]>
Commit | Line | Data |
---|---|---|
902fac5f ER |
1 | # Revision 2812 |
2 | Index: src/http_auth_digest.c | |
3 | =================================================================== | |
4 | --- src/http_auth_digest.c (.../tags/lighttpd-1.4.29) | |
5 | +++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x) | |
6 | @@ -1,26 +0,0 @@ | |
7 | -#include "buffer.h" | |
8 | - | |
9 | -#include "http_auth_digest.h" | |
10 | - | |
11 | -#include <string.h> | |
12 | - | |
13 | -#ifndef USE_OPENSSL | |
14 | -# include "md5.h" | |
15 | - | |
16 | -typedef li_MD5_CTX MD5_CTX; | |
17 | -#define MD5_Init li_MD5_Init | |
18 | -#define MD5_Update li_MD5_Update | |
19 | -#define MD5_Final li_MD5_Final | |
20 | - | |
21 | -#endif | |
22 | - | |
23 | -void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { | |
24 | - unsigned short i; | |
25 | - | |
26 | - for (i = 0; i < HASHLEN; i++) { | |
27 | - Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); | |
28 | - Hex[i*2+1] = int2hex(Bin[i] & 0xf); | |
29 | - } | |
30 | - Hex[HASHHEXLEN] = '\0'; | |
31 | -} | |
32 | - | |
33 | Index: src/http_auth_digest.h | |
34 | =================================================================== | |
35 | --- src/http_auth_digest.h (.../tags/lighttpd-1.4.29) | |
36 | +++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x) | |
37 | @@ -1,24 +0,0 @@ | |
38 | -#ifndef _DIGCALC_H_ | |
39 | -#define _DIGCALC_H_ | |
40 | - | |
41 | -#ifdef HAVE_CONFIG_H | |
42 | -# include "config.h" | |
43 | -#endif | |
44 | - | |
45 | -#define HASHLEN 16 | |
46 | -typedef unsigned char HASH[HASHLEN]; | |
47 | -#define HASHHEXLEN 32 | |
48 | -typedef char HASHHEX[HASHHEXLEN+1]; | |
49 | -#ifdef USE_OPENSSL | |
50 | -#define IN const | |
51 | -#else | |
52 | -#define IN | |
53 | -#endif | |
54 | -#define OUT | |
55 | - | |
56 | -void CvtHex( | |
57 | - IN HASH Bin, | |
58 | - OUT HASHHEX Hex | |
59 | - ); | |
60 | - | |
61 | -#endif | |
62 | Index: src/network_write.c | |
63 | =================================================================== | |
64 | --- src/network_write.c (.../tags/lighttpd-1.4.29) | |
65 | +++ src/network_write.c (.../branches/lighttpd-1.4.x) | |
66 | @@ -24,17 +24,16 @@ | |
67 | # include <sys/resource.h> | |
68 | #endif | |
69 | ||
70 | -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) { | |
71 | +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
72 | chunk *c; | |
73 | - size_t chunks_written = 0; | |
74 | ||
75 | - for(c = cq->first; c; c = c->next) { | |
76 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
77 | int chunk_finished = 0; | |
78 | ||
79 | switch(c->type) { | |
80 | case MEM_CHUNK: { | |
81 | char * offset; | |
82 | - size_t toSend; | |
83 | + off_t toSend; | |
84 | ssize_t r; | |
85 | ||
86 | if (c->mem->used == 0) { | |
87 | @@ -44,6 +43,8 @@ | |
88 | ||
89 | offset = c->mem->ptr + c->offset; | |
90 | toSend = c->mem->used - 1 - c->offset; | |
91 | + if (toSend > max_bytes) toSend = max_bytes; | |
92 | + | |
93 | #ifdef __WIN32 | |
94 | if ((r = send(fd, offset, toSend, 0)) < 0) { | |
95 | /* no error handling for windows... */ | |
96 | @@ -72,6 +73,7 @@ | |
97 | ||
98 | c->offset += r; | |
99 | cq->bytes_out += r; | |
100 | + max_bytes -= r; | |
101 | ||
102 | if (c->offset == (off_t)c->mem->used - 1) { | |
103 | chunk_finished = 1; | |
104 | @@ -85,7 +87,7 @@ | |
105 | #endif | |
106 | ssize_t r; | |
107 | off_t offset; | |
108 | - size_t toSend; | |
109 | + off_t toSend; | |
110 | stat_cache_entry *sce = NULL; | |
111 | int ifd; | |
112 | ||
113 | @@ -98,6 +100,8 @@ | |
114 | offset = c->file.start + c->offset; | |
115 | toSend = c->file.length - c->offset; | |
116 | ||
117 | + if (toSend > max_bytes) toSend = max_bytes; | |
118 | + | |
119 | if (offset > sce->st.st_size) { | |
120 | log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); | |
121 | ||
122 | @@ -181,6 +185,7 @@ | |
123 | ||
124 | c->offset += r; | |
125 | cq->bytes_out += r; | |
126 | + max_bytes -= r; | |
127 | ||
128 | if (c->offset == c->file.length) { | |
129 | chunk_finished = 1; | |
130 | @@ -200,11 +205,9 @@ | |
131 | ||
132 | break; | |
133 | } | |
134 | - | |
135 | - chunks_written++; | |
136 | } | |
137 | ||
138 | - return chunks_written; | |
139 | + return 0; | |
140 | } | |
141 | ||
142 | #if 0 | |
143 | Index: src/mod_secure_download.c | |
144 | =================================================================== | |
145 | --- src/mod_secure_download.c (.../tags/lighttpd-1.4.29) | |
146 | +++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x) | |
147 | @@ -8,18 +8,8 @@ | |
148 | #include <stdlib.h> | |
149 | #include <string.h> | |
150 | ||
151 | -#ifdef USE_OPENSSL | |
152 | -# include <openssl/md5.h> | |
153 | -#else | |
154 | -# include "md5.h" | |
155 | +#include "md5.h" | |
156 | ||
157 | -typedef li_MD5_CTX MD5_CTX; | |
158 | -#define MD5_Init li_MD5_Init | |
159 | -#define MD5_Update li_MD5_Update | |
160 | -#define MD5_Final li_MD5_Final | |
161 | - | |
162 | -#endif | |
163 | - | |
164 | #define HASHLEN 16 | |
165 | typedef unsigned char HASH[HASHLEN]; | |
166 | #define HASHHEXLEN 32 | |
167 | @@ -200,7 +190,7 @@ | |
168 | ||
169 | URIHANDLER_FUNC(mod_secdownload_uri_handler) { | |
170 | plugin_data *p = p_d; | |
171 | - MD5_CTX Md5Ctx; | |
172 | + li_MD5_CTX Md5Ctx; | |
173 | HASH HA1; | |
174 | const char *rel_uri, *ts_str, *md5_str; | |
175 | time_t ts = 0; | |
176 | @@ -266,9 +256,9 @@ | |
177 | buffer_append_string(p->md5, rel_uri); | |
178 | buffer_append_string_len(p->md5, ts_str, 8); | |
179 | ||
180 | - MD5_Init(&Md5Ctx); | |
181 | - MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); | |
182 | - MD5_Final(HA1, &Md5Ctx); | |
183 | + li_MD5_Init(&Md5Ctx); | |
184 | + li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); | |
185 | + li_MD5_Final(HA1, &Md5Ctx); | |
186 | ||
187 | buffer_copy_string_hex(p->md5, (char *)HA1, 16); | |
188 | ||
189 | Index: src/base.h | |
190 | =================================================================== | |
191 | --- src/base.h (.../tags/lighttpd-1.4.29) | |
192 | +++ src/base.h (.../branches/lighttpd-1.4.x) | |
193 | @@ -277,6 +277,7 @@ | |
194 | buffer *ssl_cipher_list; | |
195 | buffer *ssl_dh_file; | |
196 | buffer *ssl_ec_curve; | |
197 | + unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ | |
198 | unsigned short ssl_use_sslv2; | |
199 | unsigned short ssl_use_sslv3; | |
200 | unsigned short ssl_verifyclient; | |
201 | @@ -284,6 +285,7 @@ | |
202 | unsigned short ssl_verifyclient_depth; | |
203 | buffer *ssl_verifyclient_username; | |
204 | unsigned short ssl_verifyclient_export_cert; | |
205 | + unsigned short ssl_disable_client_renegotiation; | |
206 | ||
207 | unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ | |
208 | unsigned short defer_accept; | |
209 | @@ -437,6 +439,7 @@ | |
210 | # ifndef OPENSSL_NO_TLSEXT | |
211 | buffer *tlsext_server_name; | |
212 | # endif | |
213 | + unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ | |
214 | #endif | |
215 | /* etag handling */ | |
216 | etag_flags_t etag_flags; | |
217 | @@ -647,11 +650,9 @@ | |
218 | ||
219 | fdevent_handler_t event_handler; | |
220 | ||
221 | - int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); | |
222 | - int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); | |
223 | + int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
224 | #ifdef USE_OPENSSL | |
225 | - int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); | |
226 | - int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); | |
227 | + int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); | |
228 | #endif | |
229 | ||
230 | uid_t uid; | |
4ae864ca ER |
231 | Index: src/connections.c |
232 | =================================================================== | |
902fac5f | 233 | --- src/connections.c (.../tags/lighttpd-1.4.29) |
4ae864ca | 234 | +++ src/connections.c (.../branches/lighttpd-1.4.x) |
902fac5f | 235 | @@ -223,6 +223,12 @@ |
4ae864ca | 236 | |
902fac5f | 237 | len = SSL_read(con->ssl, b->ptr + read_offset, toread); |
4ae864ca | 238 | |
902fac5f ER |
239 | + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { |
240 | + connection_set_state(srv, con, CON_STATE_ERROR); | |
241 | + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); | |
242 | + return -1; | |
243 | + } | |
4ae864ca | 244 | + |
902fac5f ER |
245 | if (len > 0) { |
246 | if (b->used > 0) b->used--; | |
247 | b->used += len; | |
248 | @@ -445,6 +451,7 @@ | |
249 | default: | |
250 | switch(con->http_status) { | |
251 | case 400: /* bad request */ | |
252 | + case 401: /* authorization required */ | |
253 | case 414: /* overload request header */ | |
254 | case 505: /* unknown protocol */ | |
255 | case 207: /* this was webdav */ | |
256 | @@ -617,8 +624,9 @@ | |
257 | } | |
258 | ||
259 | static int connection_handle_write(server *srv, connection *con) { | |
260 | - switch(network_write_chunkqueue(srv, con, con->write_queue)) { | |
