Commit Graph

304 Commits

Author SHA1 Message Date
Glenn Strauss e2bd776f8f [tests] disable secdownload HMAC tests for NSS
NSS crypto lib does not expose interfaces to HMAC funcs
2021-05-07 16:39:52 -04:00
Glenn Strauss cc35c03c3c [core] RFC 7233 Range handling for non-streaming
RFC 7233 Range handling for all non-streaming responses,
including (non-streaming) dynamic responses

(previously Range responses handled only for static files)
2021-03-02 10:14:25 -05:00
Glenn Strauss dc4ff14c1f [tests] remove stray option in test lighttpd.conf 2021-02-05 19:40:22 -05:00
Glenn Strauss 5b1b9f7824 [tests] use ephemeral ports in tests
avoid spurious test failures due to conflicts with ports in use by
other processes, which might occur when tests use hard-coded ports
2021-01-05 12:52:11 -05:00
Glenn Strauss 5ec5e124c1 [tests] consolidate some tests/ content 2020-12-27 21:39:04 -05:00
Glenn Strauss db0cd76618 [build] add GNUMAKEFLAGS=--no-print-directory
quiet some automake noise during build
(can use 'make -s' to quiet more)

In doc/ and tests/docroot/, add GNUMAKEFLAGS=--no-print-directory -s
2020-12-27 21:37:28 -05:00
Glenn Strauss 0c6a6d06c6 [tests] OpenBSD crypt() support limited to bcrypt
OpenBSD crypt() does not support (insecure) crypt-des or crypt-md5

(The password used in the tests and lighttpd.htpasswd is crypt-des.
 Something else could be used so that the tests can execute,
 though that something might be different on different platforms.)
2020-12-26 03:47:41 -05:00
Glenn Strauss 91e94f4875 [tests] load required modules in alt .conf tests
load only required modules in alt .conf tests
2020-12-24 23:39:52 -05:00
Glenn Strauss d228b06655 [tests] slight speed up checking for server ready
make connection attempt every 10ms instead of every 20ms
2020-12-24 23:09:23 -05:00
Glenn Strauss 122094e3e3 [multiple] employ http_date.h, sys-time.h
- replace use of strptime() w/ implementation specialized for HTTP dates
- use thread-safe gmtime_r(), localtime_r() (replace localtime, gmtime)
2020-12-24 16:13:20 -05:00
Glenn Strauss b598bb53f9 [tests] remove FastCGI test dependency on PHP 2020-12-23 03:50:13 -05:00
Glenn Strauss fc01b820ec [tests] remove FastCGI test dependency on libfcgi
- rewrite fcgi-responder as standalone app
  fcgi-responder is now a minimal, standalone FastCGI server for tests
- remove dependency on fcgi-devel package
- merge fcgi-auth into fcgi-responder
2020-12-23 03:49:43 -05:00
Glenn Strauss c68a7b4552 [tests] collect code for "die-at-end" tests 2020-12-18 20:36:30 -05:00
Glenn Strauss 213373948a [tests] allow LIGHTTPD_EXE_PATH override
allow LIGHTTPD_EXE_PATH override to be able to run source tree tests/*.t
against installed executable, e.g. LIGHTTPD_EXE_PATH=/usr/sbin/lighttpd

Beware that tests might not pass or might not be supported if the target
executable is not the same version as that of the source tree

(Possible use for this override is by Debian autopkgtests)
2020-11-09 05:07:05 -05:00
Glenn Strauss 2576b2c3d0 [tests] OpenBSD crypt() support limited to bcrypt
OpenBSD crypt() does not support (insecure) crypt-des or crypt-md5
2020-10-26 11:45:48 -04:00
Glenn Strauss a363383a92 [tests] detect multiple SSL/TLS/crypto providers 2020-10-19 21:40:14 -04:00
Glenn Strauss dc51e9d61c [tests] simulate slow, small packets more quickly
simulate slow, small packets more quickly
1ms between chars is plenty slow; 100ms is excessive

fixup
2020-10-19 21:40:14 -04:00
Glenn Strauss 96abd9cfb8 [core] coalesce nearby ranges in Range requests
Range requests must be HTTP/1.1 or later (not HTTP/1.0)
2020-10-19 21:40:14 -04:00
Glenn Strauss 1d9709b8ab [core] update HTTP status codes list from IANA 2020-10-11 12:19:26 -04:00
Glenn Strauss 140c0fb8f4 [doc] update README and INSTALL
also add tests/README with some testing notes
2020-10-11 12:19:26 -04:00
Glenn Strauss a3af9833c6 [core] fix crash on master if blank line request
(bug on master branch; never released)

(thx avij)

fix crash on master if blank line precedes HTTP/1.1 keep-alive request

header parsing code previously made assumptions that request was
HTTP/1.0 or HTTP/1.1, where a request-line was required, and which
would error out elsewhere if request-line was missing.  The parsing
code also previously looked for "\r\n\r\n" to end headers.

