send Connection: close if it is known that request body has not finished
being read and will not finish being read
x-ref:
"Suboptimal keep-alive handling when request body is not read"
https://redmine.lighttpd.net/issues/2924
reduce initial buffer size if large POST to backend stored in temp files
regression in lighttpd 1.4.52
(thx rgenoud)
x-ref:
"[regression] lighttpd gets killed after uploading a big file"
https://redmine.lighttpd.net/issues/2922
After 4 seconds, send kill() every second while waiting for child to exit.
Send host->kill_signal for next 4 seconds, then send SIGTERM (usually same
as host->kill_signal) for following 8 seconds, and finally send SIGKILL
each second after that, until the child process dies.
github: closes #94
fix possible NULL pointer dereference when query string not present
and no previous query strings processed by that specific connection
instance
regression in lighttpd 1.4.51 (mod_flv_streaming)
regression in lighttpd 1.4.52 (mod_cml)
workaround for mod_flv_streaming:
url.rewrite-once = ( "\.flv$" => "${url.path}?" )
(similar workaround for mod_cml)
(thx fab)
x-ref:
"segfault with mod_flv_streaming"
https://redmine.lighttpd.net/boards/2/topics/8404
validate UTF-8 in url-decoded paths obtained elsewhere than from request
(burl_normalize(), if enabled with server.http-parseopts, checks url for
overlong encodings of ASCII chars in the HTTP request-line)
buffer_simplify_path() no longer prepends '/' if '/' is missing.
Callers must check for leading '/' depending on use, such as in
concatenation with others paths, or direct use accessing filesystem
Note: lighttpd 1.4.50 provides the server.http-parseopts directive.
Recommended settings unless specific use requires looser settings:
server.http-parseopts = (
"header-strict" => "enable",
"host-strict" => "enable",
"host-normalize" => "enable",
"url-normalize" => "enable",
"url-normalize-unreserved" => "enable",
"url-normalize-required" => "enable",
"url-ctrls-reject" => "enable",
"url-path-2f-decode" => "enable",
"url-path-dotseg-remove" => "enable",
"url-query-20-plus" => "enable"
)
x-ref:
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
As noted in the link above, mod_access should be preferred instead
of mod_rewrite for access controls to URLs.
(expect < 256 octets for DNS name)
Since limit is imposed, can use buffer_clear() instead of buffer_reset()
for con->uri.authority and con->server_name. (Also, con->uri.scheme is
limited to "http" and "https", so use buffer_clear() for it, too)