261 | + switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { | |
262 | case 0: | |
263 | + con->write_request_ts = srv->cur_ts; | |
264 | if (con->file_finished) { | |
265 | connection_set_state(srv, con, CON_STATE_RESPONSE_END); | |
266 | joblist_append(srv, con); | |
267 | @@ -635,6 +643,7 @@ | |
268 | joblist_append(srv, con); | |
269 | break; | |
270 | case 1: | |
271 | + con->write_request_ts = srv->cur_ts; | |
272 | con->is_writable = 0; | |
273 | ||
274 | /* not finished yet -> WRITE */ | |
275 | @@ -1251,8 +1260,6 @@ | |
276 | log_error_write(srv, __FILE__, __LINE__, "ds", | |
277 | con->fd, | |
278 | "handle write failed."); | |
279 | - } else if (con->state == CON_STATE_WRITE) { | |
280 | - con->write_request_ts = srv->cur_ts; | |
281 | } | |
282 | } | |
283 | ||
284 | @@ -1352,6 +1359,7 @@ | |
285 | return NULL; | |
286 | } | |
287 | ||
288 | + con->renegotiations = 0; | |
289 | #ifndef OPENSSL_NO_TLSEXT | |
290 | SSL_set_app_data(con->ssl, con); | |
291 | #endif | |
292 | @@ -1667,8 +1675,6 @@ | |
293 | con->fd, | |
294 | "handle write failed."); | |
295 | connection_set_state(srv, con, CON_STATE_ERROR); | |
296 | - } else if (con->state == CON_STATE_WRITE) { | |
297 | - con->write_request_ts = srv->cur_ts; | |
298 | } | |
299 | } | |
300 | ||
301 | Index: src/mod_staticfile.c | |
302 | =================================================================== | |
303 | --- src/mod_staticfile.c (.../tags/lighttpd-1.4.29) | |
304 | +++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x) | |
305 | @@ -26,6 +26,7 @@ | |
306 | typedef struct { | |
307 | array *exclude_ext; | |
308 | unsigned short etags_used; | |
309 | + unsigned short disable_pathinfo; | |
310 | } plugin_config; | |
311 | ||
312 | typedef struct { | |
313 | @@ -84,6 +85,7 @@ | |
314 | config_values_t cv[] = { | |
315 | { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ | |
316 | { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ | |
317 | + { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ | |
318 | { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } | |
319 | }; | |
320 | ||
321 | @@ -97,9 +99,11 @@ | |
322 | s = calloc(1, sizeof(plugin_config)); | |
323 | s->exclude_ext = array_init(); | |
324 | s->etags_used = 1; | |
325 | + s->disable_pathinfo = 0; | |
326 | ||
327 | cv[0].destination = s->exclude_ext; | |
328 | cv[1].destination = &(s->etags_used); | |
329 | + cv[2].destination = &(s->disable_pathinfo); | |
330 | ||
331 | p->config_storage[i] = s; | |
332 | ||
333 | @@ -119,6 +123,7 @@ | |
334 | ||
335 | PATCH(exclude_ext); | |
336 | PATCH(etags_used); | |
337 | + PATCH(disable_pathinfo); | |
4ae864ca | 338 | |
902fac5f ER |
339 | /* skip the first, the global context */ |
340 | for (i = 1; i < srv->config_context->used; i++) { | |
341 | @@ -136,7 +141,9 @@ | |
342 | PATCH(exclude_ext); | |
343 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { | |
344 | PATCH(etags_used); | |
345 | - } | |
346 | + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { | |
347 | + PATCH(disable_pathinfo); | |
348 | + } | |
349 | } | |
350 | } | |
351 | ||
352 | @@ -350,7 +357,6 @@ | |
353 | URIHANDLER_FUNC(mod_staticfile_subrequest) { | |
354 | plugin_data *p = p_d; | |
355 | size_t k; | |
356 | - int s_len; | |
357 | stat_cache_entry *sce = NULL; | |
358 | buffer *mtime = NULL; | |
359 | data_string *ds; | |
360 | @@ -376,7 +382,12 @@ | |
361 | ||
362 | mod_staticfile_patch_connection(srv, con, p); | |
363 | ||
364 | - s_len = con->uri.path->used - 1; | |
365 | + if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { | |
366 | + if (con->conf.log_request_handling) { | |
367 | + log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); | |
368 | + } | |
369 | + return HANDLER_GO_ON; | |
370 | + } | |
371 | ||
372 | /* ignore certain extensions */ | |
373 | for (k = 0; k < p->conf.exclude_ext->used; k++) { | |
6422e148 AM |
374 | Index: src/network.c |
375 | =================================================================== | |
902fac5f | 376 | --- src/network.c (.../tags/lighttpd-1.4.29) |
6422e148 | 377 | +++ src/network.c (.../branches/lighttpd-1.4.x) |
902fac5f ER |
378 | @@ -27,6 +27,19 @@ |
379 | # include <openssl/rand.h> | |
380 | #endif | |
4ae864ca | 381 | |
902fac5f ER |
382 | +#ifdef USE_OPENSSL |
383 | +static void ssl_info_callback(const SSL *ssl, int where, int ret) { | |
384 | + UNUSED(ret); | |
4ae864ca | 385 | + |
902fac5f ER |
386 | + if (0 != (where & SSL_CB_HANDSHAKE_START)) { |
387 | + connection *con = SSL_get_app_data(ssl); | |
388 | + ++con->renegotiations; | |
389 | + } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { | |
390 | + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; | |
391 | + } | |
392 | +} | |
393 | +#endif | |
394 | + | |
395 | static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { | |
396 | server_socket *srv_socket = (server_socket *)context; | |
397 | connection *con; | |
398 | @@ -480,9 +493,11 @@ | |
399 | network_backend_t backend; | |
400 | ||
401 | #if OPENSSL_VERSION_NUMBER >= 0x0090800fL | |
402 | +#ifndef OPENSSL_NO_ECDH | |
403 | EC_KEY *ecdh; | |
404 | int nid; | |
405 | #endif | |
406 | +#endif | |
407 | ||
408 | #ifdef USE_OPENSSL | |
409 | DH *dh; | |
410 | @@ -553,6 +568,11 @@ | |
411 | /* load SSL certificates */ | |
412 | for (i = 0; i < srv->config_context->used; i++) { | |
413 | specific_config *s = srv->config_storage[i]; | |
414 | +#ifndef SSL_OP_NO_COMPRESSION | |
415 | +# define SSL_OP_NO_COMPRESSION 0 | |
416 | +#endif | |
417 | + long ssloptions = | |
418 | + SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; | |
419 | ||
420 | if (buffer_is_empty(s->ssl_pemfile)) continue; | |
4ae864ca | 421 | |
902fac5f ER |
422 | @@ -586,6 +606,9 @@ |
423 | return -1; | |
424 | } | |
6422e148 | 425 | |
902fac5f ER |
426 | + SSL_CTX_set_options(s->ssl_ctx, ssloptions); |
427 | + SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); | |
428 | + | |
6422e148 AM |
429 | if (!s->ssl_use_sslv2) { |
430 | /* disable SSLv2 */ | |
902fac5f ER |
431 | if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { |
432 | @@ -611,6 +634,10 @@ | |
6422e148 | 433 | ERR_error_string(ERR_get_error(), NULL)); |
9d2ca5f8 | 434 | return -1; |
902fac5f ER |
435 | } |
436 | + | |
437 | + if (s->ssl_honor_cipher_order) { | |
438 | + SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
439 | + } | |
440 | } | |
4ae864ca | 441 | |
902fac5f ER |
442 | /* Support for Diffie-Hellman key exchange */ |
443 | @@ -847,7 +874,7 @@ | |
444 | return 0; | |
445 | } | |
446 | ||
447 | -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { | |
448 | +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { | |
449 | int ret = -1; | |
450 | off_t written = 0; | |
451 | #ifdef TCP_CORK | |
452 | @@ -855,16 +882,34 @@ | |
453 | #endif | |
454 | server_socket *srv_socket = con->srv_socket; | |
455 | ||
456 | - if (con->conf.global_kbytes_per_second && | |
457 | - *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) { | |
458 | - /* we reached the global traffic limit */ | |
459 | + if (con->conf.global_kbytes_per_second) { | |
460 | + off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); | |
461 | + if (limit <= 0) { | |
462 | + /* we reached the global traffic limit */ | |
463 | ||
464 | - con->traffic_limit_reached = 1; | |
465 | - joblist_append(srv, con); | |
466 | + con->traffic_limit_reached = 1; | |
467 | + joblist_append(srv, con); | |
468 | ||
469 | - return 1; | |
470 | + return 1; | |
471 | + } else { | |
472 | + if (max_bytes > limit) max_bytes = limit; | |
473 | + } | |
4ae864ca ER |
474 | } |
475 | ||
902fac5f ER |
476 | + if (con->conf.kbytes_per_second) { |
477 | + off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; | |
478 | + if (limit <= 0) { | |
479 | + /* we reached the traffic limit */ | |
480 | + | |
481 | + con->traffic_limit_reached = 1; | |
482 | + joblist_append(srv, con); | |
483 | + | |
484 | + return 1; | |
485 | + } else { | |
486 | + if (max_bytes > limit) max_bytes = limit; | |
487 | + } | |
4ae864ca ER |
488 | + } |
489 | + | |
902fac5f ER |
490 | written = cq->bytes_out; |
491 | ||
492 | #ifdef TCP_CORK | |
493 | @@ -879,10 +924,10 @@ | |
494 | ||
495 | if (srv_socket->is_ssl) { | |
496 | #ifdef USE_OPENSSL | |
497 | - ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq); | |
498 | + ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); | |
499 | #endif | |
500 | } else { | |
501 | - ret = srv->network_backend_write(srv, con, con->fd, cq); | |
502 | + ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); | |
503 | } | |
504 | ||
505 | if (ret >= 0) { | |
506 | @@ -903,12 +948,5 @@ | |
507 | ||
508 | *(con->conf.global_bytes_per_second_cnt_ptr) += written; | |
509 | ||
510 | - if (con->conf.kbytes_per_second && | |
511 | - (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) { | |
512 | - /* we reached the traffic limit */ | |
513 | - | |
514 | - con->traffic_limit_reached = 1; | |
