Commit Graph

1906 Commits

Author SHA1 Message Date
Glenn Strauss e8dd8fdb53 [config] normalize IP strings in lighttpd.conf
normalize IP strings in lighttpd.conf conditionals:
  $SERVER["socket"], $HTTP["remoteip"], and $HTTP["host"]
2016-05-19 19:15:47 -04:00
Glenn Strauss b47494d4cd [config] opts for http header parsing strictness (fixes #551, fixes #1086, fixes #1184, fixes #2143, #2258, #2281, fixes #946, fixes #1330, fixes #602, #1016)
server.http-parseopt-header-strict  = "enable"
server.http-parseopt-host-strict    = "enable"  (implies host-normalize)
server.http-parseopt-host-normalize = "disable"

defaults retain current behavior, which is strict header parsing
and strict host parsing, with enhancement to normalize IPv4 address
and port number strings.

For lighttpd tests, these need to be enabled (and are by default)
For marginally faster HTTP header parsing for benchmarks, disable these.

To allow
  - underscores in hostname
  - hyphen ('-') at beginning of hostname
  - all-numeric TLDs
  server.http-parseopt-host-strict    = "disable"

  "lighttpd doesn't allow underscores in host names"
  "hyphen in hostname"
  "a numeric tld"
  "Numeric tld's"
  "Bad Request"
  "400 Bad Request when using Numeric TLDs"

To allow a variety of numerical formats to be converted to IP addresses
  server.http-parseopt-host-strict    = "disable"
  server.http-parseopt-host-normalize = "enable"

  "URL encoding leads to "400 - Bad Request""
  "400 Bad Request when using IP's numeric value ("ip2long()")"

To allow most 8-bit and 7-bit chars in headers
  server.http-parseopt-header-strict  = "disable"  (not recommended)

  "Russian letters not alowed?"
  "header Content-Disposition with russian '?' (CP1251, ascii code 255) causes error"
2016-05-19 19:15:13 -04:00
Glenn Strauss b29c8efcb9 [mod_fastcgi] no chunked response w/ X-Sendfile (fixes #2733)
  "X-LIGHTTPD-send-file return 0 bytes"
2016-05-18 00:47:23 -04:00
Glenn Strauss c55cf3df10 [mod_cgi,mod_scgi] X-Sendfile sets file_started (fixes #2733)
  "X-LIGHTTPD-send-file return 0 bytes"
2016-05-18 00:05:34 -04:00
Glenn Strauss fde843f63e [mod_ssi] fix parse of tag across buf boundary (fixes #2732)
thx fbrosson

  "char copied to wrong place in SSI output"
2016-05-17 15:33:27 -04:00
Glenn Strauss a8c51b0cbe [core] wrap IPv6 literal in "[]" in redirect URL 2016-05-16 19:50:53 -04:00
Glenn Strauss a5fcfee6fc [mod_ssi] more flexible quoting (fixes #1768)
allow double-quotes, single-quotes or no quote on SSI param values

remove use of PCRE from mod_ssi

fix misspelling of 'unknow' to be 'unknown'

  "mod_ssi doesn't accept single quotes"
2016-05-14 05:50:37 -04:00
Glenn Strauss abfb9d9e2d [mod_ssi] add PCRE_* options to constrain regex 2016-05-14 01:17:52 -04:00
Glenn Strauss ede4d17913 [mod_ssi] include relative to alias,userdir (fixes #222)
adjust paths relative to changes made by mod_alias and mod_userdir

Note: this still works only for direct file inclusion.
lighttpd mod_ssi does not perform an "internal subrequest" for the
virtual path, so things like virtual include of CGI are not supported

  "ssi virtual include uses wrong path"
2016-05-14 01:17:52 -04:00
Glenn Strauss df146a7724 [mod_ssi] fix SSI statement parser
bug introduced in 8e3c6bf7 when statement parser was replaced
2016-05-14 01:17:52 -04:00
Glenn Strauss 45021708bf [mod_accesslog] report aborted con state with %X (fixes #1890)
(compatibility with Apache

