config settings were not being copied into proxy request context
x-ref:
"mod_proxy's “proxy.forwarded” option seems ignored when used with mod_auth."
https://redmine.lighttpd.net/issues/2902
Replace separators between folded header lines in-place using spaces
and then process the single header line.
(Reverts change which replaces folding whitespace with single space)
Acknowledgement: Or Peles of VDOO reference: VD-0871, VD-0872, VD-0873
(thx Or Peles)
- this fixes various use-after-free scenarios (reported by Or Peles of
VDOO): when parse_single_header stores pointers to header values in
con->request, those pointers are not updated if the header value is
reallocated when folded header lines are appended.
- also remove trailing white-space from folded lines
Provide means to encode redirect and rewrite backreference substitutions
%{encb64u:...} encode to base64url characters (no-padding)
%{decb64u:...} decode from base64url characters
support up to 19 regex saved matches ($1 - $9 and ${1} - ${19})
for use in replacement substitutions.
lighttpd config conditionals are still limited to 9 matches (%1 - %9)
Security: potential path traversal of a single directory above the alias
target with a specific mod_alias config where the alias which is matched
does not end in '/', but alias target filesystem path does end in '/'.
e.g. server.docroot = "/srv/www/host/HOSTNAME/docroot"
alias.url = ( "/img" => "/srv/www/hosts/HOSTNAME/images/" )
If a malicious URL "/img../" were passed, the request would be
for directory "/srv/www/hosts/HOSTNAME/images/../" which would resolve
to "/srv/www/hosts/HOSTNAME/". If mod_dirlisting were enabled, which
is not the default, this would result in listing the contents of the
directory above the alias. An attacker might also try to directly
access files anywhere under that path, which is one level above the
intended aliased path.
credit: Orange Tsai(@orange_8361) from DEVCORE
fix memleak in mod_fastcgi when FastCGI is used for both authentication
and response on the same request
(thx rschmid)
x-ref:
"Memory leak if two fcgi calls with one request (authentication and response)"
https://redmine.lighttpd.net/issues/2894
Provide means to encode redirect and rewrite backreference substitutions
In addition to $1 and %1, the following modifiers are now supported,
followed by the number for the backreference, e.g. ${esc:1}
${noesc:...} no escaping
${esc:...} escape all non-alphanumeric - . _ ~ incl double-escape %
${escape:...} escape all non-alphanumeric - . _ ~ incl double-escape %
${escnde:...} escape all non-alphanumeric - . _ ~ but no double-esc %
${tolower:...}
${toupper:...}
%{noesc:...}
%{esc:...}
%{escape:...}
%{escnde:...}
%{tolower:...}
%{toupper:...}
Provide means to substitute URI parts without needing a regex match
(and can be preceded by encoding modifier,
e.g. ${tolower:url.authority})
${url.scheme}
${url.authority}
${url.port}
${url.path}
${url.query}
${qsa} appends query string, if not empty
x-ref:
"[PATCH] mod_redirect: Add support for url-encoding backreferences, map %%n->%n, $$n->$n"
https://redmine.lighttpd.net/issues/443
"Need for URL encoding in mod_redirect and possibly mod_rewrite"
https://redmine.lighttpd.net/issues/911
handle CGI partial write of first response header
e.g. gSoap stdsoap2.c might inefficiently write "Status" to response
pipe and lighttpd might read that prior to the backend writing the
subsequent ": " which marks "Status:" as a response header.
x-ref:
https://redmine.lighttpd.net/boards/2/topics/8028
enable server.log-request-header-on-error when either
server.log-request-handling or server.log-request-header
are enabled in the global scope.
server.log-request-header-on-error is a global directive since it must
be set prior to parsing of request, and errors parsing request might
otherwise occur before lighttpd config conditions are parsed and set
(i.e. based on the parsed request headers)
x-ref:
"Log error if Host name is illegal (e.g. contains an underscore)"
https://redmine.lighttpd.net/issues/2885
Glenn Strauss
Stefan Bühler