Commit Graph

3660 Commits (c68a7b4552b49052b3876a3e41d772ab051a1d3c)

Author SHA1 Message Date
Glenn Strauss c68a7b4552 [tests] collect code for "die-at-end" tests 2020-12-18 20:36:30 -05:00
Glenn Strauss 0bff6d58bc [mod_wolfssl] compile with earlier wolfSSL vers
compatibility to compile with earlier wolfSSL versions

compile-tested back to wolfSSL tag v3.14.0-stable
configured with (possibly extra flags)
  ./configure --enable-opensslextra --enable-opensslall --enable-sni \
    --enable-lighty --enable-stunnel --enable-nginx --enable-haproxy

Functionality has not been tested!
Please consider using the latest stable release of wolfSSL.
2020-12-18 20:36:25 -05:00
Glenn Strauss 6cf92dffe3 [mod_wolfssl] use wolfSSL TLS version defines
now that mod_wolfssl is a standalone module, use wolfSSL TLS ver defines

(Increase compatibility of mod_wolfssl with wolfSSL versions prior to
 wolfSSL v4.2.0)
2020-12-17 21:09:59 -05:00
Glenn Strauss ae77d8ae6e - next is 1.4.58 2020-12-17 04:31:59 -05:00
Glenn Strauss 91250ee0bd [doc] NEWS 2020-12-17 04:03:25 -05:00
Glenn Strauss 881d05076a [core] attempt to quiet some coverity warnings 2020-12-17 04:01:34 -05:00
Glenn Strauss cabced1f9f [core] fix decoding chunked from backend (fixes #3049)
(thx flynn)

fix decoding chunked from backend

truncate response and error out if backend sends excess data
after chunked encoding

  "Too much content with HTTP/2.0"
2020-12-17 03:59:41 -05:00
Glenn Strauss eda12aee22 [core] fix crash printing trace if backend is down 2020-12-16 20:07:21 -05:00
Glenn Strauss 76faed9145 [multiple] replace fall through comment with attr
replace /* fall through */ comment with __attribute_fallthrough__ macro

Note: not adding attribute to code with external origins:
  xxhash.h (algo_xxhash.h)
so to avoid warnings, may need to compile with -Wno-implicit-fallthrough
2020-12-16 05:16:25 -05:00
Glenn Strauss fefdf7f097 [core] fix array_copy_array() sorted[]
fix array_copy_array() sorted[]
(current use appears to be only on value lists; not user-visible issue)

Some time back, sorted[] was a set of indexes into data[],
and therefore sorted[] could be copied when copying array.
Now that sorted[] is a list of pointers, the sorted[] list
must be rebuilt.  If copied, it continued to point to
(data_unset *) from the original src array, not the dst array.
2020-12-16 02:00:17 -05:00
Glenn Strauss 20b54fa918 [mod_authn_ldap, mod_vhostdb_ldap] default cafile
set default cafile at startup if cafile configured in global scope
2020-12-16 02:00:17 -05:00
Glenn Strauss 2565ad1b86 [mod_authn_ldap] fix crash (fixes #3048)
(thx mgottinger)

fix crash due to uninitialized memory during config parsing

  "Broken LDAP authentication on lighttpd 1.4.56"
2020-12-16 02:00:17 -05:00
Glenn Strauss fe5740d5e5 [mod_proxy] proxy.header = ("force-http10" => ...)
compatibility option to force HTTP/1.0 requests to mod_proxy backend
proxy.header += ("force-http10" => "disable")  (default)

If proxy.header is set (for any options), it overrides the global
server.feature-flags += ("proxy.force-http10" => "disable")
2020-12-16 02:00:17 -05:00
Glenn Strauss bbd958382e [core] reorder srv->config_context to match ndx (fixes #3047)
(thx altblue)

reorder dc->context_ndx to match srv->config_context->data[] index.
srv->config_context->data[] may have been re-ordered in configparser.y.
Since the dc->context_ndx (id) is reused by config_insert*() and by
plugins to index into srv->config_context->data[], reorder into the
order encountered during config file parsing for least surprise to
end-users writing config files.