515 | - joblist_append(srv, con); | |
516 | - } | |
517 | return ret; | |
4ae864ca | 518 | } |
902fac5f ER |
519 | Index: src/network.h |
520 | =================================================================== | |
521 | --- src/network.h (.../tags/lighttpd-1.4.29) | |
522 | +++ src/network.h (.../branches/lighttpd-1.4.x) | |
523 | @@ -3,7 +3,7 @@ | |
524 | ||
525 | #include "server.h" | |
526 | ||
527 | -int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c); | |
528 | +int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes); | |
529 | ||
530 | int network_init(server *srv); | |
531 | int network_close(server *srv); | |
532 | Index: src/configfile.c | |
533 | =================================================================== | |
534 | --- src/configfile.c (.../tags/lighttpd-1.4.29) | |
535 | +++ src/configfile.c (.../branches/lighttpd-1.4.x) | |
536 | @@ -105,6 +105,8 @@ | |
537 | { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ | |
538 | { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ | |
539 | { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ | |
540 | + { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ | |
541 | + { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ | |
542 | ||
543 | { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, | |
544 | { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, | |
545 | @@ -176,6 +178,7 @@ | |
546 | s->max_write_idle = 360; | |
547 | s->use_xattr = 0; | |
548 | s->is_ssl = 0; | |
549 | + s->ssl_honor_cipher_order = 1; | |
550 | s->ssl_use_sslv2 = 0; | |
551 | s->ssl_use_sslv3 = 1; | |
552 | s->use_ipv6 = 0; | |
553 | @@ -199,6 +202,7 @@ | |
554 | s->ssl_verifyclient_username = buffer_init(); | |
555 | s->ssl_verifyclient_depth = 9; | |
556 | s->ssl_verifyclient_export_cert = 0; | |
557 | + s->ssl_disable_client_renegotiation = 1; | |
558 | ||
559 | cv[2].destination = s->errorfile_prefix; | |
4ae864ca | 560 | |
902fac5f ER |
561 | @@ -245,6 +249,8 @@ |
562 | cv[62].destination = &(s->ssl_use_sslv3); | |
563 | cv[63].destination = s->ssl_dh_file; | |
564 | cv[64].destination = s->ssl_ec_curve; | |
565 | + cv[65].destination = &(s->ssl_honor_cipher_order); | |
566 | + | |
567 | cv[49].destination = &(s->etag_use_inode); | |
568 | cv[50].destination = &(s->etag_use_mtime); | |
569 | cv[51].destination = &(s->etag_use_size); | |
570 | @@ -255,6 +261,7 @@ | |
571 | cv[58].destination = &(s->ssl_verifyclient_depth); | |
572 | cv[59].destination = s->ssl_verifyclient_username; | |
573 | cv[60].destination = &(s->ssl_verifyclient_export_cert); | |
574 | + cv[65].destination = &(s->ssl_disable_client_renegotiation); | |
575 | ||
576 | srv->config_storage[i] = s; | |
577 | ||
578 | @@ -335,6 +342,7 @@ | |
579 | PATCH(ssl_cipher_list); | |
580 | PATCH(ssl_dh_file); | |
581 | PATCH(ssl_ec_curve); | |
582 | + PATCH(ssl_honor_cipher_order); | |
583 | PATCH(ssl_use_sslv2); | |
584 | PATCH(ssl_use_sslv3); | |
585 | PATCH(etag_use_inode); | |
586 | @@ -346,6 +354,7 @@ | |
587 | PATCH(ssl_verifyclient_depth); | |
588 | PATCH(ssl_verifyclient_username); | |
589 | PATCH(ssl_verifyclient_export_cert); | |
590 | + PATCH(ssl_disable_client_renegotiation); | |
4ae864ca | 591 | |
902fac5f ER |
592 | return 0; |
593 | } | |
594 | @@ -400,6 +409,8 @@ | |
595 | #endif | |
596 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { | |
597 | PATCH(ssl_ca_file); | |
598 | + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { | |
599 | + PATCH(ssl_honor_cipher_order); | |
600 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { | |
601 | PATCH(ssl_use_sslv2); | |
602 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { | |
603 | @@ -454,6 +465,8 @@ | |
604 | PATCH(ssl_verifyclient_username); | |
605 | } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { | |
606 | PATCH(ssl_verifyclient_export_cert); | |
607 | + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { | |
608 | + PATCH(ssl_disable_client_renegotiation); | |
609 | } | |
4ae864ca | 610 | } |
902fac5f ER |
611 | } |
612 | Index: src/mod_scgi.c | |
613 | =================================================================== | |
614 | --- src/mod_scgi.c (.../tags/lighttpd-1.4.29) | |
615 | +++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) | |
616 | @@ -2296,7 +2296,7 @@ | |
4ae864ca | 617 | |
902fac5f ER |
618 | /* fall through */ |
619 | case FCGI_STATE_WRITE: | |
620 | - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); | |
621 | + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); | |
4ae864ca | 622 | |
902fac5f ER |
623 | chunkqueue_remove_finished_chunks(hctx->wb); |
624 | ||
625 | Index: src/request.c | |
626 | =================================================================== | |
627 | --- src/request.c (.../tags/lighttpd-1.4.29) | |
628 | +++ src/request.c (.../branches/lighttpd-1.4.x) | |
629 | @@ -49,7 +49,7 @@ | |
630 | if (++colon_cnt > 7) { | |
631 | return -1; | |
632 | } | |
633 | - } else if (!light_isxdigit(*c)) { | |
634 | + } else if (!light_isxdigit(*c) && '.' != *c) { | |
635 | return -1; | |
636 | } | |
4ae864ca | 637 | } |
902fac5f ER |
638 | Index: src/network_backends.h |
639 | =================================================================== | |
640 | --- src/network_backends.h (.../tags/lighttpd-1.4.29) | |
641 | +++ src/network_backends.h (.../branches/lighttpd-1.4.x) | |
642 | @@ -47,18 +47,18 @@ | |
643 | #include "base.h" | |
4ae864ca | 644 | |
902fac5f ER |
645 | /* return values: |
646 | - * >= 0 : chunks completed | |
647 | + * >= 0 : no error | |
648 | * -1 : error (on our side) | |
649 | * -2 : remote close | |
650 | */ | |
651 | ||
652 | -int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq); | |
653 | -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq); | |
654 | -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq); | |
655 | -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq); | |
656 | -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq); | |
657 | +int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
658 | +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
659 | +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
660 | +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
661 | +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); | |
662 | #ifdef USE_OPENSSL | |
663 | -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq); | |
664 | +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); | |
665 | #endif | |
666 | ||
667 | #endif | |
668 | Index: src/SConscript | |
669 | =================================================================== | |
670 | --- src/SConscript (.../tags/lighttpd-1.4.29) | |
671 | +++ src/SConscript (.../branches/lighttpd-1.4.x) | |
672 | @@ -12,7 +12,8 @@ | |
673 | data_integer.c md5.c data_fastcgi.c \ | |
674 | fdevent_select.c fdevent_libev.c \ | |
675 | fdevent_poll.c fdevent_linux_sysepoll.c \ | |
676 | - fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ | |
677 | + fdevent_solaris_devpoll.c fdevent_solaris_port.c \ | |
678 | + fdevent_freebsd_kqueue.c \ | |
679 | data_config.c bitset.c \ | |
680 | inet_ntop_cache.c crc32.c \ | |
681 | connections-glue.c \ | |
682 | @@ -62,7 +63,7 @@ | |
683 | 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, | |
684 | 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, | |
685 | 'mod_auth' : { | |
686 | - 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], | |
687 | + 'src' : [ 'mod_auth.c', 'http_auth.c' ], | |
688 | 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, | |
689 | 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, | |
690 | 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, | |
691 | Index: src/mod_cml_funcs.c | |
692 | =================================================================== | |
693 | --- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29) | |
694 | +++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x) | |
695 | @@ -17,18 +17,8 @@ | |
696 | #include <dirent.h> | |
697 | #include <stdio.h> | |
4ae864ca | 698 | |
902fac5f ER |
699 | -#ifdef USE_OPENSSL |
700 | -# include <openssl/md5.h> | |
701 | -#else | |
702 | -# include "md5.h" | |
703 | +#include "md5.h" | |
4ae864ca | 704 | |
902fac5f ER |
705 | -typedef li_MD5_CTX MD5_CTX; |
706 | -#define MD5_Init li_MD5_Init | |
707 | -#define MD5_Update li_MD5_Update | |
708 | -#define MD5_Final li_MD5_Final | |
709 | - | |
710 | -#endif | |
711 | - | |
712 | #define HASHLEN 16 | |
713 | typedef unsigned char HASH[HASHLEN]; | |
714 | #define HASHHEXLEN 32 | |
715 | @@ -43,7 +33,7 @@ | |
716 | #ifdef HAVE_LUA_H | |
717 | ||
718 | int f_crypto_md5(lua_State *L) { | |
719 | - MD5_CTX Md5Ctx; | |
720 | + li_MD5_CTX Md5Ctx; | |
721 | HASH HA1; | |
722 | buffer b; | |
723 | char hex[33]; | |
724 | @@ -63,9 +53,9 @@ | |
725 | lua_error(L); | |
4ae864ca | 726 | } |
902fac5f ER |
727 | |
728 | - MD5_Init(&Md5Ctx); | |
729 | - MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); | |
