]>
Commit | Line | Data |
---|---|---|
bc81decf | 1 | # Revision 2815 |
902fac5f ER |
2 | Index: src/http_auth_digest.c |
3 | =================================================================== | |
4 | --- src/http_auth_digest.c (.../tags/lighttpd-1.4.29) | |
5 | +++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x) | |
6 | @@ -1,26 +0,0 @@ | |
7 | -#include "buffer.h" | |
8 | - | |
9 | -#include "http_auth_digest.h" | |
10 | - | |
11 | -#include <string.h> | |
12 | - | |
13 | -#ifndef USE_OPENSSL | |
14 | -# include "md5.h" | |
15 | - | |
16 | -typedef li_MD5_CTX MD5_CTX; | |
17 | -#define MD5_Init li_MD5_Init | |
18 | -#define MD5_Update li_MD5_Update | |
19 | -#define MD5_Final li_MD5_Final | |
20 | - | |
21 | -#endif | |
22 | - | |
23 | -void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { | |
24 | - unsigned short i; | |
25 | - | |
26 | - for (i = 0; i < HASHLEN; i++) { | |
27 | - Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); | |
28 | - Hex[i*2+1] = int2hex(Bin[i] & 0xf); | |
29 | - } | |
30 | - Hex[HASHHEXLEN] = '\0'; | |
31 | -} | |
32 | - | |
33 | Index: src/http_auth_digest.h | |
34 | =================================================================== | |
35 | --- src/http_auth_digest.h (.../tags/lighttpd-1.4.29) | |
36 | +++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x) | |
37 | @@ -1,24 +0,0 @@ | |
38 | -#ifndef _DIGCALC_H_ | |
39 | -#define _DIGCALC_H_ | |
40 | - | |
41 | -#ifdef HAVE_CONFIG_H | |
42 | -# include "config.h" | |
43 | -#endif | |
44 | - | |
45 | -#define HASHLEN 16 | |
46 | -typedef unsigned char HASH[HASHLEN]; | |
47 | -#define HASHHEXLEN 32 | |
48 | -typedef char HASHHEX[HASHHEXLEN+1]; | |
49 | -#ifdef USE_OPENSSL | |
50 | -#define IN const | |
51 | -#else | |
52 | -#define IN | |
53 | -#endif | |
54 | -#define OUT | |
55 | - | |
56 | -void CvtHex( | |
57 | - IN HASH Bin, | |
58 | - OUT HASHHEX Hex | |
59 | - ); | |
60 | - | |
61 | -#endif | |
62 | Index: src/network_write.c | |
63 | =================================================================== | |
64 | --- src/network_write.c (.../tags/lighttpd-1.4.29) | |
65 | +++ src/network_write.c (.../branches/lighttpd-1.4.x) | |
66 | @@ -24,17 +24,16 @@ | |
67 | # include <sys/resource.h> | |
68 | #endif | |
69 | ||
70 | -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) { | |
71 | +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
72 | chunk *c; | |
73 | - size_t chunks_written = 0; | |
74 | ||
75 | - for(c = cq->first; c; c = c->next) { | |
76 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
77 | int chunk_finished = 0; | |
78 | ||
79 | switch(c->type) { | |
80 | case MEM_CHUNK: { | |
81 | char * offset; | |
82 | - size_t toSend; | |
83 | + off_t toSend; | |
84 | ssize_t r; | |
85 | ||
86 | if (c->mem->used == 0) { | |
87 | @@ -44,6 +43,8 @@ | |
88 | ||
89 | offset = c->mem->ptr + c->offset; | |
90 | toSend = c->mem->used - 1 - c->offset; | |
91 | + if (toSend > max_bytes) toSend = max_bytes; | |
92 | + | |
93 | #ifdef __WIN32 | |
94 | if ((r = send(fd, offset, toSend, 0)) < 0) { | |
95 | /* no error handling for windows... */ | |
96 | @@ -72,6 +73,7 @@ | |
97 | ||
98 | c->offset += r; | |
99 | cq->bytes_out += r; | |
100 | + max_bytes -= r; | |
101 | ||
102 | if (c->offset == (off_t)c->mem->used - 1) { | |
103 | chunk_finished = 1; | |
104 | @@ -85,7 +87,7 @@ | |
105 | #endif | |
106 | ssize_t r; | |
107 | off_t offset; | |
108 | - size_t toSend; | |
109 | + off_t toSend; | |
110 | stat_cache_entry *sce = NULL; | |
111 | int ifd; | |
112 | ||
113 | @@ -98,6 +100,8 @@ | |
114 | offset = c->file.start + c->offset; | |
115 | toSend = c->file.length - c->offset; | |
116 | ||
117 | + if (toSend > max_bytes) toSend = max_bytes; | |
118 | + | |
119 | if (offset > sce->st.st_size) { | |
120 | log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); | |
121 | ||
122 | @@ -181,6 +185,7 @@ | |
123 | ||
124 | c->offset += r; | |
125 | cq->bytes_out += r; | |
126 | + max_bytes -= r; | |
127 | ||
128 | if (c->offset == c->file.length) { | |
129 | chunk_finished = 1; | |
130 | @@ -200,11 +205,9 @@ | |
131 | ||
132 | break; | |
133 | } | |
134 | - | |
135 | - chunks_written++; | |
136 | } | |
137 | ||
138 | - return chunks_written; | |
139 | + return 0; | |
140 | } | |
141 | ||
142 | #if 0 | |
143 | Index: src/mod_secure_download.c | |
144 | =================================================================== | |
145 | --- src/mod_secure_download.c (.../tags/lighttpd-1.4.29) | |
146 | +++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x) | |
147 | @@ -8,18 +8,8 @@ | |
148 | #include <stdlib.h> | |
149 | #include <string.h> | |
150 | ||
151 | -#ifdef USE_OPENSSL | |
152 | -# include <openssl/md5.h> | |
153 | -#else | |
154 | -# include "md5.h" | |
155 | +#include "md5.h" | |
156 | ||
157 | -typedef li_MD5_CTX MD5_CTX; | |
158 | -#define MD5_Init li_MD5_Init | |
159 | -#define MD5_Update li_MD5_Update | |
160 | -#define MD5_Final li_MD5_Final | |
161 | - | |
162 | -#endif | |
163 | - | |
164 | #define HASHLEN 16 | |
165 | typedef unsigned char HASH[HASHLEN]; | |
166 | #define HASHHEXLEN 32 | |
167 | @@ -200,7 +190,7 @@ | |
168 | ||
169 | URIHANDLER_FUNC(mod_secdownload_uri_handler) { | |
170 | plugin_data *p = p_d; | |
171 | - MD5_CTX Md5Ctx; | |
172 | + li_MD5_CTX Md5Ctx; | |
173 | HASH HA1; | |
174 | const char *rel_uri, *ts_str, *md5_str; | |
175 | time_t ts = 0; | |
176 | @@ -266,9 +256,9 @@ | |
177 | buffer_append_string(p->md5, rel_uri); | |
178 | buffer_append_string_len(p->md5, ts_str, 8); | |
179 | ||
180 | - MD5_Init(&Md5Ctx); | |
181 | - MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); | |
182 | - MD5_Final(HA1, &Md5Ctx); | |
183 | + li_MD5_Init(&Md5Ctx); | |
184 | + li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); | |
185 | + li_MD5_Final(HA1, &Md5Ctx); | |
186 | ||
187 | buffer_copy_string_hex(p->md5, (char *)HA1, 16); | |
188 | ||
189 | Index: src/base.h | |
190 | =================================================================== | |
191 | --- src/base.h (.../tags/lighttpd-1.4.29) | |
192 | +++ src/base.h (.../branches/lighttpd-1.4.x) | |
193 | @@ -277,6 +277,7 @@ | |
194 | buffer *ssl_cipher_list; | |
195 | buffer *ssl_dh_file; | |
196 | buffer *ssl_ec_curve; | |
197 | + unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ | |
198 | unsigned short ssl_use_sslv2; | |
199 | unsigned short ssl_use_sslv3; | |
200 | unsigned short ssl_verifyclient; | |
201 | @@ -284,6 +285,7 @@ | |
202 | unsigned short ssl_verifyclient_depth; | |
203 | buffer *ssl_verifyclient_username; | |
204 | unsigned short ssl_verifyclient_export_cert; | |
205 | + unsigned short ssl_disable_client_renegotiation; | |
206 | ||
207 | unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ | |
208 | unsigned short defer_accept; | |
209 | @@ -437,6 +439,7 @@ | |
210 | # ifndef OPENSSL_NO_TLSEXT | |
211 | buffer *tlsext_server_name; | |
212 | # endif | |
213 | + unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ | |
214 | #endif | |
215 | /* etag handling */ | |
216 | etag_flags_t etag_flags; | |
217 | @@ -647,11 +650,9 @@ | |
218 | ||
219 | fdevent_handler_t event_handler; | |
220 | ||
221 | - int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); | |
222 | - int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); | |
223 | + int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
224 | #ifdef USE_OPENSSL | |
225 | - int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); | |
226 | - int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); | |
227 | + int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); | |
228 | #endif | |
229 | ||
230 | uid_t uid; | |
4ae864ca ER |
231 | Index: src/connections.c |
232 | =================================================================== | |
902fac5f | 233 | --- src/connections.c (.../tags/lighttpd-1.4.29) |
4ae864ca | 234 | +++ src/connections.c (.../branches/lighttpd-1.4.x) |
902fac5f | 235 | @@ -223,6 +223,12 @@ |
4ae864ca | 236 | |
902fac5f | 237 | len = SSL_read(con->ssl, b->ptr + read_offset, toread); |
4ae864ca | 238 | |
902fac5f ER |
239 | + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { |
240 | + connection_set_state(srv, con, CON_STATE_ERROR); | |
241 | + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); | |
242 | + return -1; | |
243 | + } | |
4ae864ca | 244 | + |
902fac5f ER |
245 | if (len > 0) { |
246 | if (b->used > 0) b->used--; | |
247 | b->used += len; | |
248 | @@ -445,6 +451,7 @@ | |
249 | default: | |
250 | switch(con->http_status) { | |
251 | case 400: /* bad request */ | |
252 | + case 401: /* authorization required */ | |
253 | case 414: /* overload request header */ | |
254 | case 505: /* unknown protocol */ | |
255 | case 207: /* this was webdav */ | |
256 | @@ -617,8 +624,9 @@ | |
257 | } | |
258 | ||
259 | static int connection_handle_write(server *srv, connection *con) { | |
260 | - switch(network_write_chunkqueue(srv, con, con->write_queue)) { | |
261 | + switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { | |
262 | case 0: | |
263 | + con->write_request_ts = srv->cur_ts; | |
