Commit Graph

2558 Commits

Author SHA1 Message Date
Glenn Strauss 81b7e8e2fb [mod_auth] constant time compare plain passwords
(digests have same length)
2018-03-11 00:28:56 -05:00
Glenn Strauss 7265c72b6c [autoconf] reduce minimum automake version to 1.13
Although removal of AM_PROG_CC_C_O in f107bac8 requires automake 1.14
to provide the same functionality in AC_PROG_CC, any widely used,
modern compiler supports cc -c -o.  Reducing the minimum required
automake version avoids the current need for Centos 7 maintainers
to patch in order to build binary packages.
2018-03-07 00:35:55 -05:00
Glenn Strauss 4a674224ab [core] re-enable overloaded backends w/ multi wkrs
re-enable overloaded backends when server.max-worker is non-zero

(thx jens-maus)

  "mod_proxy not re-enabling proxy with 1.4.48" (multiple workers)
2018-03-04 14:36:09 -05:00
Glenn Strauss fc7edb3946 [mod_extforward] CIDR support for trusted proxies (fixes #2860)
  "RFE: mod_extforward CIDR support"
2018-03-04 07:16:16 -05:00
Glenn Strauss cd2b51cb1a [core] fix CONNECT w strict header parsing enabled
fix CONNECT with strict header parsing enabled (default)
(or set server.http-parseopt-header-strict = "disabled")

  "ssh over https tunnel"
2018-02-26 00:44:14 -05:00
Glenn Strauss bd32f67046 [core] open additional fds O_CLOEXEC 2018-02-03 13:45:14 -05:00
Glenn Strauss b1df38ab6a [core] increase stat_cache abstraction
reduce dependency on struct connection
routines for getting/caching content_type and etag separate from stat
2018-02-02 23:28:38 -05:00
Glenn Strauss 2496c1af4c [core] pass array_get_element_klen() const array * 2018-02-02 06:22:33 -05:00
Glenn Strauss 6a6d32698e [core] fix path-info calculation in git master (fixes #2861)
(thx ReimuHakurei)

  "Regression: PHP URLs return 404 from lighttpd when they contain PATH_INFO ending in a trailing slash."
2018-02-02 06:10:24 -05:00
Glenn Strauss 978a3f8dad [core] add include sys/poll.h on Solaris (fixes #2859)
  "fdevent_solaris_port.c header missing on Solaris 10"
2018-01-22 19:54:15 -05:00
Glenn Strauss 58a1793964 [core] fix 32-bit compile POST w/ chunked request body (#2854)
(thx the_jk)

  "chunked transfer encoding in request body only works for tiny chunks"
2018-01-19 22:35:17 -05:00
Glenn Strauss 30fe3684f6 [mod_wstunnel] fix for frames larger than 64k (fixes #2858)
(thx rschmid)

  "Wrong websocket frametype if frame is longer then UINT16_MAX"
2018-01-19 22:20:35 -05:00
Glenn Strauss 1c594f0629 [doc] minor update to *outdated* doc
  "unknown config-key: auth.debug (ignored)"

github: closes #89
2018-01-19 22:20:16 -05:00
Glenn Strauss e6564641d8 [core] remove unused func 2018-01-19 22:13:58 -05:00
Glenn Strauss dc1675ea32 [core] fix POST with chunked request body (fixes #2854)
(thx the_jk)

  "chunked transfer encoding in request body only works for tiny chunks"
2018-01-13 22:53:19 -05:00
Glenn Strauss cb371557e5 [core] merge redirect/rewrite pattern substitution
merge redirect/rewrite pattern substitution function (share code)
2018-01-10 01:39:05 -05:00
Glenn Strauss a5a2654bd4 [core] code cleanup: separate physical path sub
code cleanup: separate subroutine to check physical path
2018-01-08 01:06:40 -05:00
Glenn Strauss d5f37803dd [mod_authn_ldap] auth with ldap referrals (fixes #2846)
use ldap_set_rebind_proc() to provide auth when rebinding following
ldap referrals (instead of rebinding anonymously for ldap referrals)

