Age | Commit message | Author | Files | Lines

2019-09-11 | [build] PGSQL_CFLAGS with pkg-config for postgres (#2965) (HEAD, master) | Glenn Strauss | 1 | -2/+2
    build postgres modules with $(PGSQL_CFLAGS) in
    x-ref: "pg_config is deprecated to build postgres client applications"

2019-09-11 | [build] PGSQL_CFLAGS with pkg-config for postgres (#2965) | Glenn Strauss | 1 | -4/+4
    x-ref: "pg_config is deprecated to build postgres client applications"

2019-09-08 | [mod_auth] http_auth_const_time_memeq() (#2975, #2976) | Glenn Strauss | 5 | -3/+29
    use constant time comparison when comparing digests (mitigation for brute-force timing attacks against digests generated using the same nonce)
    x-ref: "Digest auth nonces are not validated" "safe_memcmp new function proposal"

2019-09-08 | [mod_auth] http_auth_const_time_memeq_pad() | Glenn Strauss | 3 | -3/+5
    rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad() for constant time padded comparison of strings of potentially different length

2019-09-08 | [mod_auth] Authentication-Info: nextnonce=... | Glenn Strauss | 1 | -1/+33
    send Authentication-Info nextnonce when nonce is approaching expiration

2019-09-08 | [mod_auth] require digest uri= match original URI | Glenn Strauss | 1 | -3/+1
    lighttpd requires a strict match between the request URI and the uri= auth-param provided in the Authenticate header. lighttpd does not attempt to determine if different URIs are semantically equivalent. This commit removes a condition which permitted an Authenticate header with a uri= containing a query-string to be used with the request-uri which did not contain any query-string. The condition was likely added in the original implementation which operated on lighttpd request.uri instead of the correct request.orig_uri (original URI sent to lighttpd).

    HTTP Digest Access Authentication
    3.4.6. Various Considerations
        The authenticating server MUST assure that the resource designated by the "uri" parameter is the same as the resource specified in the Request-Line; if they are not, the server SHOULD return a 400 Bad Request error. (Since this may be a symptom of an attack, server implementers may want to consider logging such errors.) The purpose of duplicating information from the request URL in this field is to deal with the possibility that an intermediate proxy may alter the client's Request-Line. This altered (but presumably semantically equivalent) request would not result in the same digest as that calculated by the client.

    x-ref: "HTTP Digest Access Authentication" "HTTP digest authentication not compatible with some clients"

2019-09-08 | [mod_auth] do not use quoted-string for algorithm | Glenn Strauss | 1 | -2/+2
    3.3. The WWW-Authenticate Response Header Field
    ...
        For historical reasons, a sender MUST only generate the quoted string syntax values for the following parameters: realm, domain, nonce, opaque, and qop.
        For historical reasons, a sender MUST NOT generate the quoted string syntax values for the following parameters: stale and algorithm.

2019-09-08 | [mod_webdav] fix file uploads > 128M (fixes #2970) | Glenn Strauss | 1 | -1/+4
    (thx Gundersanne)
    x-ref: "mod_webdav writes to fd=-1 when uploading large files (1000M)"

2019-09-08 | [mod_authn_gssapi] option to store delegated creds (fixes #2967) | Glenn Strauss | 1 | -1/+11
    default enabled for backwards compatibility; disable in future
    (thx lameventanas)
    x-ref: "mod_authn_gssapi requires delegation?"

2019-09-07 | [mod_authn_gssapi] 500 if fail to delegate creds (#2967) | Glenn Strauss | 1 | -10/+22
    x-ref: "mod_authn_gssapi requires delegation?"

2019-09-07 | [build] prefer pkg-config for postgres (fixes #2965) | Glenn Strauss | 1 | -9/+15
    x-ref: "pg_config is deprecated to build postgres client applications"

2019-09-07 | [mod_auth] http_auth_const_time_memeq improvement | Glenn Strauss | 1 | -3/+14
    employ volatile, which might matter with some compilers (or might not)
    explicitly check that string lengths match (or else might match string where last char of short string matches repeated chars in longer string)
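The padded constant-time comparison described across the three http_auth_const_time_memeq commits above, written out as an added example (this is not lighttpd's code; the function names ct_pad_core, ct_memeq_pad_weak and ct_memeq_pad are illustrative). The weak form pads the shorter input by repeating its last byte but never checks the lengths, so "abc" compares equal to "abccc"; the hardened form folds the length mismatch into the accumulator while keeping the loop bound independent of where the bytes differ.

```c
#include <stddef.h>
#include <stdio.h>

/* Shared loop: walk both inputs for max(alen, blen) steps, padding the
 * shorter one by re-reading its last byte, so the running time depends only
 * on the (public) lengths and never on where the first differing byte is.
 * 'diff' seeds the accumulator; volatile discourages the compiler from
 * shortcutting the reads. */
static int ct_pad_core(const char *a, size_t alen,
                       const char *b, size_t blen, unsigned char diff)
{
    const volatile unsigned char *va = (const volatile unsigned char *)a;
    const volatile unsigned char *vb = (const volatile unsigned char *)b;
    size_t lim = alen > blen ? alen : blen;
    if (alen == 0 || blen == 0)      /* no last byte to pad from */
        return diff == 0 && alen == blen;
    for (size_t i = 0, j = 0; lim; --lim) {
        diff |= (unsigned char)(va[i] ^ vb[j]);
        i += (i < alen - 1);         /* branch-free: stick at the last byte */
        j += (j < blen - 1);
    }
    return diff == 0;
}

/* Weak form (the defect the improvement commit fixes): no length check, so
 * "abc" vs "abccc" compares equal because the padding byte 'c' matches the
 * longer string's repeated trailing 'c's. */
static int ct_memeq_pad_weak(const char *a, size_t alen,
                             const char *b, size_t blen)
{
    return ct_pad_core(a, alen, b, blen, 0);
}

/* Hardened form: fold the length mismatch into the accumulator so inputs of
 * different length can never compare equal. */
static int ct_memeq_pad(const char *a, size_t alen,
                        const char *b, size_t blen)
{
    return ct_pad_core(a, alen, b, blen, (unsigned char)(alen != blen));
}

int main(void)
{
    printf("weak  abc/abccc: %d\n", ct_memeq_pad_weak("abc", 3, "abccc", 5)); /* 1 */
    printf("fixed abc/abccc: %d\n", ct_memeq_pad("abc", 3, "abccc", 5));      /* 0 */
    printf("fixed abc/abc:   %d\n", ct_memeq_pad("abc", 3, "abc", 3));        /* 1 */
    return 0;
}
```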
2019-09-07 | [core] disable stat_cache FAM if FAM conn closed | Glenn Strauss | 1 | -2/+6
    x-ref: "Lighttpd Stopping suddenly, no apparent reason on the logfile"

2019-09-07 | [core] retry on some fdevent set/del temporary err | Glenn Strauss | 2 | -12/+62

2019-09-07 | [mod_deflate] fix choose encoding parse error (fixes #2981) | Glenn Strauss | 1 | -1/+1
    regression in mod_deflate in lighttpd 1.4.54
    (thx ocin)
    x-ref: "mod_deflate_choose_encoding() parse error"

2019-09-07 | [core] issue config error for invalid ':' (fixes #2980) | Glenn Strauss | 1 | -0/+7
    x-ref: "Embedded vim command line in conf file with no comment (#) hangs server"

2019-09-07 | [core] move con state handling to connections*.c | Glenn Strauss | 4 | -133/+141
    move maint code from server.c to connections.c

2019-09-07 | [core] fdevent_poll() is effective periodic timer | Glenn Strauss | 1 | -3/+6
    document that USE_ALARM in server.c is not used

2019-09-07 | [core] improve http_headers[] data struct packing | Glenn Strauss | 1 | -29/+30

2019-08-23 | [cmake]: enable CMAKE_POSITION_INDEPENDENT_CODE by default | Stefan Bühler | 1 | -0/+3

2019-08-22 | Also use explicit_memset (NetBSD) with cmake, scons and meson | Stefan Bühler | 4 | -1/+4

2019-08-22 | Use explicit_memset from NetBSD if available for safe_memclear (fixes #2971) | Stefan Bühler | 2 | -1/+4

2019-06-25 | [core] allocate unix socket paths with SUN_LEN()+1 (fixes #2962) | Glenn Strauss | 1 | -3/+2
    (thx lighthouse2)
    x-ref: "SUN_LEN in sock_addr.c (1.4.53, 1.4.54)"

2019-06-06 | [core] correct __attribute_pure__ syntax | Glenn Strauss | 1 | -2/+2

2019-06-06 | [core] use buffer_eq_icase_ssn func | Glenn Strauss | 7 | -13/+11
    specialized buffer_eq_icase_ssn func replaces strncasecmp() in cases where string lengths are not known to be at least as large as the len being compared case-insensitively. (Separate commit in case any future changes modify the implementation to be unsafe for shorter strings, where strncasecmp() would stop at '\0' in either string)

2019-06-06 | [core] use buffer_eq_icase_ssn func | Glenn Strauss | 6 | -16/+17
    specialized buffer_eq_icase_ssn func replaces strncasecmp() in cases where string lengths are known to be at least as large as the len being compared case-insensitively

2019-06-06 | [core] cold func http_response_omit_header() | Glenn Strauss | 1 | -17/+29
2019-06-06 | [mod_webdav] fix startup crash w/ multiple conds (fixes #2958) | Glenn Strauss | 1 | -2/+2
    (thx flynn)
    x-ref: "lighttpd 1.4.54 segfaults on start in mod_webdav"

2019-06-06 | [core] mark some more funcs w/ __attribute_pure__ | Glenn Strauss | 2 | -4/+23

2019-06-06 | [multiple] replace strcasecmp() on short strings | Glenn Strauss | 3 | -8/+12

2019-06-06 | [core] use buffer_eq_icase* funcs | Glenn Strauss | 4 | -20/+20
    specialized buffer_eq_icase* funcs replace buffer_caseless_compare()

2019-06-06 | [core] mark some more funcs w/ __attribute_pure__ | Glenn Strauss | 2 | -0/+3

2019-06-06 | [core] specialized buffer_eq_*() for short strings | Glenn Strauss | 2 | -22/+47
    specialized buffer_eq_*() funcs for use with short strings, e.g. case-insensitive comparison for equality

2019-06-06 | [core] array-specialized buffer_caseless_compare() | Glenn Strauss | 1 | -1/+19
    specialize buffer_caseless_compare() for array.c

2019-06-06 | [core] __attribute_pure__ | Glenn Strauss | 1 | -0/+9

2019-06-06 | [core] fix compile error on Solaris (fixes #2959) | Glenn Strauss | 1 | -1/+1
    (thx pyhalov)
    x-ref: "Release 1.4.54 does not compile on an Open Solaris clone"

2019-05-27 | - next is 1.4.55 | Glenn Strauss | 4 | -4/+4

2019-05-27 | [doc] NEWS (tag: lighttpd-1.4.54) | Glenn Strauss | 1 | -0/+150

2019-05-27 | [mod_authn_ldap] ldap_set_option LDAP_OPT_RESTART (fixes #2940) | Glenn Strauss | 2 | -0/+6
    ldap_set_option LDAP_OPT_RESTART to handle EINTR on SIGCHLD from CGI (ldap uses poll(), which is not restartable with sigaction SA_RESTART)
    x-ref: "mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server""

2019-05-26 | [mod_maxminddb] MaxMind GeoIP2 support | Glenn Strauss | 8 | -0/+482

2019-05-18 | [core] adjust http_chunk read() retry loop | Glenn Strauss | 1 | -1/+1

2019-05-14 | [mod_magnet] expose server addr (local IP) to lua | Glenn Strauss | 1 | -0/+33
    expose server addr (local IP) to lua via lighty.env["request.server-addr"] (read-only)

2019-05-13 | [core] use high precision stat timestamp on OS X | Glenn Strauss | 1 | -0/+4

2019-05-13 | [tests] skip mod-secdownload HMAC-SHA1,HMAC-SHA256 | Glenn Strauss | 1 | -0/+11
    skip mod-secdownload.t HMAC-SHA1, HMAC-SHA256 tests if crypto algorithms are not available (e.g. lighttpd build without openssl)

2019-05-13 | [tests] has_feature() helper func | Glenn Strauss | 1 | -0/+13
    has_feature() helper func so that tests can be skipped if support is not present

2019-05-13 | [core] buffer_reset() should not be passed NULL | Glenn Strauss | 1 | -6/+4

2019-05-13 | [core] chunkqueue perf: read small files into mem | Glenn Strauss | 3 | -6/+45

2019-05-13 | [core] chunkqueue perf: skip opening 0-length file | Glenn Strauss | 1 | -3/+11

2019-05-13 | [core] chunkqueue perf: specialized buffer.h funcs | Glenn Strauss | 1 | -9/+20

2019-05-13 | [core] chunkqueue perf: code reuse | Glenn Strauss | 5 | -99/+50
    code reuse, simplification, and inlining
    remove excess calls to chunkqueue_remove_finished_chunks() (it may still be possible for there to be an empty chunk in chunkqueue if nothing were written to a temporary file (need to verify this), so preserve some calls to chunkqueue_remove_finished_chunks() for now)