730 | - MD5_Final(HA1, &Md5Ctx); | |
731 | + li_MD5_Init(&Md5Ctx); | |
732 | + li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); | |
733 | + li_MD5_Final(HA1, &Md5Ctx); | |
734 | ||
735 | buffer_copy_string_hex(&b, (char *)HA1, 16); | |
736 | ||
737 | Index: src/mod_userdir.c | |
738 | =================================================================== | |
739 | --- src/mod_userdir.c (.../tags/lighttpd-1.4.29) | |
740 | +++ src/mod_userdir.c (.../branches/lighttpd-1.4.x) | |
741 | @@ -166,7 +166,6 @@ | |
742 | ||
743 | URIHANDLER_FUNC(mod_userdir_docroot_handler) { | |
744 | plugin_data *p = p_d; | |
745 | - int uri_len; | |
746 | size_t k; | |
747 | char *rel_url; | |
748 | #ifdef HAVE_PWD_H | |
749 | @@ -182,8 +181,6 @@ | |
750 | */ | |
751 | if (p->conf.path->used == 0) return HANDLER_GO_ON; | |
752 | ||
753 | - uri_len = con->uri.path->used - 1; | |
754 | - | |
755 | /* /~user/foo.html -> /home/user/public_html/foo.html */ | |
756 | ||
757 | if (con->uri.path->ptr[0] != '/' || | |
758 | Index: src/mod_proxy.c | |
759 | =================================================================== | |
760 | --- src/mod_proxy.c (.../tags/lighttpd-1.4.29) | |
761 | +++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) | |
762 | @@ -825,7 +825,7 @@ | |
763 | ||
764 | /* fall through */ | |
765 | case PROXY_STATE_WRITE:; | |
766 | - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); | |
767 | + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); | |
768 | ||
769 | chunkqueue_remove_finished_chunks(hctx->wb); | |
770 | ||
4ae864ca ER |
771 | Index: src/Makefile.am |
772 | =================================================================== | |
902fac5f | 773 | --- src/Makefile.am (.../tags/lighttpd-1.4.29) |
4ae864ca | 774 | +++ src/Makefile.am (.../branches/lighttpd-1.4.x) |
902fac5f ER |
775 | @@ -241,7 +241,7 @@ |
776 | mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) | |
777 | ||
778 | lib_LTLIBRARIES += mod_auth.la | |
779 | -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c | |
780 | +mod_auth_la_SOURCES = mod_auth.c http_auth.c | |
781 | mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined | |
782 | mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) | |
783 | ||
784 | @@ -268,7 +268,7 @@ | |
785 | ||
786 | hdr = server.h buffer.h network.h log.h keyvalue.h \ | |
787 | response.h request.h fastcgi.h chunk.h \ | |
788 | - settings.h http_chunk.h http_auth_digest.h \ | |
789 | + settings.h http_chunk.h \ | |
790 | md5.h http_auth.h stream.h \ | |
791 | fdevent.h connections.h base.h stat_cache.h \ | |
792 | plugin.h mod_auth.h \ | |
793 | Index: src/network_writev.c | |
794 | =================================================================== | |
795 | --- src/network_writev.c (.../tags/lighttpd-1.4.29) | |
796 | +++ src/network_writev.c (.../branches/lighttpd-1.4.x) | |
797 | @@ -30,17 +30,16 @@ | |
798 | #define LOCAL_BUFFERING 1 | |
799 | #endif | |
800 | ||
801 | -int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) { | |
802 | +int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
803 | chunk *c; | |
804 | - size_t chunks_written = 0; | |
805 | ||
806 | - for(c = cq->first; c; c = c->next) { | |
807 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
808 | int chunk_finished = 0; | |
809 | ||
810 | switch(c->type) { | |
811 | case MEM_CHUNK: { | |
812 | char * offset; | |
813 | - size_t toSend; | |
814 | + off_t toSend; | |
815 | ssize_t r; | |
816 | ||
817 | size_t num_chunks, i; | |
818 | @@ -65,12 +64,10 @@ | |
819 | #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" | |
820 | #endif | |
821 | ||
822 | - /* we can't send more then SSIZE_MAX bytes in one chunk */ | |
823 | - | |
824 | /* build writev list | |
825 | * | |
826 | * 1. limit: num_chunks < max_chunks | |
827 | - * 2. limit: num_bytes < SSIZE_MAX | |
828 | + * 2. limit: num_bytes < max_bytes | |
829 | */ | |
830 | for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next); | |
831 | ||
832 | @@ -87,9 +84,9 @@ | |
833 | chunks[i].iov_base = offset; | |
834 | ||
835 | /* protect the return value of writev() */ | |
836 | - if (toSend > SSIZE_MAX || | |
837 | - num_bytes + toSend > SSIZE_MAX) { | |
838 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
839 | + if (toSend > max_bytes || | |
840 | + (off_t) num_bytes + toSend > max_bytes) { | |
841 | + chunks[i].iov_len = max_bytes - num_bytes; | |
842 | ||
843 | num_chunks = i + 1; | |
844 | break; | |
845 | @@ -121,6 +118,7 @@ | |
846 | } | |
847 | ||
848 | cq->bytes_out += r; | |
849 | + max_bytes -= r; | |
850 | ||
851 | /* check which chunks have been written */ | |
852 | ||
853 | @@ -132,11 +130,10 @@ | |
854 | ||
855 | if (chunk_finished) { | |
856 | /* skip the chunks from further touches */ | |
857 | - chunks_written++; | |
858 | c = c->next; | |
859 | } else { | |
860 | /* chunks_written + c = c->next is done in the for()*/ | |
861 | - chunk_finished++; | |
862 | + chunk_finished = 1; | |
4ae864ca | 863 | } |
902fac5f ER |
864 | } else { |
865 | /* partially written */ | |
866 | @@ -284,6 +281,8 @@ | |
867 | assert(toSend < 0); | |
868 | } | |
869 | ||
870 | + if (toSend > max_bytes) toSend = max_bytes; | |
871 | + | |
872 | #ifdef LOCAL_BUFFERING | |
873 | start = c->mem->ptr; | |
874 | #else | |
875 | @@ -309,6 +308,7 @@ | |
876 | ||
877 | c->offset += r; | |
878 | cq->bytes_out += r; | |
879 | + max_bytes -= r; | |
880 | ||
881 | if (c->offset == c->file.length) { | |
882 | chunk_finished = 1; | |
883 | @@ -334,11 +334,9 @@ | |
884 | ||
885 | break; | |
886 | } | |
887 | - | |
888 | - chunks_written++; | |
889 | } | |
890 | ||
891 | - return chunks_written; | |
892 | + return 0; | |
893 | } | |
4ae864ca | 894 | |
902fac5f ER |
895 | #endif |
896 | Index: src/network_freebsd_sendfile.c | |
897 | =================================================================== | |
898 | --- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29) | |
899 | +++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) | |
900 | @@ -31,17 +31,16 @@ | |
901 | # endif | |
902 | #endif | |
903 | ||
904 | -int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { | |
905 | +int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
906 | chunk *c; | |
907 | - size_t chunks_written = 0; | |
908 | ||
909 | - for(c = cq->first; c; c = c->next, chunks_written++) { | |
910 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
911 | int chunk_finished = 0; | |
912 | ||
913 | switch(c->type) { | |
914 | case MEM_CHUNK: { | |
915 | char * offset; | |
916 | - size_t toSend; | |
917 | + off_t toSend; | |
918 | ssize_t r; | |
919 | ||
920 | size_t num_chunks, i; | |
921 | @@ -49,12 +48,10 @@ | |
922 | chunk *tc; | |
923 | size_t num_bytes = 0; | |
924 | ||
925 | - /* we can't send more then SSIZE_MAX bytes in one chunk */ | |
926 | - | |
927 | /* build writev list | |
928 | * | |
929 | * 1. limit: num_chunks < UIO_MAXIOV | |
930 | - * 2. limit: num_bytes < SSIZE_MAX | |
931 | + * 2. limit: num_bytes < max_bytes | |
932 | */ | |
933 | for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next); | |
934 | ||
935 | @@ -69,9 +66,9 @@ | |
936 | chunks[i].iov_base = offset; | |
937 | ||
938 | /* protect the return value of writev() */ | |
939 | - if (toSend > SSIZE_MAX || | |
940 | - num_bytes + toSend > SSIZE_MAX) { | |
941 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
942 | + if (toSend > max_bytes || | |
943 | + (off_t) num_bytes + toSend > max_bytes) { | |
944 | + chunks[i].iov_len = max_bytes - num_bytes; | |
945 | ||
946 | num_chunks = i + 1; | |
947 | break; | |
948 | @@ -105,6 +102,7 @@ | |
949 | ||
950 | /* check which chunks have been written */ | |
951 | cq->bytes_out += r; | |
952 | + max_bytes -= r; | |
953 | ||
954 | for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { | |
955 | if (r >= (ssize_t)chunks[i].iov_len) { | |
956 | @@ -114,11 +112,10 @@ | |
957 | ||
958 | if (chunk_finished) { | |
959 | /* skip the chunks from further touches */ | |
960 | - chunks_written++; | |
961 | c = c->next; | |
962 | } else { | |
963 | /* chunks_written + c = c->next is done in the for()*/ | |
964 | - chunk_finished++; | |
965 | + chunk_finished = 1; | |
4ae864ca | 966 | } |
902fac5f ER |
967 | } else { |
968 | /* partially written */ | |
969 | @@ -134,7 +131,7 @@ | |
970 | } | |
971 | case FILE_CHUNK: { | |
972 | off_t offset, r; | |
973 | - size_t toSend; | |
974 | + off_t toSend; | |
975 | stat_cache_entry *sce = NULL; | |
976 | ||
977 | if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { | |
978 | @@ -144,9 +141,8 @@ | |
979 | } | |
980 | ||
981 | offset = c->file.start + c->offset; | |
982 | - /* limit the toSend to 2^31-1 bytes in a chunk */ | |
983 | - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? | |
984 | - ((1 << 30) - 1) : c->file.length - c->offset; | |
985 | + toSend = c->file.length - c->offset; | |
986 | + if (toSend > max_bytes) toSend = max_bytes; | |
987 | ||
988 | if (-1 == c->file.fd) { | |
