-Index: configure.in
+# Revision 2815
+Index: src/http_auth_digest.c
===================================================================
---- configure.in (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ configure.in (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -398,7 +398,7 @@
-
- AC_MSG_RESULT($WITH_LUA)
- if test "$WITH_LUA" != "no"; then
-- if test "$WITH_LUA" == "yes"; then
-+ if test "$WITH_LUA" = "yes"; then
- WITH_LUA=lua
- fi
- PKG_CHECK_MODULES(LUA, $WITH_LUA >= 5.1, [
-@@ -538,7 +538,7 @@
- AC_OUTPUT
-
-
--do_build="mod_cgi mod_fastcgi mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming"
-+do_build="mod_cgi mod_fastcgi mod_extforward mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming"
-
- plugins="mod_rewrite mod_redirect mod_ssi mod_trigger_b4_dl"
- features="regex-conditionals"
-Index: src/mod_cgi.c
+--- src/http_auth_digest.c (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x)
+@@ -1,26 +0,0 @@
+-#include "buffer.h"
+-
+-#include "http_auth_digest.h"
+-
+-#include <string.h>
+-
+-#ifndef USE_OPENSSL
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+-void CvtHex(IN HASH Bin, OUT HASHHEX Hex) {
+- unsigned short i;
+-
+- for (i = 0; i < HASHLEN; i++) {
+- Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
+- Hex[i*2+1] = int2hex(Bin[i] & 0xf);
+- }
+- Hex[HASHHEXLEN] = '\0';
+-}
+-
+Index: src/http_auth_digest.h
===================================================================
---- src/mod_cgi.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/mod_cgi.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -842,6 +842,12 @@
- CONST_BUF_LEN(con->authed_user));
- }
+--- src/http_auth_digest.h (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x)
+@@ -1,24 +0,0 @@
+-#ifndef _DIGCALC_H_
+-#define _DIGCALC_H_
+-
+-#ifdef HAVE_CONFIG_H
+-# include "config.h"
+-#endif
+-
+-#define HASHLEN 16
+-typedef unsigned char HASH[HASHLEN];
+-#define HASHHEXLEN 32
+-typedef char HASHHEX[HASHHEXLEN+1];
+-#ifdef USE_OPENSSL
+-#define IN const
+-#else
+-#define IN
+-#endif
+-#define OUT
+-
+-void CvtHex(
+- IN HASH Bin,
+- OUT HASHHEX Hex
+- );
+-
+-#endif
+Index: src/network_write.c
+===================================================================
+--- src/network_write.c (.../tags/lighttpd-1.4.29)
++++ src/network_write.c (.../branches/lighttpd-1.4.x)
+@@ -24,17 +24,16 @@
+ # include <sys/resource.h>
+ #endif
-+#ifdef USE_OPENSSL
-+ if (srv_sock->is_ssl) {
-+ cgi_env_add(&env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on"));
-+ }
-+#endif
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ if (c->mem->used == 0) {
+@@ -44,6 +43,8 @@
+
+ offset = c->mem->ptr + c->offset;
+ toSend = c->mem->used - 1 - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
++
+ #ifdef __WIN32
+ if ((r = send(fd, offset, toSend, 0)) < 0) {
+ /* no error handling for windows... */
+@@ -72,6 +73,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == (off_t)c->mem->used - 1) {
+ chunk_finished = 1;
+@@ -85,7 +87,7 @@
+ #endif
+ ssize_t r;
+ off_t offset;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+ int ifd;
+
+@@ -98,6 +100,8 @@
+ offset = c->file.start + c->offset;
+ toSend = c->file.length - c->offset;
+
++ if (toSend > max_bytes) toSend = max_bytes;
+
- /* request.content_length < SSIZE_MAX, see request.c */
- ltostr(buf, con->request.content_length);
- cgi_env_add(&env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf));
+ if (offset > sce->st.st_size) {
+ log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
+
+@@ -181,6 +185,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -200,11 +205,9 @@
+
+ break;
+ }
+-
+- chunks_written++;
+ }
+
+- return chunks_written;
++ return 0;
+ }
+
+ #if 0
+Index: src/mod_secure_download.c
+===================================================================
+--- src/mod_secure_download.c (.../tags/lighttpd-1.4.29)
++++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -200,7 +190,7 @@
+
+ URIHANDLER_FUNC(mod_secdownload_uri_handler) {
+ plugin_data *p = p_d;
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ const char *rel_uri, *ts_str, *md5_str;
+ time_t ts = 0;
+@@ -266,9 +256,9 @@
+ buffer_append_string(p->md5, rel_uri);
+ buffer_append_string_len(p->md5, ts_str, 8);
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ buffer_copy_string_hex(p->md5, (char *)HA1, 16);
+
Index: src/base.h
===================================================================
---- src/base.h (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/base.h (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -481,7 +481,9 @@
- enum { STAT_CACHE_ENGINE_UNSET,
- STAT_CACHE_ENGINE_NONE,
- STAT_CACHE_ENGINE_SIMPLE,
-+#ifdef HAVE_FAM_H
- STAT_CACHE_ENGINE_FAM
-+#endif
- } stat_cache_engine;
- unsigned short enable_cores;
- } server_config;
+--- src/base.h (.../tags/lighttpd-1.4.29)
++++ src/base.h (.../branches/lighttpd-1.4.x)
+@@ -277,6 +277,7 @@
+ buffer *ssl_cipher_list;
+ buffer *ssl_dh_file;
+ buffer *ssl_ec_curve;
++ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ unsigned short ssl_use_sslv2;
+ unsigned short ssl_use_sslv3;
+ unsigned short ssl_verifyclient;
+@@ -284,6 +285,7 @@
+ unsigned short ssl_verifyclient_depth;