264 | if (con->file_finished) { | |
265 | connection_set_state(srv, con, CON_STATE_RESPONSE_END); | |
266 | joblist_append(srv, con); | |
267 | @@ -635,6 +643,7 @@ | |
268 | joblist_append(srv, con); | |
269 | break; | |
270 | case 1: | |
271 | + con->write_request_ts = srv->cur_ts; | |
272 | con->is_writable = 0; | |
273 | ||
274 | /* not finished yet -> WRITE */ | |
275 | @@ -1251,8 +1260,6 @@ | |
276 | log_error_write(srv, __FILE__, __LINE__, "ds", | |
277 | con->fd, | |
278 | "handle write failed."); | |
279 | - } else if (con->state == CON_STATE_WRITE) { | |
280 | - con->write_request_ts = srv->cur_ts; | |
281 | } | |
282 | } | |
283 | ||
284 | @@ -1352,6 +1359,7 @@ | |
285 | return NULL; | |
286 | } | |
287 | ||
288 | + con->renegotiations = 0; | |
289 | #ifndef OPENSSL_NO_TLSEXT | |
290 | SSL_set_app_data(con->ssl, con); | |
291 | #endif | |
292 | @@ -1667,8 +1675,6 @@ | |
293 | con->fd, | |
294 | "handle write failed."); | |
295 | connection_set_state(srv, con, CON_STATE_ERROR); | |
296 | - } else if (con->state == CON_STATE_WRITE) { | |
297 | - con->write_request_ts = srv->cur_ts; | |
298 | } | |
299 | } | |
300 | ||
301 | Index: src/mod_staticfile.c | |
302 | =================================================================== | |
303 | --- src/mod_staticfile.c (.../tags/lighttpd-1.4.29) | |
304 | +++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x) | |
305 | @@ -26,6 +26,7 @@ | |
306 | typedef struct { | |
307 | array *exclude_ext; | |
308 | unsigned short etags_used; | |
309 | + unsigned short disable_pathinfo; | |
310 | } plugin_config; | |
311 | ||
312 | typedef struct { | |
313 | @@ -84,6 +85,7 @@ | |
314 | config_values_t cv[] = { | |
315 | { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ | |
316 | { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ | |
317 | + { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ | |
318 | { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } | |
319 | }; | |
320 | ||
321 | @@ -97,9 +99,11 @@ | |
322 | s = calloc(1, sizeof(plugin_config)); | |
323 | s->exclude_ext = array_init(); | |
324 | s->etags_used = 1; | |
325 | + s->disable_pathinfo = 0; | |
326 | ||
327 | cv[0].destination = s->exclude_ext; | |
328 | cv[1].destination = &(s->etags_used); | |
329 | + cv[2].destination = &(s->disable_pathinfo); | |
330 | ||
331 | p->config_storage[i] = s; | |
332 | ||
333 | @@ -119,6 +123,7 @@ | |
334 | ||
335 | PATCH(exclude_ext); | |
336 | PATCH(etags_used); | |
337 | + PATCH(disable_pathinfo); | |
4ae864ca | 338 | |
902fac5f ER |
339 | /* skip the first, the global context */ |
340 | for (i = 1; i < srv->config_context->used; i++) { | |
341 | @@ -136,7 +141,9 @@ | |
342 | PATCH(exclude_ext); | |
343 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { | |
344 | PATCH(etags_used); | |
345 | - } | |
346 | + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { | |
347 | + PATCH(disable_pathinfo); | |
348 | + } | |
349 | } | |
350 | } | |
351 | ||
352 | @@ -350,7 +357,6 @@ | |
353 | URIHANDLER_FUNC(mod_staticfile_subrequest) { | |
354 | plugin_data *p = p_d; | |
355 | size_t k; | |
356 | - int s_len; | |
357 | stat_cache_entry *sce = NULL; | |
358 | buffer *mtime = NULL; | |
359 | data_string *ds; | |
360 | @@ -376,7 +382,12 @@ | |
361 | ||
362 | mod_staticfile_patch_connection(srv, con, p); | |
363 | ||
364 | - s_len = con->uri.path->used - 1; | |
365 | + if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { | |
366 | + if (con->conf.log_request_handling) { | |
367 | + log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); | |
368 | + } | |
369 | + return HANDLER_GO_ON; | |
370 | + } | |
371 | ||
372 | /* ignore certain extensions */ | |
373 | for (k = 0; k < p->conf.exclude_ext->used; k++) { | |
6422e148 AM |
374 | Index: src/network.c |
375 | =================================================================== | |
902fac5f | 376 | --- src/network.c (.../tags/lighttpd-1.4.29) |
6422e148 | 377 | +++ src/network.c (.../branches/lighttpd-1.4.x) |
902fac5f ER |
378 | @@ -27,6 +27,19 @@ |
379 | # include <openssl/rand.h> | |
380 | #endif | |
4ae864ca | 381 | |
902fac5f ER |
382 | +#ifdef USE_OPENSSL |
383 | +static void ssl_info_callback(const SSL *ssl, int where, int ret) { | |
384 | + UNUSED(ret); | |
4ae864ca | 385 | + |
902fac5f ER |
386 | + if (0 != (where & SSL_CB_HANDSHAKE_START)) { |
387 | + connection *con = SSL_get_app_data(ssl); | |
388 | + ++con->renegotiations; | |
389 | + } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { | |
390 | + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; | |
391 | + } | |
392 | +} | |
393 | +#endif | |
394 | + | |
395 | static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { | |
396 | server_socket *srv_socket = (server_socket *)context; | |
397 | connection *con; | |
398 | @@ -480,9 +493,11 @@ | |
399 | network_backend_t backend; | |
400 | ||
401 | #if OPENSSL_VERSION_NUMBER >= 0x0090800fL | |
402 | +#ifndef OPENSSL_NO_ECDH | |
403 | EC_KEY *ecdh; | |
404 | int nid; | |
405 | #endif | |
406 | +#endif | |
407 | ||
408 | #ifdef USE_OPENSSL | |
409 | DH *dh; | |
410 | @@ -553,6 +568,11 @@ | |
411 | /* load SSL certificates */ | |
412 | for (i = 0; i < srv->config_context->used; i++) { | |
413 | specific_config *s = srv->config_storage[i]; | |
414 | +#ifndef SSL_OP_NO_COMPRESSION | |
415 | +# define SSL_OP_NO_COMPRESSION 0 | |
416 | +#endif | |
417 | + long ssloptions = | |
418 | + SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; | |
419 | ||
420 | if (buffer_is_empty(s->ssl_pemfile)) continue; | |
4ae864ca | 421 | |
902fac5f ER |
422 | @@ -586,6 +606,9 @@ |
423 | return -1; | |
424 | } | |
6422e148 | 425 | |
902fac5f ER |
426 | + SSL_CTX_set_options(s->ssl_ctx, ssloptions); |
427 | + SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); | |
428 | + | |
6422e148 AM |
429 | if (!s->ssl_use_sslv2) { |
430 | /* disable SSLv2 */ | |
902fac5f ER |
431 | if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { |
432 | @@ -611,6 +634,10 @@ | |
6422e148 | 433 | ERR_error_string(ERR_get_error(), NULL)); |
9d2ca5f8 | 434 | return -1; |
902fac5f ER |
435 | } |
436 | + | |
437 | + if (s->ssl_honor_cipher_order) { | |
438 | + SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
439 | + } | |
440 | } | |
4ae864ca | 441 | |
902fac5f ER |
442 | /* Support for Diffie-Hellman key exchange */ |
443 | @@ -847,7 +874,7 @@ | |
444 | return 0; | |
445 | } | |
446 | ||
447 | -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { | |
448 | +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { | |
449 | int ret = -1; | |
450 | off_t written = 0; | |
451 | #ifdef TCP_CORK | |
452 | @@ -855,16 +882,34 @@ | |
453 | #endif | |
454 | server_socket *srv_socket = con->srv_socket; | |
455 | ||
456 | - if (con->conf.global_kbytes_per_second && | |
457 | - *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) { | |
458 | - /* we reached the global traffic limit */ | |
459 | + if (con->conf.global_kbytes_per_second) { | |
460 | + off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); | |
461 | + if (limit <= 0) { | |
462 | + /* we reached the global traffic limit */ | |
463 | ||
464 | - con->traffic_limit_reached = 1; | |
465 | - joblist_append(srv, con); | |
466 | + con->traffic_limit_reached = 1; | |
467 | + joblist_append(srv, con); | |
468 | ||
469 | - return 1; | |
470 | + return 1; | |
471 | + } else { | |
472 | + if (max_bytes > limit) max_bytes = limit; | |
473 | + } | |
4ae864ca ER |
474 | } |
475 | ||
902fac5f ER |
476 | + if (con->conf.kbytes_per_second) { |
477 | + off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; | |
478 | + if (limit <= 0) { | |
479 | + /* we reached the traffic limit */ | |
480 | + | |
481 | + con->traffic_limit_reached = 1; | |
482 | + joblist_append(srv, con); | |
483 | + | |
484 | + return 1; | |
485 | + } else { | |
486 | + if (max_bytes > limit) max_bytes = limit; | |
487 | + } | |
4ae864ca ER |
488 | + } |
489 | + | |
902fac5f ER |
490 | written = cq->bytes_out; |
491 | ||
492 | #ifdef TCP_CORK | |
493 | @@ -879,10 +924,10 @@ | |
494 | ||
495 | if (srv_socket->is_ssl) { | |
496 | #ifdef USE_OPENSSL | |
497 | - ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq); | |
498 | + ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); | |
499 | #endif | |
500 | } else { | |
501 | - ret = srv->network_backend_write(srv, con, con->fd, cq); | |
502 | + ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); | |
503 | } | |
504 | ||
505 | if (ret >= 0) { | |
506 | @@ -903,12 +948,5 @@ | |
507 | ||
508 | *(con->conf.global_bytes_per_second_cnt_ptr) += written; | |
509 | ||
510 | - if (con->conf.kbytes_per_second && | |
511 | - (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) { | |
512 | - /* we reached the traffic limit */ | |
513 | - | |
514 | - con->traffic_limit_reached = 1; | |
515 | - joblist_append(srv, con); | |
516 | - } | |
517 | return ret; | |
4ae864ca | 518 | } |
902fac5f ER |
519 | Index: src/network.h |
520 | =================================================================== | |
521 | --- src/network.h (.../tags/lighttpd-1.4.29) | |
