convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
secdownload.path-segments = <number>
include only given number of path segments in hash digest calculation
secdownload.hash-querystr = "enable" | "disable"
include the query string in the hash digest calculation
x-ref:
"secdownload.path_elements support"
https://redmine.lighttpd.net/issues/646
"mod_secdownload option to include url GET parameters in md5"
https://redmine.lighttpd.net/issues/1904
issue warning at startup, instead of fatal error, if SHA used in
secdownload.algorithm = "..." but mod_secdownload was built without
SSL crypto. When lighttpd is built without openssl, this allows most
tests/* to be run and pass, except the ones in tests/mod-secdownload.t
which use "hmac-sha1" or "hmac-sha256".
(alternatively, could have made, used isolated tests/secdownload.conf)
also change passing of fixed-sized arrays: need to pass pointer to array
as otherwise size does not get enforced
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3135 152afb58-edef-0310-8abb-c4023f1b3aa9
Impact is probably low on most platforms, as it will probably overwrite
one byte of "HASH HA1" which isn't used afterwards anymore.
Reference: Fortify Open Review Project - lighttpd 1.4.39
ID 22708159 - Buffer Overflow: Off-by-One
From: Stefan Bühler <stbuehler@web.de>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3096 152afb58-edef-0310-8abb-c4023f1b3aa9
Glenn Strauss
Mohammed Sadiq
Stefan Bühler