Commit Graph

2002 Commits

Author SHA1 Message Date
Glenn Strauss ccd817d3c9 - next is 1.4.42 2016-07-31 08:40:41 -04:00
Glenn Strauss 29fa805695 [doc] NEWS 2016-07-31 02:41:20 -04:00
Glenn Strauss fbae795dfa [cmake] set cmake_minimum_required to 2.8.2
CHECK_SYMBOL_EXISTS() is available in CMake >= 2.8.0
Clang is supported in CMake >= 2.8.2
2016-07-31 02:28:58 -04:00
Stefan Bühler 46b0e01217 [cmake] enable warnings for GCC and Clang
Also set -Wno-cast-align for lemon; lemon is only the parser generator, either
it crashes or it works.
2016-07-30 23:42:57 -04:00
Stefan Bühler f7b3745552 [cmake] always define _GNU_SOURCE
first.h only defines _GNU_SOURCE if no config.h is present.
2016-07-30 14:20:52 +02:00
Glenn Strauss 5863d05ec1 [security] encode quoting chars in HTML and XML
(affects mod_dirlisting, mod_ssi, mod_status)
2016-07-30 04:11:21 -04:00
Glenn Strauss 375022a1d1 fix buffer.c comments to match encoded_chars_*
fix buffer.c comments to match encoded_chars_* changes made in 3943de28
2016-07-30 04:02:21 -04:00
Glenn Strauss ebf3af8b12 [core] fix buffer_copy_string_hex() assert (fixes #2742)
fix buffer_copy_string_hex() passing incorrect length to li_tohex()

(thx Isibaar)

  "Assert wrongly triggered in buffer_copy_string_hex()"
2016-07-30 02:48:20 -04:00
Glenn Strauss acd5e450b5 [security] disable stat_cache if !follow-symlink (fixes #2724)
disable stat_cache if server.follow-symlink = "disable"
if server.stat-cache-engine = "simple".  Caching is still enabled
for server.stat-cache-engine = "fam" since the FAM notification is
almost immediate, however there is still a small race condition.

NOTE: server.follow-symlink = "disable" implementation still has
time-of-check versus time-of-use (ToC-ToU) race conditions and
its use is *not recommended* except to discourage symlinking.
It *does not* prevent symlinking by a determined attacker with
the ability to create files on the server.

server.stat-cache-engine = "disable" can also be used to discourage
symlinking, and also does not eliminate ToC-ToU race conditions.

While more modern systems might use openat() and other *at() routines
to eliminate the ToC-ToU race conditions, this is not currently
implemented in lighttpd.  Besides, for systems needing such
protections against actors able to modify local files, it would be
better to set up multiple lighttpd servers running in separate user
contexts with filesystem permissions preventing access, rather than
giving a single lighttpd server running under a single lighttpd user
access to files across security boundaries, and trying to prevent
access by lighttpd user if a file is a symlink.

Note that there are performance implications to setting either of
  server.follow-symlink = "disable"
  server.stat-cache-engine = "disable"
since stat cache normally reduces filesystem overhead for
frequently-accessed files.

  "security: stat cache *very large* race condition if caching when
follow_symlink disabled"
2016-07-30 02:10:44 -04:00
Glenn Strauss 558bfc4e1e [security] ensure gid != 0 if server.username set (fixes #2725)
server.username can not be root or 0.
server.groupname can not be root or 0.

If server.username is set, previous behavior might retain gid 0
if server.groupname was not set.

New behavior calls setgid() on server.username primary gid, and
then initgroups on server.username if server.username is set but
server.groupname is not set.

