3 ===================================================================
4 --- src/base.h (.../tags/lighttpd-1.4.24)
5 +++ src/base.h (.../branches/lighttpd-1.4.x)
7 unsigned short ssl_verifyclient_enforce;
8 unsigned short ssl_verifyclient_depth;
9 buffer *ssl_verifyclient_username;
10 + unsigned short ssl_verifyclient_export_cert;
12 unsigned short use_ipv6;
13 unsigned short defer_accept;
14 Index: src/mod_rewrite.c
15 ===================================================================
16 --- src/mod_rewrite.c (.../tags/lighttpd-1.4.24)
17 +++ src/mod_rewrite.c (.../branches/lighttpd-1.4.x)
33 static int rewrite_rule_buffer_append(rewrite_rule_buffer *kvb, buffer *key, buffer *value, int once) {
52 static void rewrite_rule_buffer_free(rewrite_rule_buffer *kvb) {
56 for (i = 0; i < kvb->size; i++) {
60 if (kvb->ptr) free(kvb->ptr);
66 ((data_string *)(da->value->data[j]))->key,
67 ((data_string *)(da->value->data[j]))->value,
70 log_error_write(srv, __FILE__, __LINE__, "sb",
71 "pcre-compile failed for", da->value->data[j]->key);
73 - log_error_write(srv, __FILE__, __LINE__, "s",
74 - "pcre support is missing, please install libpcre and the headers");
83 +static int parse_config_entry(server *srv, array *ca, const char *option) {
84 + static int logged_message = 0;
85 + if (logged_message) return 0;
86 + if (NULL != array_get_element(ca, option)) {
88 + log_error_write(srv, __FILE__, __LINE__, "s",
89 + "pcre support is missing, please install libpcre and the headers");
95 SETDEFAULTS_FUNC(mod_rewrite_set_defaults) {
96 - plugin_data *p = p_d;
99 config_values_t cv[] = {
100 { "url.rewrite-repeat", NULL, T_CONFIG_LOCAL, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
101 { "url.rewrite-once", NULL, T_CONFIG_LOCAL, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
102 @@ -243,33 +236,37 @@
103 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
107 + plugin_data *p = p_d;
109 if (!p) return HANDLER_ERROR;
112 p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
117 for (i = 0; i < srv->config_context->used; i++) {
123 s = calloc(1, sizeof(plugin_config));
124 s->rewrite = rewrite_rule_buffer_init();
125 s->rewrite_NF = rewrite_rule_buffer_init();
127 - cv[0].destination = s->rewrite;
128 - cv[1].destination = s->rewrite;
129 - cv[2].destination = s->rewrite_NF;
130 - cv[3].destination = s->rewrite_NF;
131 - cv[4].destination = s->rewrite;
132 - cv[5].destination = s->rewrite;
134 p->config_storage[i] = s;
137 ca = ((data_config *)srv->config_context->data[i])->value;
139 if (0 != config_insert_values_global(srv, ca, cv)) {
140 return HANDLER_ERROR;
144 +# define parse_config_entry(srv, ca, x, option, y) parse_config_entry(srv, ca, option)
146 parse_config_entry(srv, ca, s->rewrite, "url.rewrite-once", 1);
147 parse_config_entry(srv, ca, s->rewrite, "url.rewrite-final", 1);
148 parse_config_entry(srv, ca, s->rewrite_NF, "url.rewrite-if-not-file", 1);
151 return HANDLER_GO_ON;
158 static int mod_rewrite_patch_connection(server *srv, connection *con, plugin_data *p) {
165 URIHANDLER_FUNC(mod_rewrite_con_reset) {
166 plugin_data *p = p_d;
171 static int process_rewrite_rules(server *srv, connection *con, plugin_data *p, rewrite_rule_buffer *kvb) {
176 @@ -444,19 +442,11 @@
188 return HANDLER_GO_ON;
191 URIHANDLER_FUNC(mod_rewrite_physical) {
193 plugin_data *p = p_d;
195 stat_cache_entry *sce;
196 @@ -480,17 +470,11 @@
206 return HANDLER_GO_ON;
209 URIHANDLER_FUNC(mod_rewrite_uri_handler) {
211 plugin_data *p = p_d;
213 mod_rewrite_patch_connection(srv, con, p);
214 @@ -498,29 +482,27 @@
215 if (!p->conf.rewrite) return HANDLER_GO_ON;
217 return process_rewrite_rules(srv, con, p, p->conf.rewrite);
224 return HANDLER_GO_ON;
228 int mod_rewrite_plugin_init(plugin *p);
229 int mod_rewrite_plugin_init(plugin *p) {
230 p->version = LIGHTTPD_VERSION_ID;
231 p->name = buffer_init_string("rewrite");
234 p->init = mod_rewrite_init;
235 /* it has to stay _raw as we are matching on uri + querystring
238 p->handle_uri_raw = mod_rewrite_uri_handler;
239 p->handle_physical = mod_rewrite_physical;
240 - p->set_defaults = mod_rewrite_set_defaults;
241 p->cleanup = mod_rewrite_free;
242 p->connection_reset = mod_rewrite_con_reset;
244 + p->set_defaults = mod_rewrite_set_defaults;
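Review bot: The three `parse_config_entry(...)` calls in `mod_rewrite_set_defaults` are bare statements, so the `int` the function returns is discarded. From the visible lines, a rule that reaches the "pcre-compile failed for" log, or a rewrite option set on a build without pcre, is only logged and startup continues without that rule; where rewrite rules are used to keep clients away from certain paths, that is a fail-open start. I would propagate the result, e.g. `if (0 != parse_config_entry(srv, ca, s->rewrite, "url.rewrite-once", 1)) return HANDLER_ERROR;`, after confirming what each variant returns, since both bodies are only partly visible here. The macro that reuses the name `parse_config_entry` to drop two arguments also needs a one-line comment, e.g. `/* no pcre: ignore rule buffer and flag, only warn once if the option is set */`.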
248 Index: src/connections.c
249 ===================================================================
250 --- src/connections.c (.../tags/lighttpd-1.4.24)
251 +++ src/connections.c (.../branches/lighttpd-1.4.x)
255 CLEAN(error_handler);
256 +#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
257 + CLEAN(tlsext_server_name);
262 @@ -1250,8 +1253,10 @@
267 log_error_write(srv, __FILE__, __LINE__, "sdd",
268 "CLOSE-read()", con->fd, b);
272 read(con->fd, buf, sizeof(buf));
273 @@ -1621,8 +1626,10 @@
278 log_error_write(srv, __FILE__, __LINE__, "sdd",
279 "CLOSE-read()", con->fd, b);
283 read(con->fd, buf, sizeof(buf));
284 Index: src/configfile.c
285 ===================================================================
286 --- src/configfile.c (.../tags/lighttpd-1.4.24)
287 +++ src/configfile.c (.../branches/lighttpd-1.4.x)
289 { "ssl.verifyclient.enforce", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 57 */
290 { "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER }, /* 58 */
291 { "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 59 */
292 + { "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
293 { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
294 { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
295 { "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
297 s->ssl_verifyclient_enforce = 1;
298 s->ssl_verifyclient_username = buffer_init();
299 s->ssl_verifyclient_depth = 9;
300 + s->ssl_verifyclient_export_cert = 0;
302 cv[2].destination = s->errorfile_prefix;
305 cv[57].destination = &(s->ssl_verifyclient_enforce);
306 cv[58].destination = &(s->ssl_verifyclient_depth);
307 cv[59].destination = s->ssl_verifyclient_username;
308 + cv[60].destination = &(s->ssl_verifyclient_export_cert);
310 srv->config_storage[i] = s;
313 PATCH(ssl_verifyclient_enforce);
314 PATCH(ssl_verifyclient_depth);
315 PATCH(ssl_verifyclient_username);
316 + PATCH(ssl_verifyclient_export_cert);
321 PATCH(ssl_verifyclient_depth);
322 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
323 PATCH(ssl_verifyclient_username);
324 + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
325 + PATCH(ssl_verifyclient_export_cert);
329 Index: src/mod_rrdtool.c
330 ===================================================================
331 --- src/mod_rrdtool.c (.../tags/lighttpd-1.4.24)
332 +++ src/mod_rrdtool.c (.../branches/lighttpd-1.4.x)
333 @@ -237,11 +237,11 @@
334 "not a regular file:", s->path_rrd);
335 return HANDLER_ERROR;
339 - /* still create DB if it's empty file */
340 - if (st.st_size > 0) {
341 - return HANDLER_GO_ON;
342 + /* still create DB if it's empty file */
343 + if (st.st_size > 0) {
344 + return HANDLER_GO_ON;
348 /* create a new one */
349 Index: src/response.c
350 ===================================================================
351 --- src/response.c (.../tags/lighttpd-1.4.24)
352 +++ src/response.c (.../branches/lighttpd-1.4.x)
358 +static void https_add_ssl_entries(connection *con) {
361 + X509_NAME_ENTRY *xe;
363 + SSL_get_verify_result(con->ssl) != X509_V_OK
364 + || !(xs = SSL_get_peer_certificate(con->ssl))
369 + xn = X509_get_subject_name(xs);
370 + for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
372 + const char * xobjsn;
373 + data_string *envds;
375 + if (!(xe = X509_NAME_get_entry(xn, i))) {
378 + xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
379 + xobjsn = OBJ_nid2sn(xobjnid);
384 + if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
385 + envds = data_string_init();
387 + buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
388 + buffer_append_string(envds->key, xobjsn);
389 + buffer_copy_string_len(
391 + (const char *)xe->value->data, xe->value->length
393 + /* pick one of the exported values as "authed user", for example
394 + * ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID" or "SSL_CLIENT_S_DN_emailAddress"
396 + if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
397 + buffer_copy_string_buffer(con->authed_user, envds->value);
399 + array_insert_unique(con->environment, (data_unset *)envds);
401 + if (con->conf.ssl_verifyclient_export_cert) {
403 + if (NULL != (bio = BIO_new(BIO_s_mem()))) {
404 + data_string *envds;
407 + PEM_write_bio_X509(bio, xs);
408 + n = BIO_pending(bio);
410 + if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
411 + envds = data_string_init();
414 + buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_CERT"));
415 + buffer_prepare_copy(envds->value, n+1);
416 + BIO_read(bio, envds->value->ptr, n);
418 + envds->value->ptr[n] = '\0';
419 + envds->value->used = n+1;
420 + array_insert_unique(con->environment, (data_unset *)envds);
428 handler_t http_response_prepare(server *srv, connection *con) {
432 log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path : ", con->uri.path);
436 + if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
437 + https_add_ssl_entries(con);
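Review bot: In `https_add_ssl_entries` each subject-name entry is copied as raw bytes, `(const char *)xe->value->data, xe->value->length`, with no check of the ASN.1 string type and no rejection of embedded NUL or control bytes, and the same value becomes `con->authed_user` when the key matches `ssl.verifyclient.username`. Because the environment and `authed_user` are later handled as C strings by backends and logs, I would convert the entry with `ASN1_STRING_to_UTF8()` and skip any value whose length differs from its `strlen()` before exporting it. In the `SSL_CLIENT_CERT` branch the results of `PEM_write_bio_X509()` and `BIO_read()` are ignored while `used` is set from `n`; check both and insert the entry only on success. `SSL_get_peer_certificate()` hands back a reference the caller owns, and no `X509_free(xs)` or `BIO_free(bio)` is visible in this section, though lines are missing from the page and they may exist. The `for (int i = 0, ...` declaration is C99 and may not match how the rest of the file is compiled.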
444 Index: src/mod_fastcgi.c
445 ===================================================================
446 --- src/mod_fastcgi.c (.../tags/lighttpd-1.4.24)
447 +++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x)
448 @@ -2416,8 +2416,8 @@
450 static int fastcgi_get_packet(server *srv, handler_ctx *hctx, fastcgi_response_packet *packet) {
458 if (!hctx->rb->first) return -1;
459 @@ -2428,20 +2428,22 @@
461 packet->request_id = 0;
463 + offset = 0; toread = 8;
464 /* get at least the FastCGI header */
465 for (c = hctx->rb->first; c; c = c->next) {
466 - size_t weWant = sizeof(*header) - (packet->b->used - 1);
467 size_t weHave = c->mem->used - c->offset - 1;
469 - if (weHave > weWant) weHave = weWant;
470 + if (weHave > toread) weHave = toread;
472 if (packet->b->used == 0) {
473 buffer_copy_string_len(packet->b, c->mem->ptr + c->offset, weHave);
475 buffer_append_string_len(packet->b, c->mem->ptr + c->offset, weHave);
478 + offset = weHave; /* skip offset bytes in chunk for "real" data */
480 - if (packet->b->used >= sizeof(*header) + 1) break;
481 + if (0 == toread) break;
484 if ((packet->b->used == 0) ||
485 @@ -2449,7 +2451,9 @@
487 buffer_free(packet->b);
489 - log_error_write(srv, __FILE__, __LINE__, "sdsds", "FastCGI: header too small:", packet->b->used, "bytes <", sizeof(FCGI_Header), "bytes");
490 + if (hctx->plugin_data->conf.debug) {
491 + log_error_write(srv, __FILE__, __LINE__, "sdsds", "FastCGI: header too small:", packet->b->used, "bytes <", sizeof(FCGI_Header), "bytes, waiting for more data");
496 @@ -2461,9 +2465,6 @@
497 packet->type = header->type;
498 packet->padding = header->paddingLength;
500 - /* the first bytes in packet->b are the header */
501 - offset = sizeof(*header);
503 /* ->b should only be the content */
504 buffer_copy_string_len(packet->b, CONST_STR_LEN("")); /* used == 1 */
506 @@ -2477,7 +2478,7 @@
508 buffer_append_string_len(packet->b, c->mem->ptr + c->offset + offset, weHave);
510 - /* we only skipped the first 8 bytes as they are the fcgi header */
511 + /* we only skipped the first bytes as they belonged to the fcgi header */
515 @@ -3080,34 +3081,17 @@
522 /* the connection got dropped after accept()
524 - * this is most of the time a PHP which dies
525 - * after PHP_FCGI_MAX_REQUESTS
527 + * we don't care about that - if you accept() it, you have to handle it.
529 - if (hctx->wb->bytes_out == 0 &&
530 - hctx->reconnects < 5) {
531 - usleep(10000); /* take away the load of the webserver
532 - * to give the php a chance to restart
535 - fcgi_reconnect(srv, hctx);
537 - return HANDLER_WAIT_FOR_FD;
540 - /* not reconnected ... why
542 - * far@#lighttpd report this for FreeBSD
546 - log_error_write(srv, __FILE__, __LINE__, "ssosd",
547 - "[REPORT ME] connection was dropped after accept(). reconnect() denied:",
548 + log_error_write(srv, __FILE__, __LINE__, "ssosb",
549 + "connection was dropped after accept() (perhaps the fastcgi process died),",
550 "write-offset:", hctx->wb->bytes_out,
551 - "reconnect attempts:", hctx->reconnects);
552 + "socket:", hctx->proc->connection_name);
554 return HANDLER_ERROR;
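Review bot: In the "header too small" branch of `fastcgi_get_packet`, `buffer_free(packet->b);` precedes the new debug-only `log_error_write(...)`, which still reads `packet->b->used`, so with debug enabled this path reads memory that was just freed. Log first and free afterwards: move `buffer_free(packet->b);` below the `if (hctx->plugin_data->conf.debug) { ... }` block, directly before the return. In the header-read loop, `toread = 8;` hard-codes the header length while the later check and log message use `sizeof(FCGI_Header)`; `toread = sizeof(FCGI_Header);` keeps the two tied together. Lines between the visible ones are missing from this page, so the statement order should be confirmed against the file.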
556 Index: src/mod_magnet.c
557 ===================================================================
558 --- src/mod_magnet.c (.../tags/lighttpd-1.4.24)
559 +++ src/mod_magnet.c (.../branches/lighttpd-1.4.x)
561 return lua_gettop(L);
563 lua_pushvalue(L, lua_upvalueindex(1));
565 lua_call(L, lua_gettop(L) - 1, LUA_MULTRET);
566 return lua_gettop(L);
572 +static int traceback (lua_State *L) {
573 + if (!lua_isstring(L, 1)) /* 'message' not a string? */
574 + return 1; /* keep it intact */
575 + lua_getfield(L, LUA_GLOBALSINDEX, "debug");
576 + if (!lua_istable(L, -1)) {
580 + lua_getfield(L, -1, "traceback");
581 + if (!lua_isfunction(L, -1)) {
585 + lua_pushvalue(L, 1); /* pass error message */
586 + lua_pushinteger(L, 2); /* skip this function and traceback */
587 + lua_call(L, 2, 1); /* call debug.traceback */
591 +static int push_traceback(lua_State *L, int narg) {
592 + int base = lua_gettop(L) - narg; /* function index */
593 + lua_pushcfunction(L, traceback);
594 + lua_insert(L, base);
598 static handler_t magnet_attract(server *srv, connection *con, plugin_data *p, buffer *name) {
600 int lua_return_value = -1;
602 /* get the script-context */
607 lua_setfenv(L, -2); /* on the stack should be a modified env (sp -= 1) */
609 - if (lua_pcall(L, 0, 1, 0)) {
610 + errfunc = push_traceback(L, 0);
611 + if (lua_pcall(L, 0, 1, errfunc)) {
612 + lua_remove(L, errfunc);
613 log_error_write(srv, __FILE__, __LINE__,
618 return HANDLER_FINISHED;
620 + lua_remove(L, errfunc);
622 /* we should have the function-copy and the return value on the stack */
623 assert(lua_gettop(L) == 2);
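Review bot: `push_traceback` has no comment stating its contract: it inserts the `traceback` handler below the function and its `narg` arguments, and the caller has to `lua_remove()` that index on both the error and the success path, as `magnet_attract` does. A header comment such as `/* inserts traceback below the function and its narg args; returns the handler's stack index, which the caller must lua_remove() after lua_pcall */` would keep later call sites from unbalancing the stack ahead of `assert(lua_gettop(L) == 2)`. The handler looks up `debug` through `LUA_GLOBALSINDEX`, so a trace is produced only when the debug library is loaded in that state, which the comment on `traceback` should say. The return statement of `push_traceback` is not visible on this page, so the returned index is inferred from `errfunc = push_traceback(L, 0);`.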
625 ===================================================================
627 ===================================================================
629 ===================================================================
630 --- NEWS (.../tags/lighttpd-1.4.24)
631 +++ NEWS (.../branches/lighttpd-1.4.x)
638 + * mod_magnet: fix pairs() for normal tables and strings (fixes #1307)
639 + * mod_magnet: add traceback for printing lua errors
640 + * mod_rewrite: fix compile error if compiled without pcre
641 + * disable warning "CLOSE-read" (fixes #2091)
642 + * mod_rrdtool: fix creating file if it doesn't exist (#1788)
643 + * reset tlsext_server_name in connection_reset - fixes random hostnames in the $HTTP["host"] conditional
644 + * export some SSL_CLIENT_* vars for client cert validation (fixes #1288, thx presbrey)
645 + * mod_fastcgi: fix mod_fastcgi packet parsing
646 + * mod_fastcgi: Don't reconnect after connect() succeeded (fixes #2096)
648 +- 1.4.24 - 2009-10-25
649 * Add T_CONFIG_INT for bigger integers from the config (needed for #1966)
650 * Use unsigned int (and T_CONFIG_INT) for max_request_size
651 * Use unsigned int for secdownload.timeout (fixes #1966)
652 Index: CMakeLists.txt
653 ===================================================================