  "%X in accesslog.format not working as expected"
2016-05-14 01:17:52 -04:00
Glenn Strauss 427acbf034 [build] enhancements for cross-compiling (fixes #2276)
  "libpcre - specify directory"
2016-05-14 01:17:52 -04:00
Glenn Strauss 0cd7f2dda8 [mod_evasive] 302 redirect option if limit reached (fixes #2199)
  "[mod_evasive] redirect if maximum connections exceeded"
2016-05-13 20:49:33 -04:00
Glenn Strauss bd66026fc2 [config] support include file glob (fixes #1221)
  "support *(wild card character) within include directive"
2016-05-13 20:49:31 -04:00
Glenn Strauss 1cd31ae2cc adjustments for openssl 1.1.0 pre-release 2016-05-11 00:58:26 -04:00
Glenn Strauss 239c7e3026 [doc] NEWS 2016-05-10 22:33:44 -04:00
Glenn Strauss a9568d0ad6 check close() return code after writing to file 2016-05-10 22:33:44 -04:00
Glenn Strauss 29e7468d46 [mod_auth] preserve WWW-Authenticate for error docs (fixes #2730)
fixes auth broken by 9973fdb0:
  [core] reset response headers, write_queue for error docs

  "http auth does not send WWW-Authenticate header in git rev 598cdd0"
2016-05-10 22:33:44 -04:00
Glenn Strauss 98acff0ea0 [core] add default modules while processing server config
(instead of doing separately, before processing server config)
2016-05-10 22:32:03 -04:00
Glenn Strauss edbe157245 [core] simplify config merge of array lists 2016-05-10 22:32:03 -04:00
Glenn Strauss 969456f3fa [core] fix config merge of array lists 2016-05-10 22:32:03 -04:00
Glenn Strauss 83d896d095 static build instructions using SCons or make 2016-05-10 22:32:03 -04:00
Glenn Strauss 598cdd0e5e [core] fix IPv6 address + port parsing (#2204) 2016-05-07 23:08:53 -04:00
Glenn Strauss 1ca52fdce3 build with libressl
libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0
  (thx Christian Heckendorf)

libressl matches ERR_remove_thread_state() signature from openssl 1.0.2
  (libressl pretends that libressl is openssl version 2.0.0,
   but openssl 1.1.0 changes signature of ERR_remove_thread_state())

libressl does not yet provide compatibility interfaces for the new
  prototypes introduced in openssl 1.1.0, including
  DH_set0_pqg() and DH_set_length()

remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005)
  (define USE_OPENSSL_KERBEROS if required)
  (Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)
2016-05-07 12:50:41 -04:00
Glenn Strauss 873eaf3f4a minor: fix compiler warning for extra ';' 2016-05-07 02:46:49 -04:00
Glenn Strauss ccb1f02b83 clean up oneshot_fd resource upon startup error 2016-05-07 01:47:19 -04:00
Glenn Strauss c6edb24803 fix typo in new cgi.x-sendfile directives 2016-05-07 01:18:34 -04:00
Glenn Strauss 299173a3b5 reset response headers, write_queue for error docs 2016-05-02 23:51:58 -04:00
Glenn Strauss 01ec2c458c [doc] NEWS 2016-05-02 23:51:50 -04:00
Glenn Strauss 9b14e017c8 [mod_webdav] improve PROPFIND,PROPPATCH; map COPY/MOVE Destination
map COPY/MOVE Destination to aliases

Merge branch 'bug-1787-webdav-alias-destination' into master

github: closes #61
2016-05-02 23:49:49 -04:00
Glenn Strauss 80bb42266e [mod_webdav] improve PROPFIND,PROPPATCH (#1818, #1953)
fix "allprop" propfind request to report all 'live' properties
add "supportedlock" 'live' property, if ./configure --with-webdav-locks
report collections (directory) paths with trailing slash ('/') on path
redirect operations on collections without trailing slash ('/') to URI
  with trailing slash ('/')

fix PROPPATCH to work properly and eliminate PROPPATCH memory leak
fix property update after MOVE
move CREATE TABLE statements *before* any prepare statements to avoid
  invalidating the prepare statements when the tables are first created
  **thx Uranus Zhou for the explanation:

  "Improve DAV support to be able to handle git as a client"
  "add RFC-compliant LOCK support to mod_webdav"  (still not compliant)

Note: this has not been tested whether or not mod_webdav works with git
The (highly) recommended method to support git via HTTP is to use
git-http-backend via CGI.  gitolite and gitosis provide other good
alternative ways to access git.