The header offset parsing code was modified and invalidated the above
assumptions, now looking only for blank line "\r\n", but the calling
code had not properly been updated.  (until this patch)
2020-10-11 12:19:26 -04:00
Glenn Strauss 8e2cf55250 [core] redirect to dir using relative-path
Location response header is permitted to use relative-path in
RFC 7231 Section 7.1.2. Location

Prefer relative path in redirection for the benefit of reverse proxies
and CDNs.  Doing so also avoids potentially disclosing internal schemes
and server names which client might not be able to directly reach.

To restore prior behavior of sending a fully-qualified absolute URI:
server.feature-flags += ("absolute-dir-redirect" => "enable")

x-ref:
  https://bz.apache.org/bugzilla/show_bug.cgi?id=63357
2020-10-11 11:43:06 -04:00
Stefan Bühler 5515bb2a08 scons: fix check environment
if os.environ is a special class the scons.Environment Clone() doesn't
work properly.

show builddir in prepare.sh so we can actually see it works.
2020-08-02 20:05:33 +02:00
Glenn Strauss de9e2f9881 [tests] mod_compress -> mod_deflate 2020-08-02 06:46:22 -04:00
Glenn Strauss 8dd33a72dd [mod_deflate] mod_deflate subsumes mod_compress
translate config server.modules "mod_compress" to "mod_deflate"
accept compress.* directives, but issue DEPRECATED warning trace

mod_deflate differences from mod_compress:
- mod_compress compress.filetype was exact match; deflate.mimetypes is
  prefix match (behavior change might compress longer mimetype matches,
  which are likely of similar type and compressibility)
- mod_compress always sent entire (compressed) file for Range request
  mod_deflate will stream compress range result (not stored in cache)
- mod_compress would short-circuit request with 403 Forbidden error
  if request file did not exist (stat() failed) (This behavior was
  unfriendly to other handlers)
- mod_compress compress.cache-dir layout differs from deflate.cache-dir
  layout; file cache should be cleared (or renamed) when migrating from
  mod_compress to mod_deflate
- mod_deflate does not issue Vary: Accept-Encoding if request does not
  contain Accept-Encoding.  The identity response can be cached by
  proxies and served to clients.  Historically, some proxies disabled
  caching if any Vary: response was seen.  If the Vary header is
  desirable, mod_deflate code which checks for Accept-Encoding and
  compression type can be moved down a few lines to be below the
  setting of the Vary response header.
2020-08-02 06:46:22 -04:00
Glenn Strauss c75fd15d7a [build] remove tests/mod-userdir.t from builds
(replaced with src/t/test_mod_userdir.c)
2020-07-10 03:29:42 -04:00
Glenn Strauss c18f442a63 [multiple] add summaries to top of some modules 2020-07-08 22:51:31 -04:00
Glenn Strauss af836b94d3 [tests] fix skip count in mod-fastcgi w/o php-cgi
(fix test skip count when php-cgi is not available)
2020-07-08 19:54:30 -04:00
Glenn Strauss c8a1cba0c1 [tests] t/test_mod_userdir
create t/test_mod_userdir to replace sparse tests in tests/mod-userdir.t
remove tests/mod-userdir.t
2020-07-08 19:54:29 -04:00
Glenn Strauss 362ccedc41 [mod_indexfile] use config_plugin_values_init() 2020-05-23 17:59:29 -04:00
Glenn Strauss fa4ab19275 [core] reduce use of struct parse_header_state 2020-02-24 11:15:32 -05:00
Glenn Strauss 61f85d14ee [core] reject WS following header field-name (fixes #2985)
reject whitespace following request header field-name and before colon
Such whitespace is forbidden in RFC 7230 Section 3.2.4.

strict header parsing is enabled by default in lighttpd.  However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept (and re-format) such field-names before passing to any backend.
  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
  This is NOT RECOMMENDED since doing so disables other protections
  provided by lighttpd strict http header parsing.

