Activity

From 2016-02-12 to 2016-02-18

2016-02-18

06:38 Bug #2717: heap-use-after-free in lighttpd on broken config
Testing with the config attached to this ticket still causes a crash at shutdown when freeing srv->config_context arr... gstrauss
06:01 Bug #2717: heap-use-after-free in lighttpd on broken config
Created pull request https://github.com/lighttpd/lighttpd1.4/pull/23
Perhaps a new ticket, with lower priority, sh...
gstrauss

2016-02-17

18:27 Bug #2717: heap-use-after-free in lighttpd on broken config
buffer_caseless_compare() should probably check if (len == 1) (indicating that one of the strings is empty, e.g. ""),... gstrauss
17:47 Bug #2717: heap-use-after-free in lighttpd on broken config
Something which causes a program crash should, of course, be fixed.
However, why do you think this warrants a CVE?...
gstrauss
07:05 Feature #914 (Wontfix): Selective enabling of fastcgi
stbuehler
05:26 Feature #914: Selective enabling of fastcgi
Please close. Submitter indicated desired actions possible with existing config directives. gstrauss

2016-02-16

17:59 Bug #2717 (Fixed): heap-use-after-free in lighttpd on broken config
Hi,
I'd like to report a security vulnerability in lighttpd and assign a CVE number for it.
The vulnerability ...
alaamub
08:42 Bug #727 (Invalid): Another syslog newline issue.
Actually @mod_accesslog@ has its own logging functions, but they too send each line as a separate @syslog()@ call (pi... stbuehler
08:22 Bug #398 (Fixed): should mod_compress create compress.cache-dir if non-existant?
stbuehler
04:12 Bug #398: should mod_compress create compress.cache-dir if non-existant?
Please mark fixed. Fixed in 2008... gstrauss
08:16 Bug #68 (Wontfix): CGIs don't work with linux-rtsig
stbuehler
03:37 Bug #68: CGIs don't work with linux-rtsig
Please withdraw. linux-rtsig support was removed from lighttpd 1.4.x in 2010:... gstrauss
04:01 Bug #222: ssi virtual include uses wrong path
untested, but would using con->physical.basedir instead of con->physical.doc_root work?... gstrauss

2016-02-15

18:09 Feature #967: request-queue-limit option for mod_fastcgi
Very old ticket marked high priority.
At first glance, it still seems like a good idea to add an option limiting t...
gstrauss
06:29 Bug #1585: mod_compress will append etags header even if etags is disabled
This is a very old ticket and yet is marked High Priority.
Without wading into the arguments, I'd like to provide ...
gstrauss
06:22 Bug #727: Another syslog newline issue.
This is a very old ticket which is marked High Priority.
This is unlikely to still be an issue since the current l...
gstrauss
06:11 Bug #987: error:network_freebsd_sendfile.c.175
This is a very old ticket, but is marked High Priority.
On some systems, some filesystems support sendfile() and s...
gstrauss
05:23 Bug #2593: Patches in doc for mod_proxy is in-compatible with 1.4.35
I believe this ticket is referring to the "Enhancements" section at the bottom of https://redmine.lighttpd.net/projec... gstrauss

2016-02-14

22:57 Feature #2426: lighty on minix
Hi,
gstrauss wrote:
> A quick glance at https://github.com/minix3/minix and it appears to have implementations fo...
awelzel
12:16 Bug #2595 (Invalid): (mod_cgi.c.1312) cleaning up CGI: process died with signal 6
#2302 hopefully improves logging; but it won't make the problem go away, as it probably isn't a lighty bug. stbuehler
11:15 Bug #2302 (Fixed): sloppy error handling in mod_cgi to affect binaries
Applied in changeset r3079. stbuehler
11:08 Bug #2302: sloppy error handling in mod_cgi to affect binaries
Ignoring NULL-pointers is not the solution; if there is a good reason in a single case to expect a NULL-pointer, then... stbuehler
11:11 Revision f23a24a2: [mod_cgi] issue trace and exit if execve() fails (closes #2302)
(replace SEGFAULT if execve() fails)
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.ne...
gstrauss
11:11 Revision 3079 (svn): [mod_cgi] issue trace and exit if execve() fails (closes #2302)
(replace SEGFAULT if execve() fails)
From: Glenn Strauss <gstrauss@gluelogic.com>
stbuehler
10:56 Revision 36a266ec: fix links to online docs in template config files
From: fbrosson <fbrosson@users.noreply.github.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4...
fbrosson
10:56 Revision 3078 (svn): fix links to online docs in template config files
From: fbrosson <fbrosson@users.noreply.github.com> stbuehler
10:55 Bug #2460 (Fixed): (mod_cgi.c.1041) chdir failed: no such file or directory index.php
Applied in changeset r3077. stbuehler
10:54 Revision 665cc39b: [mod_cgi] edge case chdir "/" when docroot "/" (fixes #2460)
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@307...
gstrauss
10:54 Revision 3077 (svn): [mod_cgi] edge case chdir "/" when docroot "/" (fixes #2460)
From: Glenn Strauss <gstrauss@gluelogic.com> stbuehler
10:45 Bug #2711 (Fixed): Cronolog Broken pipe
Applied in changeset r3076. stbuehler
10:44 Revision 5cc061bf: [core] do not send SIGHUP to process group unless server.max-workers is used (fixes #2711)
do not propagate sighup if 0 == server.max-workers; reduce impact of
sighup on child processes, such as piped loggers...
gstrauss
10:44 Revision 3076 (svn): [core] do not send SIGHUP to process group unless server.max-workers is used (fixes #2711)
do not propagate sighup if 0 == server.max-workers; reduce impact of
sighup on child processes, such as piped loggers...
stbuehler