522 | +++ src/network.h (.../branches/lighttpd-1.4.x) | |
523 | @@ -3,7 +3,7 @@ | |
524 | ||
525 | #include "server.h" | |
526 | ||
527 | -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c); | |
528 | +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes); | |
529 | ||
530 | int network_init(server *srv); | |
531 | int network_close(server *srv); | |
532 | Index: src/configfile.c | |
533 | =================================================================== | |
534 | --- src/configfile.c (.../tags/lighttpd-1.4.29) | |
535 | +++ src/configfile.c (.../branches/lighttpd-1.4.x) | |
536 | @@ -105,6 +105,8 @@ | |
537 | { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ | |
538 | { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ | |
539 | { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ | |
540 | + { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ | |
541 | + { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ | |
542 | ||
543 | { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, | |
544 | { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, | |
545 | @@ -176,6 +178,7 @@ | |
546 | s->max_write_idle = 360; | |
547 | s->use_xattr = 0; | |
548 | s->is_ssl = 0; | |
549 | + s->ssl_honor_cipher_order = 1; | |
550 | s->ssl_use_sslv2 = 0; | |
551 | s->ssl_use_sslv3 = 1; | |
552 | s->use_ipv6 = 0; | |
553 | @@ -199,6 +202,7 @@ | |
554 | s->ssl_verifyclient_username = buffer_init(); | |
555 | s->ssl_verifyclient_depth = 9; | |
556 | s->ssl_verifyclient_export_cert = 0; | |
557 | + s->ssl_disable_client_renegotiation = 1; | |
558 | ||
559 | cv[2].destination = s->errorfile_prefix; | |
4ae864ca | 560 | |
902fac5f ER |
561 | @@ -245,6 +249,8 @@ |
562 | cv[62].destination = &(s->ssl_use_sslv3); | |
563 | cv[63].destination = s->ssl_dh_file; | |
564 | cv[64].destination = s->ssl_ec_curve; | |
bc81decf | 565 | + cv[66].destination = &(s->ssl_honor_cipher_order); |
902fac5f ER |
566 | + |
567 | cv[49].destination = &(s->etag_use_inode); | |
568 | cv[50].destination = &(s->etag_use_mtime); | |
569 | cv[51].destination = &(s->etag_use_size); | |
570 | @@ -255,6 +261,7 @@ | |
571 | cv[58].destination = &(s->ssl_verifyclient_depth); | |
572 | cv[59].destination = s->ssl_verifyclient_username; | |
573 | cv[60].destination = &(s->ssl_verifyclient_export_cert); | |
574 | + cv[65].destination = &(s->ssl_disable_client_renegotiation); | |
575 | ||
576 | srv->config_storage[i] = s; | |
577 | ||
578 | @@ -335,6 +342,7 @@ | |
579 | PATCH(ssl_cipher_list); | |
580 | PATCH(ssl_dh_file); | |
581 | PATCH(ssl_ec_curve); | |
582 | + PATCH(ssl_honor_cipher_order); | |
583 | PATCH(ssl_use_sslv2); | |
584 | PATCH(ssl_use_sslv3); | |
585 | PATCH(etag_use_inode); | |
586 | @@ -346,6 +354,7 @@ | |
587 | PATCH(ssl_verifyclient_depth); | |
588 | PATCH(ssl_verifyclient_username); | |
589 | PATCH(ssl_verifyclient_export_cert); | |
590 | + PATCH(ssl_disable_client_renegotiation); | |
4ae864ca | 591 | |
902fac5f ER |
592 | return 0; |
593 | } | |
594 | @@ -400,6 +409,8 @@ | |
595 | #endif | |
596 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { | |
597 | PATCH(ssl_ca_file); | |
598 | + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { | |
599 | + PATCH(ssl_honor_cipher_order); | |
600 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { | |
601 | PATCH(ssl_use_sslv2); | |
602 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { | |
603 | @@ -454,6 +465,8 @@ | |
604 | PATCH(ssl_verifyclient_username); | |
605 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { | |
606 | PATCH(ssl_verifyclient_export_cert); | |
607 | + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { | |
608 | + PATCH(ssl_disable_client_renegotiation); | |
609 | } | |
4ae864ca | 610 | } |
902fac5f ER |
611 | } |
612 | Index: src/mod_scgi.c | |
613 | =================================================================== | |
614 | --- src/mod_scgi.c (.../tags/lighttpd-1.4.29) | |
615 | +++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) | |
616 | @@ -2296,7 +2296,7 @@ | |
4ae864ca | 617 | |
902fac5f ER |
618 | /* fall through */ |
619 | case FCGI_STATE_WRITE: | |
620 | - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); | |
621 | + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); | |
4ae864ca | 622 | |
902fac5f ER |
623 | chunkqueue_remove_finished_chunks(hctx->wb); |
624 | ||
625 | Index: src/request.c | |
626 | =================================================================== | |
627 | --- src/request.c (.../tags/lighttpd-1.4.29) | |
628 | +++ src/request.c (.../branches/lighttpd-1.4.x) | |
629 | @@ -49,7 +49,7 @@ | |
630 | if (++colon_cnt > 7) { | |
631 | return -1; | |
632 | } | |
633 | - } else if (!light_isxdigit(*c)) { | |
634 | + } else if (!light_isxdigit(*c) && '.' != *c) { | |
635 | return -1; | |
636 | } | |
4ae864ca | 637 | } |
902fac5f ER |
638 | Index: src/network_backends.h |
639 | =================================================================== | |
640 | --- src/network_backends.h (.../tags/lighttpd-1.4.29) | |
641 | +++ src/network_backends.h (.../branches/lighttpd-1.4.x) | |
642 | @@ -47,18 +47,18 @@ | |
643 | #include "base.h" | |
4ae864ca | 644 | |
902fac5f ER |
645 | /* return values: |
646 | - * >= 0 : chunks completed | |
647 | + * >= 0 : no error | |
648 | * -1 : error (on our side) | |
649 | * -2 : remote close | |
650 | */ | |
651 | ||
652 | -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq); | |
653 | -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq); | |
654 | -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq); | |
655 | -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq); | |
656 | -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq); | |
657 | +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
658 | +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
659 | +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
660 | +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
661 | +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
662 | #ifdef USE_OPENSSL | |
663 | -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq); | |
664 | +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); | |
665 | #endif | |
666 | ||
667 | #endif | |
668 | Index: src/SConscript | |
669 | =================================================================== | |
670 | --- src/SConscript (.../tags/lighttpd-1.4.29) | |
671 | +++ src/SConscript (.../branches/lighttpd-1.4.x) | |
672 | @@ -12,7 +12,8 @@ | |
673 | data_integer.c md5.c data_fastcgi.c \ | |
674 | fdevent_select.c fdevent_libev.c \ | |
675 | fdevent_poll.c fdevent_linux_sysepoll.c \ | |
676 | - fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ | |
677 | + fdevent_solaris_devpoll.c fdevent_solaris_port.c \ | |
678 | + fdevent_freebsd_kqueue.c \ | |
679 | data_config.c bitset.c \ | |
680 | inet_ntop_cache.c crc32.c \ | |
681 | connections-glue.c \ | |
682 | @@ -62,7 +63,7 @@ | |
683 | 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, | |
684 | 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, | |
685 | 'mod_auth' : { | |
686 | - 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], | |
687 | + 'src' : [ 'mod_auth.c', 'http_auth.c' ], | |
688 | 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, | |
689 | 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, | |
690 | 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, | |
691 | Index: src/mod_cml_funcs.c | |
692 | =================================================================== | |
693 | --- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29) | |
694 | +++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x) | |
695 | @@ -17,18 +17,8 @@ | |
696 | #include <dirent.h> | |
697 | #include <stdio.h> | |
4ae864ca | 698 | |
902fac5f ER |
699 | -#ifdef USE_OPENSSL |
700 | -# include <openssl/md5.h> | |
701 | -#else | |
702 | -# include "md5.h" | |
703 | +#include "md5.h" | |
4ae864ca | 704 | |
902fac5f ER |
705 | -typedef li_MD5_CTX MD5_CTX; |
706 | -#define MD5_Init li_MD5_Init | |
707 | -#define MD5_Update li_MD5_Update | |
708 | -#define MD5_Final li_MD5_Final | |
709 | - | |
710 | -#endif | |
711 | - | |
712 | #define HASHLEN 16 | |
713 | typedef unsigned char HASH[HASHLEN]; | |
714 | #define HASHHEXLEN 32 | |
715 | @@ -43,7 +33,7 @@ | |
716 | #ifdef HAVE_LUA_H | |
717 | ||
718 | int f_crypto_md5(lua_State *L) { | |
719 | - MD5_CTX Md5Ctx; | |
720 | + li_MD5_CTX Md5Ctx; | |
721 | HASH HA1; | |
722 | buffer b; | |
723 | char hex[33]; | |
724 | @@ -63,9 +53,9 @@ | |
725 | lua_error(L); | |
4ae864ca | 726 | } |
902fac5f ER |
727 | |
728 | - MD5_Init(&Md5Ctx); | |
729 | - MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); | |
730 | - MD5_Final(HA1, &Md5Ctx); | |
731 | + li_MD5_Init(&Md5Ctx); | |
732 | + li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); | |
733 | + li_MD5_Final(HA1, &Md5Ctx); | |
734 | ||
735 | buffer_copy_string_hex(&b, (char *)HA1, 16); | |
736 | ||
737 | Index: src/mod_userdir.c | |
738 | =================================================================== | |
739 | --- src/mod_userdir.c (.../tags/lighttpd-1.4.29) | |