  "mismatched nested config conditions in lighttpd 1.4.56"
2020-12-16 02:00:17 -05:00
Glenn Strauss b467ba1bbf [core] enhance config parsing debugging (#3047)
enhance config parsing debugging to add condition string

  "mismatched nested config conditions in lighttpd 1.4.56"
2020-12-16 02:00:17 -05:00
Glenn Strauss 903024d711 [core] track Content-Length from backend (fixes #3046)
track Content-Length from backend in r->resp_body_scratchpad

  "Failure on second request in http proxy backend"
2020-12-16 02:00:17 -05:00
Glenn Strauss e9309ae6e6 [core] li_restricted_strtoint64()
(make public for reuse)
2020-12-15 22:31:08 -05:00
Glenn Strauss 167513c840 [core] track chunked encoding state from backend (fixes #3046)
(thx flynn)

track chunked encoding state when parsing backend response

  "Failure on second request in http proxy backend"
2020-12-14 19:59:08 -05:00
Glenn Strauss 3230c6ef17 [core] reject excess data after chunked encoding (#3046)
reject excess data after chunked encoding when parsing backend response

  "Failure on second request in http proxy backend"
2020-12-14 19:55:00 -05:00
Glenn Strauss 163cb8be28 [core] fix chunked decoding from backend (fixes #3044)
(thx flynn)

  "Socket errors after update to version 1.4.56"
2020-12-14 12:34:49 -05:00
Glenn Strauss 4933a2259b [core] warn if mod_authn_file needed in conf
warn if mod_authn_file is not listed in lighttpd.conf, but is needed
2020-12-13 06:01:51 -05:00
Glenn Strauss a360eafc8b [mod_nss] portability fix
check if NSS supports TLSv1.3 ciphers
(very old versions do not, and admins should consider upgrading NSS)
2020-12-10 13:04:39 -05:00
Glenn Strauss 1d73fc2329 [core] portability fix if st_mtime not defined 2020-12-09 17:39:43 -05:00
Glenn Strauss 8a2f9c1173 [TLS] POSIX sh compat (fixes #3043)
(thx flynn)  (patch from flynn)

  " not POSIX compatible"
2020-12-09 17:07:43 -05:00
Glenn Strauss de29a37771 [core] skip some trace if backend Upgrade (#3044)
(thx flynn)

To reduce log noise, skip warning trace reporting error on backend
socket if the connection has been upgraded, e.g. to websockets

  "Socket errors after update to version 1.4.56"
2020-12-09 17:07:43 -05:00
Glenn Strauss 1d9cab1bc3 [core] always set file.fd = -1 on FILE_CHUNK reset (fixes #3044)
(thx flynn)

  "Socket errors after update to version 1.4.56"
2020-12-09 17:07:37 -05:00
Glenn Strauss d15e2286f2 [core] fix handling chunked response from backend (fixes #3044)
(thx flynn)

When the backend sends Transfer-Encoding: chunked (which is HTTP/1.1,
not HTTP/1.0) and the client is HTTP/1.1, then lighttpd will transfer
the chunked encoding as it is sent from the backend without excess data
copying involved in decoding and then re-encoding. The bug is that if
the first data chunk (or chunks) is partially received at the same time
as the response headers, then the chunked encoding got corrupted.

  "Socket errors after update to version 1.4.56"
2020-12-09 02:59:36 -05:00
Glenn Strauss adf7aea0e1 [core] wrap a macro value with parens
(code review)
2020-12-08 15:17:11 -05:00
Glenn Strauss a43420ba07 [mod_wolfssl] add complex preproc logic for SNI
add complex preproc logic for SNI detection
- HAVE_SNI is not sufficient
- HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0)
Instead, use more complex logic wrapping calls to SNI_Callback()
in wolfssl.

  "[lighttpd] -mod-wolfssl inhibited by missing library functionality"
  "put all SNI code behind simpler preprocessor directive HAVE_SNI"
2020-12-06 22:50:49 -05:00
Glenn Strauss 083b3fb992 [core] SHA512_Init, SHA512_Update, SHA512_Final 2020-12-06 19:59:24 -05:00
Glenn Strauss aa3cabae3b [mod_openssl] remove ancient preprocessor logic
remove ancient preprocessor logic which might define OPENSSL_NO_TLSEXT

The logic was added to base.h in
some 13 years ago, and today might cause more harm than good with other
TLS libraries which provide some level of openssl-compatiblity layer,
e.g. BoringSSL and LibreSSL

If building with an ancient version of openssl and building without
support for TLS extensions, then be sure that OPENSSL_NO_TLSEXT is
defined.  (Alternatively, please consider using modern versions of
security libraries for better security.)
2020-12-06 02:08:06 -05:00
Glenn Strauss a27e55b2dd [core] add missing mod_wolfssl to ssl compat list
add missing mod_wolfssl to ssl compat module list

