Commit Graph

3074 Commits (e2de4e581ec7a61fd9f5218f260d3890837e31a4)

Author SHA1 Message Date
Glenn Strauss 80d12919d1 [core] replace connection_set_state w/ assignment
replace connection_set_state() with simple assignment

(only connections.c and connections-glue.c should change con state)
2020-02-24 11:14:45 -05:00
Glenn Strauss be6964f415 [core] use func rc to indicate done reading header 2020-02-24 11:14:45 -05:00
Glenn Strauss 1334436394 [core] store struct server * in struct connection 2020-02-24 11:14:45 -05:00
Glenn Strauss 41944e3be8 [core] add User-Agent to http_header_e enum
recognize as common header

(minor performance enhancement)
2020-02-24 11:14:45 -05:00
Glenn Strauss 9858051d03 [core] remove srv->split_vals 2020-02-24 11:14:45 -05:00
Glenn Strauss bcd5288557 [mod_evhost] use local array to split values 2020-02-24 11:14:45 -05:00
Glenn Strauss 1b08c736ba [mod_flv_streaming] parse query string w/o copying 2020-02-24 11:14:45 -05:00
Glenn Strauss e2b4c309f6 [core] http_header_str_contains_token() 2020-02-24 11:14:45 -05:00
Glenn Strauss 6f803af03c [core] perf: request processing 2020-02-24 11:14:43 -05:00
Glenn Strauss 2230b08ef4 - next is 1.4.56 2020-01-31 22:27:44 -05:00
Glenn Strauss b1048b2349 [doc] NEWS 2020-01-31 21:46:34 -05:00
Glenn Strauss f37c16aadd [core] fix one-byte OOB read (underflow)
In some circumstances, if the character on the heap prior to the
beginning of the request is '\r', then it would be overwritten with '\0'

With default compiler flags, this does not appear to occur in practice
and we therefore believe it to be a low-probability vulnerability.

(thx Antonio Morales)

This issue was discovered and reported by GSL team member @
<>  (Antonio Morales)
2020-01-31 16:54:59 -05:00
raw 2c409321df [build] Fix build when using nested CMake
(FetchContent, ExternalProject_Add)

github: closes #102
2020-01-30 21:47:59 -05:00
Niclas Rosenvik 8c9b5480f3 [core] Solaris has getloadavg in sys/loadavg.h
SunOS/Solaris/Illumos has getloadavg declared in sys/loadavg.h .

github: closes #101
2020-01-30 21:47:59 -05:00
Elan Ruusamäe 15cdc313b5 [config] update /var/run -> /run for systemd
This gets rid of the warning:
> May 19 10:56:32 buster systemd[1]: /lib/systemd/system/lighttpd.service:6:
> PIDFile= references path below legacy directory /var/run/,
> updating /var/run/ → /run/;
> please update the unit file accordingly.

- a2d1fb882c
- Filesystem Hierarchy Standard 3.0 (FHS 3.0)

github: closes #100
2020-01-30 21:47:36 -05:00
Glenn Strauss 12aa0f4c91 [core] save errno before logging if execve() fails
2020-01-26 00:41:06 -05:00
Glenn Strauss fb74bb7514 [core] do not accept() > server.max-connections 2020-01-26 00:41:05 -05:00
Glenn Strauss 8bddac9263 [mod_auth] close connection after bad password
mitigation slows down brute force password attacks

  "Possible feature: authentication brute force hardening"
2020-01-26 00:41:05 -05:00
Glenn Strauss fce489b806 [core] fall back to accept() if accept4() EPERM (fixes #2998)
On some architectures, accept4() might result in EPERM depending
on Linux kernel and/or glibc support for accept4()

(thx alex-che)

  "accept4 returns EPERM instead of ENOSYS on some platforms"
2020-01-26 00:41:05 -05:00
Glenn Strauss 9cdfb48466 [core] preserve %2b and %2B in query string (fixes #2999)
normalize %2b or %2B in query string to %2B (uppercase hex),
and not to '+'

(thx int-e)

  "url-normalize-required expands %2B in query strings"
2020-01-26 00:41:05 -05:00
Glenn Strauss aaccb1bc5e [multiple] address coverity warnings 2020-01-26 00:41:05 -05:00
Glenn Strauss f4a5a09d96 [core] Oracle Solaris does not have POLLRDHUP
(IllumOS added support 5+ years ago)