740 | +++ src/mod_userdir.c (.../branches/lighttpd-1.4.x) | |
741 | @@ -166,7 +166,6 @@ | |
742 | ||
743 | URIHANDLER_FUNC(mod_userdir_docroot_handler) { | |
744 | plugin_data *p = p_d; | |
745 | - int uri_len; | |
746 | size_t k; | |
747 | char *rel_url; | |
748 | #ifdef HAVE_PWD_H | |
749 | @@ -182,8 +181,6 @@ | |
750 | */ | |
751 | if (p->conf.path->used == 0) return HANDLER_GO_ON; | |
752 | ||
753 | - uri_len = con->uri.path->used - 1; | |
754 | - | |
755 | /* /~user/foo.html -> /home/user/public_html/foo.html */ | |
756 | ||
757 | if (con->uri.path->ptr[0] != '/' || | |
758 | Index: src/mod_proxy.c | |
759 | =================================================================== | |
760 | --- src/mod_proxy.c (.../tags/lighttpd-1.4.29) | |
761 | +++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) | |
762 | @@ -825,7 +825,7 @@ | |
763 | ||
764 | /* fall through */ | |
765 | case PROXY_STATE_WRITE:; | |
766 | - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); | |
767 | + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); | |
768 | ||
769 | chunkqueue_remove_finished_chunks(hctx->wb); | |
770 | ||
4ae864ca ER |
771 | Index: src/Makefile.am |
772 | =================================================================== | |
902fac5f | 773 | --- src/Makefile.am (.../tags/lighttpd-1.4.29) |
4ae864ca | 774 | +++ src/Makefile.am (.../branches/lighttpd-1.4.x) |
902fac5f ER |
775 | @@ -241,7 +241,7 @@ |
776 | mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) | |
777 | ||
778 | lib_LTLIBRARIES += mod_auth.la | |
779 | -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c | |
780 | +mod_auth_la_SOURCES = mod_auth.c http_auth.c | |
781 | mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined | |
782 | mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) | |
783 | ||
784 | @@ -268,7 +268,7 @@ | |
785 | ||
786 | hdr = server.h buffer.h network.h log.h keyvalue.h \ | |
787 | response.h request.h fastcgi.h chunk.h \ | |
788 | - settings.h http_chunk.h http_auth_digest.h \ | |
789 | + settings.h http_chunk.h \ | |
790 | md5.h http_auth.h stream.h \ | |
791 | fdevent.h connections.h base.h stat_cache.h \ | |
792 | plugin.h mod_auth.h \ | |
793 | Index: src/network_writev.c | |
794 | =================================================================== | |
795 | --- src/network_writev.c (.../tags/lighttpd-1.4.29) | |
796 | +++ src/network_writev.c (.../branches/lighttpd-1.4.x) | |
797 | @@ -30,17 +30,16 @@ | |
798 | #define LOCAL_BUFFERING 1 | |
799 | #endif | |
800 | ||
801 | -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) { | |
802 | +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
803 | chunk *c; | |
804 | - size_t chunks_written = 0; | |
805 | ||
806 | - for(c = cq->first; c; c = c->next) { | |
807 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
808 | int chunk_finished = 0; | |
809 | ||
810 | switch(c->type) { | |
811 | case MEM_CHUNK: { | |
812 | char * offset; | |
813 | - size_t toSend; | |
814 | + off_t toSend; | |
815 | ssize_t r; | |
816 | ||
817 | size_t num_chunks, i; | |
818 | @@ -65,12 +64,10 @@ | |
819 | #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" | |
820 | #endif | |
821 | ||
822 | - /* we can't send more then SSIZE_MAX bytes in one chunk */ | |
823 | - | |
824 | /* build writev list | |
825 | * | |
826 | * 1. limit: num_chunks < max_chunks | |
827 | - * 2. limit: num_bytes < SSIZE_MAX | |
828 | + * 2. limit: num_bytes < max_bytes | |
829 | */ | |
830 | for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next); | |
831 | ||
832 | @@ -87,9 +84,9 @@ | |
833 | chunks[i].iov_base = offset; | |
834 | ||
835 | /* protect the return value of writev() */ | |
836 | - if (toSend > SSIZE_MAX || | |
837 | - num_bytes + toSend > SSIZE_MAX) { | |
838 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
839 | + if (toSend > max_bytes || | |
840 | + (off_t) num_bytes + toSend > max_bytes) { | |
841 | + chunks[i].iov_len = max_bytes - num_bytes; | |
842 | ||
843 | num_chunks = i + 1; | |
844 | break; | |
845 | @@ -121,6 +118,7 @@ | |
846 | } | |
847 | ||
848 | cq->bytes_out += r; | |
849 | + max_bytes -= r; | |
850 | ||
851 | /* check which chunks have been written */ | |
852 | ||
853 | @@ -132,11 +130,10 @@ | |
854 | ||
855 | if (chunk_finished) { | |
856 | /* skip the chunks from further touches */ | |
857 | - chunks_written++; | |
858 | c = c->next; | |
859 | } else { | |
860 | /* chunks_written + c = c->next is done in the for()*/ | |
861 | - chunk_finished++; | |
862 | + chunk_finished = 1; | |
4ae864ca | 863 | } |
902fac5f ER |
864 | } else { |
865 | /* partially written */ | |
866 | @@ -284,6 +281,8 @@ | |
867 | assert(toSend < 0); | |
868 | } | |
869 | ||
870 | + if (toSend > max_bytes) toSend = max_bytes; | |
871 | + | |
872 | #ifdef LOCAL_BUFFERING | |
873 | start = c->mem->ptr; | |
874 | #else | |
875 | @@ -309,6 +308,7 @@ | |
876 | ||
877 | c->offset += r; | |
878 | cq->bytes_out += r; | |
879 | + max_bytes -= r; | |
880 | ||
881 | if (c->offset == c->file.length) { | |
882 | chunk_finished = 1; | |
883 | @@ -334,11 +334,9 @@ | |
884 | ||
885 | break; | |
886 | } | |
887 | - | |
888 | - chunks_written++; | |
889 | } | |
890 | ||
891 | - return chunks_written; | |
892 | + return 0; | |
893 | } | |
4ae864ca | 894 | |
902fac5f ER |
895 | #endif |
896 | Index: src/network_freebsd_sendfile.c | |
897 | =================================================================== | |
898 | --- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29) | |
899 | +++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) | |
900 | @@ -31,17 +31,16 @@ | |
901 | # endif | |
902 | #endif | |
903 | ||
904 | -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { | |
905 | +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
906 | chunk *c; | |
907 | - size_t chunks_written = 0; | |
908 | ||
909 | - for(c = cq->first; c; c = c->next, chunks_written++) { | |
910 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
911 | int chunk_finished = 0; | |
912 | ||
913 | switch(c->type) { | |
914 | case MEM_CHUNK: { | |
915 | char * offset; | |
916 | - size_t toSend; | |
917 | + off_t toSend; | |
918 | ssize_t r; | |
919 | ||
920 | size_t num_chunks, i; | |
921 | @@ -49,12 +48,10 @@ | |
922 | chunk *tc; | |
923 | size_t num_bytes = 0; | |
924 | ||
925 | - /* we can't send more then SSIZE_MAX bytes in one chunk */ | |
926 | - | |
927 | /* build writev list | |
928 | * | |
929 | * 1. limit: num_chunks < UIO_MAXIOV | |
930 | - * 2. limit: num_bytes < SSIZE_MAX | |
931 | + * 2. limit: num_bytes < max_bytes | |
932 | */ | |
933 | for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next); | |
934 | ||
935 | @@ -69,9 +66,9 @@ | |
936 | chunks[i].iov_base = offset; | |
937 | ||
938 | /* protect the return value of writev() */ | |
939 | - if (toSend > SSIZE_MAX || | |
940 | - num_bytes + toSend > SSIZE_MAX) { | |
941 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
942 | + if (toSend > max_bytes || | |
943 | + (off_t) num_bytes + toSend > max_bytes) { | |
944 | + chunks[i].iov_len = max_bytes - num_bytes; | |
945 | ||
946 | num_chunks = i + 1; | |
947 | break; | |
948 | @@ -105,6 +102,7 @@ | |
949 | ||
950 | /* check which chunks have been written */ | |
951 | cq->bytes_out += r; | |
952 | + max_bytes -= r; | |
953 | ||
954 | for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { | |
955 | if (r >= (ssize_t)chunks[i].iov_len) { | |
956 | @@ -114,11 +112,10 @@ | |
957 | ||
958 | if (chunk_finished) { | |
959 | /* skip the chunks from further touches */ | |
960 | - chunks_written++; | |
961 | c = c->next; | |
962 | } else { | |
963 | /* chunks_written + c = c->next is done in the for()*/ | |
964 | - chunk_finished++; | |
965 | + chunk_finished = 1; | |
4ae864ca | 966 | } |
902fac5f ER |
967 | } else { |
968 | /* partially written */ | |
969 | @@ -134,7 +131,7 @@ | |
970 | } | |
971 | case FILE_CHUNK: { | |
972 | off_t offset, r; | |
973 | - size_t toSend; | |
974 | + off_t toSend; | |
975 | stat_cache_entry *sce = NULL; | |
976 | ||
977 | if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { | |
978 | @@ -144,9 +141,8 @@ | |
979 | } | |
980 | ||
981 | offset = c->file.start + c->offset; | |
982 | - /* limit the toSend to 2^31-1 bytes in a chunk */ | |
983 | - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? | |
984 | - ((1 << 30) - 1) : c->file.length - c->offset; | |
985 | + toSend = c->file.length - c->offset; | |
986 | + if (toSend > max_bytes) toSend = max_bytes; | |
987 | ||
988 | if (-1 == c->file.fd) { | |
989 | if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) { | |
990 | @@ -197,6 +193,7 @@ | |
991 | ||
992 | c->offset += r; | |
993 | cq->bytes_out += r; | |
994 | + max_bytes -= r; | |
995 | ||
996 | if (c->offset == c->file.length) { | |
997 | chunk_finished = 1; | |
998 | @@ -218,7 +215,7 @@ | |
999 | } | |
1000 | } | |
1001 | ||
1002 | - return chunks_written; | |
1003 | + return 0; | |
1004 | } | |
1005 | ||
1006 | #endif | |
1007 | Index: src/network_openssl.c | |
1008 | =================================================================== | |