This patch does result in more WebDAV 'Litmus' tests passing, even
though mod_webdav still pretends to implement "If" conditional locking,
granting locks to all requestors and not strictly enforcing locks.
2016-05-02 23:48:31 -04:00
Glenn Strauss e0115208ec [mod_webdav] map COPY/MOVE Destination to aliases (fixes #1787)
attempt to remap COPY/MOVE Destination to aliased physical paths
by finding common URI prefix between request URI and Destination
and finding how that part of the request URI was mapped to a
physical path.

This will work if the aliased physical path is above the webdav root.
It is not a good idea to remap physical paths within a webdav root.

Note: webdav paths and webdav properties are managed by mod_webdav,
      so do not modify paths externally or else undefined behavior
      or corruption may occur

  "Bug in mod_webdav when using aliases and MOVE command"
2016-05-02 23:48:31 -04:00
Glenn Strauss 3dc67b3004 [mod_status] add JSON output option (fixed #2432)
  "Adding JSON Output support to mod_status (patch)"
2016-05-02 23:45:18 -04:00
Glenn Strauss 4059dcd60e [mod_fastcgi,mod_scgi] IPv6 support (fixes #2372)
(similar to mod_proxy issue

  "mod_*cgi and ipv6 address"
  "mod_proxy + ipv6"

github: closes #60
2016-05-02 15:34:56 -04:00
Glenn Strauss 89379011df lighttpd run modes for idle timeout, one-shot
lighttpd -i <secs> shutdown after idle time limit (fixes #2696)
lighttpd -1 handles single request on stdin socket (fixes #1584)

Merge branch 'feature-2696-idle-shutdown' into master

github: closes #43
2016-05-02 15:29:58 -04:00
Glenn Strauss 1812f5541a [core] lighttpd -1 handles single request on stdin socket (fixes #1584)
(e.g. when called from xinetd)

Note: lighttpd is designed as a high performance, long-running server,
not a one-shot executable.  This one-shot mode of operation has not been
tuned for performance.  lighttpd server start-up and initialization aims
for correctness, not speed.  If using this one-shot mode as part of fork
and exec from xinetd, then performance is already not of high concern.

  "support for xinetd"
2016-05-02 15:29:33 -04:00
Glenn Strauss 6c35e38fe1 [network] separate addr trans from socket creation
separate addr translation from socket creation in network_server_init()
2016-05-02 15:29:33 -04:00
Glenn Strauss 06b87dee34 [core] cmd line opt to shutdown after idle time limit (fixes #2696)
-i <secs>  graceful shutdown after <secs> of inactivity

Option might be used with applications such as git instaweb.
While git instaweb does have command line options of its own
to [start,stop,restart], some may find it convenient to configure
git instaweb to start lighttpd with a default idle time limit,
after which lighttpd will gracefully shut itself down without
any further action from the user.

  "[PATCH] support -i <secs> idle timeout option"
  original request and patch submitted by mackyle.  thx.
2016-05-02 15:29:17 -04:00
Glenn Strauss a0a7b9fbf5 [mod_ssi, mod_cml] set DOCUMENT_ROOT to basedir (fixes #2383)
fixes inconsistency w/ mod_fastcgi, mod_scgi, mod_cgi change in adc97e5b

  "mod_alias: use alias directory as doc-root too"
  "mod_userdir doesn't set environment variable DOCUMENT_ROOT"
2016-05-02 14:31:36 -04:00
Glenn Strauss 0f7c068010 [doc] NEWS 2016-04-28 13:39:57 -04:00
Glenn Strauss 7841bab0ec [doc] add mimetype.use-xattr to
  "Migrate to definition of xattr mimetype"
2016-04-28 13:29:31 -04:00
Glenn Strauss 4edb65cfa1 [core] preserve PATH_INFO case on case-insensitive fs (fixes #406)
attempt to preserve PATH_INFO case even when the
URI is mapped onto a case-insensitive file system.