  "server.groupname not required with server.username"
2016-07-30 02:10:01 -04:00
Glenn Strauss f7410da5d2 [core] set chunkqueue tempdirs at startup /var/tmp
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /var/tmp which is not often
a tmpfs, unlike /tmp.  Warn at startup if tempdirs are not present.
2016-07-29 15:01:46 -04:00
Glenn Strauss ad6d41896e [core] check if EAI_ADDRFAMILY is defined
(EAI_ADDRFAMILY is not available on FreeBSD)
2016-07-29 12:48:00 -04:00
Glenn Strauss c8e647ad31 [core] set chunkqueue tempdirs at startup
If server.upload-dirs is not configured, then attempt to use TMPDIR
from the environment, if set, or else use /tmp.  Warn at startup if
tempdirs are not present.
2016-07-28 03:57:52 -04:00
Glenn Strauss a62bff9866 [core] fix result copy from getaddrinfo()
(thx avij)
2016-07-27 22:26:32 -04:00
Glenn Strauss a69a803e35 [core] try AF_INET after AF_INET6 if use-ipv6
try AF_INET after AF_INET6 if server.use-ipv6 = "enable" and
getaddrinfo() fails EAI_ADDRFAMILY when hints.ai_family is AF_INET6.
(Prefer IPv6 instead of setting hinst.ai_family to AF_UNSPEC since
lighttpd only uses the first address returned)
2016-07-27 15:37:46 -04:00
Glenn Strauss a95aaa9de9 [TLS] read all available records from SSL_read()
read all available records from SSL_read(), even if larger than
MAX_READ_LIMIT, since the data is already in memory.  openssl is
configured with SSL_MODE_RELEASE_BUFFERS and will release openssl
buffers once records have been read.

Without reading available data, there was a chance that the connection
would hang waiting for a read event on the fd, even though all the
data had already been read from kernel socket buffers and was in openssl
memory waiting to be read with SSL_read().

(thx glen and avij)
2016-07-27 06:00:44 -04:00
Glenn Strauss bce293e4a7 [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
2016-07-27 02:24:53 -04:00
Glenn Strauss 565dec2ff1 [core] consolidate duplicated response_end code 2016-07-26 16:48:20 -04:00
Glenn Strauss 38139fa1a9 [core] permit IPv6 address scope identifier
getaddrinfo() on permits a scope identifier to be part of the IPv6
address string, so permit this syntax in $SERVER["socket"] validation.

2016-07-25 01:01:10 -04:00
Glenn Strauss 9af58a9716 revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
reverts part of commit:dbdab5db which swapped REQUEST_URI, REDIRECT_URI

  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"


REQUEST_URI and REDIRECT_URI are not part of CGI standard environment.
The reason for their existence is that PATH_INFO in CGI environment may
be different from the path in the current request.  The main reason for
this potential difference is that the URI path is normalized to a path
in the filesystem and tested against the filesystem to determine which
part is SCRIPT_NAME and which part is PATH_INFO.  In case-insensitive
filesystems, the URI might be lowercased before testing against the
filesystem, leading to loss of case-sensitive submission in any
resulting PATH_INFO.  Also, duplicated slashes "///" and directory
references "/." and "/.." are removed, including prior path component in
the case of "/..".  This might be undesirable when the information after
the SCRIPT_NAME is virtual information and there target script needs the
virtual path preserved as-is.  In that case, the target script can
re-parse REQUEST_URI (or REDIRECT_URI, as appropriate) to obtain the
unmodified information from the URI.

con->request.uri is equivalent to con->request.orig_uri unless the
request has been internally rewritten (e.g. by mod_rewrite, mod_magnet,
others), in which case con->request.orig_uri is the request made by the
client, and con->request.uri is the current URI being processed.

Historical REQUEST_URI (environment variable) lighttpd inconsistencies
- mod_cml     set REQUEST_URI to con->request.orig_uri
- mod_cgi     set REQUEST_URI to con->request.orig_uri
- mod_fastcgi set REQUEST_URI to con->request.orig_uri
- mod_scgi    set REQUEST_URI to con->request.orig_uri

- mod_ssi     set            REQUEST_URI to current con->request.uri
- mod_magnet  set MAGNET_ENV_REQUEST_URI to current con->request.uri
              and MAGNET_ENV_REQUEST_ORIG_URI to con->request.orig_uri

Historical REDIRECT_URI (environment variable) previously set only in
mod_fastcgi and mod_scgi, and set to con->request.uri

Since lighttpd 1.4.40 provides REDIRECT_URI with con->request.orig_uri,
changes were made to REQUEST_URI for consistency, with the hope that
there would be little impact to existing configurations since the
request uri and original request uri are the same unless there has been
an internal redirect.  It turns out that various PHP frameworks use
REQUEST_URI and require that it be the original URI requested by client.