  "LDAP authentication vs. AD: problems with referrals"
2018-01-07 12:50:30 -05:00
Glenn Strauss ec9e6abcb3 [core] check for path-info forward down path
check for path-info forward down path rather than back from end of path
2018-01-06 22:23:51 -05:00
Glenn Strauss 76b9b1fa46 [mod_openssl] elliptic curve auto selection (fixes #2833)
elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled

  "Using X25519 Key exchange"

  "SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
  It has been removed from OpenSSL 1.1.0.
  Here is the relevant CHANGES entry:
  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means
     that the "-no_ecdhe" option has been removed from s_server.
     [Kurt Roeckx]
2018-01-06 20:15:09 -05:00
Glenn Strauss f90ccdef51 [mod_openssl] minor code cleanup; reduce var scope
('git show -u -b -w <commit-sha>' to see minimal changes)
2018-01-06 19:05:26 -05:00
Glenn Strauss b9df146b3c [core] non-blocking write() to piped loggers
If pipe fills and would block, then discard remaining write.
Do not block lighttpd if the logger blocks, such as if disk fills up.
2018-01-02 21:01:41 -05:00
Glenn Strauss e8226c11cb [core] do not reparse request if async cb
do not reparse request if async callback, e.g. for mod_auth
2018-01-01 17:06:05 -05:00
Glenn Strauss b28f03b5a4 [core] warn if mod_indexfile after dynamic handler
mod_indexfile should be listed in server.modules
prior to dynamic handlers

2018-01-01 07:32:52 -05:00
Glenn Strauss 37f9b60d5e [mod_authn_ldap] fix mem leak when ldap auth fails (fixes #2849)
thx, codehero

  "Linux OOM kills lighttpd when using mod_authn_ldap"
2017-12-21 17:44:23 -05:00
Glenn Strauss d4083effab [core] fix base64 decode when char is unsigned (fixes #2848)
thx, codehero

  "buffer_append_base64_decode() broken on compilers where char is assumed unsigned"
2017-12-21 17:41:17 -05:00
Glenn Strauss 0c95ed370f [core] report to stderr if errorlog path ENOENT (fixes #2847)
  "handling permissions at startup"
2017-12-11 22:17:00 -05:00
Glenn Strauss 84b5064dc4 [core] discard from socket using recv MSG_TRUNC
discard from socket using recv MSG_TRUNC on Linux TCP SOCK_STREAM socket

Currently, lighttpd supports only TCP SOCK_STREAM.  If UDP SOCK_DGRAM
were to be supported in the future, then socket type will need to be
stored so that MSG_TRUNC is used appropriately for the desired effect.

To find out socket type on arbitrary socket fd:
  getsockopt(..., SOL_SOCKET, SO_TYPE, ...)
but better to store it with each listening socket.
2017-12-11 21:35:31 -05:00
Glenn Strauss e4ed2ed4ae [mod_compress,mod_deflate] try mmap MAP_PRIVATE
try mmap MAP_PRIVATE if mmap MAP_SHARED fails with errno == EINVAL
Some file systems such as jffs2 and btrfs might not support MAP_SHARED
2017-12-09 20:22:29 -05:00
Glenn Strauss bed3779617 [core] fix segfault if tempdirs fill up (fixes #2843)
(thx wolfram)

  "lighttpd segfault if /var/tmp is full"
2017-11-26 17:03:07 -05:00
Glenn Strauss d3b0eb8264 [mod_deflate] fix deflate of file > 2MB w/o mmap
fix deflate of file > 2MB when lighttpd is built without mmap support
2017-11-26 12:40:34 -05:00
Glenn Strauss 3770df2387 [mod_proxy] basic support for HTTP CONNECT method (#2060)
For security reasons, this supports only specific, pre-configured
target backends and not arbitrary CONNECT targets.