1009 | --- src/network_openssl.c (.../tags/lighttpd-1.4.29) | |
1010 | +++ src/network_openssl.c (.../branches/lighttpd-1.4.x) | |
1011 | @@ -27,10 +27,9 @@ | |
1012 | # include <openssl/ssl.h> | |
1013 | # include <openssl/err.h> | |
1014 | ||
1015 | -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { | |
1016 | +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { | |
1017 | int ssl_r; | |
1018 | chunk *c; | |
1019 | - size_t chunks_written = 0; | |
1020 | ||
1021 | /* this is a 64k sendbuffer | |
1022 | * | |
1023 | @@ -59,13 +58,13 @@ | |
1024 | SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); | |
1025 | } | |
1026 | ||
1027 | - for(c = cq->first; c; c = c->next) { | |
1028 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
1029 | int chunk_finished = 0; | |
1030 | ||
1031 | switch(c->type) { | |
1032 | case MEM_CHUNK: { | |
1033 | char * offset; | |
1034 | - size_t toSend; | |
1035 | + off_t toSend; | |
1036 | ssize_t r; | |
1037 | ||
1038 | if (c->mem->used == 0 || c->mem->used == 1) { | |
1039 | @@ -75,6 +74,7 @@ | |
1040 | ||
1041 | offset = c->mem->ptr + c->offset; | |
1042 | toSend = c->mem->used - 1 - c->offset; | |
1043 | + if (toSend > max_bytes) toSend = max_bytes; | |
1044 | ||
1045 | /** | |
1046 | * SSL_write man-page | |
1047 | @@ -87,7 +87,14 @@ | |
1048 | */ | |
1049 | ||
1050 | ERR_clear_error(); | |
1051 | - if ((r = SSL_write(ssl, offset, toSend)) <= 0) { | |
1052 | + r = SSL_write(ssl, offset, toSend); | |
1053 | + | |
1054 | + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { | |
1055 | + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); | |
1056 | + return -1; | |
1057 | + } | |
1058 | + | |
1059 | + if (r <= 0) { | |
1060 | unsigned long err; | |
1061 | ||
1062 | switch ((ssl_r = SSL_get_error(ssl, r))) { | |
1063 | @@ -139,6 +146,7 @@ | |
1064 | } else { | |
1065 | c->offset += r; | |
1066 | cq->bytes_out += r; | |
1067 | + max_bytes -= r; | |
1068 | } | |
1069 | ||
1070 | if (c->offset == (off_t)c->mem->used - 1) { | |
1071 | @@ -168,6 +176,7 @@ | |
1072 | do { | |
1073 | off_t offset = c->file.start + c->offset; | |
1074 | off_t toSend = c->file.length - c->offset; | |
1075 | + if (toSend > max_bytes) toSend = max_bytes; | |
1076 | ||
1077 | if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; | |
1078 | ||
1079 | @@ -190,7 +199,14 @@ | |
1080 | close(ifd); | |
1081 | ||
1082 | ERR_clear_error(); | |
1083 | - if ((r = SSL_write(ssl, s, toSend)) <= 0) { | |
1084 | + r = SSL_write(ssl, s, toSend); | |
1085 | + | |
1086 | + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { | |
1087 | + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); | |
1088 | + return -1; | |
1089 | + } | |
1090 | + | |
1091 | + if (r <= 0) { | |
1092 | unsigned long err; | |
1093 | ||
1094 | switch ((ssl_r = SSL_get_error(ssl, r))) { | |
bc81decf | 1095 | @@ -243,12 +259,13 @@ |
902fac5f ER |
1096 | } else { |
1097 | c->offset += r; | |
1098 | cq->bytes_out += r; | |
1099 | + max_bytes -= r; | |
1100 | } | |
1101 | ||
1102 | if (c->offset == c->file.length) { | |
bc81decf ER |
1103 | chunk_finished = 1; |
1104 | } | |
1105 | - } while(!chunk_finished && !write_wait); | |
1106 | + } while (!chunk_finished && !write_wait && max_bytes > 0); | |
1107 | ||
1108 | break; | |
1109 | } | |
902fac5f ER |
1110 | @@ -263,11 +280,9 @@ |
1111 | ||
1112 | break; | |
1113 | } | |
1114 | - | |
1115 | - chunks_written++; | |
1116 | } | |
1117 | ||
1118 | - return chunks_written; | |
1119 | + return 0; | |
1120 | } | |
1121 | #endif | |
1122 | ||
1123 | Index: src/http_auth.c | |
1124 | =================================================================== | |
1125 | --- src/http_auth.c (.../tags/lighttpd-1.4.29) | |
1126 | +++ src/http_auth.c (.../branches/lighttpd-1.4.x) | |
1127 | @@ -1,7 +1,6 @@ | |
1128 | #include "server.h" | |
1129 | #include "log.h" | |
1130 | #include "http_auth.h" | |
1131 | -#include "http_auth_digest.h" | |
1132 | #include "inet_ntop_cache.h" | |
1133 | #include "stream.h" | |
1134 | ||
1135 | @@ -28,18 +27,23 @@ | |
1136 | #include <unistd.h> | |
1137 | #include <ctype.h> | |
1138 | ||
1139 | -#ifdef USE_OPENSSL | |
1140 | -# include <openssl/md5.h> | |
1141 | -#else | |
1142 | -# include "md5.h" | |
1143 | +#include "md5.h" | |
1144 | ||
1145 | -typedef li_MD5_CTX MD5_CTX; | |
1146 | -#define MD5_Init li_MD5_Init | |
1147 | -#define MD5_Update li_MD5_Update | |
1148 | -#define MD5_Final li_MD5_Final | |
1149 | +#define HASHLEN 16 | |
1150 | +#define HASHHEXLEN 32 | |
1151 | +typedef unsigned char HASH[HASHLEN]; | |
1152 | +typedef char HASHHEX[HASHHEXLEN+1]; | |
1153 | ||
1154 | -#endif | |
1155 | +static void CvtHex(const HASH Bin, char Hex[33]) { | |
1156 | + unsigned short i; | |
1157 | ||
1158 | + for (i = 0; i < 16; i++) { | |
1159 | + Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); | |
1160 | + Hex[i*2+1] = int2hex(Bin[i] & 0xf); | |
1161 | + } | |
1162 | + Hex[32] = '\0'; | |
1163 | +} | |
1164 | + | |
1165 | /** | |
1166 | * the $apr1$ handling is taken from apache 1.3.x | |
1167 | */ | |
1168 | @@ -95,7 +99,7 @@ | |
1169 | ch = in[0]; | |
1170 | /* run through the whole string, converting as we go */ | |
1171 | for (i = 0; i < in_len; i++) { | |
1172 | - ch = in[i]; | |
1173 | + ch = (unsigned char) in[i]; | |
1174 | ||
1175 | if (ch == '\0') break; | |
1176 | ||
1177 | @@ -435,7 +439,7 @@ | |
1178 | ||
1179 | static void to64(char *s, unsigned long v, int n) | |
1180 | { | |
1181 | - static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ | |
1182 | + static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ | |
1183 | "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; | |
1184 | ||
1185 | while (--n >= 0) { | |
1186 | @@ -455,7 +459,7 @@ | |
1187 | const char *sp, *ep; | |
1188 | unsigned char final[APR_MD5_DIGESTSIZE]; | |
1189 | ssize_t sl, pl, i; | |
1190 | - MD5_CTX ctx, ctx1; | |
1191 | + li_MD5_CTX ctx, ctx1; | |
1192 | unsigned long l; | |
1193 | ||
1194 | /* | |
1195 | @@ -487,33 +491,33 @@ | |
1196 | /* | |
1197 | * 'Time to make the doughnuts..' | |
1198 | */ | |
1199 | - MD5_Init(&ctx); | |
1200 | + li_MD5_Init(&ctx); | |
1201 | ||
1202 | /* | |
1203 | * The password first, since that is what is most unknown | |
1204 | */ | |
1205 | - MD5_Update(&ctx, pw, strlen(pw)); | |
1206 | + li_MD5_Update(&ctx, pw, strlen(pw)); | |
1207 | ||
1208 | /* | |
1209 | * Then our magic string | |
1210 | */ | |
1211 | - MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); | |
1212 | + li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); | |
1213 | ||
1214 | /* | |
1215 | * Then the raw salt | |
1216 | */ | |
1217 | - MD5_Update(&ctx, sp, sl); | |
1218 | + li_MD5_Update(&ctx, sp, sl); | |
1219 | ||
1220 | /* | |
1221 | * Then just as many characters of the MD5(pw, salt, pw) | |
1222 | */ | |
1223 | - MD5_Init(&ctx1); | |
1224 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1225 | - MD5_Update(&ctx1, sp, sl); | |
1226 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1227 | - MD5_Final(final, &ctx1); | |
1228 | + li_MD5_Init(&ctx1); | |
1229 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1230 | + li_MD5_Update(&ctx1, sp, sl); | |
1231 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1232 | + li_MD5_Final(final, &ctx1); | |
1233 | for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { | |
1234 | - MD5_Update(&ctx, final, | |
1235 | + li_MD5_Update(&ctx, final, | |
1236 | (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl); | |
1237 | } | |
1238 | ||
1239 | @@ -527,10 +531,10 @@ | |
1240 | */ | |
1241 | for (i = strlen(pw); i != 0; i >>= 1) { | |
1242 | if (i & 1) { | |
1243 | - MD5_Update(&ctx, final, 1); | |
1244 | + li_MD5_Update(&ctx, final, 1); | |
1245 | } | |
1246 | else { | |
1247 | - MD5_Update(&ctx, pw, 1); | |
1248 | + li_MD5_Update(&ctx, pw, 1); | |
1249 | } | |
1250 | } | |
1251 | ||
1252 | @@ -542,7 +546,7 @@ | |
1253 | strncat(passwd, sp, sl); | |
1254 | strcat(passwd, "$"); | |
1255 | ||
1256 | - MD5_Final(final, &ctx); | |
1257 | + li_MD5_Final(final, &ctx); | |
1258 | ||
1259 | /* | |
1260 | * And now, just to make sure things don't run too fast.. | |
1261 | @@ -550,28 +554,28 @@ | |
1262 | * need 30 seconds to build a 1000 entry dictionary... | |
1263 | */ | |
1264 | for (i = 0; i < 1000; i++) { | |
1265 | - MD5_Init(&ctx1); | |
1266 | + li_MD5_Init(&ctx1); | |
1267 | if (i & 1) { | |
1268 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1269 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1270 | } | |
1271 | else { | |
1272 | - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1273 | + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1274 | } | |
1275 | if (i % 3) { | |
1276 | - MD5_Update(&ctx1, sp, sl); | |
1277 | + li_MD5_Update(&ctx1, sp, sl); | |
1278 | } | |
1279 | ||
1280 | if (i % 7) { | |
1281 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1282 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1283 | } | |
1284 | ||
1285 | if (i & 1) { | |
1286 | - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1287 | + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1288 | } | |