989 | if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) { | |
990 | @@ -197,6 +193,7 @@ | |
991 | ||
992 | c->offset += r; | |
993 | cq->bytes_out += r; | |
994 | + max_bytes -= r; | |
995 | ||
996 | if (c->offset == c->file.length) { | |
997 | chunk_finished = 1; | |
998 | @@ -218,7 +215,7 @@ | |
999 | } | |
1000 | } | |
1001 | ||
1002 | - return chunks_written; | |
1003 | + return 0; | |
1004 | } | |
1005 | ||
1006 | #endif | |
1007 | Index: src/network_openssl.c | |
1008 | =================================================================== | |
1009 | --- src/network_openssl.c (.../tags/lighttpd-1.4.29) | |
1010 | +++ src/network_openssl.c (.../branches/lighttpd-1.4.x) | |
1011 | @@ -27,10 +27,9 @@ | |
1012 | # include <openssl/ssl.h> | |
1013 | # include <openssl/err.h> | |
1014 | ||
1015 | -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { | |
1016 | +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { | |
1017 | int ssl_r; | |
1018 | chunk *c; | |
1019 | - size_t chunks_written = 0; | |
1020 | ||
1021 | /* this is a 64k sendbuffer | |
1022 | * | |
1023 | @@ -59,13 +58,13 @@ | |
1024 | SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); | |
1025 | } | |
1026 | ||
1027 | - for(c = cq->first; c; c = c->next) { | |
1028 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
1029 | int chunk_finished = 0; | |
1030 | ||
1031 | switch(c->type) { | |
1032 | case MEM_CHUNK: { | |
1033 | char * offset; | |
1034 | - size_t toSend; | |
1035 | + off_t toSend; | |
1036 | ssize_t r; | |
1037 | ||
1038 | if (c->mem->used == 0 || c->mem->used == 1) { | |
1039 | @@ -75,6 +74,7 @@ | |
1040 | ||
1041 | offset = c->mem->ptr + c->offset; | |
1042 | toSend = c->mem->used - 1 - c->offset; | |
1043 | + if (toSend > max_bytes) toSend = max_bytes; | |
1044 | ||
1045 | /** | |
1046 | * SSL_write man-page | |
1047 | @@ -87,7 +87,14 @@ | |
1048 | */ | |
1049 | ||
1050 | ERR_clear_error(); | |
1051 | - if ((r = SSL_write(ssl, offset, toSend)) <= 0) { | |
1052 | + r = SSL_write(ssl, offset, toSend); | |
1053 | + | |
1054 | + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { | |
1055 | + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); | |
1056 | + return -1; | |
1057 | + } | |
1058 | + | |
1059 | + if (r <= 0) { | |
1060 | unsigned long err; | |
1061 | ||
1062 | switch ((ssl_r = SSL_get_error(ssl, r))) { | |
1063 | @@ -139,6 +146,7 @@ | |
1064 | } else { | |
1065 | c->offset += r; | |
1066 | cq->bytes_out += r; | |
1067 | + max_bytes -= r; | |
1068 | } | |
1069 | ||
1070 | if (c->offset == (off_t)c->mem->used - 1) { | |
1071 | @@ -168,6 +176,7 @@ | |
1072 | do { | |
1073 | off_t offset = c->file.start + c->offset; | |
1074 | off_t toSend = c->file.length - c->offset; | |
1075 | + if (toSend > max_bytes) toSend = max_bytes; | |
1076 | ||
1077 | if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; | |
1078 | ||
1079 | @@ -190,7 +199,14 @@ | |
1080 | close(ifd); | |
1081 | ||
1082 | ERR_clear_error(); | |
1083 | - if ((r = SSL_write(ssl, s, toSend)) <= 0) { | |
1084 | + r = SSL_write(ssl, s, toSend); | |
1085 | + | |
1086 | + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { | |
1087 | + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); | |
1088 | + return -1; | |
1089 | + } | |
1090 | + | |
1091 | + if (r <= 0) { | |
1092 | unsigned long err; | |
1093 | ||
1094 | switch ((ssl_r = SSL_get_error(ssl, r))) { | |
1095 | @@ -243,6 +259,7 @@ | |
1096 | } else { | |
1097 | c->offset += r; | |
1098 | cq->bytes_out += r; | |
1099 | + max_bytes -= r; | |
1100 | } | |
1101 | ||
1102 | if (c->offset == c->file.length) { | |
1103 | @@ -263,11 +280,9 @@ | |
1104 | ||
1105 | break; | |
1106 | } | |
1107 | - | |
1108 | - chunks_written++; | |
1109 | } | |
1110 | ||
1111 | - return chunks_written; | |
1112 | + return 0; | |
1113 | } | |
1114 | #endif | |
1115 | ||
1116 | Index: src/http_auth.c | |
1117 | =================================================================== | |
1118 | --- src/http_auth.c (.../tags/lighttpd-1.4.29) | |
1119 | +++ src/http_auth.c (.../branches/lighttpd-1.4.x) | |
1120 | @@ -1,7 +1,6 @@ | |
1121 | #include "server.h" | |
1122 | #include "log.h" | |
1123 | #include "http_auth.h" | |
1124 | -#include "http_auth_digest.h" | |
1125 | #include "inet_ntop_cache.h" | |
1126 | #include "stream.h" | |
1127 | ||
1128 | @@ -28,18 +27,23 @@ | |
1129 | #include <unistd.h> | |
1130 | #include <ctype.h> | |
1131 | ||
1132 | -#ifdef USE_OPENSSL | |
1133 | -# include <openssl/md5.h> | |
1134 | -#else | |
1135 | -# include "md5.h" | |
1136 | +#include "md5.h" | |
1137 | ||
1138 | -typedef li_MD5_CTX MD5_CTX; | |
1139 | -#define MD5_Init li_MD5_Init | |
1140 | -#define MD5_Update li_MD5_Update | |
1141 | -#define MD5_Final li_MD5_Final | |
1142 | +#define HASHLEN 16 | |
1143 | +#define HASHHEXLEN 32 | |
1144 | +typedef unsigned char HASH[HASHLEN]; | |
1145 | +typedef char HASHHEX[HASHHEXLEN+1]; | |
1146 | ||
1147 | -#endif | |
1148 | +static void CvtHex(const HASH Bin, char Hex[33]) { | |
1149 | + unsigned short i; | |
1150 | ||
1151 | + for (i = 0; i < 16; i++) { | |
1152 | + Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); | |
1153 | + Hex[i*2+1] = int2hex(Bin[i] & 0xf); | |
1154 | + } | |
1155 | + Hex[32] = '\0'; | |
1156 | +} | |
1157 | + | |
1158 | /** | |
1159 | * the $apr1$ handling is taken from apache 1.3.x | |
1160 | */ | |
1161 | @@ -95,7 +99,7 @@ | |
1162 | ch = in[0]; | |
1163 | /* run through the whole string, converting as we go */ | |
1164 | for (i = 0; i < in_len; i++) { | |
1165 | - ch = in[i]; | |
1166 | + ch = (unsigned char) in[i]; | |
1167 | ||
1168 | if (ch == '\0') break; | |
1169 | ||
1170 | @@ -435,7 +439,7 @@ | |
1171 | ||
1172 | static void to64(char *s, unsigned long v, int n) | |
1173 | { | |
1174 | - static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ | |
1175 | + static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ | |
1176 | "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; | |
1177 | ||
1178 | while (--n >= 0) { | |
1179 | @@ -455,7 +459,7 @@ | |
1180 | const char *sp, *ep; | |
1181 | unsigned char final[APR_MD5_DIGESTSIZE]; | |
1182 | ssize_t sl, pl, i; | |
1183 | - MD5_CTX ctx, ctx1; | |
1184 | + li_MD5_CTX ctx, ctx1; | |
1185 | unsigned long l; | |
1186 | ||
1187 | /* | |
1188 | @@ -487,33 +491,33 @@ | |
1189 | /* | |
1190 | * 'Time to make the doughnuts..' | |
1191 | */ | |
1192 | - MD5_Init(&ctx); | |
1193 | + li_MD5_Init(&ctx); | |
1194 | ||
1195 | /* | |
1196 | * The password first, since that is what is most unknown | |
1197 | */ | |
1198 | - MD5_Update(&ctx, pw, strlen(pw)); | |
1199 | + li_MD5_Update(&ctx, pw, strlen(pw)); | |
1200 | ||
1201 | /* | |
1202 | * Then our magic string | |
1203 | */ | |
1204 | - MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); | |
1205 | + li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); | |
1206 | ||
1207 | /* | |
1208 | * Then the raw salt | |
1209 | */ | |
1210 | - MD5_Update(&ctx, sp, sl); | |
1211 | + li_MD5_Update(&ctx, sp, sl); | |
1212 | ||
1213 | /* | |
1214 | * Then just as many characters of the MD5(pw, salt, pw) | |
1215 | */ | |
1216 | - MD5_Init(&ctx1); | |
1217 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1218 | - MD5_Update(&ctx1, sp, sl); | |
1219 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1220 | - MD5_Final(final, &ctx1); | |
1221 | + li_MD5_Init(&ctx1); | |
1222 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1223 | + li_MD5_Update(&ctx1, sp, sl); | |
1224 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1225 | + li_MD5_Final(final, &ctx1); | |
1226 | for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { | |
1227 | - MD5_Update(&ctx, final, | |
1228 | + li_MD5_Update(&ctx, final, | |
1229 | (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl); | |
1230 | } | |
1231 | ||
1232 | @@ -527,10 +531,10 @@ | |
1233 | */ | |
1234 | for (i = strlen(pw); i != 0; i >>= 1) { | |
1235 | if (i & 1) { | |
1236 | - MD5_Update(&ctx, final, 1); | |
1237 | + li_MD5_Update(&ctx, final, 1); | |
1238 | } | |
1239 | else { | |
1240 | - MD5_Update(&ctx, pw, 1); | |
1241 | + li_MD5_Update(&ctx, pw, 1); | |
1242 | } | |
1243 | } | |
1244 | ||
1245 | @@ -542,7 +546,7 @@ | |
1246 | strncat(passwd, sp, sl); | |
1247 | strcat(passwd, "$"); | |
1248 | ||
1249 | - MD5_Final(final, &ctx); | |
1250 | + li_MD5_Final(final, &ctx); | |
1251 | ||
1252 | /* | |
1253 | * And now, just to make sure things don't run too fast.. | |
1254 | @@ -550,28 +554,28 @@ | |
1255 | * need 30 seconds to build a 1000 entry dictionary... | |
1256 | */ | |
1257 | for (i = 0; i < 1000; i++) { | |
1258 | - MD5_Init(&ctx1); | |
1259 | + li_MD5_Init(&ctx1); | |
1260 | if (i & 1) { | |
1261 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1262 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1263 | } | |
1264 | else { | |
1265 | - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1266 | + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1267 | } | |