Therefore, this change is being reverted, and lighttpd will set
REQUEST_URI to con->request.orig_uri in mod_cgi, mod_fastcgi, mod_scgi
as was done in lighttpd 1.4.39 and earlier.  Similarly, REDIRECT_URI
also has the prior behavior in mod_fastcgi and mod_scgi, and added to

A future release of lighttpd might change mod_ssi to be consistent with
the other modules in setting REQUEST_URI to con->request.orig_uri and to
add REDIRECT_URI, when an internal redirect has occurred.
2016-07-23 02:13:41 -04:00
Glenn Strauss ed340897a2 do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
reverts commit:b473220d

  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"
2016-07-23 01:35:13 -04:00
Glenn Strauss b43fc006be [mod_status] show keep-alive status w/ text output (fixes #2740)
  "mod_status with "?auto" modifier not showing keep-alive (k) status
on Scoreboard"
  "server-status - additional stats - keepalive"
2016-07-21 11:19:06 -04:00
Glenn Strauss cd33554b74 [core] $HTTP["remoteip"] must handle IPv6 w/o []
[core] $HTTP["remoteip"] must handle IPv6 w/o [] (existing behavior)
This was inadvertently broken in lighttpd 1.4.40 when IP address
normalization was added.

In $HTTP["remoteip"], IPv6 is now accepted with or without '[]'.
http_request_host_normalize() expects IPv6 with '[]', and config
processing at runtime expects COMP_HTTP_REMOTE_IP compared without '[]',
so '[]' is stripped (internally) after normalization
2016-07-21 01:42:35 -04:00
Glenn Strauss cb468d333c [core] stay in CON_STATE_CLOSE until done with req
Do not switch to CON_STATE_ERROR upon idle timeout if already in
CON_STATE_CLOSE.  Changing to CON_STATE_ERROR might keep resetting
con->close_timeout_ts if repeated calls to shutdown() succeed.
2016-07-20 05:43:39 -04:00
Glenn Strauss 78c79ead4a [core] avoid spurious trace and error abort
HANDLER_COMEBACK and HANDLER_ERROR are valid return values
from dynamic fdevent handlers.  Do not abort if HANDLER_ERROR
is returned.
2016-07-19 17:29:14 -04:00
Glenn Strauss 1ebc83f11f [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms

This commit contains fixes for CMake and SCONS
See also commit:4d920466 which updated for same

  "1.4.40 compiling issuses on Debian Wheezy"
2016-07-19 04:03:14 -04:00
Glenn Strauss 779c133c16 [security] do not emit HTTP_PROXY to CGI env
Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.

This is not a lighttpd security issue per se, but this change to
lighttpd adds a layer of defense to protect backend processes which
might be vulnerable due to blindly using this untrusted environment
variable.  The HTTP_PROXY environment variable should not be trusted
by a program running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
* Modify lighttpd.conf to load mod_magnet and run lua code
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

CGI web servers assign Proxy header values from client requests to
internal HTTP_PROXY environment variables
httpoxy: A CGI application vulnerability
2016-07-19 01:22:33 -04:00
Glenn Strauss d506f4a569 minor: spelling changes in some comments/messages 2016-07-18 23:26:38 -04:00
Glenn Strauss 4d920466f7 [autobuild] clock_gettime() -lrt with glibc < 2.17
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms

On systems without clock_gettime (-cough- Mac OSX -cough-),
use gettimeofday() (deprecated in POSIX.1-2008) which is slightly
lower precision, but reasonably fast in execution.  References:
2016-07-18 23:24:42 -04:00
Glenn Strauss a3ec906ef9 [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
illumos (OpenIndiana) gets FIONREAD from <sys/filio.h>

  "lighttpd 1.4.40 compilation fails on illumos (OpenIndiana)"
2016-07-18 04:40:57 -04:00
fbrosson 72abc87b40 [autobuild] move inet_pton detection later
HAVE_INET_PTON was probably not being defined on Solaris.

