Activity

From 2016-02-14 to 2016-02-20

2016-02-20

09:20 Bug #2593: Patches in doc for mod_proxy is in-compatible with 1.4.35
If patches in the wiki would be recommended I would have applied them upstream. stbuehler

2016-02-19

21:29 Bug #2593: Patches in doc for mod_proxy is in-compatible with 1.4.35
If I understand your replies correctly, the patches are not fit for the purpose.
Could you possibly comment the docu...
omegasteffy
16:38 Bug #2593 (Invalid): Patches in doc for mod_proxy is in-compatible with 1.4.35
3rd-party patches are not supported. Integrating DNS-Lookups into the event loop is rather non-trivial and not going ... stbuehler
17:08 Bug #2707 (Invalid): mod_auth ldap auth requires binding as the root of LDAP
You will need some "anon" user which is allowed to search for the actual user; there is no need for this user to be "... stbuehler
16:53 Feature #2142 (Wontfix): stat_cache increase
Also given the stat-cache is cleared after 2 seconds anyway this patch is broken anyway. stbuehler
16:49 Bug #1903 (Missing Feedback): lighttpd should send 403 instead of 404 if dir listing is disabled
Please provide an example config + file tree if this is still a problem. stbuehler
16:48 Bug #2332 (Invalid): PATH variable in environment emptied when running a perl script via mod_cgi
Mithaldu wrote:
> ... or provide a way to do so via the config.
You did so yourself in the meantime.
stbuehler
16:39 Feature #2426 (Invalid): lighty on minix
stbuehler
16:36 Bug #987 (Wontfix): error:network_freebsd_sendfile.c.175
Fallback on syscalls sounds unnecessarily expensive, I don't think we should support this. stbuehler
16:31 Bug #1585 (Wontfix): mod_compress will append etags header even if etags is disabled
Unless someone provides a clean patch (moving the option into the "global" config, where the etag flags already are, ... stbuehler
15:50 Bug #2717 (Fixed): heap-use-after-free in lighttpd on broken config
Applied in changeset r3080. stbuehler
14:39 Bug #2717: heap-use-after-free in lighttpd on broken config
This is certainly not a security issue. stbuehler
15:49 Revision 431559e5: [configparser] don't continue after parse error (fixes #2717)
only use values in reduce actions when the config is still valid
(ctx->ok).
From: Stefan Bühler <stbuehler@web.de>
...
stbuehler
15:49 Revision 3080 (svn): [configparser] don't continue after parse error (fixes #2717)
only use values in reduce actions when the config is still valid
(ctx->ok).
From: Stefan Bühler <stbuehler@web.de>
stbuehler

2016-02-18

06:38 Bug #2717: heap-use-after-free in lighttpd on broken config
Testing with the config attached to this ticket still causes a crash at shutdown when freeing srv->config_context arr... gstrauss
06:01 Bug #2717: heap-use-after-free in lighttpd on broken config
Created pull request https://github.com/lighttpd/lighttpd1.4/pull/23
Perhaps a new ticket, with lower priority, sh...
gstrauss

2016-02-17

18:27 Bug #2717: heap-use-after-free in lighttpd on broken config
buffer_caseless_compare() should probably check if (len == 1) (indicating that one of the strings is empty, e.g. ""),... gstrauss
17:47 Bug #2717: heap-use-after-free in lighttpd on broken config
Something which causes a program crash should, of course, be fixed.
However, why do you think this warrants a CVE?...
gstrauss
07:05 Feature #914 (Wontfix): Selective enabling of fastcgi
stbuehler
05:26 Feature #914: Selective enabling of fastcgi
Please close. Submitter indicated desired actions possible with existing config directives. gstrauss