1268 | if (i % 3) { | |
1269 | - MD5_Update(&ctx1, sp, sl); | |
1270 | + li_MD5_Update(&ctx1, sp, sl); | |
1271 | } | |
1272 | ||
1273 | if (i % 7) { | |
1274 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1275 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1276 | } | |
1277 | ||
1278 | if (i & 1) { | |
1279 | - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1280 | + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); | |
1281 | } | |
1282 | else { | |
1283 | - MD5_Update(&ctx1, pw, strlen(pw)); | |
1284 | + li_MD5_Update(&ctx1, pw, strlen(pw)); | |
1285 | } | |
1286 | - MD5_Final(final,&ctx1); | |
1287 | + li_MD5_Final(final,&ctx1); | |
1288 | } | |
1289 | ||
1290 | p = passwd + strlen(passwd); | |
1291 | @@ -614,17 +618,17 @@ | |
1292 | * user:realm:md5(user:realm:password) | |
1293 | */ | |
1294 | ||
1295 | - MD5_CTX Md5Ctx; | |
1296 | + li_MD5_CTX Md5Ctx; | |
1297 | HASH HA1; | |
1298 | char a1[256]; | |
1299 | ||
1300 | - MD5_Init(&Md5Ctx); | |
1301 | - MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); | |
1302 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1303 | - MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); | |
1304 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1305 | - MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); | |
1306 | - MD5_Final(HA1, &Md5Ctx); | |
1307 | + li_MD5_Init(&Md5Ctx); | |
1308 | + li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); | |
1309 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1310 | + li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); | |
1311 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1312 | + li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); | |
1313 | + li_MD5_Final(HA1, &Md5Ctx); | |
1314 | ||
1315 | CvtHex(HA1, a1); | |
1316 | ||
1317 | @@ -930,7 +934,7 @@ | |
1318 | int i; | |
1319 | buffer *password, *b, *username_buf, *realm_buf; | |
1320 | ||
1321 | - MD5_CTX Md5Ctx; | |
1322 | + li_MD5_CTX Md5Ctx; | |
1323 | HASH HA1; | |
1324 | HASH HA2; | |
1325 | HASH RespHash; | |
1326 | @@ -1067,13 +1071,13 @@ | |
1327 | ||
1328 | if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { | |
1329 | /* generate password from plain-text */ | |
1330 | - MD5_Init(&Md5Ctx); | |
1331 | - MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); | |
1332 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1333 | - MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); | |
1334 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1335 | - MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); | |
1336 | - MD5_Final(HA1, &Md5Ctx); | |
1337 | + li_MD5_Init(&Md5Ctx); | |
1338 | + li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); | |
1339 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1340 | + li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); | |
1341 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1342 | + li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); | |
1343 | + li_MD5_Final(HA1, &Md5Ctx); | |
1344 | } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { | |
1345 | /* HA1 */ | |
1346 | /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ | |
1347 | @@ -1090,45 +1094,45 @@ | |
1348 | ||
1349 | if (algorithm && | |
1350 | strcasecmp(algorithm, "md5-sess") == 0) { | |
1351 | - MD5_Init(&Md5Ctx); | |
1352 | - MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); | |
1353 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1354 | - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1355 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1356 | - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1357 | - MD5_Final(HA1, &Md5Ctx); | |
1358 | + li_MD5_Init(&Md5Ctx); | |
1359 | + li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); | |
1360 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1361 | + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1362 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1363 | + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1364 | + li_MD5_Final(HA1, &Md5Ctx); | |
1365 | } | |
1366 | ||
1367 | CvtHex(HA1, a1); | |
1368 | ||
1369 | /* calculate H(A2) */ | |
1370 | - MD5_Init(&Md5Ctx); | |
1371 | - MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); | |
1372 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1373 | - MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); | |
1374 | + li_MD5_Init(&Md5Ctx); | |
1375 | + li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); | |
1376 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1377 | + li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); | |
1378 | if (qop && strcasecmp(qop, "auth-int") == 0) { | |
1379 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1380 | - MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); | |
1381 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1382 | + li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); | |
1383 | } | |
1384 | - MD5_Final(HA2, &Md5Ctx); | |
1385 | + li_MD5_Final(HA2, &Md5Ctx); | |
1386 | CvtHex(HA2, HA2Hex); | |
1387 | ||
1388 | /* calculate response */ | |
1389 | - MD5_Init(&Md5Ctx); | |
1390 | - MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); | |
1391 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1392 | - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1393 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1394 | + li_MD5_Init(&Md5Ctx); | |
1395 | + li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); | |
1396 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1397 | + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); | |
1398 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1399 | if (qop && *qop) { | |
1400 | - MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); | |
1401 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1402 | - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1403 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1404 | - MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); | |
1405 | - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1406 | + li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); | |
1407 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1408 | + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); | |
1409 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1410 | + li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); | |
1411 | + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); | |
1412 | }; | |
1413 | - MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); | |
1414 | - MD5_Final(RespHash, &Md5Ctx); | |
1415 | + li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); | |
1416 | + li_MD5_Final(RespHash, &Md5Ctx); | |
1417 | CvtHex(RespHash, a2); | |
1418 | ||
1419 | if (0 != strcmp(a2, respons)) { | |
1420 | @@ -1171,24 +1175,24 @@ | |
1421 | ||
1422 | int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { | |
1423 | HASH h; | |
1424 | - MD5_CTX Md5Ctx; | |
1425 | + li_MD5_CTX Md5Ctx; | |
1426 | char hh[32]; | |
4ae864ca | 1427 | |
902fac5f ER |
1428 | UNUSED(p); |
1429 | ||
1430 | /* generate shared-secret */ | |
1431 | - MD5_Init(&Md5Ctx); | |
1432 | - MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); | |
1433 | - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1434 | + li_MD5_Init(&Md5Ctx); | |
1435 | + li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); | |
1436 | + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1437 | ||
1438 | /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ | |
1439 | LI_ltostr(hh, srv->cur_ts); | |
1440 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1441 | - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1442 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1443 | + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1444 | LI_ltostr(hh, rand()); | |
1445 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1446 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1447 | ||
1448 | - MD5_Final(h, &Md5Ctx); | |
1449 | + li_MD5_Final(h, &Md5Ctx); | |
1450 | ||
1451 | CvtHex(h, out); | |
1452 | ||
1453 | Index: src/mod_usertrack.c | |
1454 | =================================================================== | |
1455 | --- src/mod_usertrack.c (.../tags/lighttpd-1.4.29) | |
1456 | +++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x) | |
1457 | @@ -8,18 +8,8 @@ | |
1458 | #include <stdlib.h> | |
1459 | #include <string.h> | |
1460 | ||
1461 | -#ifdef USE_OPENSSL | |
1462 | -# include <openssl/md5.h> | |
1463 | -#else | |
1464 | -# include "md5.h" | |
1465 | +#include "md5.h" | |
1466 | ||
1467 | -typedef li_MD5_CTX MD5_CTX; | |
1468 | -#define MD5_Init li_MD5_Init | |
1469 | -#define MD5_Update li_MD5_Update | |
1470 | -#define MD5_Final li_MD5_Final | |
1471 | - | |
1472 | -#endif | |
1473 | - | |
1474 | /* plugin config for all request/connections */ | |
1475 | ||
1476 | typedef struct { | |