2016-02-13

18:21 Bug #2595: (mod_cgi.c.1312) cleaning up CGI: process died with signal 6
Try using ... gstrauss
13:47 Bug #2329: connection was dropped after accept()
Is the problem in this ticket still reproducible in FreeBSD 10?
mod_fastcgi is checking connect()ing socket for wr...
gstrauss
13:35 Bug #2316: FreeBSD fastcgi broken: connection was dropped after accept()
Related ticket: https://redmine.lighttpd.net/issues/2329 gstrauss
12:56 Bug #2332: PATH variable in environment emptied when running a perl script via mod_cgi
I believe it is intentional that mod_cgi constructs a CGI environment without any implicit inheritance from the light... gstrauss
11:20 Bug #1903: lighttpd should send 403 instead of 404 if dir listing is disabled
In 1.4.x latest, if nothing handles the request, including not handled by mod_indexfile and mod_dirlisting, then 403 ... gstrauss
11:06 Bug #1902: lighttpd can leak connections
1.5.x branch has been abandoned. Please withdraw ticket. gstrauss
11:04 Bug #1925: lighttpd returns invalid chunked encoding for 204 responses
1.5.x branch has been abandoned. Please mark ticket fixed. gstrauss
11:03 Feature #2129: add support for pipe logging for server.errorlog
1.5.x branch has been abandoned. Please withdraw ticket. gstrauss
10:55 Bug #2598: Semantics of else clause looks strange
Submitted pull request https://github.com/lighttpd/lighttpd1.4/pull/22 with patch to fix root cause.
Please consid...
gstrauss
10:44 Bug #2277 (Wontfix): network.c does not compile on Solaris
stbuehler
09:24 Bug #2277: network.c does not compile on Solaris
That was the whole patch.
Probably ok to withdraw this ticket. Any modern OS supporting IPv6 should support IPV6_...
gstrauss
08:48 Bug #2277: network.c does not compile on Solaris
@IPV6_V6ONLY@ has been defined in 2003; supporting IPv6 without @IPV6_V6ONLY@ seems not necessary to me.
If due to...
stbuehler
06:36 Bug #2277: network.c does not compile on Solaris
https://github.com/lighttpd/lighttpd1.4/pull/20 gstrauss
10:42 Bug #2124 (Missing Feedback): mod_userdir does not treat %7E as ~
gstrauss wrote:
> Please mark fixed.
So far there was no bug I could reproduce, so there was no fix. Closing as "...
stbuehler
09:56 Bug #2124: mod_userdir does not treat %7E as ~
Please mark fixed. gstrauss
10:41 Bug #2131: max-request-size comparing mistake
gstrauss wrote:
> 1.5.x branch has been abandoned. Please withdraw ticket.
As long as the target version is 1.5.0...
stbuehler
10:29 Bug #2131: max-request-size comparing mistake
lighttpd 1.4 request.c contains the following (after checking srv->srvconf.max_request_size is non-zero)... gstrauss
10:39 Bug #2120 (Missing Feedback): lighttpd freezes under flood
stbuehler
10:03 Bug #2120: lighttpd freezes under flood
@scub: I realize this was a long time ago, but we need a little more information in order to try to reproduce this. ... gstrauss
09:40 Bug #2302: sloppy error handling in mod_cgi to affect binaries
con->srv_socket is set soon after accept() and so it should never be NULL in mod_cgi. Is this reproducible in 1.4.x ... gstrauss
08:57 Feature #2142: stat_cache increase
While patch is trivial, the question remains "should this be done here?" I think the answer is no. There are better... gstrauss
08:56 Bug #2186 (Fixed): lack of output when lighttpd fails to start
stbuehler
08:30 Bug #2186: lack of output when lighttpd fails to start
Please close ticket.
Unable to reproduce problem with current version of trunk.
When I ...
gstrauss
08:51 Bug #2264 (Missing Feedback): Connections are not being accepted
stbuehler
07:33 Bug #2264: Connections are not being accepted
Please withdraw. Old ticket is missing follow-up info from problem reporter.
If still an issue with latest FreeBS...
gstrauss
08:51 Bug #2344 (Wontfix): HEAD requests for 0 byte files do not return the Content-Length header
It would have been nice to be able to distinguish between "not generated" (no Content-Length header) and "explicitly ... stbuehler
07:22 Bug #2344: HEAD requests for 0 byte files do not return the Content-Length header
Probably can withdraw this request.
As stbuehler noted, Content-Length response header is not required for HTTP HE...
gstrauss
08:43 Feature #2141: Magnet enhancement
The hashme implementation is incorrect. To correct it, please use (unsigned char *)... gstrauss
08:39 Bug #2132: piped accesslog is disorder when server.max-worker>1
This is correct in 1.4.x latest.
1.5.x branch has been abandoned. Please withdraw ticket.
gstrauss
05:29 Bug #2589: 40MB-100MB Quicktimes take minutes to load (CentOS, lighttpd 1.4.35, Chrome)
Thank you for taking up the cause, gstrauss, and thank you for the direction. It may take me a few days to get back i... AteYourLembas

