


Glenn Strauss 69c2b2b207 [core] add comment to ck_memeq_const_time()
add comment to ck_memeq_const_time() with some implementation details
2021-10-16 02:05:19 -04:00
Glenn Strauss cf5644e0c2 [mod_webdav] ignore PROPFIND Depth for files
(thx meeb5)

ignore PROPFIND "Depth" request header for files (non-collections)

RFC4918 10.2. Depth Header
"If a resource does not have internal members, then the Depth header MUST be ignored."

x-ref:
  "Webdav + rclone backup"
  https://redmine.lighttpd.net/boards/2/topics/10081
2021-10-16 01:58:37 -04:00
Glenn Strauss 8d13233b69 [mod_ajp13,mod_fastcgi] comment: no response body
add comment for handling of streaming with no response body

add commented-out code to disable streaming to wait for backend protocol
to signal end of response (prevent http_response_write_prepare() from
short-circuiting and finishing responses without response body)

x-ref:
  "FastCGI premature socket close with response streaming and 204 status"
  https://redmine.lighttpd.net/boards/2/topics/10066
2021-10-16 01:58:37 -04:00
Glenn Strauss b1d1202af8 [mod_auth] fix Basic auth passwd cache (fixes #3112)
(thx manfred)

Basic auth passwd cache might fail to match when it should have
matched (false negative) when comparing an uninitialized byte.
That bug "fails closed" and does not use the cache when it could.
This patch allows for proper match in the cache when it should match.

x-ref:
  https://redmine.lighttpd.net/issues/3112
  "mod_auth cache password doesn't match"
2021-10-16 01:57:50 -04:00
Glenn Strauss f5b5537ef1 [core] fix HTTP/2 upload > 64k w/ max-request-size (fixes #3108)
fix HTTP/2 upload > 64k with server.max-request-size > 0

(regression present only in lighttpd 1.4.60)

(thx SM)

x-ref:
  "File upload is broken after upgrade from 1.4.59 to 1.4.60"
  https://redmine.lighttpd.net/issues/3108
2021-10-14 16:16:36 -04:00
Glenn Strauss 0e093d66ba [mod_extforward] keep remote IP thru request reset
preserve remote IP until request reset

(historical IP restore in request_done hook was obsoleted by
 commit fea5bdc8 in which request plugin context was split from
 connection plugin context, and by much older commits which
 ensured that request_reset hook was always run)

x-ref:
  "Remote address behind reverse proxy not logged"
  https://redmine.lighttpd.net/boards/2/topics/10041
2021-10-12 22:21:42 -04:00
Glenn Strauss 16f16dbfd5 [doc] update INSTALL 2021-10-12 16:13:51 -04:00
Glenn Strauss a5581b0319 [core] avoid repeated typedef for fdlog_st
x-ref:
  "Lighttpd 1.4.60 make error typedef fdlog_st redefinition"
  https://redmine.lighttpd.net/boards/3/topics/10043
2021-10-12 11:12:34 -04:00
9 changed files with 45 additions and 24 deletions


@ -141,6 +141,7 @@ required packages to run test harness ::
perl-HTTP-Message
perl-IO-HTML
perl-LWP-MediaTypes
perl-Test-Harness
perl-Tie-Function
perl-TimeDate


@ -270,6 +270,11 @@ ck_memeq_const_time (const void *a, const size_t alen, const void *b, const size
/* rounds to next multiple of 64 to avoid potentially leaking exact
* string lengths when subject to high precision timing attacks
*/
/* Note: implementation detail
* each string is expected to have a valid char one byte after len,
* i.e. a[alen] and b[blen], and which must match if the strings match.
* (In most use cases, this char is end of string '\0').
*/
/* Note: some libs provide similar funcs but might not obscure length, e.g.
* OpenSSL:
* int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len)
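Review bot: The new note describes the one-byte-past-len read as something each string "is expected to have", which reads as a hint rather than the hard precondition it is: a caller passing a buffer of exactly alen or blen bytes (a raw digest with no terminator, for instance) performs an out-of-bounds read, and the mod_auth cache fix in this same series is an instance of that read landing on an uninitialized byte. Suggest making the first line of the note a requirement, `* this function reads a[alen] and b[blen]; callers MUST provide that byte`, and keeping the '\0' sentence as the common case. The body of ck_memeq_const_time() continues outside the hunk, so I cannot confirm from here whether the read is unconditional on every path; if it is, the same wording belongs on the declaration in the header.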


@ -5,12 +5,12 @@
#include "base_decls.h"
#include "buffer.h"
typedef struct fdlog_st {
struct fdlog_st {
enum { FDLOG_FILE, FDLOG_FD, FDLOG_SYSLOG, FDLOG_PIPE } mode;
int fd;
buffer b;
const char *fn;
} fdlog_st;
};
__attribute_cold__
__attribute_returns_nonnull__


@ -1742,6 +1742,7 @@ h2_init_con (request_st * const restrict h2r, connection * const restrict con, c
con->read_idle_ts = log_monotonic_secs;
con->keep_alive_idle = h2r->conf.max_keep_alive_idle;
/*(h2r->h2_rwin must match value assigned in h2_init_stream())*/
h2r->h2_rwin = 65535; /* h2 connection recv window */
h2r->h2_swin = 65535; /* h2 connection send window */
/* settings sent from peer */ /* initial values */
@ -2552,7 +2553,7 @@ h2_init_stream (request_st * const h2r, connection * const con)
/* XXX: TODO: assign default priority, etc.
* Perhaps store stream id and priority in separate table */
h2c->r[h2c->rused++] = r;
r->h2_rwin = h2c->s_initial_window_size;
r->h2_rwin = 65535; /* must keep in sync with h2_init_con() */
r->h2_swin = h2c->s_initial_window_size;
r->http_version = HTTP_VERSION_2;
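Review bot: `r->h2_rwin = 65535; /* must keep in sync with h2_init_con() */` duplicates the literal that h2_init_con() assigns and relies on a mirrored comment at each site to keep them equal; that coupling is only advisory. A single file-scope constant used in both assignments, e.g. `enum { H2_INIT_RWIN = 65535 };` (name chosen here for illustration), would make the sync comments unnecessary and let the compiler enforce it. The change itself looks right as far as the hunk shows: the peer's SETTINGS_INITIAL_WINDOW_SIZE governs the send direction only, so the local receive window should not have been taken from `h2c->s_initial_window_size`. Both h2_init_con() and h2_init_stream() extend outside the hunks.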


@ -845,6 +845,21 @@ ajp13_recv_parse (request_st * const r, struct http_response_opts_t * const opts
r->conf.stream_response_body &=
~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
}
#if 0
else if ((r->conf.stream_response_body &
(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN))
&& ( r->http_status == 204
|| r->http_status == 205
|| r->http_status == 304
|| r->http_method == HTTP_METHOD_HEAD)) {
/* disable streaming to wait for backend protocol to signal
* end of response (prevent http_response_write_prepare()
* from short-circuiting and finishing responses without
* response body) */
r->conf.stream_response_body &=
~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
}
#endif
}
else {
log_error(errh, __FILE__, __LINE__,
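Review bot: The `#if 0` block added after the closing brace near the top of the hunk is dead code: it is never compiled or tested, and the comment inside it says what it would do but not why it is disabled or what would make it safe to enable, so it will rot silently. The identical block is added to fcgi_recv_parse() in mod_fastcgi.c. If it is kept as a reference, a one-line lead-in before `#if 0` such as `/* disabled; kept as reference for the premature-close case, x-ref redmine topics/10066 */` would record the reason, and a `static_assert`-free alternative is to describe the approach in the comment and drop the code. ajp13_recv_parse() starts and ends outside the hunk.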


@ -63,7 +63,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
*(store pointer to http_auth_require_t, which is persistent
* and will be different for each realm + permissions combo)*/
http_auth_cache_entry * const ae =
malloc(sizeof(http_auth_cache_entry) + ulen + pwlen);
malloc(sizeof(http_auth_cache_entry) + ulen + pwlen+1);
force_assert(ae);
ae->require = require;
ae->ctime = log_monotonic_secs;
@ -74,6 +74,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
ae->pwdigest = ae->username + ulen;
memcpy(ae->username, username, ulen);
memcpy(ae->pwdigest, pw, pwlen);
ae->pwdigest[pwlen] = '\0';
return ae;
}
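Review bot: `ae->pwdigest[pwlen] = '\0';` with the matching `pwlen+1` in the allocation fixes the read of an uninitialized heap byte, but neither line says why the extra byte exists; suggest `ae->pwdigest[pwlen] = '\0'; /* comparison reads one byte past pwlen */` (presumably ck_memeq_const_time(), whose comment in this series documents that read, though the compare call is outside the hunk). The username is copied with exactly `ulen` bytes and `ae->pwdigest` starts immediately after it, so `ae->username[ulen]` is the first digest byte rather than a terminator; if the username is compared with the same helper, that would reproduce the false-negative this commit fixes, which is worth confirming against the lookup code. http_auth_cache_entry_init() begins outside the hunk.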


@ -43,28 +43,13 @@
* config. However "all" has effect only on connecting IP, as the
* X-Forwarded-For header can not be trusted.
*
* Note: The effect of this module is variable on $HTTP["remotip"] directives and
* Note: The effect of this module is variable on $HTTP["remoteip"] directives and
* other module's remote ip dependent actions.
* Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
* Things done in between these two moments will match on the real client's IP.
* The moment things are done by a module depends on in which hook it does things and within the same hook
* on whether they are before/after us in the module loading order
* (order in the server.modules directive in the config file).
*
* Tested behaviours:
*
* mod_access: Will match on the real client.
*
* mod_accesslog:
* In order to see the "real" ip address in access log ,
* you'll have to load mod_extforward after mod_accesslog.
* like this:
*
* server.modules = (
* .....
* mod_accesslog,
* mod_extforward
* )
*/
@ -1218,7 +1203,6 @@ int mod_extforward_plugin_init(plugin *p) {
p->handle_connection_accept = mod_extforward_handle_con_accept;
p->handle_uri_raw = mod_extforward_uri_handler;
p->handle_request_env = mod_extforward_handle_request_env;
p->handle_request_done = mod_extforward_restore;
p->handle_request_reset = mod_extforward_restore;
p->handle_connection_close = mod_extforward_handle_con_close;
p->set_defaults = mod_extforward_set_defaults;
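Review bot: With `p->handle_request_done = mod_extforward_restore;` removed, the header comment in the first hunk no longer tells readers when the proxy IP is restored, and the deleted "Tested behaviours" paragraph was the only place that told operators about module ordering relative to mod_accesslog. Suggest adding, after the sentence about "before/after us in the module loading order", a line such as `* The client IP set by this module is kept until the request is reset, so hooks run at request completion (access logging, for example) see the real client IP regardless of module order.` — assuming, as the commit message states, that request_reset always runs after request_done. Whether any remaining hook still depends on the old request_done restore is not visible in this section.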


@ -452,6 +452,21 @@ static handler_t fcgi_recv_parse(request_st * const r, struct http_response_opts
r->conf.stream_response_body &=
~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
}
#if 0
else if ((r->conf.stream_response_body &
(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN))
&& ( r->http_status == 204
|| r->http_status == 205
|| r->http_status == 304
|| r->http_method == HTTP_METHOD_HEAD)) {
/* disable streaming to wait for backend protocol to signal
* end of response (prevent http_response_write_prepare()
* from short-circuiting and finishing responses without
* response body) */
r->conf.stream_response_body &=
~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
}
#endif
} else if (hctx->send_content_body) {
if (0 != mod_fastcgi_transfer_cqlen(r, hctx->rb, packet.len - packet.padding)) {
/* error writing to tempfile;


@ -4014,9 +4014,8 @@ mod_webdav_propfind (request_st * const r, const plugin_config * const pconf)
http_status_set_error(r, 403);
return HANDLER_FINISHED;
}
else if (0 != pb.depth) {
http_status_set_error(r, 403);
return HANDLER_FINISHED;
else {
pb.depth = 0;
}
pb.proplist.ptr = NULL;
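Review bot: `pb.depth = 0;` in the new else branch overrides whatever Depth the client sent without any comment, and the RFC rule that justifies it lives only in the commit message. Suggest `pb.depth = 0; /* RFC 4918 10.2: Depth MUST be ignored for non-collections */`. Note that this replaces a 403 for Depth != 0 on a file with a normal PROPFIND response, so behaviour visible to clients changes and deserves a NEWS entry. mod_webdav_propfind() begins and ends outside the hunk.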