1289 | else { | |
1290 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1291 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1292 | } | |
1293 | - MD5_Final(final,&ctx1); | |
1294 | + li_MD5_Final(final,&ctx1); | |
1295 | } | |
1296 | ||
1297 | p = passwd + strlen(passwd); | |
1298 | @@ -614,17 +618,17 @@ | |
1299 | * user:realm:md5(user:realm:password) | |
1300 | */ | |
1301 | ||
1302 | - MD5_CTX Md5Ctx; | |
1303 | + li_MD5_CTX Md5Ctx; | |
1304 | HASH HA1; | |
1305 | char a1[256]; | |
1306 | ||
1307 | - MD5_Init(&Md5Ctx); | |
1308 | - MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); | |
1309 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1310 | - MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); | |
1311 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1312 | - MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); | |
1313 | - MD5_Final(HA1, &Md5Ctx); | |
1314 | + li_MD5_Init(&Md5Ctx); | |
1315 | + li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); | |
1316 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1317 | + li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); | |
1318 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1319 | + li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); | |
1320 | + li_MD5_Final(HA1, &Md5Ctx); | |
1321 | ||
1322 | CvtHex(HA1, a1); | |
1323 | ||
1324 | @@ -930,7 +934,7 @@ | |
1325 | int i; | |
1326 | buffer *password, *b, *username_buf, *realm_buf; | |
1327 | ||
1328 | - MD5_CTX Md5Ctx; | |
1329 | + li_MD5_CTX Md5Ctx; | |
1330 | HASH HA1; | |
1331 | HASH HA2; | |
1332 | HASH RespHash; | |
1333 | @@ -1067,13 +1071,13 @@ | |
1334 | ||
1335 | if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { | |
1336 | /* generate password from plain-text */ | |
1337 | - MD5_Init(&Md5Ctx); | |
1338 | - MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); | |
1339 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1340 | - MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); | |
1341 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1342 | - MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); | |
1343 | - MD5_Final(HA1, &Md5Ctx); | |
1344 | + li_MD5_Init(&Md5Ctx); | |
1345 | + li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); | |
1346 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1347 | + li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); | |
1348 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1349 | + li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); | |
1350 | + li_MD5_Final(HA1, &Md5Ctx); | |
1351 | } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { | |
1352 | /* HA1 */ | |
1353 | /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ | |
1354 | @@ -1090,45 +1094,45 @@ | |
1355 | ||
1356 | if (algorithm && | |
1357 | strcasecmp(algorithm, "md5-sess") == 0) { | |
1358 | - MD5_Init(&Md5Ctx); | |
1359 | - MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); | |
1360 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1361 | - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1362 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1363 | - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1364 | - MD5_Final(HA1, &Md5Ctx); | |
1365 | + li_MD5_Init(&Md5Ctx); | |
1366 | + li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); | |
1367 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1368 | + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1369 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1370 | + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1371 | + li_MD5_Final(HA1, &Md5Ctx); | |
1372 | } | |
1373 | ||
1374 | CvtHex(HA1, a1); | |
1375 | ||
1376 | /* calculate H(A2) */ | |
1377 | - MD5_Init(&Md5Ctx); | |
1378 | - MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); | |
1379 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1380 | - MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); | |
1381 | + li_MD5_Init(&Md5Ctx); | |
1382 | + li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); | |
1383 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1384 | + li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); | |
1385 | if (qop && strcasecmp(qop, "auth-int") == 0) { | |
1386 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1387 | - MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); | |
1388 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1389 | + li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); | |
1390 | } | |
1391 | - MD5_Final(HA2, &Md5Ctx); | |
1392 | + li_MD5_Final(HA2, &Md5Ctx); | |
1393 | CvtHex(HA2, HA2Hex); | |
1394 | ||
1395 | /* calculate response */ | |
1396 | - MD5_Init(&Md5Ctx); | |
1397 | - MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); | |
1398 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1399 | - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1400 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1401 | + li_MD5_Init(&Md5Ctx); | |
1402 | + li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); | |
1403 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1404 | + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1405 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1406 | if (qop && *qop) { | |
1407 | - MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); | |
1408 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1409 | - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1410 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1411 | - MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); | |
1412 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1413 | + li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); | |
1414 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1415 | + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1416 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1417 | + li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); | |
1418 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1419 | }; | |
1420 | - MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); | |
1421 | - MD5_Final(RespHash, &Md5Ctx); | |
1422 | + li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); | |
1423 | + li_MD5_Final(RespHash, &Md5Ctx); | |
1424 | CvtHex(RespHash, a2); | |
1425 | ||
1426 | if (0 != strcmp(a2, respons)) { | |
1427 | @@ -1171,24 +1175,24 @@ | |
1428 | ||
1429 | int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { | |
1430 | HASH h; | |
1431 | - MD5_CTX Md5Ctx; | |
1432 | + li_MD5_CTX Md5Ctx; | |
1433 | char hh[32]; | |
4ae864ca | 1434 | |
902fac5f ER |
1435 | UNUSED(p); |
1436 | ||
1437 | /* generate shared-secret */ | |
1438 | - MD5_Init(&Md5Ctx); | |
1439 | - MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); | |
1440 | - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1441 | + li_MD5_Init(&Md5Ctx); | |
1442 | + li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); | |
1443 | + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1444 | ||
1445 | /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ | |
1446 | LI_ltostr(hh, srv->cur_ts); | |
1447 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1448 | - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1449 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1450 | + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1451 | LI_ltostr(hh, rand()); | |
1452 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1453 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1454 | ||
1455 | - MD5_Final(h, &Md5Ctx); | |
1456 | + li_MD5_Final(h, &Md5Ctx); | |
1457 | ||
1458 | CvtHex(h, out); | |
1459 | ||
1460 | Index: src/mod_usertrack.c | |
1461 | =================================================================== | |
1462 | --- src/mod_usertrack.c (.../tags/lighttpd-1.4.29) | |
1463 | +++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x) | |
1464 | @@ -8,18 +8,8 @@ | |
1465 | #include <stdlib.h> | |
1466 | #include <string.h> | |
1467 | ||
1468 | -#ifdef USE_OPENSSL | |
1469 | -# include <openssl/md5.h> | |
1470 | -#else | |
1471 | -# include "md5.h" | |
1472 | +#include "md5.h" | |
1473 | ||
1474 | -typedef li_MD5_CTX MD5_CTX; | |
1475 | -#define MD5_Init li_MD5_Init | |
1476 | -#define MD5_Update li_MD5_Update | |
1477 | -#define MD5_Final li_MD5_Final | |
1478 | - | |
1479 | -#endif | |
1480 | - | |
1481 | /* plugin config for all request/connections */ | |
1482 | ||
1483 | typedef struct { | |
1484 | @@ -182,7 +172,7 @@ | |
1485 | plugin_data *p = p_d; | |
1486 | data_string *ds; | |
1487 | unsigned char h[16]; | |
1488 | - MD5_CTX Md5Ctx; | |
1489 | + li_MD5_CTX Md5Ctx; | |
1490 | char hh[32]; | |
1491 | ||
1492 | if (con->uri.path->used == 0) return HANDLER_GO_ON; | |
1493 | @@ -228,18 +218,18 @@ | |
1494 | /* taken from mod_auth.c */ | |
1495 | ||
1496 | /* generate shared-secret */ | |
1497 | - MD5_Init(&Md5Ctx); | |
1498 | - MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); | |
1499 | - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1500 | + li_MD5_Init(&Md5Ctx); | |