(thx fedormixalich)

x-ref:
  stricter request header parsing
  https://redmine.lighttpd.net/issues/2985
2020-01-26 00:40:20 -05:00
Glenn Strauss d5774fc6b3 [tests] skip mod-secdownload HMAC-SHA1,HMAC-SHA256
skip mod-secdownload.t HMAC-SHA1, HMAC-SHA256 tests if crypto algorithms
are not available (e.g. lighttpd build without openssl)
2019-05-13 21:01:57 -04:00
Glenn Strauss da6a94efbb [tests] has_feature() helper func
has_feature() helper func so that tests
can be skipped if support is not present
2019-05-13 21:01:57 -04:00
Glenn Strauss b0ae5fcbcd [core] support weak etags with If-None-Match
support weak etags with If-None-Match

(but require strong etags for Range requests)
2019-05-06 01:13:58 -04:00
Glenn Strauss 1cf68f79eb [core] behavior change: stricter URL normalization
behavior change: stricter URL normalization

Prior behavior can be obtained by configuring lighttpd.conf with:
      server.http-parseopts = ("url-normalize" => "disable")
although this is not recommended.

This behavior change was pre-announced with the releases of
  lighttpd 1.4.52 (2018.11.28)
  lighttpd 1.4.53 (2019.01.27)

The recommended settings are:
      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-backslash-trans" => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )

The lighttpd defaults with this commit are slightly less strict:
      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
       #"url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
       #"url-path-backslash-trans" => "enable",
        "url-path-dotseg-remove"   => "enable",
       #"url-query-20-plus"        => "enable"
      )
2019-05-04 17:48:04 -04:00
Glenn Strauss a1077d18cb [tests] more test config cleanup 2018-12-18 00:08:46 -05:00
Glenn Strauss 4e6ef76406 [tests] update skip count in mod-fastcgi.t 2018-12-11 00:23:49 -05:00
Glenn Strauss 07517ff30a [tests] some test config cleanup
including limiting use of php in tests to mod-fastcgi.t
2018-12-10 22:36:23 -05:00
Glenn Strauss f03e5e239d [tests] t/test_keyvalue
create t/test_keyvalue to replace sparse tests in
  tests/mod-redirect.t and tests/mod-rewrite.t
remove tests/mod-redirect.t and tests/mod-rewrite.t
2018-12-10 22:36:23 -05:00
Glenn Strauss 5a32d0f72a [mod_access] t/test_mod_access
create t/test_mod_access to test mod_access basic logic
remove tests/mod-access.t
2018-12-03 23:03:04 -05:00
Glenn Strauss 8aad091613 [mod_evhost] t/test_mod_evhost
create t/test_mod_evhost to test mod_evhost basic logic
remove tests/mod-evhost.t
2018-12-03 23:03:04 -05:00
Glenn Strauss b2a6239851 [mod_simple_vhost] t/test_mod_simple_vhost
create t/test_mod_simple_vhost to test mod_simple_vhost basic logic
remove tests/mod-simplevhost.t, which was not testing mod_simple_vhost
2018-12-03 23:03:04 -05:00
Glenn Strauss 90c30d5e90 [core] http_status_append() 2018-09-23 19:18:25 -04:00
Glenn Strauss d161f53de0 [core] security: use-after-free invalid Range req
(thx Marcus Wengelin)
2018-08-12 14:43:22 -04:00
Glenn Strauss 6ccccaaa38 [tests] move src/test_*.c to src/t/ 2018-08-05 03:44:15 -04:00
Glenn Strauss 1b62dc325c [tests] test_request unit tests
unit tests for request processing
collect existing request processing tests from Perl tests/*.t
(test_request.c runs *much* more quickly than Perl tests/*.t)
2018-08-05 03:44:15 -04:00
Glenn Strauss 1593190651 [core] buffer_append_string_encoded() uc hex
Use uc hex chars in buffer_append_string_encoded(), preferred in RFC3986

Preserve behavior using lc hex chars in buffer_append_string_c_escaped()
2018-08-05 03:44:15 -04:00
Glenn Strauss dc1675ea32 [core] fix POST with chunked request body (fixes #2854)
(thx the_jk)

x-ref:
  "chunked transfer encoding in request body only works for tiny chunks"
  https://redmine.lighttpd.net/issues/2854
2018-01-13 22:53:19 -05:00
Stefan Bühler 16c4530e61 [meson] new build system
Needed to extend lemon to take an output path parameter.
2017-10-28 22:54:45 -04:00