1477 | @@ -182,7 +172,7 @@ | |
1478 | plugin_data *p = p_d; | |
1479 | data_string *ds; | |
1480 | unsigned char h[16]; | |
1481 | - MD5_CTX Md5Ctx; | |
1482 | + li_MD5_CTX Md5Ctx; | |
1483 | char hh[32]; | |
1484 | ||
1485 | if (con->uri.path->used == 0) return HANDLER_GO_ON; | |
1486 | @@ -228,18 +218,18 @@ | |
1487 | /* taken from mod_auth.c */ | |
1488 | ||
1489 | /* generate shared-secret */ | |
1490 | - MD5_Init(&Md5Ctx); | |
1491 | - MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); | |
1492 | - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1493 | + li_MD5_Init(&Md5Ctx); | |
1494 | + li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); | |
1495 | + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); | |
1496 | ||
1497 | /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ | |
1498 | LI_ltostr(hh, srv->cur_ts); | |
1499 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1500 | - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1501 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1502 | + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); | |
1503 | LI_ltostr(hh, rand()); | |
1504 | - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1505 | + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); | |
1506 | ||
1507 | - MD5_Final(h, &Md5Ctx); | |
1508 | + li_MD5_Final(h, &Md5Ctx); | |
1509 | ||
1510 | buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX); | |
1511 | buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/")); | |
1512 | Index: src/mod_status.c | |
1513 | =================================================================== | |
1514 | --- src/mod_status.c (.../tags/lighttpd-1.4.29) | |
1515 | +++ src/mod_status.c (.../branches/lighttpd-1.4.x) | |
1516 | @@ -487,7 +487,7 @@ | |
1517 | ||
1518 | buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">")); | |
1519 | ||
1520 | - if (con->request.content_length) { | |
1521 | + if (c->request.content_length) { | |
1522 | buffer_append_long(b, c->request_content_queue->bytes_in); | |
1523 | buffer_append_string_len(b, CONST_STR_LEN("/")); | |
1524 | buffer_append_long(b, c->request.content_length); | |
1525 | Index: src/settings.h | |
1526 | =================================================================== | |
1527 | --- src/settings.h (.../tags/lighttpd-1.4.29) | |
1528 | +++ src/settings.h (.../branches/lighttpd-1.4.x) | |
1529 | @@ -21,8 +21,11 @@ | |
1530 | * 64kB (no real reason, just a guess) | |
1531 | */ | |
1532 | #define BUFFER_MAX_REUSE_SIZE (4 * 1024) | |
1533 | -#define MAX_READ_LIMIT (4*1024*1024) | |
1534 | ||
1535 | +/* both should be way smaller than SSIZE_MAX :) */ | |
1536 | +#define MAX_READ_LIMIT (256*1024) | |
1537 | +#define MAX_WRITE_LIMIT (256*1024) | |
1538 | + | |
1539 | /** | |
1540 | * max size of the HTTP request header | |
1541 | * | |
1542 | Index: src/mod_cml_lua.c | |
1543 | =================================================================== | |
1544 | --- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29) | |
1545 | +++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x) | |
1546 | @@ -11,18 +11,6 @@ | |
1547 | #include <time.h> | |
1548 | #include <string.h> | |
1549 | ||
1550 | -#ifdef USE_OPENSSL | |
1551 | -# include <openssl/md5.h> | |
1552 | -#else | |
1553 | -# include "md5.h" | |
1554 | - | |
1555 | -typedef li_MD5_CTX MD5_CTX; | |
1556 | -#define MD5_Init li_MD5_Init | |
1557 | -#define MD5_Update li_MD5_Update | |
1558 | -#define MD5_Final li_MD5_Final | |
1559 | - | |
1560 | -#endif | |
1561 | - | |
1562 | #define HASHLEN 16 | |
1563 | typedef unsigned char HASH[HASHLEN]; | |
1564 | #define HASHHEXLEN 32 | |
1565 | Index: src/mod_fastcgi.c | |
1566 | =================================================================== | |
1567 | --- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29) | |
1568 | +++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) | |
1569 | @@ -3075,7 +3075,7 @@ | |
1570 | fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); | |
1571 | /* fall through */ | |
1572 | case FCGI_STATE_WRITE: | |
1573 | - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); | |
1574 | + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); | |
1575 | ||
1576 | chunkqueue_remove_finished_chunks(hctx->wb); | |
1577 | ||
1578 | @@ -3132,7 +3132,6 @@ | |
1579 | plugin_data *p = p_d; | |
1580 | ||
1581 | handler_ctx *hctx = con->plugin_ctx[p->id]; | |
1582 | - fcgi_proc *proc; | |
1583 | fcgi_extension_host *host; | |
1584 | ||
1585 | if (NULL == hctx) return HANDLER_GO_ON; | |
1586 | @@ -3201,7 +3200,6 @@ | |
1587 | /* ok, create the request */ | |
1588 | switch(fcgi_write_request(srv, hctx)) { | |
1589 | case HANDLER_ERROR: | |
1590 | - proc = hctx->proc; | |
1591 | host = hctx->host; | |
1592 | ||
1593 | if (hctx->state == FCGI_STATE_INIT || | |
1594 | Index: src/network_solaris_sendfilev.c | |
1595 | =================================================================== | |
1596 | --- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29) | |
1597 | +++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x) | |
1598 | @@ -38,17 +38,16 @@ | |
1599 | */ | |
1600 | ||
1601 | ||
1602 | -int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) { | |
1603 | +int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
1604 | chunk *c; | |
1605 | - size_t chunks_written = 0; | |
1606 | ||
1607 | - for(c = cq->first; c; c = c->next, chunks_written++) { | |
1608 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
1609 | int chunk_finished = 0; | |
1610 | ||
1611 | switch(c->type) { | |
1612 | case MEM_CHUNK: { | |
1613 | char * offset; | |
1614 | - size_t toSend; | |
1615 | + off_t toSend; | |
1616 | ssize_t r; | |
1617 | ||
1618 | size_t num_chunks, i; | |
1619 | @@ -77,9 +76,9 @@ | |
1620 | chunks[i].iov_base = offset; | |
1621 | ||
1622 | /* protect the return value of writev() */ | |
1623 | - if (toSend > SSIZE_MAX || | |
1624 | - num_bytes + toSend > SSIZE_MAX) { | |
1625 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
1626 | + if (toSend > max_bytes || | |
1627 | + (off_t) num_bytes + toSend > max_bytes) { | |
1628 | + chunks[i].iov_len = max_bytes - num_bytes; | |
1629 | ||
1630 | num_chunks = i + 1; | |
1631 | break; | |
1632 | @@ -119,11 +118,10 @@ | |
1633 | ||
1634 | if (chunk_finished) { | |
1635 | /* skip the chunks from further touches */ | |
1636 | - chunks_written++; | |
1637 | c = c->next; | |
1638 | } else { | |
1639 | /* chunks_written + c = c->next is done in the for()*/ | |
1640 | - chunk_finished++; | |
1641 | + chunk_finished = 1; | |
4ae864ca | 1642 | } |
902fac5f ER |
1643 | } else { |
1644 | /* partially written */ | |
1645 | @@ -139,8 +137,8 @@ | |
1646 | } | |
1647 | case FILE_CHUNK: { | |
1648 | ssize_t r; | |
1649 | - off_t offset; | |
1650 | - size_t toSend, written; | |
1651 | + off_t offset, toSend; | |
1652 | + size_t written; | |
1653 | sendfilevec_t fvec; | |
1654 | stat_cache_entry *sce = NULL; | |
1655 | int ifd; | |
1656 | @@ -153,6 +151,7 @@ | |
1657 | ||
1658 | offset = c->file.start + c->offset; | |
1659 | toSend = c->file.length - c->offset; | |
1660 | + if (toSend > max_bytes) toSend = max_bytes; | |
1661 | ||
1662 | if (offset > sce->st.st_size) { | |
1663 | log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); | |
1664 | @@ -186,6 +185,7 @@ | |
1665 | close(ifd); | |
1666 | c->offset += written; | |
1667 | cq->bytes_out += written; | |
1668 | + max_bytes -= written; | |
1669 | ||
1670 | if (c->offset == c->file.length) { | |
1671 | chunk_finished = 1; | |
1672 | @@ -207,7 +207,7 @@ | |
1673 | } | |
1674 | } | |
1675 | ||
1676 | - return chunks_written; | |
1677 | + return 0; | |
1678 | } | |
1679 | ||
1680 | #endif | |
1681 | Index: src/CMakeLists.txt | |
1682 | =================================================================== | |
1683 | Index: src/mod_dirlisting.c | |
1684 | =================================================================== | |
1685 | --- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29) | |
1686 | +++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x) | |
1687 | @@ -657,7 +657,8 @@ | |
1688 | i = dir->used - 1; | |
1689 | ||
1690 | #ifdef HAVE_PATHCONF | |
1691 | - if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { | |
1692 | + if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { | |
1693 | + /* some broken fs (fuse) return 0 instead of -1 */ | |
1694 | #ifdef NAME_MAX | |
1695 | name_max = NAME_MAX; | |
1696 | #else | |
1697 | Index: src/network_linux_sendfile.c | |
1698 | =================================================================== | |
1699 | --- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29) | |
1700 | +++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x) | |
1701 | @@ -27,17 +27,16 @@ | |
1702 | /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */ | |
1703 | #undef HAVE_POSIX_FADVISE | |
1704 | ||
1705 | -int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { | |
