When the output of include_shell calls include_shell itself,
that second invocation must not truncate the buffer used for the
outer include_shell.
This might sound like a pathological setup in itself, but with
e.g. debian's include-conf-enabled.pl, which outputs a list of
include statements for all files in /etc/lighttpd/conf-enabled,
if any of the *.conf files in that directory invokes include_shell,
the parsing of the rest of the files in that directory is effectively
aborted.
This fixes a regression since commit
a46bc4f5de in such setups.
github: closes #95
equivalent to prior code, but more direct (legibile in code) to look up
empty string than to walk array. Might be marginally faster to walk
array when the list is short, but the lookup is also fairly quick in
that case, too.
send Connection: close if it is known that request body has not finished
being read and will not finish being read
x-ref:
"Suboptimal keep-alive handling when request body is not read"
https://redmine.lighttpd.net/issues/2924
reduce initial buffer size if large POST to backend stored in temp files
regression in lighttpd 1.4.52
(thx rgenoud)
x-ref:
"[regression] lighttpd gets killed after uploading a big file"
https://redmine.lighttpd.net/issues/2922
After 4 seconds, send kill() every second while waiting for child to exit.
Send host->kill_signal for next 4 seconds, then send SIGTERM (usually same
as host->kill_signal) for following 8 seconds, and finally send SIGKILL
each second after that, until the child process dies.
github: closes #94
fix possible NULL pointer dereference when query string not present
and no previous query strings processed by that specific connection
instance
regression in lighttpd 1.4.51 (mod_flv_streaming)
regression in lighttpd 1.4.52 (mod_cml)
workaround for mod_flv_streaming:
url.rewrite-once = ( "\.flv$" => "${url.path}?" )
(similar workaround for mod_cml)
(thx fab)
x-ref:
"segfault with mod_flv_streaming"
https://redmine.lighttpd.net/boards/2/topics/8404
validate UTF-8 in url-decoded paths obtained elsewhere than from request
(burl_normalize(), if enabled with server.http-parseopts, checks url for
overlong encodings of ASCII chars in the HTTP request-line)
buffer_simplify_path() no longer prepends '/' if '/' is missing.
Callers must check for leading '/' depending on use, such as in
concatenation with others paths, or direct use accessing filesystem
Note: lighttpd 1.4.50 provides the server.http-parseopts directive.
Recommended settings unless specific use requires looser settings:
server.http-parseopts = (
"header-strict" => "enable",
"host-strict" => "enable",
"host-normalize" => "enable",
"url-normalize" => "enable",
"url-normalize-unreserved" => "enable",
"url-normalize-required" => "enable",
"url-ctrls-reject" => "enable",
"url-path-2f-decode" => "enable",
"url-path-dotseg-remove" => "enable",
"url-query-20-plus" => "enable"
)
x-ref:
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
As noted in the link above, mod_access should be preferred instead
of mod_rewrite for access controls to URLs.
Martin Storsjö
