Commit Graph

2644 Commits

Author SHA1 Message Date
Glenn Strauss d61f33817c [multiple] code reuse: employ array_match_*() 2018-09-23 18:01:58 -04:00
Glenn Strauss 863dff6191 [mod_skeleton] review and simplify 2018-09-23 18:01:58 -04:00
Glenn Strauss e6741acd4e [core] code reuse array_match_*() routines 2018-09-23 18:01:58 -04:00
Glenn Strauss 6b887f35e3 [mod_auth] send 401 for mismatch HTTP auth scheme (fixes #2906)
  "Lighttpd responds with 400 not 401"
2018-09-23 18:01:58 -04:00
Glenn Strauss 4992c4de10 [mod_fastcgi,mod_scgi] error on oversized request (fixes #2905)
regression in lighttpd 1.4.49 and lighttpd 1.4.50

(thx slawomir.pryczek)

  "oversized fcgi requests should fail gracefully"
2018-09-23 18:01:58 -04:00
Glenn Strauss a458c2e731 [mod_proxy,mod_wstunnel] copy full plugin_config (fixes #2903)
  "gw backend redesign"
2018-09-23 18:01:58 -04:00
Glenn Strauss 5045a9e833 [core] fastcgi.h link to Open Market License (OML) (fixes #2901)
  "License terms of fastcgi.h"
2018-09-23 18:01:58 -04:00
Glenn Strauss 2eabe1636c [mod_rewrite] fix url.rewrite-repeat and url.rewrite-if-not-file (fixes #2908)
regression in lighttpd 1.4.50

  "mod_rewrite now throws error ENDLESS LOOP IN rewrite-rule DETECTED"
2018-09-23 18:01:58 -04:00
Glenn Strauss eebc1b0eec [mod_proxy] fix proxy.forwarded and proxy.replace-http-host (fixes #2902)
config settings were not being copied into proxy request context

  "mod_proxy's “proxy.forwarded” option seems ignored when used with mod_auth."
2018-09-23 18:01:58 -04:00
Glenn Strauss 9725299587 [core] code reuse with http_response_body_clear()
code reuse with http_response_body_clear()
rename con->response.transfer_encoding to con->response.send_chunked
2018-09-23 18:01:58 -04:00
Glenn Strauss 3dd3cde902 [core] abstraction layer for HTTP header manip
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
2018-09-23 18:01:58 -04:00
Glenn Strauss c8159ee5f6 [core] http_request_parse_reqline() separate func
http_request_parse_reqline() separate func from http_request_parse()
600+ line http_request_parse() is now two routines with ~300 lines each
2018-09-16 05:18:05 -04:00
Glenn Strauss 28d6015b45 [core] simplify parsing hdr key whitespace then : 2018-09-16 05:18:05 -04:00
Glenn Strauss a7c27c9f99 [core] code reuse with array_insert_key_value()
code reuse with array_insert_key_value() and related array manipulation
2018-09-16 05:18:05 -04:00
Glenn Strauss a90526374f [core] abstraction to insert/modify response hdrs
consistent use of abstraction to insert/modify response headers
2018-09-16 05:18:05 -04:00
Glenn Strauss 9d3cbaa74c [core] parse header line strings before copying 2018-09-16 05:18:05 -04:00
Glenn Strauss ad27206608 [core] redo HTTP header line folding
Replace separators between folded header lines in-place using spaces
and then process the single header line.

(Reverts change which replaces folding whitespace with single space)