1501 | + li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); | |
1502 | + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1503 | ||
1504 | /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ | |
1505 | LI_ltostr(hh, srv->cur_ts); | |
1506 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1507 | - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1508 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1509 | + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1510 | LI_ltostr(hh, rand()); | |
1511 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1512 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1513 | ||
1514 | - MD5_Final(h, &Md5Ctx); | |
1515 | + li_MD5_Final(h, &Md5Ctx); | |
1516 | ||
1517 | buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX); | |
1518 | buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/")); | |
1519 | Index: src/mod_status.c | |
1520 | =================================================================== | |
1521 | --- src/mod_status.c (.../tags/lighttpd-1.4.29) | |
1522 | +++ src/mod_status.c (.../branches/lighttpd-1.4.x) | |
1523 | @@ -487,7 +487,7 @@ | |
1524 | ||
1525 | buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">")); | |
1526 | ||
1527 | - if (con->request.content_length) { | |
1528 | + if (c->request.content_length) { | |
1529 | buffer_append_long(b, c->request_content_queue->bytes_in); | |
1530 | buffer_append_string_len(b, CONST_STR_LEN("/")); | |
1531 | buffer_append_long(b, c->request.content_length); | |
1532 | Index: src/settings.h | |
1533 | =================================================================== | |
1534 | --- src/settings.h (.../tags/lighttpd-1.4.29) | |
1535 | +++ src/settings.h (.../branches/lighttpd-1.4.x) | |
1536 | @@ -21,8 +21,11 @@ | |
1537 | * 64kB (no real reason, just a guess) | |
1538 | */ | |
1539 | #define BUFFER_MAX_REUSE_SIZE (4 * 1024) | |
1540 | -#define MAX_READ_LIMIT (4*1024*1024) | |
1541 | ||
1542 | +/* both should be way smaller than SSIZE_MAX :) */ | |
1543 | +#define MAX_READ_LIMIT (256*1024) | |
1544 | +#define MAX_WRITE_LIMIT (256*1024) | |
1545 | + | |
1546 | /** | |
1547 | * max size of the HTTP request header | |
1548 | * | |
1549 | Index: src/mod_cml_lua.c | |
1550 | =================================================================== | |
1551 | --- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29) | |
1552 | +++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x) | |
1553 | @@ -11,18 +11,6 @@ | |
1554 | #include <time.h> | |
1555 | #include <string.h> | |
1556 | ||
1557 | -#ifdef USE_OPENSSL | |
1558 | -# include <openssl/md5.h> | |
1559 | -#else | |
1560 | -# include "md5.h" | |
1561 | - | |
1562 | -typedef li_MD5_CTX MD5_CTX; | |
1563 | -#define MD5_Init li_MD5_Init | |
1564 | -#define MD5_Update li_MD5_Update | |
1565 | -#define MD5_Final li_MD5_Final | |
1566 | - | |
1567 | -#endif | |
1568 | - | |
1569 | #define HASHLEN 16 | |
1570 | typedef unsigned char HASH[HASHLEN]; | |
1571 | #define HASHHEXLEN 32 | |
1572 | Index: src/mod_fastcgi.c | |
1573 | =================================================================== | |
1574 | --- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29) | |
1575 | +++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) | |
1576 | @@ -3075,7 +3075,7 @@ | |
1577 | fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); | |
1578 | /* fall through */ | |
1579 | case FCGI_STATE_WRITE: | |
1580 | - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); | |
1581 | + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); | |
1582 | ||
1583 | chunkqueue_remove_finished_chunks(hctx->wb); | |
1584 | ||
1585 | @@ -3132,7 +3132,6 @@ | |
1586 | plugin_data *p = p_d; | |
1587 | ||
1588 | handler_ctx *hctx = con->plugin_ctx[p->id]; | |
1589 | - fcgi_proc *proc; | |
1590 | fcgi_extension_host *host; | |
1591 | ||
1592 | if (NULL == hctx) return HANDLER_GO_ON; | |
1593 | @@ -3201,7 +3200,6 @@ | |
1594 | /* ok, create the request */ | |
1595 | switch(fcgi_write_request(srv, hctx)) { | |
1596 | case HANDLER_ERROR: | |
1597 | - proc = hctx->proc; | |
1598 | host = hctx->host; | |
1599 | ||
1600 | if (hctx->state == FCGI_STATE_INIT || | |
1601 | Index: src/network_solaris_sendfilev.c | |
1602 | =================================================================== | |
1603 | --- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29) | |
1604 | +++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x) | |
1605 | @@ -38,17 +38,16 @@ | |
1606 | */ | |
1607 | ||
1608 | ||
1609 | -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) { | |
1610 | +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
1611 | chunk *c; | |
1612 | - size_t chunks_written = 0; | |
1613 | ||
1614 | - for(c = cq->first; c; c = c->next, chunks_written++) { | |
1615 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
1616 | int chunk_finished = 0; | |
1617 | ||
1618 | switch(c->type) { | |
1619 | case MEM_CHUNK: { | |
1620 | char * offset; | |
1621 | - size_t toSend; | |
1622 | + off_t toSend; | |
1623 | ssize_t r; | |
1624 | ||
1625 | size_t num_chunks, i; | |
1626 | @@ -77,9 +76,9 @@ | |
1627 | chunks[i].iov_base = offset; | |
1628 | ||
1629 | /* protect the return value of writev() */ | |
1630 | - if (toSend > SSIZE_MAX || | |
1631 | - num_bytes + toSend > SSIZE_MAX) { | |
1632 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
1633 | + if (toSend > max_bytes || | |
1634 | + (off_t) num_bytes + toSend > max_bytes) { | |
1635 | + chunks[i].iov_len = max_bytes - num_bytes; | |
1636 | ||
1637 | num_chunks = i + 1; | |
1638 | break; | |
1639 | @@ -119,11 +118,10 @@ | |
1640 | ||
1641 | if (chunk_finished) { | |
1642 | /* skip the chunks from further touches */ | |
1643 | - chunks_written++; | |
1644 | c = c->next; | |
1645 | } else { | |
1646 | /* chunks_written + c = c->next is done in the for()*/ | |
1647 | - chunk_finished++; | |
1648 | + chunk_finished = 1; | |
4ae864ca | 1649 | } |
902fac5f ER |
1650 | } else { |
1651 | /* partially written */ | |
1652 | @@ -139,8 +137,8 @@ | |
1653 | } | |
1654 | case FILE_CHUNK: { | |
1655 | ssize_t r; | |
1656 | - off_t offset; | |
1657 | - size_t toSend, written; | |
1658 | + off_t offset, toSend; | |
1659 | + size_t written; | |
1660 | sendfilevec_t fvec; | |
1661 | stat_cache_entry *sce = NULL; | |
1662 | int ifd; | |
1663 | @@ -153,6 +151,7 @@ | |
1664 | ||
1665 | offset = c->file.start + c->offset; | |
1666 | toSend = c->file.length - c->offset; | |
1667 | + if (toSend > max_bytes) toSend = max_bytes; | |
1668 | ||
1669 | if (offset > sce->st.st_size) { | |
1670 | log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); | |
1671 | @@ -186,6 +185,7 @@ | |
1672 | close(ifd); | |
1673 | c->offset += written; | |
1674 | cq->bytes_out += written; | |
1675 | + max_bytes -= written; | |
1676 | ||
1677 | if (c->offset == c->file.length) { | |
1678 | chunk_finished = 1; | |
1679 | @@ -207,7 +207,7 @@ | |
1680 | } | |
1681 | } | |
1682 | ||
1683 | - return chunks_written; | |
1684 | + return 0; | |
1685 | } | |
1686 | ||
1687 | #endif | |
1688 | Index: src/CMakeLists.txt | |
1689 | =================================================================== | |
1690 | Index: src/mod_dirlisting.c | |
1691 | =================================================================== | |
1692 | --- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29) | |
1693 | +++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x) | |
1694 | @@ -657,7 +657,8 @@ | |
1695 | i = dir->used - 1; | |
1696 | ||
1697 | #ifdef HAVE_PATHCONF | |
1698 | - if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { | |
1699 | + if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { | |
1700 | + /* some broken fs (fuse) return 0 instead of -1 */ | |
1701 | #ifdef NAME_MAX | |
1702 | name_max = NAME_MAX; | |
1703 | #else | |
1704 | Index: src/network_linux_sendfile.c | |
1705 | =================================================================== | |
1706 | --- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29) | |
1707 | +++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x) | |
1708 | @@ -27,17 +27,16 @@ | |
1709 | /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */ | |
1710 | #undef HAVE_POSIX_FADVISE | |
1711 | ||
1712 | -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { | |
1713 | +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
1714 | chunk *c; | |
1715 | - size_t chunks_written = 0; | |
1716 | ||
1717 | - for(c = cq->first; c; c = c->next, chunks_written++) { | |
1718 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
1719 | int chunk_finished = 0; | |
1720 | ||
1721 | switch(c->type) { | |
1722 | case MEM_CHUNK: { | |
1723 | char * offset; | |
1724 | - size_t toSend; | |
1725 | + off_t toSend; | |
1726 | ssize_t r; | |
4ae864ca | 1727 | |
902fac5f ER |
1728 | size_t num_chunks, i; |
1729 | @@ -45,12 +44,10 @@ | |
1730 | chunk *tc; | |
1731 | size_t num_bytes = 0; | |
1732 | ||
1733 | - /* we can't send more then SSIZE_MAX bytes in one chunk */ | |
1734 | - | |
1735 | /* build writev list | |
1736 | * | |
