fix possible NULL pointer dereference when query string not present
and no previous query strings processed by that specific connection
instance
regression in lighttpd 1.4.51 (mod_flv_streaming)
regression in lighttpd 1.4.52 (mod_cml)
workaround for mod_flv_streaming:
url.rewrite-once = ( "\.flv$" => "${url.path}?" )
(similar workaround for mod_cml)
(thx fab)
x-ref:
"segfault with mod_flv_streaming"
https://redmine.lighttpd.net/boards/2/topics/8404
validate UTF-8 in url-decoded paths obtained elsewhere than from request
(burl_normalize(), if enabled with server.http-parseopts, checks url for
overlong encodings of ASCII chars in the HTTP request-line)
buffer_simplify_path() no longer prepends '/' if '/' is missing.
Callers must check for leading '/' depending on use, such as in
concatenation with other paths, or direct use accessing filesystem
Note: lighttpd 1.4.50 provides the server.http-parseopts directive.
Recommended settings unless specific use requires looser settings:
server.http-parseopts = (
    "header-strict" => "enable",
    "host-strict" => "enable",
    "host-normalize" => "enable",
    "url-normalize" => "enable",
    "url-normalize-unreserved" => "enable",
    "url-normalize-required" => "enable",
    "url-ctrls-reject" => "enable",
    "url-path-2f-decode" => "enable",
    "url-path-dotseg-remove" => "enable",
    "url-query-20-plus" => "enable"
)
x-ref:
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
As noted in the link above, mod_access should be preferred instead
of mod_rewrite for access controls to URLs.
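An added example, not lighttpd's own code, of the kind of check the UTF-8 validation above performs: an already url-decoded path is rejected if it contains malformed or overlong UTF-8 (such as C0 AF, an overlong encoding of '/'). The function names are hypothetical.

```c
/* Added example, not lighttpd code: reject malformed or overlong UTF-8 in an
 * already url-decoded path (e.g. C0 AF, an overlong encoding of '/'), the
 * class of input that burl_normalize() rejects on the request-line. The
 * function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 if s[0..len) is well-formed UTF-8 with no overlong forms,
 * no surrogates and nothing above U+10FFFF; returns 0 otherwise. */
int utf8_is_valid(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; ) {
        unsigned char c = s[i];
        size_t n; uint32_t cp, min;
        if (c < 0x80) { i++; continue; }                   /* plain ASCII */
        if      ((c & 0xE0) == 0xC0) { n = 2; cp = c & 0x1F; min = 0x80;    }
        else if ((c & 0xF0) == 0xE0) { n = 3; cp = c & 0x0F; min = 0x800;   }
        else if ((c & 0xF8) == 0xF0) { n = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                   /* stray continuation or 0xF8+ lead */
        if (i + n > len) return 0;       /* sequence truncated at end of path */
        for (size_t k = 1; k < n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;   /* bad continuation */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;          /* overlong: a shorter form exists */
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n;
    }
    return 1;
}

/* Convenience wrapper for a NUL-terminated decoded path. */
int decoded_path_ok(const char *path)
{
    return utf8_is_valid((const unsigned char *)path, strlen(path));
}
```

A path that passes this check can still need the leading '/' and dot-segment handling noted above; this only settles the encoding question.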
(expect < 256 octets for DNS name)
Since limit is imposed, can use buffer_clear() instead of buffer_reset()
for con->uri.authority and con->server_name. (Also, con->uri.scheme is
limited to "http" and "https", so use buffer_clear() for it, too)
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b). Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.
(buffer_reset() should still be used with buffers in connection *con
when the data in the buffers is supplied by external, untrusted source)
separate reading header from connection_handle_read_state() into
connection_read_header() so that HTTP pipelined requests can skip
optimistic read()/recv()
server.chunkqueue-chunk-sz = 4096 (default)
Can be configured to any integral value greater than 0.
Value is rounded up to next 1024 if not an even multiple of 1k.
Sites with large request or response headers may benefit from
an 8k or 16k chunk size. Embedded systems might choose to minimize
memory use by using a 1k chunk size.
controls whether default and compatibility modules are loaded,
including default modules mod_indexfile, mod_staticfile, mod_dirlisting
and if mod_authn* modules are loaded when mod_auth is in server.modules
and if mod_openssl is loaded when ssl. directives are seen
default: server.compat-module-load = "enable"
(preserve existing behavior)
recommended config: explicitly load desired modules in desired order
fix bug resulting in status code being overwritten from 301 to 302 if
Location response header is returned by a backend which is not mod_proxy
(regression in lighttpd 1.4.51)
(thx shochodev)
x-ref:
"lighttpd is not obeying the http status code sent by our application (302 sent by lighttpd when 301 is sent by application)"
https://redmine.lighttpd.net/issues/2918