Acknowledgement: Or Peles of VDOO  reference: VD-0871, VD-0872, VD-0873
(thx Or Peles)
2018-09-16 05:18:05 -04:00
Stefan Bühler e0260a411d [buffer] fix duplicate assert and comment
this originates from ad3e93ea9 for no apparent reason
2018-08-26 18:52:22 +02:00
Stefan Bühler 3be0707839 [core] replace folding whitespace with a single space
- previously the leading whitespace from folded lines was kept
- also ignore lines without any data
2018-08-26 18:52:22 +02:00
Stefan Bühler df8e4f9561 [core,security] process headers after combining folded headers
- this fixes various use-after-free scenarios (reported by Or Peles of
  VDOO): when parse_single_header stores pointers to header values in
  con->request, those pointers are not updated if the header value is
  reallocated when folded header lines are appended.
- also remove trailing white-space from folded lines
2018-08-26 18:44:46 +02:00
Stefan Bühler a2cc330fb4 [core] header parsing: use goto for error handling
- disable keep-alive for all failures
- default to 400 for status
2018-08-25 13:13:24 +02:00
Stefan Bühler 725d951247 [core] explicitly return 0 instead of constant result 2018-08-25 12:43:03 +02:00
Stefan Bühler ed0054c2d3 [core] split parsing header line into separate function 2018-08-25 12:35:23 +02:00
Glenn Strauss a9e131fa37 - next is 1.4.51 2018-08-13 00:43:56 -04:00
Glenn Strauss a2114a1c9b [doc] NEWS 2018-08-12 22:27:02 -04:00
Glenn Strauss 8c35064583 [core] extend server.http-parseopts
"header-strict" => "enable"
  restrict chars permitted in HTTP request headers
    (overrides server.http-parseopt-header-strict)
"host-strict" => "enable"
  restrict chars permitted in HTTP request Host header
    (overrides server.http-parseopt-host-strict)
"host-normalize" => "enable"
  normalize HTTP Host header
    (overrides server.http-parseopt-host-normalize)
2018-08-12 22:20:26 -04:00
Glenn Strauss ebd9517639 [core] quell insignificant coverity warning 2018-08-12 15:43:03 -04:00
Glenn Strauss c791877f13 [build] add missing file for test_burl
add missing file for test_burl for cmake and meson builds
2018-08-12 15:28:34 -04:00
Glenn Strauss 82dcb34c73 [core] workaround Coverity cov-build bug with gcc7
workaround Coverity cov-build bug with gcc 7
where Coverity does not support _Floatx typedefs
2018-08-12 15:17:11 -04:00
Glenn Strauss c4d743bb4d mod_sockproxy - socket forwarding
2018-08-12 14:43:22 -04:00
Glenn Strauss 7c8cc6f7c5 [core] option to propagate TCP FIN to backend host
(experimental support for mod_sockproxy)

"tcp-fin-propagate" = "enable" for each host in *.server backend defs
2018-08-12 14:43:22 -04:00
Glenn Strauss bbf01a3a6c [core] reset var if FAMMonitorDirectory() fails
do not read fam_dir->version if FAMMonitorDirectory() fails
2018-08-12 14:43:22 -04:00
Glenn Strauss d161f53de0 [core] security: use-after-free invalid Range req
(thx Marcus Wengelin)
2018-08-12 14:43:22 -04:00
Glenn Strauss 1de1746925 [mod_rewrite] require rewrite result to begin '/' 2018-08-12 14:43:22 -04:00
Glenn Strauss f832b71180 [mod_redirect,mod_rewrite] base64url encoding opt
Provide means to encode redirect and rewrite backreference substitutions

  %{encb64u:...} encode to base64url characters (no-padding)
  %{decb64u:...} decode from base64url characters
2018-08-12 14:43:22 -04:00
Glenn Strauss 5868b8ca12 [core] add missing includes to quiet compiler warn
add missing system includes to quiet compiler warnings on Mac OS X
2018-08-12 14:43:22 -04:00
Glenn Strauss ba5026aa7a [mod_redirect,mod_rewrite] support up to 19 match
support up to 19 regex saved matches ($1 - $9 and ${1} - ${19})
for use in replacement substitutions.

lighttpd config conditionals are still limited to 9 matches (%1 - %9)
2018-08-12 14:43:22 -04:00
Glenn Strauss 769289b954 [core] POLLRDHUP handling for transparent proxying 2018-08-12 14:43:22 -04:00
Glenn Strauss 77d31d8584 [mod_wstunnel] quiet 32-bit compiler warnings 2018-08-12 14:43:22 -04:00
Glenn Strauss 2105dae0f9 [mod_alias] security: potential path traversal with specific configs
Security: potential path traversal of a single directory above the alias
target with a specific mod_alias config where the alias which is matched
does not end in '/', but alias target filesystem path does end in '/'.

