move http_cgi_ssl_env() from response.c to http-header-glue.c
for symbol visibility on Mac OS X.
x-ref:
"Undefined symbols: _http_cgi_ssl_env"
https://redmine.lighttpd.net/issues/2757
mod_deflate performs prefix match of deflate.mimetypes against the
response Content-Type. Therefore "text/" will make all text/*
mimetypes. This commit permits admin to specify "text/*" in
deflate.mimetypes = ("text/*")
and mod_deflate will treat it as "text/". This is done only when the
'*' is the last char in the mimetype.
remove mod_authn_gssapi explicit dependency on -lresolv
This fixes build on FreeBSD when ./configure --with-krb5
(On systems that need libresolv, libkrb5 depends on libresolv)
Also remove obsolete hstrerror() references from build
setting or removing FD_CLOEXEC flag does not fail
Also the use in mod_fastcgi and mod_scgi is in child after fork().
If the fd already happens to be 0 (should not happen in current code)
and removing the FD_CLOEXEC flag fails, then the backend will fail
to start.
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()
These are not necessarily cryptographically secure, but should be better
than rand()
initialized for mod_magnet and dynamic CGI-like handlers
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi) (*not* mod_proxy)
Note: in the future a config flag (does not yet exist) might be required
to activate initialization of these SSL_* env variables. This might
occur if there are requests to access these variables in mod_accesslog,
and/or if more SSL_* varables are created, which would be more work.
x-ref:
"pass protocol and cipher details to fcgi env"
https://redmine.lighttpd.net/issues/2511
consolidated from CGI, FastCGI, SCGI, SSI
Note: due to prior inconsistencies between the code in mod_cgi,
mod_fastcgi, mod_scgi, and mod_ssi, there are some minor behavior
changes.
CONTENT_LENGTH is now always set, even if 0
(though CONTENT_LENGTH is never set for FASTCGI_AUTHORIZER)
PATH_INFO is created only if present, not if empty.
(mod_fastcgi and mod_ssi previously set PATH_INFO="" (blank value))
PATH_TRANSLATED is now set if PATH_INFO is present
(previously missing from mod_cgi and mod_ssi)
mod_ssi now sets DOCUMENT_ROOT to con->physical.basedir, like others
(previously, mod_ssi set DOCUMENT_ROOT to con->physical.doc_root,
which matched con->physical.basedir unless mod_alias changed basedir)
mod_ssi now sets REQUEST_URI to con->request.orig_uri, like others
(previously, mod_ssi set REQUEST_URI to con->request.uri, which
matched con->request.orig_uri except after redirects, error docs)
limits total size per request of request headers submitted by client
default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)
(similar to Apache directive LimitRequestFieldSize)
x-ref:
"limits the size of HTTP request header"
https://redmine.lighttpd.net/issues/2130
If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.
x-ref:
"Allow User-DN to be supplied in the configuration rather than searching"
https://redmine.lighttpd.net/issues/1248
ldap filter supports substitution of multiple '$', each with username
x-ref:
"auth.backend.ldap.filter: only one/first "$" replaced with Username"
https://redmine.lighttpd.net/issues/1508
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
Configuring the protocol is controlled with new lighttpd.conf directive:
scgi.protocol = "scgi" # default
scgi.protocol = "uwsgi"
The uwsgi protocol differs from the SCGI protocol only in how the
request is encoded. The response from the backend is handled the
same way for both SCGI and uwsgi protocols.
x-ref: http://uwsgi-docs.readthedocs.io/en/latest/Protocol.html
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
module status: experimental; more testing and review needed
Kerberos library calls have been preserved from original patch set
and should be reviewed.
module has been quickly tested with Basic auth (Use over TLS!)
SPNEGO -has not- been tested. Again, kerberos library calls have
been preserved from original patch set. YMMV. (Use over TLS!)
x-ref:
"Kerberos/GSSAPI Delegation Support"
https://redmine.lighttpd.net/issues/1899
Glenn Strauss