Bug #2892

Segmentation fault with invalid lighttpd.conf syntax

Added by nti 5 months ago. Updated 3 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_redirect
Target version:
Start date: 2018-06-19
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

This code (to handle Let's Encrypt inquiries on http and redirect everything else to https) crashes lighty with a segmentation fault:

   $HTTP["host"] =~ "(domain.tld|www.domain.tld)"   {
   alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
   $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
      url.redirect-code = 301
      url.redirect = (".*" => "https://%0$0")
      }
   }

It seems to be the combination of "$HTTP["url"] !~ " and the "%X" placeholder (%0 or %1 I've tested).

Because this works:

   $HTTP["host"] =~ "(domain.tld|www.domain.tld)"   {
   alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
   $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
      url.redirect-code = 301
      url.redirect = (".*" => "https://domain.tld/$0")
      }
   }

And also this works:

   $HTTP["host"] =~ "(domain.tld|www.domain.tld)"   {
   alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
      url.redirect-code = 301
      url.redirect = (".*" => "https://%0$0")
   }

lighttpd -v
lighttpd/1.4.49 (ssl) - a light and fast webserver

Associated revisions

Revision f4f13745 (diff)
Added by gstrauss 3 months ago

[mod_redirect,mod_rewrite] fix segfault w/ invalid syntax (fixes #2892)

(thx nti)

x-ref:
"Segmentation fault with invalid lighttpd.conf syntax"
https://redmine.lighttpd.net/issues/2892

History

#1

Updated by nti 5 months ago

My modules:

server.modules              = (
                               "mod_redirect",
                               "mod_rewrite",
                               "mod_alias",
                               "mod_access",
                               "mod_auth",
                               "mod_status",
                               "mod_setenv",
                               "mod_fastcgi",
                               "mod_simple_vhost",
                               "mod_cgi",
                               "mod_compress",
                               "mod_openssl",
                               "mod_secdownload",
                               "mod_flv_streaming",
                               "mod_rrdtool",
                               "mod_accesslog" )

#2

Updated by gstrauss 5 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.50

The syntax on which it crashes is not valid. %0 is for the condition immediately wrapping the url.redirect, and a regex '!~' does not capture. Still, it should not crash.

The bug is in keyvalue.c line 296 in a cast for comparison of signed and unsigned values, since cache->patterncount can be -1

-            if (num < (size_t)cache->patterncount) {
+            if ((int)num < cache->patterncount) {
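Review bot: on the + line, `(int)num` narrows num to make the comparison signed; unless the caller already bounds num to a small value, a num above INT_MAX would typically convert to a negative int and pass the check against a positive patterncount. Consider keeping num unsigned and ruling out the sentinel explicitly, e.g. `if (cache->patterncount > 0 && num < (size_t)cache->patterncount) {`, and add a short comment that patterncount can be -1 so the unsigned cast is not reintroduced later.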

#3

Updated by nti 5 months ago

Thanks a lot. But %1 also crashes:

   $HTTP["host"] =~ "(domain.tld |www.domain.tld)"       {
   alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
   $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
     url.redirect-code = 301
     url.redirect = ( "^/(.*)" => "https://%1:443/$1" )
    }
   }

#4

Updated by gstrauss 5 months ago

  • Subject changed from Segmentation fault to Segmentation fault with invalid lighttpd.conf syntax

It is also invalid syntax with regex '!~', it crashes for the same reason, and it is fixed by the same patch.
Your syntax is INVALID. Please see the documentation. Docs_ModRedirect

I think this syntax, which works in lighttpd 1.4.40 and later, will do what you're trying to do:

$HTTP["scheme"] == "http" {
  $HTTP["host"] =~ "(domain.tld |www.domain.tld)"       {
    url.redirect-code = 301
    url.redirect = ( "^/\.well-known/acme-challenge/" => "", # instead of (nonsensical) redirect loop, this matched url will not be modified
                     "^(.*)" => "https://%0$0" )
    alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
  }
}
else $HTTP["scheme"] == "https" {
  $HTTP["host"] =~ "(domain.tld |www.domain.tld)"       {
    alias.url += ("/.well-known/acme-challenge/" => "/var/www/letsencrypt/.well-known/acme-challenge/")
  }
}

The upcoming lighttpd 1.4.50 aims to add some syntactic sugar to make some of this even simpler.
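The signed/unsigned comparison described in comment #2, as an added example that is not part of the original thread and is not lighttpd's code. The function names and the capture array are constructed for illustration; only the -1 value of patterncount and the two comparison forms come from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, not lighttpd's code. patterncount models the number
 * of captures saved for the enclosing condition; -1 means nothing was
 * captured, as with a '!~' condition. num is the N of a %N placeholder. */

/* Pre-fix style: -1 converts to SIZE_MAX, so every index appears in range. */
static int in_range_unsigned(int patterncount, size_t num) {
    return num < (size_t)patterncount;
}

/* Style of the fix: compare as signed, so a count of -1 rejects every index. */
static int in_range_signed(int patterncount, size_t num) {
    return (int)num < patterncount;
}

/* Alternative that never narrows num: reject non-positive counts first. */
static int in_range_guarded(int patterncount, size_t num) {
    return patterncount > 0 && num < (size_t)patterncount;
}

/* Expand %N from a capture array, yielding "" when N is out of range
 * instead of indexing past the array. */
static const char *expand(const char *const *captures, int patterncount,
                          size_t num, int (*in_range)(int, size_t)) {
    return in_range(patterncount, num) ? captures[num] : "";
}

int main(void) {
    const char *const host_caps[] = { "www.domain.tld", "www.domain.tld" };
    size_t n;

    /* Enclosing condition captured nothing: patterncount == -1 */
    for (n = 0; n < 2; n++)
        printf("count=-1 %%%zu: unsigned=%d signed=%d guarded=%d\n", n,
               in_range_unsigned(-1, n), in_range_signed(-1, n),
               in_range_guarded(-1, n));

    /* Enclosing '=~' condition with two saved captures */
    for (n = 0; n < 3; n++)
        printf("count=2  %%%zu -> \"%s\"\n", n,
               expand(host_caps, 2, n, in_range_signed));
    return 0;
}
```
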

#5

Updated by gstrauss 3 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
