lighttpd] -mod-wolfssl fails"
2020-12-03 17:16:52 -05:00
Glenn Strauss f8369910ff [core] setsockopt IPV6_V6ONLY if server.v4mapped
always setsockopt IPV6_V6ONLY on IPv6 addrs if server.v4mapped
is configured
2020-12-02 17:46:21 -05:00
Glenn Strauss b9bdca9b8a [mod_webdav] define _ATFILE_SOURCE if AT_FDCWD 2020-12-01 17:08:19 -05:00
Glenn Strauss 2d55953e75 [core] allow keep-alives in one-shot mode (#3042)
  "lighttpd on demand"
2020-11-30 19:32:23 -05:00
Glenn Strauss f279ae7d50 [core] quiet start/shutdown trace in one-shot mode 2020-11-30 19:31:54 -05:00
Glenn Strauss 716e4d7a5d [core] fix lighttpd -1 one-shot with pipes 2020-11-30 19:31:05 -05:00
Glenn Strauss ba995e9ec9 [core] handle U+00A0 in config parser
treat U+00A0 (c2 a0) "NO-BREAK SPACE" as whitespace between tokens

2020-11-30 11:19:55 -05:00
Glenn Strauss ab5ae94509 [mod_webdav] compile fix for Mac OSX/11 2020-11-30 01:38:08 -05:00
Glenn Strauss 01d49a283d [core] attempt to quiet some coverity warnings
read() on inotify fd does not return partial records,
and the info from the kernel can be trusted.  Still add a sanity check.

If initialization of inotify fails, server will subsequently exit,
so memory leak reported by coverity is insignificant.
2020-11-29 20:04:19 -05:00
Glenn Strauss afa6595a7b - next is 1.4.57 2020-11-29 19:15:06 -05:00
Glenn Strauss b8e011d230 [doc] NEWS 2020-11-29 16:31:14 -05:00
Glenn Strauss ae228cadb5 [mod_webdav] workaround for gvfs dir redir bug
workaround for gvfs dir redir bug

fix for unhandled live properties

(thx montvid)

  "lighttpd webdav does not work with Nemo, Nautilus gvfs"
2020-11-29 12:20:00 -05:00
Glenn Strauss 025f2d0dad [core] server.v4mapped option
For IPv6 listen addresses:
server.v4mapped = "disable" results in IPV6_V6ONLY socket opt set to 0
server.v4mapped = "enable"  results in IPV6_V6ONLY socket opt set to 1

server.v4mapped has an effect only if explicitly set in lighttpd.conf.
If not set, the socket option is inherited from kernel defaults, which
may vary on different OS.

server.v4mapped takes priority over server.set_v6only

server.set_v6only behavior is inconsistent and depreacted.
server.set_v6only behavior differs from server.v4mapped in that
server.set_v6only = "enable" will cause the IPV6_V6ONLY socket
option to be set to 1 for IPv6 listening sockets configured via
$SERVER["socket"] in lighttpd.conf, is enabled by default, and
has no effect if set to "disable"

Note: IPv4-mapped addresses may bring potential security issues,
depending on the situation.  For example, lighttpd does not attempt
to match IPv4 addresses with IPv4-mapped addresses.  Other writings:
2020-11-29 09:13:19 -05:00
Glenn Strauss a0ad558006 [mod_status] add additional HTML-encoding 2020-11-27 19:39:59 -05:00
Glenn Strauss 54922d61af [mod_fastcgi] move src/fastcgi.h into src/compat/ 2020-11-27 08:12:21 -05:00
Glenn Strauss 88433270c6 [mod_webdav] fallbacks if _ATFILE_SOURCE not avail
Note: filesystem access race conditions exist without _ATFILE_SOURCE
2020-11-27 08:12:21 -05:00
Glenn Strauss 7a0d94cd6f [mod_webdav] pass full path to webdav_unlinkat()
so that path can be removed from stat_cache
2020-11-27 08:12:21 -05:00
Glenn Strauss 09faa72f2f [mod_flv_streaming] use stat_cache_get_entry_open 2020-11-27 08:12:21 -05:00
Glenn Strauss edfc5f394e [core] consolidate chunk size checks 2020-11-27 08:12:21 -05:00
Glenn Strauss 35fa47d802 [core] quiet more request parse errs unless debug
quiet more request parse errors unless debug enabled with
  debug.log-request-header-on-error = "enable"

  "invalid character in URI -> 400 config?"
2020-11-27 08:12:21 -05:00
Glenn Strauss 647222b35c [core] check for __builtin_expect() availability 2020-11-27 08:12:21 -05:00
Glenn Strauss 730c932e3c [multiple] more forgiving config str to boolean (fixes #3036)
more consistent use of shared code config_plugin_value_tobool()

(thx tow-conf)

  "The on/off keywords in boolean configuration options is inconsistent, which might be misleading and error-prone."
2020-11-16 01:39:14 -05:00
Glenn Strauss c42b280583 [core] fix bug when HTTP/2 frames span chunks
fix inverted logic when HTTP/2 frames span chunkqueue chunks
2020-11-13 17:00:01 -05:00
Glenn Strauss f2b33e7520 [multiple] add back-pressure gw data pump (fixes #3033)
When = 0 (the default), the entire request
body is collected before engaging the backend.  For backends which
require data framing, this could lead to growth in memory use as large
requests were framed all at once.

Prefer to retain large request bodies in temporary files on disk and
frame in portions as write queue to backend drains below a threshold.

  "Memory Growth with PUT and full buffered streams"
2020-11-12 17:19:31 -05:00
Glenn Strauss 45aa1aa880 [mod_cgi] ensure tmp file open() before splice()
(bug on master branch)

With lighttpd defaults, including fully buffering request body, and
if request body > 1 MB, then multiple temporary files are used and
might not have open fd in chunkqueue.  This would result in failure
to send request body to CGI. (bug commited to master branch 1 month ago)
2020-11-12 01:44:19 -05:00
Glenn Strauss fc19558f96 [mod_cgi] fix crash if initial write to CGI fails
(bug on master branch)
2020-11-12 01:43:26 -05:00
Glenn Strauss 78ec2b5b68 [core] filter out duplicate modules
filter out modules duplicated in server.modules list
2020-11-11 20:57:41 -05:00
Glenn Strauss c16c6a8f8f [mod_alias] validate given order, not sorted order
(bug on master branch)

  "Debian Bullseye/sid arm64 - lighttp broken after update"
2020-11-11 19:06:51 -05:00
Glenn Strauss 82273a947b [doc] update optional pkg dependencies in INSTALL 2020-11-11 03:16:03 -05:00
Glenn Strauss 5ec13918d3 [core] define SHA*_DIGEST_LENGTH macros if missing 2020-11-10 07:44:53 -05:00
Glenn Strauss 47aa6d4ac8 [core] http_response_buffer_append_authority()
make public func for benefit of external, third-party mod_authn_tkt
2020-11-10 06:10:27 -05:00
Glenn Strauss 291fd1e72e [core] accept "HTTP/2.0", "HTTP/3.0" from backends (#3031)
accept "HTTP/2.0" and "HTTP/3.0" NPH from naive non-proxy backends

(thx flynn)

  "uwsgi fails with HTTP/2"
2020-11-10 02:32:34 -05:00
Glenn Strauss 5e711068e4 [build] check for xxhash in more ways
pkg-config libxxhash.pc might not be provided with xxhash < 0.7.3

  "Update build-dep for xxhash [...]"
2020-11-09 20:26:30 -05:00