While at it, also add detection for accept() in libnetwork for Haiku.

github: closes #68
2016-07-18 00:30:27 -04:00
Glenn Strauss 9c49dc9a5c workaround clang compiler warning 2016-07-17 23:21:50 -04:00
Glenn Strauss acad2c903a fix some warnings reported by cppcheck
fix some warnings reported by cppcheck and
change mod_skeleton.c to use buffer_string_length()
2016-07-17 16:13:31 -04:00
Glenn Strauss 393dfd8cb9 [mod_ssi] fix #config sizefmt="bytes" 2016-07-17 14:54:03 -04:00
Glenn Strauss adf91591fc [doc] update memcache references to memcached 2016-07-17 00:30:24 -04:00
Glenn Strauss 00cc4d7c0e [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
Make Digest authentication more compliant with RFC.

Excerpt from Section 5.13:
    The bottom line is that any compliant implementation will be
    relatively weak by cryptographic standards, but any compliant
    implementation will be far superior to Basic Authentication.

  "Serious security problem in Digest Authentication"
2016-07-16 23:25:53 -04:00
Glenn Strauss 052a049f29 [build] allow AUTHOR, KEYID overrides to packdist 2016-07-16 23:23:24 -04:00
Glenn Strauss 2cdc017fb9 [config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
inherit server.use-ipv6 and server.set-v6only from global scope
into $SERVER["socket"] blocks

(This potential behavior change was announced with lighttpd 1.4.40)

  "$SERVER["socket"] to bind to IPv6 by default"
2016-07-16 16:15:19 -04:00
Glenn Strauss e9c9f42564 remove long-deprecated, non-functional config opts 2016-07-16 16:11:51 -04:00
Glenn Strauss 8f8fa606ca - next is 1.4.41 2016-07-16 07:58:40 -04:00
Glenn Strauss 268c5582b2 [doc] NEWS 2016-07-15 20:02:17 -04:00
Glenn Strauss ee708db9fd [doc] add self to AUTHORS (discussed w/ stbuehler) 2016-07-15 20:00:59 -04:00
Glenn Strauss a83bae5bd2 update lighttpd -h 2016-07-15 19:47:58 -04:00
Glenn Strauss 8861c2bb54 [mod_cgi] handle local redirect response (fixes #2108)
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response

  "CGI local redirect not implemented correctly"
2016-07-14 16:31:08 -04:00
Glenn Strauss bcddcf8b0e [tests] remove some tests duplicated in mod-cgi.t 2016-07-14 13:21:43 -04:00
Glenn Strauss 86cd135b25 [core] fdevent_libev: workaround compiler warning
workaround compiler warning w/ gcc -Wstrict-aliasing=2 -fstrict-aliasing
2016-07-13 16:06:58 -04:00
Glenn Strauss bd8b58cea5 [core] fdevent_libev: update use of ev_timer 2016-07-13 14:10:59 -04:00
Glenn Strauss ce7d040bf3 [mod_access] new directive url.access-allow (fixes #1421)
url.access-allow is list of allowed url suffixes (e.g. file extensions)
If url.access-allow has been set, then deny any URL that does not match
the explicitly listed suffixes.

(thx japc)

  "access_allow directive for lighttpd"
2016-07-13 04:12:08 -04:00
Glenn Strauss 5e76b284df [mod_accesslog] %a %A %C %D %k %{}t %{}T (fixes #1145, fixes #1415, fixes #2081)
add support for additional commonly-used accesslog format flags

  "mod_accesslog cookie field support %{VARNAME}C"
  "access_log : %D time used in ms (not supported)"
  "%{format}t support"
2016-07-12 23:03:16 -04:00
Glenn Strauss a714f4f720 fix gcc 6.1.1 compiler warn misleading-indentation 2016-07-12 20:19:32 -04:00