2016-02-12

22:25 Feature #2474: Option to map send-file file-not-found error to normal 404
https://github.com/lighttpd/lighttpd1.4/pull/19
I slightly modified Olaf's patch to retain the error trace when st...
gstrauss
21:01 Feature #2474: Option to map send-file file-not-found error to normal 404
I'm fine with replacing 502 with 404 in this case, I don't see a good reason to add an option for it; adding an optio... stbuehler
03:54 Feature #2474: Option to map send-file file-not-found error to normal 404
If a FastCGI application returned X-Sendfile (or related) and the file does not exist on the local server running lig... gstrauss
21:49 Feature #2666: handle filesystems without mmap() support
Agreed, the title "handle filesystems without mmap() support" is not addressed generically by https://redmine.lighttp... gstrauss
20:46 Feature #2666: handle filesystems without mmap() support
while #2715 might solve problems with some file systems, it certainly is not a generic fix for missing mmap() support. stbuehler
01:33 Feature #2666: handle filesystems without mmap() support
This issue might be the same as in https://redmine.lighttpd.net/issues/2715 for which a patch has been committed to t... gstrauss
21:09 Bug #2598: Semantics of else clause looks strange
I probably should look into this soon... but I don't want to rush it. stbuehler
11:11 Bug #2598: Semantics of else clause looks strange
Updated patch. It is incorrect to re-evaluate if "one of prev set me to FALSE", so keep that code.... gstrauss
10:07 Bug #2598: Semantics of else clause looks strange
I can understand hesitation to wade into the less-than-friendly condition caching code, but Gwenlliana did a fair amo... gstrauss
21:05 Feature #2383: mod_alias: use alias directory as doc-root too
IIRC the intention was that the backend gets a "physical base directory" as docroot to search for application specifi... stbuehler
04:57 Feature #2383: mod_alias: use alias directory as doc-root too
It seems some context from IRC did not make it into the issue description. What was/is the intent? gstrauss
21:03 Bug #2421 (Duplicate): lighttpd 1.4.31 is not compatible with lua 5.2.1
stbuehler
04:53 Bug #2421: lighttpd 1.4.31 is not compatible with lua 5.2.1
I believe this will be fixed in the upcoming 1.4.40 release.
See also https://redmine.lighttpd.net/issues/2674
gstrauss
05:31 Feature #2426: lighty on minix
A quick glance at https://github.com/minix3/minix and it appears to have implementations for mmap() and setrlimit() (... gstrauss
04:36 Bug #2460: (mod_cgi.c.1041) chdir failed: no such file or directory index.php
The attached lighttpd.conf contains... gstrauss
03:36 Bug #2522: Missing authentication when using mod_index
Reiterating what @stbuehler said:
>auth.require matches urls, but index-files.names is about the physical file name ...
gstrauss
02:44 Bug #2589: 40MB-100MB Quicktimes take minutes to load (CentOS, lighttpd 1.4.35, Chrome)
I realize this is old, but on the off-chance you could provide more info, I am curious about this issue and would lik... gstrauss
01:52 Bug #2595: (mod_cgi.c.1312) cleaning up CGI: process died with signal 6
For testing purposes, have you tried replacing the compiled cpp "Hello World" project with a shell script? It is pos... gstrauss
01:40 Feature #2642: add option for "fail on warning"
This might be obtainable with lighttpd config test mode:... gstrauss
 