  "ssh over https tunnel"
2017-11-25 19:01:16 -05:00
Glenn Strauss d5d0258362 [core] support POLLRDHUP, where available (#2743)
  "mod_cgi, lighty not killing CGI if connection in the other end is closed"
  "1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
2017-11-19 12:01:09 -05:00
Glenn Strauss 9f02df2d39 [mod_accesslog] %{canonical,local,remote}p (fixes #2840)
  "accesslog.format remote_port"
2017-11-17 22:19:40 -05:00
Glenn Strauss e7f5e24aeb [core] adjust offset if response header blank line
When backend returns an invalid response header which is exactly a
blank line (\n or \r\n), adjust the offset so as not to discard the
first character following, which is probably intended to be the
beginning of the response body.
2017-11-15 06:36:58 -05:00
Glenn Strauss de937f47f8 - next is 1.4.49 2017-11-12 00:53:51 -05:00
Glenn Strauss 2c7d70eddb [doc] NEWS 2017-11-11 11:13:39 -05:00
Glenn Strauss d4cdaab15b [doc] fix doc/config/conf.d/fastcgi.conf example
  "Lighttpd not starting up with default fastcgi config"
2017-11-09 22:16:22 -05:00
Stefan Bühler d102a7113f [scons] fix various python2/3 incompatibilities 2017-11-08 00:02:54 -05:00
Glenn Strauss 2728572af3 [core] fix dup typedef compiler warning 2017-11-07 08:52:55 -05:00
Glenn Strauss 06d108855d [mod_openssl] quiet trace from TCP probes (#2784)
  "huge amount of "SSL: -1 5 0 Success" messages"
2017-11-06 21:39:00 -05:00
Glenn Strauss d61714dd0d [mod_authn_sasl] SASL auth (new) (fixes #2275)

HTTP Basic authentication using saslauthd

server.modules += ( "mod_auth" )
server.modules += ( "mod_authn_sasl" )
auth.backend = "sasl"
auth.backend.sasl.opts = ( "pwcheck_method" => "saslauthd" ) # default

  "SASL auth like libapache2-mod-authn-sasl"
2017-11-05 20:11:07 -05:00
Glenn Strauss fdc4c324c4 [mod_authn_ldap] replace use of deprecated funcs
replace use of deprecated funcs
2017-11-05 18:50:25 -05:00
Glenn Strauss 5a5ce3dc75 [doc] NEWS - fix improper format line breaks 2017-11-05 00:36:16 -04:00
Glenn Strauss c09acbeb8a [mod_openssl] ssl.openssl.ssl-conf-cmd (fixes #2758)
(similar to Apache mod_ssl SSLOpenSSLConfCmd directive)


This new directive is for use with OpenSSL only, and is not currently
available in LibreSSL.

lighttpd takes "file commands" not "command line commands" as
openssl SSL_CONF_cmd() appears to permit only one mode at a time.

lighttpd processes this directive after all other ssl.* directives
have been applied for the $SERVER["socket"] scope.

  "Option to disable TLS session tickets"
  "Allow to selectively disable TLS 1.0, 1.1 and 1.2 versions"

github: closes #84
2017-11-04 21:45:33 -04:00
Glenn Strauss 1a22ca87f9 [mod_openssl] allow specifying server cert chain (fixes #2692)
  "allow setting explicit SSL server certificate chain"

github: closes #62
2017-11-04 17:01:32 -04:00
Glenn Strauss 35ecd4dd9d [mod_openssl] more pedantic check of return values
more pedantic check of return values for openssl interfaces

(and minor adjustment of whitespace)

2017-11-04 17:01:01 -04:00
Glenn Strauss da6b2dc1b6 [core] quiet coverity false positive 2017-11-03 23:51:37 -04:00
Glenn Strauss a9d1c46fb9 [build] fix link of test_configfile.c 2017-11-03 23:34:49 -04:00
Glenn Strauss d6e184aca9 [mod_cgi] quiet trace if mod_cgi sends SIGTERM (fixes #2838)
(spurious trace began in lighttpd 1.4.46)

  ".47 always kills git-http-backend"
2017-11-03 23:04:22 -04:00