  "[lighttpd] -mod-wolfssl fails (requires dependency on -mod-openssl?)"
2020-12-05 11:19:03 -05:00
Glenn Strauss ce1d45ed82 [build] fix SCons build when building all TLS mods 2020-12-05 02:30:15 -05:00
Glenn Strauss 3579c32295 [core] prefer inet_aton() over inet_addr() 2020-12-05 02:18:58 -05:00
Glenn Strauss 233a218ab3 [build] fix when building all TLS mods
  "[lighttpd] -mod-openssl fails"
  "[lighttpd] -mod-wolfssl fails"
2020-12-03 17:16:52 -05:00
Glenn Strauss f8369910ff [core] setsockopt IPV6_V6ONLY if server.v4mapped
always setsockopt IPV6_V6ONLY on IPv6 addrs if server.v4mapped
is configured
2020-12-02 17:46:21 -05:00
Glenn Strauss b9bdca9b8a [mod_webdav] define _ATFILE_SOURCE if AT_FDCWD 2020-12-01 17:08:19 -05:00
Glenn Strauss 2d55953e75 [core] allow keep-alives in one-shot mode (#3042)
  "lighttpd on demand"
2020-11-30 19:32:23 -05:00
Glenn Strauss f279ae7d50 [core] quiet start/shutdown trace in one-shot mode 2020-11-30 19:31:54 -05:00
Glenn Strauss 716e4d7a5d [core] fix lighttpd -1 one-shot with pipes 2020-11-30 19:31:05 -05:00
Glenn Strauss ba995e9ec9 [core] handle U+00A0 in config parser
treat U+00A0 (c2 a0) "NO-BREAK SPACE" as whitespace between tokens

2020-11-30 11:19:55 -05:00
Glenn Strauss ab5ae94509 [mod_webdav] compile fix for Mac OSX/11 2020-11-30 01:38:08 -05:00
Glenn Strauss 01d49a283d [core] attempt to quiet some coverity warnings
read() on inotify fd does not return partial records,
and the info from the kernel can be trusted.  Still add a sanity check.

If initialization of inotify fails, server will subsequently exit,
so memory leak reported by coverity is insignificant.
2020-11-29 20:04:19 -05:00
Glenn Strauss afa6595a7b - next is 1.4.57 2020-11-29 19:15:06 -05:00
Glenn Strauss b8e011d230 [doc] NEWS 2020-11-29 16:31:14 -05:00
Glenn Strauss ae228cadb5 [mod_webdav] workaround for gvfs dir redir bug
workaround for gvfs dir redir bug

fix for unhandled live properties

(thx montvid)

  "lighttpd webdav does not work with Nemo, Nautilus gvfs"
2020-11-29 12:20:00 -05:00
Glenn Strauss 025f2d0dad [core] server.v4mapped option
For IPv6 listen addresses:
server.v4mapped = "disable" results in IPV6_V6ONLY socket opt set to 0
server.v4mapped = "enable"  results in IPV6_V6ONLY socket opt set to 1

server.v4mapped has an effect only if explicitly set in lighttpd.conf.
If not set, the socket option is inherited from kernel defaults, which
may vary on different OS.

server.v4mapped takes priority over server.set_v6only

server.set_v6only behavior is inconsistent and depreacted.
server.set_v6only behavior differs from server.v4mapped in that
server.set_v6only = "enable" will cause the IPV6_V6ONLY socket
option to be set to 1 for IPv6 listening sockets configured via
$SERVER["socket"] in lighttpd.conf, is enabled by default, and
has no effect if set to "disable"

Note: IPv4-mapped addresses may bring potential security issues,
depending on the situation.  For example, lighttpd does not attempt
to match IPv4 addresses with IPv4-mapped addresses.  Other writings:
2020-11-29 09:13:19 -05:00
Glenn Strauss a0ad558006 [mod_status] add additional HTML-encoding 2020-11-27 19:39:59 -05:00
Glenn Strauss 54922d61af [mod_fastcgi] move src/fastcgi.h into src/compat/ 2020-11-27 08:12:21 -05:00
Glenn Strauss 88433270c6 [mod_webdav] fallbacks if _ATFILE_SOURCE not avail
Note: filesystem access race conditions exist without _ATFILE_SOURCE
2020-11-27 08:12:21 -05:00