Commit Graph

2138 Commits

Author SHA1 Message Date
Glenn Strauss a69a803e35 [core] try AF_INET after AF_INET6 if use-ipv6
try AF_INET after AF_INET6 if server.use-ipv6 = "enable" and
getaddrinfo() fails EAI_ADDRFAMILY when hints.ai_family is AF_INET6.
(Prefer IPv6 instead of setting hinst.ai_family to AF_UNSPEC since
lighttpd only uses the first address returned)
2016-07-27 15:37:46 -04:00
Glenn Strauss a95aaa9de9 [TLS] read all available records from SSL_read()
read all available records from SSL_read(), even if larger than
MAX_READ_LIMIT, since the data is already in memory.  openssl is
configured with SSL_MODE_RELEASE_BUFFERS and will release openssl
buffers once records have been read.

Without reading available data, there was a chance that the connection
would hang waiting for a read event on the fd, even though all the
data had already been read from kernel socket buffers and was in openssl
memory waiting to be read with SSL_read().

(thx glen and avij)
2016-07-27 06:00:44 -04:00
Glenn Strauss bce293e4a7 [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
2016-07-27 02:24:53 -04:00
Glenn Strauss 565dec2ff1 [core] consolidate duplicated response_end code 2016-07-26 16:48:20 -04:00
Glenn Strauss 38139fa1a9 [core] permit IPv6 address scope identifier
getaddrinfo() on permits a scope identifier to be part of the IPv6
address string, so permit this syntax in $SERVER["socket"] validation.

2016-07-25 01:01:10 -04:00
Glenn Strauss 9af58a9716 revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
reverts part of commit:dbdab5db which swapped REQUEST_URI, REDIRECT_URI

  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"


REQUEST_URI and REDIRECT_URI are not part of CGI standard environment.
The reason for their existence is that PATH_INFO in CGI environment may
be different from the path in the current request.  The main reason for
this potential difference is that the URI path is normalized to a path
in the filesystem and tested against the filesystem to determine which
part is SCRIPT_NAME and which part is PATH_INFO.  In case-insensitive
filesystems, the URI might be lowercased before testing against the
filesystem, leading to loss of case-sensitive submission in any
resulting PATH_INFO.  Also, duplicated slashes "///" and directory
references "/." and "/.." are removed, including prior path component in
the case of "/..".  This might be undesirable when the information after
the SCRIPT_NAME is virtual information and there target script needs the
virtual path preserved as-is.  In that case, the target script can
re-parse REQUEST_URI (or REDIRECT_URI, as appropriate) to obtain the
unmodified information from the URI.

con->request.uri is equivalent to con->request.orig_uri unless the
request has been internally rewritten (e.g. by mod_rewrite, mod_magnet,
others), in which case con->request.orig_uri is the request made by the
client, and con->request.uri is the current URI being processed.

Historical REQUEST_URI (environment variable) lighttpd inconsistencies
- mod_cml     set REQUEST_URI to con->request.orig_uri
- mod_cgi     set REQUEST_URI to con->request.orig_uri
- mod_fastcgi set REQUEST_URI to con->request.orig_uri
- mod_scgi    set REQUEST_URI to con->request.orig_uri

- mod_ssi     set            REQUEST_URI to current con->request.uri
- mod_magnet  set MAGNET_ENV_REQUEST_URI to current con->request.uri
              and MAGNET_ENV_REQUEST_ORIG_URI to con->request.orig_uri

Historical REDIRECT_URI (environment variable) previously set only in
mod_fastcgi and mod_scgi, and set to con->request.uri

Since lighttpd 1.4.40 provides REDIRECT_URI with con->request.orig_uri,
changes were made to REQUEST_URI for consistency, with the hope that
there would be little impact to existing configurations since the
request uri and original request uri are the same unless there has been
an internal redirect.  It turns out that various PHP frameworks use
REQUEST_URI and require that it be the original URI requested by client.

Therefore, this change is being reverted, and lighttpd will set
REQUEST_URI to con->request.orig_uri in mod_cgi, mod_fastcgi, mod_scgi
as was done in lighttpd 1.4.39 and earlier.  Similarly, REDIRECT_URI
also has the prior behavior in mod_fastcgi and mod_scgi, and added to

A future release of lighttpd might change mod_ssi to be consistent with
the other modules in setting REQUEST_URI to con->request.orig_uri and to
add REDIRECT_URI, when an internal redirect has occurred.
2016-07-23 02:13:41 -04:00
Glenn Strauss ed340897a2 do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
reverts commit:b473220d

  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"
2016-07-23 01:35:13 -04:00
Glenn Strauss b43fc006be [mod_status] show keep-alive status w/ text output (fixes #2740)
  "mod_status with "?auto" modifier not showing keep-alive (k) status
on Scoreboard"
  "server-status - additional stats - keepalive"
2016-07-21 11:19:06 -04:00
Glenn Strauss cd33554b74 [core] $HTTP["remoteip"] must handle IPv6 w/o []
[core] $HTTP["remoteip"] must handle IPv6 w/o [] (existing behavior)
This was inadvertently broken in lighttpd 1.4.40 when IP address
normalization was added.

