mark funcs cold if seldom used or used only at startup config processing
mark most data_config_* funcs cold
data_*_copy()
data_*_insert_dup()
data_*_print()
data_*_reset()
array_reset()
mark array_get_index() as hot, rewrite to be pure and return sorted pos
mark routines as pure, as appropriate
mark routines as cold if used only at startup for config processing
mark params const, as appropriate
array_get_buf_ptr() for modifiable value buffer after insert into array
uint32_t used and size members instead of size_t
remove a->unique_ndx member; simply add to end of array for value lists
remove du->is_index_key member; simply check buffer_is_empty(du->key)
array_insert_key_value() used to be a hint that lookup could be skipped,
but the state from array_get_index() is now saved and reused internally,
so the distinction is no longer needed. Use array_set_key_value().
inline connection_read_header() into connection_handle_read_state()
(The large stack usage prevents the compiler from inlining the routine,
but if we enter connection_handle_read_state(), then we are going to
be running connection_read_header(), so put them together)
In some circumstances, if the character on the heap prior to the
beginning of the request is '\r', then it would be overwritten with '\0'
With default compiler flags, this does not appear to occur in practice
and we therefore believe it to be a low-probability vulnerability.
(thx Antonio Morales)
This issue was discovered and reported by GSL team member
@antonio-morales <https://github.com/antonio-morales> (Antonio Morales)
On some architectures, accept4() might result in EPERM depending
on Linux kernel and/or glibc support for accept4()
(thx alex-che)
x-ref:
"accept4 returns EPERM instead of ENOSYS on some platforms"
https://redmine.lighttpd.net/issues/2998
normalize %2b or %2B in query string to %2B (uppercase hex),
and not to '+'
(thx int-e)
x-ref:
"url-normalize-required expands %2B in query strings"
https://redmine.lighttpd.net/issues/2999
reject requests with both Transfer-Encoding and Content-Length
as recommended in RFC 7230 Section 3.3.3.
strict header parsing is enabled by default in lighttpd. However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept Transfer-Encoding and Content-Length in the same request,
and will ignore (and remove) Content-Length before passing to backend.
UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
This is NOT RECOMMENDED since doing so disables other protections
provided by lighttpd strict http header parsing.
RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
3.3.3. Message Body Length
[...]
If a message is received with both a Transfer-Encoding and a
Content-Length header field, the Transfer-Encoding overrides the
Content-Length. Such a message might indicate an attempt to
perform request smuggling (Section 9.5) or response splitting
(Section 9.4) and ought to be handled as an error. A sender MUST
remove the received Content-Length field prior to forwarding such
a message downstream.
x-ref:
stricter request header parsing
https://redmine.lighttpd.net/issues/2985
reject whitespace following request header field-name and before colon
Such whitespace is forbidden in RFC 7230 Section 3.2.4.
strict header parsing is enabled by default in lighttpd. However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept (and re-format) such field-names before passing to any backend.
UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
This is NOT RECOMMENDED since doing so disables other protections
provided by lighttpd strict http header parsing.
(thx fedormixalich)
x-ref:
stricter request header parsing
https://redmine.lighttpd.net/issues/2985
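
The two strict-parsing rejections described above (Transfer-Encoding together with Content-Length, and whitespace between field-name and colon), as an added example that is not lighttpd's parser. The function name `strict_header_check`, its return convention and the sample requests are assumptions made for illustration; input is assumed to be the header block after the request line, with CRLF line endings and no folded lines.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not lighttpd code.
 * Returns 0 if the header block passes both strict checks,
 * otherwise the HTTP status to respond with (400). */
static int strict_header_check(const char *hdrs)
{
    int has_te = 0, has_cl = 0;
    for (const char *line = hdrs; *line; ) {
        const char *eol = strstr(line, "\r\n");
        if (!eol) return 400;              /* unterminated header line */
        if (eol == line) break;            /* blank line: end of headers */
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (!colon || colon == line) return 400; /* no field-name */
        /* RFC 7230 3.2.4: no whitespace between field-name and colon */
        if (colon[-1] == ' ' || colon[-1] == '\t') return 400;
        size_t nlen = (size_t)(colon - line);
        if (nlen == 17 && 0 == strncasecmp(line, "Transfer-Encoding", 17))
            has_te = 1;
        else if (nlen == 14 && 0 == strncasecmp(line, "Content-Length", 14))
            has_cl = 1;
        /* RFC 7230 3.3.3: both present ought to be handled as an error */
        if (has_te && has_cl) return 400;
        line = eol + 2;
    }
    return 0;
}

int main(void)
{
    /* constructed sample header blocks */
    static const char *samples[] = {
        "Host: a\r\nContent-Length: 5\r\n\r\n",
        "Host: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
        "Host: a\r\nTransfer-Encoding : chunked\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(*samples); ++i)
        printf("sample %zu -> %d\n", i, strict_header_check(samples[i]));
    return 0;
}
```
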
getaddrinfo() should return non-empty result list (res)
or else should return EAI_NONAME or some other error
(musl C library does not check for NULL argument to freeaddrinfo())
x-ref:
"Segmentation fault in mod_extforward with libmusl"
https://redmine.lighttpd.net/issues/2984
build postgres modules with $(PGSQL_CFLAGS) in Makefile.am
x-ref:
"pg_config is deprecated to build postgres client applications"
https://redmine.lighttpd.net/issues/2965
lighttpd requires a strict match between the request URI and the uri=
auth-param provided in the Authenticate header. lighttpd does not
attempt to determine if different URIs are semantically equivalent.
This commit removes a condition which permitted an Authenticate header
with a uri= containing a query-string to be used with the request-uri
which did not contain any query-string. The condition was likely added
in the original implementation which operated on lighttpd request.uri
instead of the correct request.orig_uri (original URI sent to lighttpd).
HTTP Digest Access Authentication
https://www.rfc-editor.org/rfc/rfc7616.txt
3.4.6. Various Considerations
The authenticating server MUST assure that the resource designated by
the "uri" parameter is the same as the resource specified in the
Request-Line; if they are not, the server SHOULD return a 400 Bad
Request error. (Since this may be a symptom of an attack, server
implementers may want to consider logging such errors.) The purpose
of duplicating information from the request URL in this field is to
deal with the possibility that an intermediate proxy may alter the
client's Request-Line. This altered (but presumably semantically
equivalent) request would not result in the same digest as that
calculated by the client.
x-ref:
"HTTP Digest Access Authentication"
https://www.rfc-editor.org/rfc/rfc7616.txt
"HTTP digest authentication not compatible with some clients"
https://redmine.lighttpd.net/issues/2974
https://www.rfc-editor.org/rfc/rfc7616.txt
3.3. The WWW-Authenticate Response Header Field
...
For historical reasons, a sender MUST only generate the quoted string
syntax values for the following parameters: realm, domain, nonce,
opaque, and qop.
For historical reasons, a sender MUST NOT generate the quoted string
syntax values for the following parameters: stale and algorithm.
employ volatile, which might matter with some compilers (or might not)
explicitly check that string lengths match
(or else might match string where last char of short string matches
repeated chars in longer string)
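
The length-check problem described above, as an added example that is not lighttpd's code. The comparison loop, the function names `ct_walk`, `ct_eq_no_len_check` and `ct_eq`, and the sample strings are assumptions constructed to show one way a padded constant-time compare can accept a short string against a longer one; both inputs are assumed to be at least one byte long.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sketch: walk the longer length; the shorter string's index
 * stops at its last byte, so that byte is reused for the remaining steps.
 * 'seed' is the initial value of the difference accumulator. */
static int ct_walk(const char *a, size_t alen,
                   const char *b, size_t blen, unsigned char seed)
{
    size_t lim = alen > blen ? alen : blen;
    /* volatile accumulator discourages the compiler from short-circuiting */
    volatile unsigned char diff = seed;
    for (size_t k = 0, i = 0, j = 0; k < lim; ++k) {
        diff |= (unsigned char)(a[i] ^ b[j]);
        i += (i + 1 < alen);
        j += (j + 1 < blen);
    }
    return 0 == diff;
}

/* Without a length check: "a" compares equal to "aaaa". */
static int ct_eq_no_len_check(const char *a, size_t alen,
                              const char *b, size_t blen)
{
    return ct_walk(a, alen, b, blen, 0);
}

/* With the explicit length check folded into the result. */
static int ct_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    return ct_walk(a, alen, b, blen, (unsigned char)(alen != blen));
}

int main(void)
{
    /* constructed inputs: short string whose last char repeats in the long one */
    printf("no length check: %d\n", ct_eq_no_len_check("xyz", 3, "xyzzz", 5));
    printf("length checked:  %d\n", ct_eq("xyz", 3, "xyzzz", 5));
    printf("equal strings:   %d\n", ct_eq("secret", 6, "secret", 6));
    return 0;
}
```
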
specialized buffer_eq_icase_ssn func replaces strncasecmp()
in cases where string lengths are not known to be at least
as large as the len being compared case-insensitively.
(Separate commit in case any future changes modify the
implementation to be unsafe for shorter strings, where
strncasecmp() would stop at '\0' in either string)
specialized buffer_eq_icase_ssn func replaces strncasecmp()
in cases where string lengths are known to be at least as
large as the len being compared case-insensitively
ldap_set_option LDAP_OPT_RESTART to handle EINTR on SIGCHLD from CGI
(ldap uses poll(), which is not restartable with sigaction SA_RESTART)
x-ref:
"mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server""
https://redmine.lighttpd.net/issues/2940
code reuse, simplification, and inlining
remove excess calls to chunkqueue_remove_finished_chunks()
(it may still be possible for there to be an empty chunk in chunkqueue
if nothing were written to a temporary file (need to verify this), so
preserve some calls to chunkqueue_remove_finished_chunks() for now)
sys/event.h does not compile standalone, so check_include_files() fails
Add compiler flags -include sys/types.h so that the compile check passes
This allows cmake builds on FreeBSD to detect and use kqueue.
improve FAM monitoring to use reference counting in internal cache
revalidate entries upon use after 16 sec to recover from missed events
(see comments in commit for more details about limitations)
do not open file in stat_cache_get_entry()
no longer stat() followed by open() and close() just for stat()
callers should open() file to validate readability (and then reuse fd)
RFC 7231 forbids partial PUT. However, historical versions of
lighttpd mod_webdav did provide this (mis-)feature. Therefore,
provide *deprecated* unsafe partial PUT support for compatibility
with historical lighttpd mod_webdav (prior to mod_webdav rewrite),
but require new config option to enable this compatible behavior:
webdav.opts = ( "deprecated-unsafe-partial-put" => "enable" )
The partial PUT support implemented by historical lighttpd mod_webdav
makes no effort to account for shrinkage or growth of range replaced.
The request body is splat into the *existing* file at the offset
provided which is quite unsafe and can cause corruption in data sent
to concurrent download requests.
Use of this (mis-)feature is discouraged, and support may be removed
in the future, without any further notice.
200 for OPTIONS /non-existent/path HTTP/1.1 when a module,
such as mod_webdav, has set Allow response header
x-ref:
"OPTIONS should return 2xx status for non-existent resources if Allow is set"
https://redmine.lighttpd.net/issues/2939
(occurred 3 years ago on experimental branch, and now ported forward)
robustness and performance improvements, including atomic updates on
individual files (e.g. for PUT, COPY, MOVE)
exclusive locks are fully supported
shared locks are partly supported
x-ref:
"add RFC-compliant LOCK support to mod_webdav"
https://redmine.lighttpd.net/issues/1818
fdevent_open_cloexec() opens files O_BINARY for consistency,
and with O_NONBLOCK, so that the server will not block if the
target file to open is a fifo.
fix abort in server.http-parseopts with url-path-2f-decode enabled
(thx stze)
x-ref:
"Security - SIGABRT during GET request handling with url-path-2f-decode enabled"
https://redmine.lighttpd.net/issues/2945