convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
config_setup_connection() is run when con struct is init'd and in
connection_reset(), after each request is processed. It also must be
called upon HANDLER_COMEBACK when the request needs to be re-parsed,
but it need not be run twice in common scenario without HANDLER_COMEBACK
even 2 billion is way larger than even extreme operating values
expected for the members in base.h
include some structs directly in struct server, rather than by ptr
specialized buffer_eq_icase_ssn func replace strncasecmp()
in cases where string lengths are known to be at least as
large as the len being compared case-insensitively
200 for OPTIONS /non-existent/path HTTP/1.1 when a module,
such as mod_webdav, has set Allow response header
x-ref:
"OPTIONS should return 2xx status for non-existent resources if Allow is set"
https://redmine.lighttpd.net/issues/2939
send Connection: close if it is known that request body has not finished
being read and will not finish being read
x-ref:
"Suboptimal keep-alive handling when request body is not read"
https://redmine.lighttpd.net/issues/2924
buffer_simplify_path() no longer prepends '/' if '/' is missing.
Callers must check for leading '/' depending on use, such as in
concatenation with others paths, or direct use accessing filesystem
Note: lighttpd 1.4.50 provides the server.http-parseopts directive.
Recommended settings unless specific use requires looser settings:
server.http-parseopts = (
"header-strict" => "enable",
"host-strict" => "enable",
"host-normalize" => "enable",
"url-normalize" => "enable",
"url-normalize-unreserved" => "enable",
"url-normalize-required" => "enable",
"url-ctrls-reject" => "enable",
"url-path-2f-decode" => "enable",
"url-path-dotseg-remove" => "enable",
"url-query-20-plus" => "enable"
)
x-ref:
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
As noted in the link above, mod_access should be preferred instead
of mod_rewrite for access controls to URLs.
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b). Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.
(buffer_reset() should still be used with buffers in connection *con
when the data in the buffers is supplied by external, untrusted source)
skip redundant calls to buffer_string_prepare_copy() when simply
clearing buffer is sufficient, e.g. when a blanked buffer is desired
before calling buffer_append_strftime(), which internally prepares
buffer for the resultant formatted string
server.http-parseopts = ( ... ) URL normalization options
Note: *not applied* to CONNECT method
Note: In a future release, URL normalization likely enabled by default
(normalize URL, reject control chars, remove . and .. path segments)
To prepare for this change, lighttpd.conf configurations should
explicitly select desired behavior by enabling or disabling:
server.http-parseopts = ( "url-normalize" => "enable", ... )
server.http-parseopts = ( "url-normalize" => "disable" )
x-ref:
"lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
https://www.cvedetails.com/cve/CVE-2008-4359/
"Rewrite/redirect rules and URL encoding"
https://redmine.lighttpd.net/issues/1720
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
(thx ReimuHakurei)
x-ref:
"Regression: PHP URLs return 404 from lighttpd when they contain PATH_INFO ending in a trailing slash."
https://redmine.lighttpd.net/issues/2861
