When the output of include_shell calls include_shell itself,
that second invocation must not truncate the buffer used for the
outer include_shell.
This might sound like a pathological setup in itself, but with
e.g. debian's include-conf-enabled.pl, which outputs a list of
include statements for all files in /etc/lighttpd/conf-enabled,
if any of the *.conf files in that directory invokes include_shell,
the parsing of the rest of the files in that directory is effectively
aborted.
This fixes a regression since commit
a46bc4f5de in such setups.
github: closes #95
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b). Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.
(buffer_reset() should still be used with buffers in connection *con
when the data in the buffers is supplied by external, untrusted source)
server.chunkqueue-chunk-sz = 4096 (default)
Can be configured any integral value greater than 0.
Value is rounded up to next 1024 if not an even multiple of 1k.
Sites with large request or response headers may benefit from
an 8k or 16k chunk size. Embedded systems might choose to minimize
memory use by using a 1k chunk size.
controls whether default and compatibility modules are loaded,
including default modules mod_indexfile, mod_staticfile, mod_dirlisting
and if mod_authn* modules are loaded when mod_auth in server.modules
and if mod_openssl is loaded when ssl. directives are seen
default: server.compat-module-load = "enable"
(preserve existing behavior)
recommended config: explicitly load desired modules in desired order
enable server.log-request-header-on-error when either
server.log-request-handling or server.log-request-header
are enabled in the global scope.
server.log-request-header-on-error is a global directive since it must
be set prior to parsing of request, and errors parsing request might
otherwise occur before lighttpd config conditions are parsed and set
(i.e. based on the parsed request headers)
x-ref:
"Log error if Host name is illegal (e.g. contains an underscore)"
https://redmine.lighttpd.net/issues/2885
server.http-parseopts = ( ... ) URL normalization options
Note: *not applied* to CONNECT method
Note: In a future release, URL normalization likely enabled by default
(normalize URL, reject control chars, remove . and .. path segments)
To prepare for this change, lighttpd.conf configurations should
explicitly select desired behavior by enabling or disabling:
server.http-parseopts = ( "url-normalize" => "enable", ... )
server.http-parseopts = ( "url-normalize" => "disable" )
x-ref:
"lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
https://www.cvedetails.com/cve/CVE-2008-4359/
"Rewrite/redirect rules and URL encoding"
https://redmine.lighttpd.net/issues/1720
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."
x-ref:
"Feature request: add server config for setting permissions on Unix domain socket"
https://redmine.lighttpd.net/issues/656
median webpage in today's day and age contains 75-100 requests per page
so increasing the default server.max-keep-alive-requests in lighttpd
from 16 is more than warranted
x-ref:
"set server.max-keep-alive-requests = 100"
https://redmine.lighttpd.net/issues/2205
fix crash for invalid syntax in config file for server.modules
x-ref:
"Missing array entry type check in config_insert (configfile.c), SIGSEGV"
https://redmine.lighttpd.net/issues/2810
More specific checks on contents of array lists. Each module using
lists now does better checking on the types of values in the list
(strings, integers, arrays/lists)
This helps prevent misconfiguration of things like cgi.assign,
fastcgi.server, and scgi.server, where source code might be
served as static files if parenthesis are misplaced.
x-ref:
https://redmine.lighttpd.net/boards/2/topics/6571
new directive server.error-intercept = [ "enable" | "disable" ]
to intercept 4xx and 5xx responses from dynamic handlers
(e.g. CGI, FastCGI, SCGI, proxy)
Intercepted HTTP error status are then handled by one of
server.error-handler
server.error-handler-404
server.errorfile-prefix
(if configured)
Do not use server.error-intercept with locations handled by mod_webdav!
x-ref:
"would like something similar to nginx proxy_intercept_errors"
https://redmine.lighttpd.net/issues/974
large code move, but minimal changes made to code (besides whitespace),
so that code builds
next: need to isolate openssl data structures and config parsing
new directive ssl.read-ahead = "enable"/"disable" to control
SSL_CTX_set_read_ahead(). Default "enable". The "disable" setting
is intended for use on low memory systems with a slow CPU which is
unable to keep up with decryption of large request bodies.
x-ref:
"larger memory usage for file uploads via SSL on embedded system"
https://redmine.lighttpd.net/issues/2778
warn if mod_authn_ldap is not listed in server.modules in lighttpd.conf
but auth.backend = "ldap" is in lighttpd.conf
warn if mod_authn_mysql is not listed in server.modules in lighttpd.conf
but auth.backend = "mysql" is in lighttpd.conf
A future release of lighttpd 1.4.x will cease automatically loading
these modules. After that, lighttpd will fail to start up if
auth.backend requires one of these modules and the module is not loaded.
(The purpose of this change is to remove from the lighttpd core server
the dependencies on LDAP or MariaDB libraries.)
warn if mod_authn_ldap is not listed in server.modules in lighttpd.conf
but auth.backend = "ldap" is in lighttpd.conf
warn if mod_authn_mysql is not listed in server.modules in lighttpd.conf
but auth.backend = "mysql" is in lighttpd.conf
A future release of lighttpd 1.4.x will cease automatically loading
these modules. After that, lighttpd will fail to start up if
auth.backend requires one of these modules and the module is not loaded.
(The purpose of this change is to remove from the lighttpd core server
the dependencies on LDAP or MariaDB libraries.)
limits total size per request of request headers submitted by client
default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit)
(similar to Apache directive LimitRequestFieldSize)
x-ref:
"limits the size of HTTP request header"
https://redmine.lighttpd.net/issues/2130
create new, extensible interface for (additional) auth backends
attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)
separate auth backends from mod_auth and http_auth
mod_authn_file.c htdigest, htpasswd, plain auth backends
mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration
(mod_authn_file could be three separate modules, but no need for now)
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /var/tmp which is not often
a tmpfs, unlike /tmp. Warn at startup if tempdirs are not present.
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /tmp. Warn at startup if
tempdirs are not present.
Martin Storsjö