Lighttpd

2020-10-20

22:28 Feature #2813 (Fixed): Support for HTTP/2 protocol

HTTP/2 support has been merged to lighttpd 1.4 master branch gstrauss

20:53 Revision 8f7019ad: [core] fix fd sharing when splitting file chunk

(bug on master branch; never released)
fix fd sharing in chunkqueue_steal_partial_file_chunk() gstrauss

20:22 Revision 0f82722f: [core] silence coverity warnings (another try)

gstrauss

20:04 Revision fb7e5a78: [core] silence coverity warnings in ls-hpack

The code originates from https://github.com/litespeedtech/ls-hpack
and is explicitly documented as not needing to be ... gstrauss

19:29 Revision af04e0b0: [core] silence coverity warnings (false positives)

gstrauss

18:10 Bug #3023 (Fixed): Segfault with mod_auth & htpasswd (lighttpd.conf misconfig)

Applied in changeset commit:cf0098eac8a12a8dfd700285a659af4639788a91. gstrauss

15:51 Revision 1b74c508: [core] always lseek() with shared fd

always lseek() with shared fd; remove optim to skip with offset = 0 gstrauss

15:51 Revision 019c5138: [multiple] use http_chunk_append_file_ref()

use http_chunk_append_file_ref() and http_chunk_append_file_ref_range()
reduce resource usage (number of fds open) b... gstrauss

15:51 Revision 9078cc4c: [core] http_chunk_append_file_ref_range()

http_chunk_append_file_ref() and http_chunk_append_file_ref_range()
to take stat_cache_entry ref and append FILE_CHUNK gstrauss

15:51 Revision 6be2bd35: [core] FILE_CHUNK can hold stat_cache_entry ref

gstrauss

15:51 Revision 7f8ab9dd: [core] stat_cache_entry reference counting

future: should probably create fd cache separate from stat_cache,
perhaps along w/ http-specific fields like ... gstrauss

15:51 Revision e057c541: [mod_deflate] use large mmap chunks to compress

use large chunks since server blocks while compressing, anyway
(mod_deflate is not recommended for large files) gstrauss

01:40 Revision fc6612d7: [core] minimize pause during graceful restart

minimize pause during graceful restart for server.max-worker = 0 case
The previous generation continues to accept ne... gstrauss

01:40 Revision d6f692f1: [core] config_plugin_value_to_int32()

gstrauss

01:40 Revision 3d8dcbdd: [mod_openssl] use newer openssl 3.0.0 func

replace X509_STORE_load_locations() with X509_STORE_load_file() gstrauss

01:40 Revision 1cc81b70: [mod_webdav] update defaults after worker_init

update defaults after worker_init for config options in global scope
(bug on master branch; never released) gstrauss

01:40 Revision f973b87c: [mod_webdav] add missing update to cq accounting

(bug on master branch; never released) gstrauss

01:40 Revision d71c1d47: [core] modify use of getrlimit() to not be fatal

modify use of getrlimit() to not be fatal if an error occurs
Some container configurations might cause getrlimit() a... gstrauss

01:40 Revision 3f1a12e5: [multiple] remove chunk file.start member

c->offset is now offset into file
c->file.length is end of octets to send (end pos + 1)
c->file.length - c->offset is... gstrauss

01:40 Revision d865d8c3: [TLS] ignore empty "CipherString" in ssl-conf-cmd

e.g. ssl.openssl.ssl-conf-cmd = ("CipherString" => "") gstrauss

01:40 Revision fe021118: [multiple] stat_cache_path_stat() for struct st

stat_cache_path_stat() for cached (struct st *) gstrauss

01:40 Revision a46f519e: [multiple] use NSS crypto if no other crypto avail

use NSS crypto if no other crypto avail, but NSS crypto is available
"NSS crypto support" is not included in tests/L... gstrauss

01:40 Revision bdb5fb26: [wolfssl] wolfSSL_CTX_set_mode differs from others

wolfSSL_CTX_set_mode() differs from openssl SSL_CTX_set_mode().
wolfSSL_CTX_set_mode() takes a single flag at a time ... gstrauss

01:40 Revision cf8cefce: [core] sys-crypto-md.h consistent interfaces

return values for sys-crypto-md.h interfaces
While some library implementations do not fail and have no return value... gstrauss

