authorGlenn Strauss <gstrauss@gluelogic.com>2019-05-04 17:36:31 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2019-05-04 17:48:04 -0400
commit1cf68f79eb1d57b279c906ee1e04c233c0bca615 (patch)
treea9a6397ef57d574217cc587220a166a8068fea37
parent49e9f0acdcd68bb9b7e4b30b41a95cb5b8c8b811 (diff)
[core] behavior change: stricter URL normalization
behavior change: stricter URL normalization Prior behavior can be obtained by configuring lighttpd.conf with: server.http-parseopts = ("url-normalize" => "disable" ) although this is not recommended. This behavior change was pre-announced with the releases of lighttpd 1.4.52 (2018.11.28) lighttpd 1.4.53 (2019.01.27) The recommended settings are: server.http-parseopts = ( "header-strict" => "enable", "host-strict" => "enable", "host-normalize" => "enable", "url-normalize" => "enable", "url-normalize-unreserved" => "enable", "url-normalize-required" => "enable", "url-ctrls-reject" => "enable", "url-path-2f-decode" => "enable", "url-path-backslash-trans" => "enable", "url-path-dotseg-remove" => "enable", "url-query-20-plus" => "enable" ) The lighttpd defaults with this commit are slightly less strict: server.http-parseopts = ( "header-strict" => "enable", "host-strict" => "enable", "host-normalize" => "enable", "url-normalize" => "enable", "url-normalize-unreserved" => "enable", #"url-normalize-required" => "enable", "url-ctrls-reject" => "enable", "url-path-2f-decode" => "enable", #"url-path-backslash-trans" => "enable", "url-path-dotseg-remove" => "enable", #"url-query-20-plus" => "enable" )
-rw-r--r--src/server.c4
-rwxr-xr-xtests/core-request.t2
-rwxr-xr-xtests/mod-proxy.t2
3 files changed, 2 insertions, 6 deletions
diff --git a/src/server.c b/src/server.c
index 4da7b5fb..b7086b07 100644
--- a/src/server.c
+++ b/src/server.c
@@ -289,15 +289,11 @@ static server *server_init(void) {
srv->srvconf.http_header_strict = 1;
srv->srvconf.http_host_strict = 1; /*(implies http_host_normalize)*/
srv->srvconf.http_host_normalize = 0;
- #if 0
srv->srvconf.http_url_normalize = HTTP_PARSEOPT_URL_NORMALIZE
| HTTP_PARSEOPT_URL_NORMALIZE_UNRESERVED
| HTTP_PARSEOPT_URL_NORMALIZE_CTRLS_REJECT
- | HTTP_PARSEOPT_URL_NORMALIZE_PATH_BACKSLASH_TRANS
| HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE
| HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE;
- #endif
- srv->srvconf.http_url_normalize = 0; /* temporary; change in future */
srv->srvconf.high_precision_timestamps = 0;
srv->srvconf.max_request_field_size = 8192;
srv->srvconf.loadavg[0] = 0.0;
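Review bot: The new default mask assigned to `srv->srvconf.http_url_normalize` carries no comment saying it is deliberately looser than the recommended set, so a reader of src/server.c cannot tell that `url-normalize-required`, `url-path-backslash-trans` and `url-query-20-plus` were left off on purpose. I would add above the assignment `/* defaults; the stricter recommended set also enables url-normalize-required, url-path-backslash-trans and url-query-20-plus */`. Deployments whose backends or filesystems treat `\` as a path separator presumably want `url-path-backslash-trans` enabled explicitly, because otherwise path-based access rules may be evaluated against a different path than the one the backend resolves; that caveat belongs in the option's documentation. server_init's body starts and ends outside the hunk.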
diff --git a/tests/core-request.t b/tests/core-request.t
index 6de62f85..1418fb25 100755
--- a/tests/core-request.t
+++ b/tests/core-request.t
@@ -54,7 +54,7 @@ $t->{REQUEST} = ( <<EOF
GET /index.html%00 HTTP/1.0
EOF
);
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
ok($tf->handle_http($t) == 0, 'URL-encoding, %00');
$t->{REQUEST} = ( <<EOF
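Review bot: Only control-character rejection is pinned by the changed expectation here (`%00` now returns 400), and the tests/mod-proxy.t hunk pins only the upper-casing of percent-encoded hex (`%3a` becomes `%3A`); nothing visible in this commit exercises the newly default `url-path-2f-decode` or `url-path-dotseg-remove`. If requests with encoded slashes and dot-segments are not already covered under the default configuration elsewhere in the suite, they should be added with this change, since those two options decide which path the access rules are matched against. The test label could also state the new expectation, e.g. `'URL-encoding, %00 rejected'`.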
diff --git a/tests/mod-proxy.t b/tests/mod-proxy.t
index d3c18214..50cd1424 100755
--- a/tests/mod-proxy.t
+++ b/tests/mod-proxy.t
@@ -51,7 +51,7 @@ GET /rewrite/all/some+test%3axxx%20with%20space HTTP/1.0
Host: www.example.org
EOF
);
- $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '/some+test%3axxx%20with%20space' } ];
+ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '/some+test%3Axxx%20with%20space' } ];
ok($tf_proxy->handle_http($t) == 0, 'rewrited urls work with encoded path');
ok($tf_proxy->stop_proc == 0, "Stopping lighttpd proxy");