Activity
From 2026-06-04 to 2026-06-10
Today
- GS 02:59 Lighttpd Bug #3309: [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- Put another way, any vulnerable scenario requires a vulnerable client (Ruby Net::HTTP), and that is sufficient by itself. The client is vulnerable due to improper coding of the client to reject the invalid Content-Length. If the client...
- GS 02:51 Lighttpd Bug #3309: [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- As I noted above, if a client fails to reject the invalid (RFC violation) Content-Length, then a CVE should be issued to the client. In your example, that would be Ruby Net::HTTP. Ruby Net::HTTP fails to reject invalid Content-Length a...
- TY 02:23 Lighttpd Bug #3309: [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- gstrauss wrote in #note-7:
> I would like to also note that your attack vector also requires the target client to violate the RFC specification by accepting that invalid @Content-Length@. Are you aware of any such clients which support...
- GS 00:12 Lighttpd Revision 33de4c63: [core] propagate backend errs for h2 to RST_STREAM
- e.g. an incomplete response from FastCGI or incomplete chunked encoding
(Transfer-Encoding: chunked) will result in lighttpd mod_h2 sending the
data received for the response (up to that point), and then sending
HTTP/2 RST_STREAM frame t...
2026-06-09
- GS 16:39 Lighttpd Revision c6fe3e8a: [mod_wstunnel] optimize unmasking client payload
- GS 03:56 Lighttpd Revision 654f5907: [mod_wstunnel] stricter RFC 6455 compliance
- stricter handling of continuation frames
stricter compliance sending CLOSE frames before closing connection
- GS 01:52 Lighttpd Revision 80b73b83: [mod_wstunnel] reduce handler_ctx struct size
- remove log_error_st *errh
- GS 01:41 Lighttpd Revision f862af92: [cmake] fix typos for mbedtls, tfpsacrypto libs
- GS 01:13 Lighttpd Revision 5e861cfd: [mod_wstunnel] adjust parsing extended frame lens
- parse unsigned short earlier when bytes are known to be available
2026-06-08
- GS 14:32 Lighttpd Revision e0bb41ac: [mod_wstunnel] disable hybi-00; obsolete
- GS 13:38 Lighttpd Bug #3309: [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- I would like to also note that your attack vector also requires the target client to violate the RFC specification by accepting that invalid @Content-Length@. Are you aware of any such clients which support multiple requests on an HTTP/...
- GS 13:32 Lighttpd Bug #3309: [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- > I would like to ask whether this vulnerability will be assigned a CVE?
I do not believe a CVE is indicated here. While this is a bug in lighttpd conformance to the RFC, lighttpd is not a generic proxy to untrusted targets on the in...
- TY 08:14 Lighttpd Bug #3309: [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- gstrauss wrote in #note-4:
> Applied in changeset commit:7db9162b89d8d4a75e2311242f6bd806591b72b4.
I would like to ask whether this vulnerability will be assigned a CVE?
- GS 13:12 Lighttpd Bug #3308: Unbounded file descriptor accumulation in stat_cache_entry->fd under concurrent small-file serving causes EMFILE
- > We've deployed your EMFILE stat_cache recovery patch on a StarlingX STD lab (8 nodes, lighttpd serving ostree repos with server.max-fds = 16384).
You should be able to answer most of your questions by testing your 6-node system with a...
- SV 12:49 Lighttpd Bug #3308: Unbounded file descriptor accumulation in stat_cache_entry->fd under concurrent small-file serving causes EMFILE
- gstrauss wrote in #note-13:
> [...]
Apologies for the delayed response on testing your patch.
We've deployed your EMFILE stat_cache recovery patch on a StarlingX STD lab (8 nodes, lighttpd serving ostree repos with server.max-fd...
2026-06-07
- GS 17:41 Lighttpd Revision 73825840: [doc] update doc/initscripts.txt
- GS 16:44 Lighttpd Revision 06a1b996: [core] adjust trace for server.max-connections
- GS 14:40 Lighttpd Bug #3300 (Fixed): mod_proxy map-urlpath rewrites redirects to external domains
- Applied in changeset commit:991dfd9066d9ef69d556f476feceb57b01deb8f9.
- GS 14:40 Lighttpd Bug #3308 (Fixed): Unbounded file descriptor accumulation in stat_cache_entry->fd under concurrent small-file serving causes EMFILE
- Applied in changeset commit:965cf6c99bb27467ba19be7cf0d0936fd81a37cd.
- GS 14:40 Lighttpd Bug #3309 (Fixed): [HTTP Response Smuggling] Invalid backend Content-Length is forwarded to clients
- Applied in changeset commit:7db9162b89d8d4a75e2311242f6bd806591b72b4.
- GS 14:40 Lighttpd Feature #3304 (Fixed): Host selection for sockproxy via SNI
- Applied in changeset commit:6104d5155b4e4a071c09503507171bf2c24740ef.
- GS 14:36 Lighttpd Bug #3310 (Fixed): build error against nettle 4
- Already fixed in lighttpd git master
commit commit:de7bc3f29af2917dfaceabafb571d0d57fa08eb8
- AM 14:32 Lighttpd Bug #3310 (Fixed): build error against nettle 4
- lighttpd 1.4.82 fails to build against nettle 4.0 with:
- GS 02:47 Lighttpd Revision 6f200c9d: [core] use tempfiles for HTTP/1.1 upgraded backend
- use tempfiles for reqbody_queue for HTTP/1.1 upgraded requests to
backends, e.g. mod_wstunnel. The backend may be slow reading the
request body.
x-ref:
https://github.com/lighttpd/lighttpd1.4/pull/158#issuecomment-4607528050
- GS 02:47 Lighttpd Revision 18013313: [multiple] limit queue size to slow backends
- For modules which process the reqbody_queue into backend write queue,
limit the queue size to handle case where backend is slow reading input.
(As an alternative to limiting backend write queue, modules could
process reqbody_queue and ...
- GS 02:47 Lighttpd Revision d26eee6d: [ci] remove wolfssl from CI on Debian/Ubuntu
- remove wolfssl from CI on Debian/Ubuntu; Debian plans to remove wolfssl
from Forky due to the package being unmaintained for so long
wolfssl remains enabled in CI builds on MacOS, FreeBSD, and NetBSD
x-ref:
[wolfssl] Keep out of test...
- 02:47 Lighttpd Revision 6f9df3da: [mod_wstunnel] RFC 6455 §5 compliance
- Tighten frame validation in recv_rfc_6455() to reject malformed input
rather than silently accepting it:
- Reject 64-bit payload length with the MSB set (RFC 6455 §5.2).
- Reject Ping/Pong/Close payloads longer than 125 bytes (RFC 6455 ...
- GS 02:47 Lighttpd Revision 17fcf555: [core] reduce struct gw_plugin_config size
- GS 02:47 Lighttpd Revision 02cb696a: [mod_wstunnel] code size reduction
- - collect data before processing (rather than per-byte processing)
- reduce struct sizes
- combine debugging statements