In $HTTP["remoteip"], IPv6 is now accepted with or without '[]'.
http_request_host_normalize() expects IPv6 with '[]', and config
processing at runtime expects COMP_HTTP_REMOTE_IP compared without '[]',
so '[]' is stripped (internally) after normalization
2016-07-21 01:42:35 -04:00
Glenn Strauss cb468d333c [core] stay in CON_STATE_CLOSE until done with req
Do not switch to CON_STATE_ERROR upon idle timeout if already in
CON_STATE_CLOSE.  Changing to CON_STATE_ERROR might keep resetting
con->close_timeout_ts if repeated calls to shutdown() succeed.
2016-07-20 05:43:39 -04:00
Glenn Strauss 78c79ead4a [core] avoid spurious trace and error abort
HANDLER_COMEBACK and HANDLER_ERROR are valid return values
from dynamic fdevent handlers.  Do not abort if HANDLER_ERROR
is returned.
2016-07-19 17:29:14 -04:00
Glenn Strauss 1ebc83f11f [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms

This commit contains fixes for CMake and SCONS
See also commit:4d920466 which updated for same

  "1.4.40 compiling issuses on Debian Wheezy"
2016-07-19 04:03:14 -04:00
Glenn Strauss 779c133c16 [security] do not emit HTTP_PROXY to CGI env
Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.

This is not a lighttpd security issue per se, but this change to
lighttpd adds a layer of defense to protect backend processes which
might be vulnerable due to blindly using this untrusted environment
variable.  The HTTP_PROXY environment variable should not be trusted
by a program running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
* Modify lighttpd.conf to load mod_magnet and run lua code
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

CGI web servers assign Proxy header values from client requests to
internal HTTP_PROXY environment variables
httpoxy: A CGI application vulnerability
2016-07-19 01:22:33 -04:00
Glenn Strauss d506f4a569 minor: spelling changes in some comments/messages 2016-07-18 23:26:38 -04:00
Glenn Strauss 4d920466f7 [autobuild] clock_gettime() -lrt with glibc < 2.17
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms

On systems without clock_gettime (-cough- Mac OSX -cough-),
use gettimeofday() (deprecated in POSIX.1-2008) which is slightly
lower precision, but reasonably fast in execution.  References:
2016-07-18 23:24:42 -04:00
Glenn Strauss a3ec906ef9 [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
illumos (OpenIndiana) gets FIONREAD from <sys/filio.h>

  "lighttpd 1.4.40 compilation fails on illumos (OpenIndiana)"
2016-07-18 04:40:57 -04:00
fbrosson 72abc87b40 [autobuild] move inet_pton detection later
HAVE_INET_PTON was probably not being defined on Solaris.

While at it, also add detection for accept() in libnetwork for Haiku.

github: closes #68
2016-07-18 00:30:27 -04:00
Glenn Strauss 9c49dc9a5c workaround clang compiler warning 2016-07-17 23:21:50 -04:00
Glenn Strauss acad2c903a fix some warnings reported by cppcheck
fix some warnings reported by cppcheck and
change mod_skeleton.c to use buffer_string_length()
2016-07-17 16:13:31 -04:00
Glenn Strauss 393dfd8cb9 [mod_ssi] fix #config sizefmt="bytes" 2016-07-17 14:54:03 -04:00
Glenn Strauss adf91591fc [doc] update memcache references to memcached 2016-07-17 00:30:24 -04:00
Glenn Strauss 00cc4d7c0e [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
Make Digest authentication more compliant with RFC.

Excerpt from Section 5.13:
    The bottom line is that any compliant implementation will be
    relatively weak by cryptographic standards, but any compliant
    implementation will be far superior to Basic Authentication.

  "Serious security problem in Digest Authentication"
2016-07-16 23:25:53 -04:00
Glenn Strauss 052a049f29 [build] allow AUTHOR, KEYID overrides to packdist 2016-07-16 23:23:24 -04:00
Glenn Strauss 2cdc017fb9 [config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
inherit server.use-ipv6 and server.set-v6only from global scope
into $SERVER["socket"] blocks

(This potential behavior change was announced with lighttpd 1.4.40)

  "$SERVER["socket"] to bind to IPv6 by default"
2016-07-16 16:15:19 -04:00
Glenn Strauss e9c9f42564 remove long-deprecated, non-functional config opts 2016-07-16 16:11:51 -04:00
Glenn Strauss 8f8fa606ca - next is 1.4.41 2016-07-16 07:58:40 -04:00
Glenn Strauss 268c5582b2 [doc] NEWS 2016-07-15 20:02:17 -04:00
Glenn Strauss ee708db9fd [doc] add self to AUTHORS (discussed w/ stbuehler) 2016-07-15 20:00:59 -04:00
Glenn Strauss a83bae5bd2 update lighttpd -h 2016-07-15 19:47:58 -04:00
Glenn Strauss 8861c2bb54 [mod_cgi] handle local redirect response (fixes #2108)
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response