2020-01-26 00:41:05 -05:00
Glenn Strauss 330c39c694 [mod_accesslog] parse multiple cookies (fixes #2986)
(thx xoneca)

  "Cookie format specifier is broken"
2020-01-26 00:41:05 -05:00
Glenn Strauss fa8856757c [mod_openssl] reject invalid ALPN 2020-01-26 00:41:05 -05:00
Glenn Strauss 66624b375b [core] reject Transfer-Encoding + Content-Length (#2985)
reject requests with both Transfer-Encoding and Content-Length
as recommended in RFC 7230 Section 3.3.3.

strict header parsing is enabled by default in lighttpd.  However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept Transfer-Encoding and Content-Length in the same request,
and will ignore (and remove) Content-Length before passing to backend.
  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
  This is NOT RECOMMENDED since doing so disables other protections
  provided by lighttpd strict http header parsing.

RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
  3.3.3.  Message Body Length
  If a message is received with both a Transfer-Encoding and a
  Content-Length header field, the Transfer-Encoding overrides the
  Content-Length.  Such a message might indicate an attempt to
  perform request smuggling (Section 9.5) or response splitting
  (Section 9.4) and ought to be handled as an error.  A sender MUST
  remove the received Content-Length field prior to forwarding such
  a message downstream.

  stricter request header parsing
2020-01-26 00:41:04 -05:00
Glenn Strauss 61f85d14ee [core] reject WS following header field-name (fixes #2985)
reject whitespace following request header field-name and before colon
Such whitespace is forbidden in RFC 7230 Section 3.2.4.

strict header parsing is enabled by default in lighttpd.  However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept (and re-format) such field-names before passing to any backend.
  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
  This is NOT RECOMMENDED since doing so disables other protections
  provided by lighttpd strict http header parsing.

(thx fedormixalich)

  stricter request header parsing
2020-01-26 00:40:20 -05:00
Glenn Strauss 851728c6a1 [core] avoid freeaddrinfo() on NULL ptr (fixes #2984)
getaddrinfo() should return non-empty result list (res)
or else should return EAI_NONAME or some other error

(musl C library does not check for NULL argument to freeaddrinfo())

  "Segmentation fault in mod_extforward with libmusl"
2020-01-26 00:14:28 -05:00
Glenn Strauss 5c3f439bcf [build] PGSQL_CFLAGS with pkg-config for postgres (#2965)
build postgres modules with $(PGSQL_CFLAGS) in

  "pg_config is deprecated to build postgres client applications"
2019-09-11 02:15:06 -04:00
Glenn Strauss e790203a75 [build] PGSQL_CFLAGS with pkg-config for postgres (#2965)
  "pg_config is deprecated to build postgres client applications"
2019-09-11 02:04:44 -04:00
Glenn Strauss 0e749c1c84 [mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests

(mitigation for brute-force timing attacks against digests
 generated using the same nonce)

  "Digest auth nonces are not validated"
  "safe_memcmp new function proposal"
2019-09-08 18:26:58 -04:00
Glenn Strauss 89dfbf14a5 [mod_auth] http_auth_const_time_memeq_pad()
rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad()
for constant time padded comparison of strings of potentially different
2019-09-08 18:25:39 -04:00
Glenn Strauss 6ad325c659 [mod_auth] Authentication-Info: nextnonce=...
send Authentication-Info nextnonce when nonce is approaching expiration
2019-09-08 18:22:10 -04:00
Glenn Strauss c81bd354b2 [mod_auth] require digest uri= match original URI
lighttpd requires a strict match between the request URI and the uri=
auth-param provided in the Authenticate header.  lighttpd does not
attempt to determine if different URIs are semantically equivalent.

This commit removes a condition which permitted an Authenticate header
with a uri= containing a query-string to be used with the request-uri
which did not contain any query-string.  The condition was likely added
in the original implementation which operated on lighttpd request.uri
instead of the correct request.orig_uri (original URI sent to lighttpd).