NTFS (Windows) is case-insensitive (even though it is case-preserving)
HFS+ (Mac OS X) can be formatted to be case-insensitive

  "... PATH_INFO ... improperly converted to lowercase"
2016-04-28 13:23:29 -04:00
Glenn Strauss 0fb91b026e minor: add missing #include <errno.h>
(needed by connections-glue.c when not building with openssl)
2016-04-28 13:20:34 -04:00
Glenn Strauss c46f0ce027 [core] fallback to write if sendfile not supported (fixes #471, #987)
  "sendfile backends do not fall back to write/writev if they are not supported by the kernel"

github: closes #58
2016-04-28 13:14:39 -04:00
Glenn Strauss b47c393e26 [mod_auth] skip blank lines and comment lines (fixes #2327)
  "Ignore comments and empty lines in ht{digest,passwd} files"
2016-04-28 13:13:43 -04:00
Glenn Strauss 8e3c6bf754 fallback to lseek()/read() if mmap() fails (#fixes 2666)
fallback to lseek()/read() if mmap() fails (#fixes 2666)
e.g. when mmap() is used on lighttpd-controlled temporary files
used for POST request body (mod_cgi) and PUT file upload (mod_webdav)

replace use of stream_open() on potentially untrusted files
(protect against SIGBUS if a file is modified while map is read)
Note: stream.[ch] may be removed in a future release
For now, stream.[ch] will read entire file into memory if mmap fails
and so it should only be used on trusted files, e.g. config files.

http_auth basic and digest files are typically small and so buffered
stdio fopen(), fgets(), fclose() will likely be approximately as fast
as mmap.

mod_dirlisting header and readme files are typically small and so
open(), read(), close() will typically be approximately as fast as mmap

mod_ssi will likely be much faster, now buffering SSI page construction
rather than a potentially huge number of file open() calls, one for each
tiny chunk of text between SSI directives.

mod_webdav COPY and MOVE may be slower due to removal of mmap, but are
now more resilient to partial writes.

  "handle filesystems without mmap() support"
  "WebDAV upload-> mmap failed: operation not permitted"
  "Lighttpd 1.4.20 Crash (SIGBUS in mod_compress)"
  "Crash SIGBUS"

github: closes #57
2016-04-28 13:13:36 -04:00
Glenn Strauss c9b56735b8 [mod_compress] use mmap and trap SIGBUS (#2666, fixes #1879)
use mmap and trap SIGBUS in mod_compress
(if lighttpd is built with --enable-mmap)

mod_compress has not used mmap since Feb 2012 (see #2391)

  "Lighttpd 1.4.20 Crash (SIGBUS in mod_compress)"
  "Crash SIGBUS"
  "handle filesystems without mmap() support"

github: closes #56
2016-04-28 13:11:15 -04:00
Glenn Strauss 3b6fd58fd9 [mod_webdav] lseek,read if fs can not mmap (#2666, fixes #962)
For uploaded files or other request body, fall back to
lseek(),read() if filesystem does not support mmap()

(mmap(), if supported, is utilized regardless of --enable-mmap
 since request body is either in memory or stored in temporary
 files controlled by lighttpd)

  "WebDAV upload-> mmap failed: operation not permitted"
  "handle filesystems without mmap() support"

github: closes #55
2016-04-28 13:10:35 -04:00
Glenn Strauss c380d22729 [mod_cgi,mod_fastcgi,mod_scgi] X-Sendfile features
[core] http_response_send_file() shared code (#2017)
[mod_fastcgi] use http_response_xsendfile()
  (fixes #799, fixes #851, fixes #2017, fixes #2076)
[mod_scgi] X-Sendfile feature (fixes #2253)
[mod_cgi] X-Sendfile feature (fixes #2313)

Merge branch 'feature-2017-http_response_send_file' into master

github: closes #59
2016-04-28 12:58:58 -04:00
Glenn Strauss 1f23ba9adf [mod_cgi] X-Sendfile feature (fixes #2313)
handle X-Sendfile with http_response_xsendfile() if
  cgi.x-sendfile = "enable"

  "X-sendfile support for mod_cgi"
2016-04-27 23:10:24 -04:00