e.g. server.docroot = "/srv/www/host/HOSTNAME/docroot"
     alias.url = ( "/img" => "/srv/www/hosts/HOSTNAME/images/" )

If a malicious URL "/img../" were passed, the request would be
for directory "/srv/www/hosts/HOSTNAME/images/../" which would resolve
to "/srv/www/hosts/HOSTNAME/".  If mod_dirlisting were enabled, which
is not the default, this would result in listing the contents of the
directory above the alias.  An attacker might also try to directly
access files anywhere under that path, which is one level above the
intended aliased path.

credit: Orange Tsai(@orange_8361) from DEVCORE
2018-08-12 14:43:22 -04:00
Glenn Strauss eb429c9c19 [mod_fastcgi] fix memleak with FastCGI auth,resp (fixes #2894)
fix memleak in mod_fastcgi when FastCGI is used for both authentication
and response on the same request

(thx rschmid)

  "Memory leak if two fcgi calls with one request (authentication and response)"
2018-08-12 14:43:22 -04:00
Glenn Strauss f4f13745c8 [mod_redirect,mod_rewrite] fix segfault w/ invalid syntax (fixes #2892)
(thx nti)

  "Segmentation fault with invalid lighttpd.conf syntax"
2018-08-12 14:43:22 -04:00
Glenn Strauss 255269d799 [mod_redirect,mod_rewrite] encoding options (fixes #443, fixes #911)
Provide means to encode redirect and rewrite backreference substitutions
  In addition to $1 and %1, the following modifiers are now supported,
  followed by the number for the backreference, e.g. ${esc:1}

  ${noesc:...}  no escaping
  ${esc:...}    escape all non-alphanumeric - . _ ~ incl double-escape %
  ${escape:...} escape all non-alphanumeric - . _ ~ incl double-escape %
  ${escnde:...} escape all non-alphanumeric - . _ ~  but no double-esc %


Provide means to substitute URI parts without needing a regex match
  (and can be preceded by encoding modifier,
     e.g. ${tolower:url.authority})


  ${qsa}        appends query string, if not empty

  "[PATCH] mod_redirect: Add support for url-encoding backreferences, map %%n->%n, $$n->$n"
  "Need for URL encoding in mod_redirect and possibly mod_rewrite"
2018-08-12 14:43:22 -04:00
Glenn Strauss 37900d24b3 [mod_redirect,mod_rewrite] pass request URI info 2018-08-12 14:43:22 -04:00
Glenn Strauss 1f6befbd66 [mod_cgi] handle CGI partial response header write
handle CGI partial write of first response header

e.g. gSoap stdsoap2.c might inefficiently write "Status" to response
pipe and lighttpd might read that prior to the backend writing the
subsequent ": " which marks "Status:" as a response header.

2018-08-12 14:43:22 -04:00
Glenn Strauss 2e385a1a53 [core] fix buffer_to_upper()
fix buffer_to_upper() and case-insensitive filesystem detection
2018-08-12 14:43:22 -04:00
Glenn Strauss 1c68589c67 [mod_redirect,mod_rewrite] short-circuit earlier
short-circuit earlier if there are no rules to be matched
2018-08-12 14:43:22 -04:00
Glenn Strauss bad1cfe059 [core] debug server.log-request-header-on-error
enable server.log-request-header-on-error when either
server.log-request-handling or server.log-request-header
are enabled in the global scope.

server.log-request-header-on-error is a global directive since it must
be set prior to parsing of request, and errors parsing request might
otherwise occur before lighttpd config conditions are parsed and set
(i.e. based on the parsed request headers)

  "Log error if Host name is illegal (e.g. contains an underscore)"
2018-08-12 14:43:22 -04:00
Glenn Strauss a8aa39c699 [core] remove some duplicative code in log.c 2018-08-12 14:43:22 -04:00
Glenn Strauss 6ebd289788 [core] inline some buffer.[ch] routines 2018-08-12 14:43:22 -04:00