1737 | * 1. limit: num_chunks < UIO_MAXIOV | |
1738 | - * 2. limit: num_bytes < SSIZE_MAX | |
1739 | + * 2. limit: num_bytes < max_bytes | |
1740 | */ | |
1741 | for (num_chunks = 0, tc = c; | |
1742 | tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; | |
1743 | @@ -67,9 +64,9 @@ | |
1744 | chunks[i].iov_base = offset; | |
1745 | ||
1746 | /* protect the return value of writev() */ | |
1747 | - if (toSend > SSIZE_MAX || | |
1748 | - num_bytes + toSend > SSIZE_MAX) { | |
1749 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
1750 | + if (toSend > max_bytes || | |
1751 | + (off_t) num_bytes + toSend > max_bytes) { | |
1752 | + chunks[i].iov_len = max_bytes - num_bytes; | |
1753 | ||
1754 | num_chunks = i + 1; | |
1755 | break; | |
1756 | @@ -100,6 +97,7 @@ | |
1757 | ||
1758 | /* check which chunks have been written */ | |
1759 | cq->bytes_out += r; | |
1760 | + max_bytes -= r; | |
1761 | ||
1762 | for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { | |
1763 | if (r >= (ssize_t)chunks[i].iov_len) { | |
1764 | @@ -109,11 +107,10 @@ | |
1765 | ||
1766 | if (chunk_finished) { | |
1767 | /* skip the chunks from further touches */ | |
1768 | - chunks_written++; | |
1769 | c = c->next; | |
4ae864ca | 1770 | } else { |
902fac5f ER |
1771 | /* chunks_written + c = c->next is done in the for()*/ |
1772 | - chunk_finished++; | |
1773 | + chunk_finished = 1; | |
4ae864ca | 1774 | } |
902fac5f ER |
1775 | } else { |
1776 | /* partially written */ | |
1777 | @@ -130,13 +127,12 @@ | |
1778 | case FILE_CHUNK: { | |
1779 | ssize_t r; | |
1780 | off_t offset; | |
1781 | - size_t toSend; | |
1782 | + off_t toSend; | |
1783 | stat_cache_entry *sce = NULL; | |
1784 | ||
1785 | offset = c->file.start + c->offset; | |
1786 | - /* limit the toSend to 2^31-1 bytes in a chunk */ | |
1787 | - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? | |
1788 | - ((1 << 30) - 1) : c->file.length - c->offset; | |
1789 | + toSend = c->file.length - c->offset; | |
1790 | + if (toSend > max_bytes) toSend = max_bytes; | |
1791 | ||
1792 | /* open file if not already opened */ | |
1793 | if (-1 == c->file.fd) { | |
1794 | @@ -215,6 +211,7 @@ | |
1795 | ||
1796 | c->offset += r; | |
1797 | cq->bytes_out += r; | |
1798 | + max_bytes -= r; | |
1799 | ||
1800 | if (c->offset == c->file.length) { | |
1801 | chunk_finished = 1; | |
1802 | @@ -243,7 +240,7 @@ | |
1803 | } | |
1804 | } | |
1805 | ||
1806 | - return chunks_written; | |
1807 | + return 0; | |
1808 | } | |
1809 | ||
1810 | #endif | |
1811 | Index: tests/mod-auth.t | |
1812 | =================================================================== | |
1813 | --- tests/mod-auth.t (.../tags/lighttpd-1.4.29) | |
1814 | +++ tests/mod-auth.t (.../branches/lighttpd-1.4.x) | |
1815 | @@ -8,7 +8,7 @@ | |
1816 | ||
1817 | use strict; | |
1818 | use IO::Socket; | |
1819 | -use Test::More tests => 14; | |
1820 | +use Test::More tests => 15; | |
1821 | use LightyTest; | |
1822 | ||
1823 | my $tf = LightyTest->new(); | |
1824 | @@ -25,6 +25,14 @@ | |
1825 | ||
1826 | $t->{REQUEST} = ( <<EOF | |
1827 | GET /server-status HTTP/1.0 | |
1828 | +Authorization: Basic \x80mFuOmphb | |
1829 | +EOF | |
1830 | + ); | |
1831 | +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; | |
1832 | +ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); | |
1833 | + | |
1834 | +$t->{REQUEST} = ( <<EOF | |
1835 | +GET /server-status HTTP/1.0 | |
1836 | Authorization: Basic amFuOmphb | |
1837 | EOF | |
1838 | ); | |
1839 | Index: tests/request.t | |
1840 | =================================================================== | |
1841 | --- tests/request.t (.../tags/lighttpd-1.4.29) | |
1842 | +++ tests/request.t (.../branches/lighttpd-1.4.x) | |
1843 | @@ -8,7 +8,7 @@ | |
1844 | ||
1845 | use strict; | |
1846 | use IO::Socket; | |
1847 | -use Test::More tests => 44; | |
1848 | +use Test::More tests => 46; | |
1849 | use LightyTest; | |
1850 | ||
1851 | my $tf = LightyTest->new(); | |
1852 | @@ -413,5 +413,21 @@ | |
1853 | $t->{SLOWREQUEST} = 1; | |
1854 | ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)'); | |
1855 | ||
1856 | +print "\nPathinfo for static files\n"; | |
1857 | +$t->{REQUEST} = ( <<EOF | |
1858 | +GET /image.jpg/index.php HTTP/1.0 | |
1859 | +EOF | |
1860 | + ); | |
1861 | +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ]; | |
1862 | +ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default'); | |
1863 | + | |
1864 | +$t->{REQUEST} = ( <<EOF | |
1865 | +GET /image.jpg/index.php HTTP/1.0 | |
1866 | +Host: zzz.example.org | |
1867 | +EOF | |
1868 | + ); | |
1869 | +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; | |
1870 | +ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); | |
1871 | + | |
1872 | ok($tf->stop_proc == 0, "Stopping lighttpd"); | |
1873 | ||
1874 | Index: tests/wrapper.sh | |
1875 | =================================================================== | |
1876 | --- tests/wrapper.sh (.../tags/lighttpd-1.4.29) | |
1877 | +++ tests/wrapper.sh (.../branches/lighttpd-1.4.x) | |
1878 | @@ -6,4 +6,4 @@ | |
1879 | top_builddir=$2 | |
1880 | export SHELL srcdir top_builddir | |
1881 | ||
1882 | -$3 | |
1883 | +exec $3 | |
1884 | Index: tests/lighttpd.conf | |
1885 | =================================================================== | |
1886 | --- tests/lighttpd.conf (.../tags/lighttpd-1.4.29) | |
1887 | +++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x) | |
1888 | @@ -149,6 +149,7 @@ | |
1889 | $HTTP["host"] == "zzz.example.org" { | |
1890 | server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" | |
1891 | server.name = "zzz.example.org" | |
1892 | + static-file.disable-pathinfo = "enable" | |
1893 | } | |
1894 | ||
1895 | $HTTP["host"] == "symlink.example.org" { | |
ceb30c4b ER |
1896 | Index: configure.ac |
1897 | =================================================================== | |
902fac5f ER |
1898 | Index: doc/config/lighttpd.conf |
1899 | =================================================================== | |
1900 | --- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29) | |
1901 | +++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x) | |
bc81decf | 1902 | @@ -394,6 +394,25 @@ |
902fac5f ER |
1903 | ## $SERVER["socket"] == "10.0.0.1:443" { |
1904 | ## ssl.engine = "enable" | |
1905 | ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" | |
bc81decf ER |
1906 | +## # |
1907 | +## # Mitigate BEAST attack: | |
1908 | +## # | |
1909 | +## # A stricter base cipher suite. For details see: | |
902fac5f | 1910 | +## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html |
bc81decf ER |
1911 | +## # |
1912 | +## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" | |
1913 | +## # | |
1914 | +## # Make the server prefer the order of the server side cipher suite instead of the client suite. | |
1915 | +## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). | |
1916 | +## # This option is enabled by default, but only used if ssl.ciphers is set. | |
1917 | +## # | |
1918 | +## # ssl.honor-cipher-order = "enable" | |
1919 | +## # | |
1920 | +## # Mitigate CVE-2009-3555 by disabling client triggered renegotation | |
1921 | +## # This is enabled by default. | |
1922 | +## # | |
1923 | +## # ssl.disable-client-renegotiation = "enable" | |
1924 | +## # | |
902fac5f ER |
1925 | ## server.name = "www.example.com" |
1926 | ## | |
1927 | ## server.document-root = "/srv/www/vhosts/example.com/www/" | |
ceb30c4b ER |
1928 | Index: SConstruct |
1929 | =================================================================== | |
1930 | Index: NEWS | |
1931 | =================================================================== | |
902fac5f | 1932 | --- NEWS (.../tags/lighttpd-1.4.29) |
cc37bbfb | 1933 | +++ NEWS (.../branches/lighttpd-1.4.x) |
bc81decf | 1934 | @@ -3,7 +3,20 @@ |
ceb30c4b ER |
1935 | NEWS |
1936 | ==== | |
1937 | ||
902fac5f ER |
1938 | -- 1.4.29 - |
1939 | +- 1.4.30 - | |
1940 | + * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) | |
1941 | + * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. | |
1942 | + * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled | |
1943 | + * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file | |
1944 | + * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) | |
1945 | + * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) | |
1946 | + * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) | |
1947 | + * [ssl] count renegotiations to prevent client renegotiations | |
1948 | + * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) | |
1949 | + * [core] accept dots in ipv6 addresses in host header (fixes #2359) | |
bc81decf | 1950 | + * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) |
902fac5f ER |
1951 | + |
1952 | +- 1.4.29 - 2011-07-03 | |
1953 | * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) | |
1954 | * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) | |
1955 | * mod_cgi: make read buffer as big as incoming data block | |
ceb30c4b ER |
1956 | Index: CMakeLists.txt |
1957 | =================================================================== |