HTTP Digest Access Authentication

3.4.6.  Various Considerations

   The authenticating server MUST assure that the resource designated by
   the "uri" parameter is the same as the resource specified in the
   Request-Line; if they are not, the server SHOULD return a 400 Bad
   Request error.  (Since this may be a symptom of an attack, server
   implementers may want to consider logging such errors.)  The purpose
   of duplicating information from the request URL in this field is to
   deal with the possibility that an intermediate proxy may alter the
   client's Request-Line.  This altered (but presumably semantically
   equivalent) request would not result in the same digest as that
   calculated by the client.

  "HTTP Digest Access Authentication"
  "HTTP digest authentication not compatible with some clients"
2019-09-08 15:14:26 -04:00
Glenn Strauss 1799e4c3eb [mod_auth] do not use quoted-string for algorithm
3.3.  The WWW-Authenticate Response Header Field
   For historical reasons, a sender MUST only generate the quoted string
   syntax values for the following parameters: realm, domain, nonce,
   opaque, and qop.

   For historical reasons, a sender MUST NOT generate the quoted string
   syntax values for the following parameters: stale and algorithm.
2019-09-08 13:55:33 -04:00
Glenn Strauss 019efb0ed8 [mod_webdav] fix file uploads > 128M (fixes #2970)
(thx Gundersanne)

  "mod_webdav writes to fd=-1 when uploading large files (1000M)"
2019-09-08 02:15:15 -04:00
Glenn Strauss 3390642285 [mod_authn_gssapi] option to store delegated creds (fixes #2967)
default enabled for backwards compatibility; disable in future

(thx lameventanas)

  "mod_authn_gssapi requires delegation?"
2019-09-08 02:14:41 -04:00
Glenn Strauss e9440ecfdf [mod_authn_gssapi] 500 if fail to delegate creds (#2967)
  "mod_authn_gssapi requires delegation?"
2019-09-07 16:37:00 -04:00
Glenn Strauss 3eff9bac4e [build] prefer pkg-config for postgres (fixes #2965)
  "pg_config is deprecated to build postgres client applications"
2019-09-07 14:53:00 -04:00
Glenn Strauss ea6006944b [mod_auth] http_auth_const_time_memeq improvement
employ volatile, which might matter with some compilers (or might not)
explicitly check that string lengths match
  (or else might match string where last char of short string matches
   repeated chars in longer string)
2019-09-07 13:44:51 -04:00
Glenn Strauss 84fb334476 [core] disable stat_cache FAM if FAM conn closed
  "Lighttpd Stopping suddenly, no apparent reason on the logfile"
2019-09-07 12:23:20 -04:00
Glenn Strauss c6b46da2c9 [core] retry on some fdevent set/del temporary err 2019-09-07 12:22:04 -04:00
Glenn Strauss 2e7a3c0ac5 [mod_deflate] fix choose encoding parse error (fixes #2981)
regression in mod_deflate in lighttpd 1.4.54

(thx ocin)

  "mod_deflate_choose_encoding() parse error"
2019-09-07 12:08:10 -04:00
Glenn Strauss 06a395a93e [core] issue config error for invalid ':' (fixes #2980)
  "Embedded vim command line in conf file with no comment (#) hangs server"
2019-09-07 11:59:56 -04:00
Glenn Strauss 670b2086f8 [core] move con state handling to connections*.c
move maint code from server.c to connections.c
2019-09-07 11:57:26 -04:00
Glenn Strauss b1cc0856d2 [core] fdevent_poll() is effective periodic timer
document that USE_ALARM in server.c is not used
2019-09-07 11:57:26 -04:00
Glenn Strauss 5718a471b0 [core] improve http_headers[] data struct packing 2019-09-07 11:44:21 -04:00
Stefan Bühler 7e5dfc1a40 [cmake]: enable CMAKE_POSITION_INDEPENDENT_CODE by default 2019-08-23 13:33:17 +02:00
Stefan Bühler d7c0fc295f Also use explicit_memset (NetBSD) with cmake, scons and meson 2019-08-22 13:13:24 +02:00
Stefan Bühler 79760d935a Use explicit_memset from NetBSD if available for safe_memclear (fixes #2971) 2019-08-22 13:08:28 +02:00
Glenn Strauss 186ce8a2b1 [core] allocate unix socket paths with SUN_LEN()+1 (fixes #2962)
(thx lighthouse2)

  "SUN_LEN in sock_addr.c (1.4.53, 1.4.54)"
2019-06-25 00:39:24 -04:00