01:40 Revision a363383a: [tests] detect multiple SSL/TLS/crypto providers

gstrauss

01:40 Revision 7553ef7f: [multiple] openssl 3.0.0 digest interface migrate

provide implementations for conventional digest interfaces
but use the newer openssl digest interfaces under the hood... gstrauss

01:40 Revision e6a87a89: [mod_openssl] merge ssl_tlsext_ticket_key_cb impls

gstrauss

01:40 Revision cc6a76be: [mod_openssl] construct OSSL_PARAM on stack

gstrauss

01:40 Revision ebafd914: [mod_openssl] migrate ticket cb to openssl 3.0.0

migrate ticket cb to openssl 3.0.0 interface
SSL_CTX_set_tlsext_ticket_key_evp_cb() gstrauss

01:40 Revision e1bcdb5e: [multiple] ignore openssl 3.0.0 deprecation warns

quiet openssl 3.0.0 deprecation warnings for
low-level digest algorithm interfaces
future: migrate to openssl interf... gstrauss

01:40 Revision a3ccc46b: [mod_cgi] use splice() to send input to CGI

use splice(), if available (Linux), to send input from temp files to CGI gstrauss

01:40 Revision e18da93e: [core] reuse chunkqueue_compact_mem*()

gstrauss

01:40 Revision 9c25581d: [core] alloc optim reading file, sending chunked

avoid potential double-copy due to not enough space for final '\0'
in http_chunk_append_read_fd_range() if read size ... gstrauss

01:40 Revision 6d76f7ce: [core] fix chunkqueue_compact_mem w/ partial chunk

(bug on master branch; never released) gstrauss

01:40 Revision 8abbf621: [mod_fastcgi] decode chunked is cold code path

decode chunked from FastCGI backend is cold code path gstrauss

01:40 Revision dc51e9d6: [tests] simulate slow, small packets more quickly

simulate slow, small packets more quickly
1ms between chars is plenty slow; 100ms is excessive
fixup gstrauss

01:40 Revision 96abd9cf: [core] coalesce nearby ranges in Range requests

Range requests must be HTTP/1.1 or later (not HTTP/1.0) gstrauss

01:40 Revision 2f7839e8: [doc] comment out config disabling Range for .pdf

comment out lighttpd.conf config disabling Range requests for .pdf
bug in Adobe Acrobat Reader browser plugin dates ... gstrauss

01:40 Revision 66d1ec48: [core,mod_deflate] leverage cache of open fd

leverage simple cache of open file in stat_cache
(use stat_cache_get_entry_open())
future: reference count fd instea... gstrauss

01:40 Revision d8e5e21e: [core] stat_cache_get_entry_open()

simple interface to cache open file by extending struct stat_cache_entry
future: should probably create fd cache sep... gstrauss

2020-10-19

06:16 Feature #2813: Support for HTTP/2 protocol

h2spec is a conformance testing tool for HTTP/2 implementation.
https://github.com/summerwind/h2spec
Running h2spec ... gstrauss

2020-10-14

14:34 Bug #3028 (Fixed): Segfault / DoS (development branch; never released)

Confirmed fixed by testing with patch backported from a3af9833 (with slight modification for compatibility with tip o... gstrauss

14:09 Bug #3028: Segfault / DoS (development branch; never released)

Thank you for the report. If your tests were from a non-tagged point on the master branch, please provide the commit... gstrauss

10:01 Bug #3028 (Fixed): Segfault / DoS (development branch; never released)

During fuzzing we found a denial of service in lighttpd 1.4.56-devel.
Details for reproduction are attached.
<pre... bugs-syssec

02:31 Revision e9912607: [core] pass open fd to http_response_parse_range

gstrauss

02:31 Revision 6219b861: [core] http_response_parse_range() const file sz

gstrauss

02:31 Revision cd2ff420: [core] remove unused r->content_length

(was parsed Content-Length sent by backend)
(might add back in future along with stricter validation of field value) gstrauss

02:31 Revision 55e9f082: [core] limit num ranges in Range requests

parse Range header prior to constructing ranged response gstrauss

02:31 Revision 2dc3d5fa: [mod_gnutls] quiet CLOSE_NOTIFY after conn reset

do not log error after connection reset gstrauss

02:31 Revision 496cd8ff: [mod_mbedtls] quiet CLOSE_NOTIFY after conn reset

do not log error after connection reset gstrauss

02:31 Revision f846a392: [multiple] use stat_cache_path_isdir()

gstrauss

02:31 Revision 7d368cd7: [core] stat_cache_path_isdir()

gstrauss