1706 | +int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { | |
1707 | chunk *c; | |
1708 | - size_t chunks_written = 0; | |
1709 | ||
1710 | - for(c = cq->first; c; c = c->next, chunks_written++) { | |
1711 | + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { | |
1712 | int chunk_finished = 0; | |
1713 | ||
1714 | switch(c->type) { | |
1715 | case MEM_CHUNK: { | |
1716 | char * offset; | |
1717 | - size_t toSend; | |
1718 | + off_t toSend; | |
1719 | ssize_t r; | |
4ae864ca | 1720 | |
902fac5f ER |
1721 | size_t num_chunks, i; |
1722 | @@ -45,12 +44,10 @@ | |
1723 | chunk *tc; | |
1724 | size_t num_bytes = 0; | |
1725 | ||
1726 | - /* we can't send more then SSIZE_MAX bytes in one chunk */ | |
1727 | - | |
1728 | /* build writev list | |
1729 | * | |
1730 | * 1. limit: num_chunks < UIO_MAXIOV | |
1731 | - * 2. limit: num_bytes < SSIZE_MAX | |
1732 | + * 2. limit: num_bytes < max_bytes | |
1733 | */ | |
1734 | for (num_chunks = 0, tc = c; | |
1735 | tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; | |
1736 | @@ -67,9 +64,9 @@ | |
1737 | chunks[i].iov_base = offset; | |
1738 | ||
1739 | /* protect the return value of writev() */ | |
1740 | - if (toSend > SSIZE_MAX || | |
1741 | - num_bytes + toSend > SSIZE_MAX) { | |
1742 | - chunks[i].iov_len = SSIZE_MAX - num_bytes; | |
1743 | + if (toSend > max_bytes || | |
1744 | + (off_t) num_bytes + toSend > max_bytes) { | |
1745 | + chunks[i].iov_len = max_bytes - num_bytes; | |
1746 | ||
1747 | num_chunks = i + 1; | |
1748 | break; | |
1749 | @@ -100,6 +97,7 @@ | |
1750 | ||
1751 | /* check which chunks have been written */ | |
1752 | cq->bytes_out += r; | |
1753 | + max_bytes -= r; | |
1754 | ||
1755 | for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { | |
1756 | if (r >= (ssize_t)chunks[i].iov_len) { | |
1757 | @@ -109,11 +107,10 @@ | |
1758 | ||
1759 | if (chunk_finished) { | |
1760 | /* skip the chunks from further touches */ | |
1761 | - chunks_written++; | |
1762 | c = c->next; | |
4ae864ca | 1763 | } else { |
902fac5f ER |
1764 | /* chunks_written + c = c->next is done in the for()*/ |
1765 | - chunk_finished++; | |
1766 | + chunk_finished = 1; | |
4ae864ca | 1767 | } |
902fac5f ER |
1768 | } else { |
1769 | /* partially written */ | |
1770 | @@ -130,13 +127,12 @@ | |
1771 | case FILE_CHUNK: { | |
1772 | ssize_t r; | |
1773 | off_t offset; | |
1774 | - size_t toSend; | |
1775 | + off_t toSend; | |
1776 | stat_cache_entry *sce = NULL; | |
1777 | ||
1778 | offset = c->file.start + c->offset; | |
1779 | - /* limit the toSend to 2^31-1 bytes in a chunk */ | |
1780 | - toSend = c->file.length - c->offset > ((1 << 30) - 1) ? | |
1781 | - ((1 << 30) - 1) : c->file.length - c->offset; | |
1782 | + toSend = c->file.length - c->offset; | |
1783 | + if (toSend > max_bytes) toSend = max_bytes; | |
1784 | ||
1785 | /* open file if not already opened */ | |
1786 | if (-1 == c->file.fd) { | |
1787 | @@ -215,6 +211,7 @@ | |
1788 | ||
1789 | c->offset += r; | |
1790 | cq->bytes_out += r; | |
1791 | + max_bytes -= r; | |
1792 | ||
1793 | if (c->offset == c->file.length) { | |
1794 | chunk_finished = 1; | |
1795 | @@ -243,7 +240,7 @@ | |
1796 | } | |
1797 | } | |
1798 | ||
1799 | - return chunks_written; | |
1800 | + return 0; | |
1801 | } | |
1802 | ||
1803 | #endif | |
1804 | Index: tests/mod-auth.t | |
1805 | =================================================================== | |
1806 | --- tests/mod-auth.t (.../tags/lighttpd-1.4.29) | |
1807 | +++ tests/mod-auth.t (.../branches/lighttpd-1.4.x) | |
1808 | @@ -8,7 +8,7 @@ | |
1809 | ||
1810 | use strict; | |
1811 | use IO::Socket; | |
1812 | -use Test::More tests => 14; | |
1813 | +use Test::More tests => 15; | |
1814 | use LightyTest; | |
1815 | ||
1816 | my $tf = LightyTest->new(); | |
1817 | @@ -25,6 +25,14 @@ | |
1818 | ||
1819 | $t->{REQUEST} = ( <<EOF | |
1820 | GET /server-status HTTP/1.0 | |
1821 | +Authorization: Basic \x80mFuOmphb | |
1822 | +EOF | |
1823 | + ); | |
1824 | +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; | |
1825 | +ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); | |
1826 | + | |
1827 | +$t->{REQUEST} = ( <<EOF | |
1828 | +GET /server-status HTTP/1.0 | |
1829 | Authorization: Basic amFuOmphb | |
1830 | EOF | |
1831 | ); | |
1832 | Index: tests/request.t | |
1833 | =================================================================== | |
1834 | --- tests/request.t (.../tags/lighttpd-1.4.29) | |
1835 | +++ tests/request.t (.../branches/lighttpd-1.4.x) | |
1836 | @@ -8,7 +8,7 @@ | |
1837 | ||
1838 | use strict; | |
1839 | use IO::Socket; | |
1840 | -use Test::More tests => 44; | |
1841 | +use Test::More tests => 46; | |
1842 | use LightyTest; | |
1843 | ||
1844 | my $tf = LightyTest->new(); | |
1845 | @@ -413,5 +413,21 @@ | |
1846 | $t->{SLOWREQUEST} = 1; | |
1847 | ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)'); | |
1848 | ||
1849 | +print "\nPathinfo for static files\n"; | |
1850 | +$t->{REQUEST} = ( <<EOF | |
1851 | +GET /image.jpg/index.php HTTP/1.0 | |
1852 | +EOF | |
1853 | + ); | |
1854 | +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ]; | |
1855 | +ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default'); | |
1856 | + | |
1857 | +$t->{REQUEST} = ( <<EOF | |
1858 | +GET /image.jpg/index.php HTTP/1.0 | |
1859 | +Host: zzz.example.org | |
1860 | +EOF | |
1861 | + ); | |
1862 | +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; | |
1863 | +ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); | |
1864 | + | |
1865 | ok($tf->stop_proc == 0, "Stopping lighttpd"); | |
1866 | ||
1867 | Index: tests/wrapper.sh | |
1868 | =================================================================== | |
1869 | --- tests/wrapper.sh (.../tags/lighttpd-1.4.29) | |
1870 | +++ tests/wrapper.sh (.../branches/lighttpd-1.4.x) | |
1871 | @@ -6,4 +6,4 @@ | |
1872 | top_builddir=$2 | |
1873 | export SHELL srcdir top_builddir | |
1874 | ||
1875 | -$3 | |
1876 | +exec $3 | |
1877 | Index: tests/lighttpd.conf | |
1878 | =================================================================== | |
1879 | --- tests/lighttpd.conf (.../tags/lighttpd-1.4.29) | |
1880 | +++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x) | |
1881 | @@ -149,6 +149,7 @@ | |
1882 | $HTTP["host"] == "zzz.example.org" { | |
1883 | server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" | |
1884 | server.name = "zzz.example.org" | |
1885 | + static-file.disable-pathinfo = "enable" | |
1886 | } | |
1887 | ||
1888 | $HTTP["host"] == "symlink.example.org" { | |
ceb30c4b ER |
1889 | Index: configure.ac |
1890 | =================================================================== | |
902fac5f ER |
1891 | Index: doc/config/lighttpd.conf |
1892 | =================================================================== | |
1893 | --- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29) | |
1894 | +++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x) | |
1895 | @@ -394,6 +394,8 @@ | |
1896 | ## $SERVER["socket"] == "10.0.0.1:443" { | |
1897 | ## ssl.engine = "enable" | |
1898 | ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" | |
1899 | +## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html | |
1900 | +## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" | |
1901 | ## server.name = "www.example.com" | |
1902 | ## | |
1903 | ## server.document-root = "/srv/www/vhosts/example.com/www/" | |
ceb30c4b ER |
1904 | Index: SConstruct |
1905 | =================================================================== | |
1906 | Index: NEWS | |
1907 | =================================================================== | |
902fac5f | 1908 | --- NEWS (.../tags/lighttpd-1.4.29) |
cc37bbfb | 1909 | +++ NEWS (.../branches/lighttpd-1.4.x) |
902fac5f | 1910 | @@ -3,7 +3,19 @@ |
ceb30c4b ER |
1911 | NEWS |
1912 | ==== | |
1913 | ||
902fac5f ER |
1914 | -- 1.4.29 - |
1915 | +- 1.4.30 - | |
1916 | + * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) | |
1917 | + * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. | |
1918 | + * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled | |
1919 | + * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file | |
1920 | + * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) | |
1921 | + * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) | |
1922 | + * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) | |
1923 | + * [ssl] count renegotiations to prevent client renegotiations | |
1924 | + * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) | |
1925 | + * [core] accept dots in ipv6 addresses in host header (fixes #2359) | |
1926 | + | |
1927 | +- 1.4.29 - 2011-07-03 | |
1928 | * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) | |
1929 | * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) | |
1930 | * mod_cgi: make read buffer as big as incoming data block | |
ceb30c4b ER |
1931 | Index: CMakeLists.txt |
1932 | =================================================================== |