2016-02-16

17:59 Bug #2717 (Fixed): heap-use-after-free in lighttpd on broken config
Hi,
I'd like to report a security vulnerability in lighttpd and assign a CVE number for it.
The vulnerability ...
alaamub
08:42 Bug #727 (Invalid): Another syslog newline issue.
Actually @mod_accesslog@ has its own logging functions, but they too send each line as a separate @syslog()@ call (pi... stbuehler
08:22 Bug #398 (Fixed): should mod_compress create compress.cache-dir if non-existant?
stbuehler
04:12 Bug #398: should mod_compress create compress.cache-dir if non-existant?
Please mark fixed. Fixed in 2008... gstrauss
08:16 Bug #68 (Wontfix): CGIs don't work with linux-rtsig
stbuehler
03:37 Bug #68: CGIs don't work with linux-rtsig
Please withdraw. linux-rtsig support was removed from lighttpd 1.4.x in 2010:... gstrauss
04:01 Bug #222: ssi virtual include uses wrong path
untested, but would using con->physical.basedir instead of con->physical.doc_root work?... gstrauss

2016-02-15

18:09 Feature #967: request-queue-limit option for mod_fastcgi
Very old ticket marked high priority.
At first glance, it still seems like a good idea to add an option limiting t...
gstrauss
06:29 Bug #1585: mod_compress will append etags header even if etags is disabled
This is a very old ticket and yet is marked High Priority.
Without wading into the arguments, I'd like to provide ...
gstrauss
06:22 Bug #727: Another syslog newline issue.
This is a very old ticket which is marked High Priority.
This is unlikely to still be an issue since the current l...
gstrauss
06:11 Bug #987: error:network_freebsd_sendfile.c.175
This is a very old ticket, but is marked High Priority.
On some systems, some filesystems support sendfile() and s...
gstrauss
05:23 Bug #2593: Patches in doc for mod_proxy is in-compatible with 1.4.35
I believe this ticket is referring to the "Enhancements" section at the bottom of https://redmine.lighttpd.net/projec... gstrauss

2016-02-14

22:57 Feature #2426: lighty on minix
Hi,
gstrauss wrote:
> A quick glance at https://github.com/minix3/minix and it appears to have implementations fo...
awelzel
12:16 Bug #2595 (Invalid): (mod_cgi.c.1312) cleaning up CGI: process died with signal 6
#2302 hopefully improves logging; but it won't make the problem go away, as it probably isn't a lighty bug. stbuehler
11:15 Bug #2302 (Fixed): sloppy error handling in mod_cgi to affect binaries
Applied in changeset r3079. stbuehler
11:08 Bug #2302: sloppy error handling in mod_cgi to affect binaries
Ignoring NULL-pointers is not the solution; if there is a good reason in a single case to expect a NULL-pointer, then... stbuehler
11:11 Revision f23a24a2: [mod_cgi] issue trace and exit if execve() fails (closes #2302)
(replace SEGFAULT if execve() fails)
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.ne...
gstrauss
11:11 Revision 3079 (svn): [mod_cgi] issue trace and exit if execve() fails (closes #2302)
(replace SEGFAULT if execve() fails)
From: Glenn Strauss <gstrauss@gluelogic.com>
stbuehler
10:56 Revision 36a266ec: fix links to online docs in template config files
From: fbrosson <fbrosson@users.noreply.github.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4...
fbrosson
10:56 Revision 3078 (svn): fix links to online docs in template config files
From: fbrosson <fbrosson@users.noreply.github.com> stbuehler
10:55 Bug #2460 (Fixed): (mod_cgi.c.1041) chdir failed: no such file or directory index.php
Applied in changeset r3077. stbuehler
10:54 Revision 665cc39b: [mod_cgi] edge case chdir "/" when docroot "/" (fixes #2460)
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@307...
gstrauss
10:54 Revision 3077 (svn): [mod_cgi] edge case chdir "/" when docroot "/" (fixes #2460)
From: Glenn Strauss <gstrauss@gluelogic.com> stbuehler
10:45 Bug #2711 (Fixed): Cronolog Broken pipe
Applied in changeset r3076. stbuehler
10:44 Revision 5cc061bf: [core] do not send SIGHUP to process group unless server.max-workers is used (fixes #2711)
do not propagate sighup if 0 == server.max-workers; reduce impact of
sighup on child processes, such as piped loggers...
gstrauss
10:44 Revision 3076 (svn): [core] do not send SIGHUP to process group unless server.max-workers is used (fixes #2711)
do not propagate sighup if 0 == server.max-workers; reduce impact of
sighup on child processes, such as piped loggers...
stbuehler
 