  "CGI local redirect not implemented correctly"
2016-07-14 16:31:08 -04:00
Glenn Strauss bcddcf8b0e [tests] remove some tests duplicated in mod-cgi.t 2016-07-14 13:21:43 -04:00
Glenn Strauss 86cd135b25 [core] fdevent_libev: workaround compiler warning
workaround compiler warning w/ gcc -Wstrict-aliasing=2 -fstrict-aliasing
2016-07-13 16:06:58 -04:00
Glenn Strauss bd8b58cea5 [core] fdevent_libev: update use of ev_timer 2016-07-13 14:10:59 -04:00
Glenn Strauss ce7d040bf3 [mod_access] new directive url.access-allow (fixes #1421)
url.access-allow is list of allowed url suffixes (e.g. file extensions)
If url.access-allow has been set, then deny any URL that does not match
the explicitly listed suffixes.

(thx japc)

  "access_allow directive for lighttpd"
2016-07-13 04:12:08 -04:00
Glenn Strauss 5e76b284df [mod_accesslog] %a %A %C %D %k %{}t %{}T (fixes #1145, fixes #1415, fixes #2081)
add support for additional commonly-used accesslog format flags

  "mod_accesslog cookie field support %{VARNAME}C"
  "access_log : %D time used in ms (not supported)"
  "%{format}t support"
2016-07-12 23:03:16 -04:00
Glenn Strauss a714f4f720 fix gcc 6.1.1 compiler warn misleading-indentation 2016-07-12 20:19:32 -04:00
Glenn Strauss c1af146a6e [mod_fastcgi,mod_scgi] check for spawning on same unix socket (#319)
error out if duplicated unix socket path and different bin-path is
used by lighttpd to start the backend.  This is an error.
Updates commits 97556d99 and b67ff2aa

  "Should warn if two FastCGI servers point to same socket file"
2016-07-10 17:24:39 -04:00
Glenn Strauss b67ff2aaca [mod_fastcgi,mod_scgi] check for spawning on same unix socket (#319)
silently use same 'host' if unix socket path is duplicated
(instead of erroring out).  Updates commit 97556d99

(It is possible for use of += in config to result in duplicated
 fastcgi.server and scgi.server entries)

  "Should warn if two FastCGI servers point to same socket file"
2016-07-10 15:08:28 -04:00
Glenn Strauss fe02be7e34 [core] make server.max-request-size scopeable (fixes #1901)
  "make server.max-request-size scopeable"
2016-07-09 11:01:13 -04:00
Glenn Strauss 3d98e0b61a [mod_uploadprogress] fix mem leak (#1858)
fix memory leak
reduce code redundancy
convert code to use newer buffer.h APIs
proper cleanup if upload cancelled or client disconnected
change "starting" message to "not in progress" if upload not in progress
2016-07-07 14:16:46 -04:00
Glenn Strauss 1cb30900f3 [core] remove assert in fdevent_unregister()
assumptions changed: fdn->events can be 0 with server streaming
request and/or response.
2016-07-07 12:47:13 -04:00
Glenn Strauss 53d906968b [autobuild] CMake check for struct tm tm_gmtoff (fixes #2014)
  "cmake scripts don't HAVE_STRUCT_TM_GMTOFF -> wrong timezone"
2016-07-06 14:00:07 -04:00
Glenn Strauss dd1ae42770 [mod_webdav] fix proppatch mem leak, other fixes (#fixes 1334, #fixes 2000)
  "mod_webdav returns Not Implemented when DELETE fails on permissions error"
  "webdav: Define resourcetype for resources other than collections"
2016-07-05 23:22:41 -04:00
Glenn Strauss 28841bfc3d [core] fix server.max-request-size to be precise (fixes #2131)
(previously would allow up to 1k data above configured limit)

  "max-request-size comparing mistake"
2016-07-05 16:34:04 -04:00
Glenn Strauss d6c60ebbff [TLS] fix return value checks during cert init
openssl interfaces typically return 1 to indicate success,
with varying return values to indicate failure
(sometimes 0, sometimes 'not 1')

(thx mackyle)
2016-07-05 01:36:57 -04:00
Glenn Strauss 340e9aefa0 [core] fix s6_addr type-punned compiler warning
(older gcc compilers)
2016-07-02 14:26:51 -04:00
Glenn Strauss d147673d40 [tests] remove dependency on is no longer shipped as part of Perl core distribution
(and is easily replaced)
2016-07-02 13:47:22 -04:00
Glenn Strauss c489dd6cc4 [cygwin] minor: fix compiler warning 2016-07-02 02:17:39 -04:00
Glenn Strauss c916b2fc11 [build] add $(ATTR_LIB) to liblightcomp_la_LIBADD
(for cygwin)
2016-06-30 22:33:54 -04:00
Glenn Strauss 5ce7b2df5c [core] add declarations to fdevent.h (#2373)
(follow-up to 79bcfab0)

  "FreeBSD build with libev broken"
2016-06-29 21:12:21 -04:00