+ buffer *ssl_verifyclient_username;
+ unsigned short ssl_verifyclient_export_cert;
++ unsigned short ssl_disable_client_renegotiation;
+
+ unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */
+ unsigned short defer_accept;
+@@ -437,6 +439,7 @@
+ # ifndef OPENSSL_NO_TLSEXT
+ buffer *tlsext_server_name;
+ # endif
++ unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+ #endif
+ /* etag handling */
+ etag_flags_t etag_flags;
+@@ -647,11 +650,9 @@
+
+ fdevent_handler_t event_handler;
+
+- int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq);
+- int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq);
++ int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+- int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
+- int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++ int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
+ #endif
+
+ uid_t uid;
Index: src/connections.c
===================================================================
---- src/connections.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/connections.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -500,11 +500,10 @@
- case 201:
- case 301:
- case 302:
-+ case 303:
- break;
+--- src/connections.c (.../tags/lighttpd-1.4.29)
++++ src/connections.c (.../branches/lighttpd-1.4.x)
+@@ -223,6 +223,12 @@
- case 206: /* write_queue is already prepared */
-- con->file_finished = 1;
--
+ len = SSL_read(con->ssl, b->ptr + read_offset, toread);
+
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ connection_set_state(srv, con, CON_STATE_ERROR);
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
+ if (len > 0) {
+ if (b->used > 0) b->used--;
+ b->used += len;
+@@ -445,6 +451,7 @@
+ default:
+ switch(con->http_status) {
+ case 400: /* bad request */
++ case 401: /* authorization required */
+ case 414: /* overload request header */
+ case 505: /* unknown protocol */
+ case 207: /* this was webdav */
+@@ -617,8 +624,9 @@
+ }
+
+ static int connection_handle_write(server *srv, connection *con) {
+- switch(network_write_chunkqueue(srv, con, con->write_queue)) {
++ switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) {
+ case 0:
++ con->write_request_ts = srv->cur_ts;
+ if (con->file_finished) {
+ connection_set_state(srv, con, CON_STATE_RESPONSE_END);
+ joblist_append(srv, con);
+@@ -635,6 +643,7 @@
+ joblist_append(srv, con);
break;
- case 205: /* class: header only */
- case 304:
-@@ -970,7 +969,7 @@
- }
- } else {
- /* a splited \r \n */
-- return -1;
-+ break;
- }
- }
- }
-Index: src/configfile.c
+ case 1:
++ con->write_request_ts = srv->cur_ts;
+ con->is_writable = 0;
+
+ /* not finished yet -> WRITE */
+@@ -1251,8 +1260,6 @@
+ log_error_write(srv, __FILE__, __LINE__, "ds",
+ con->fd,
+ "handle write failed.");
+- } else if (con->state == CON_STATE_WRITE) {
+- con->write_request_ts = srv->cur_ts;
+ }
+ }
+
+@@ -1352,6 +1359,7 @@
+ return NULL;
+ }
+
++ con->renegotiations = 0;
+ #ifndef OPENSSL_NO_TLSEXT
+ SSL_set_app_data(con->ssl, con);
+ #endif
+@@ -1667,8 +1675,6 @@
+ con->fd,
+ "handle write failed.");
+ connection_set_state(srv, con, CON_STATE_ERROR);
+- } else if (con->state == CON_STATE_WRITE) {
+- con->write_request_ts = srv->cur_ts;
+ }
+ }
+
+Index: src/mod_staticfile.c
===================================================================
---- src/configfile.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/configfile.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -218,13 +218,19 @@
- srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_SIMPLE;
- } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("simple"))) {
- srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_SIMPLE;
-+#ifdef HAVE_FAM_H
- } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("fam"))) {
- srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_FAM;
+--- src/mod_staticfile.c (.../tags/lighttpd-1.4.29)
++++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x)
+@@ -26,6 +26,7 @@
+ typedef struct {
+ array *exclude_ext;
+ unsigned short etags_used;
++ unsigned short disable_pathinfo;
+ } plugin_config;
+
+ typedef struct {
+@@ -84,6 +85,7 @@
+ config_values_t cv[] = {
+ { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
+ { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
++ { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ };
+
+@@ -97,9 +99,11 @@
+ s = calloc(1, sizeof(plugin_config));
+ s->exclude_ext = array_init();
+ s->etags_used = 1;
++ s->disable_pathinfo = 0;
+
+ cv[0].destination = s->exclude_ext;
+ cv[1].destination = &(s->etags_used);
++ cv[2].destination = &(s->disable_pathinfo);
+
+ p->config_storage[i] = s;
+
+@@ -119,6 +123,7 @@
+
+ PATCH(exclude_ext);
+ PATCH(etags_used);
++ PATCH(disable_pathinfo);
+
+ /* skip the first, the global context */
+ for (i = 1; i < srv->config_context->used; i++) {
+@@ -136,7 +141,9 @@
+ PATCH(exclude_ext);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) {
+ PATCH(etags_used);
+- }
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) {
++ PATCH(disable_pathinfo);
++ }
+ }
+ }
+
+@@ -350,7 +357,6 @@
+ URIHANDLER_FUNC(mod_staticfile_subrequest) {
+ plugin_data *p = p_d;
+ size_t k;
+- int s_len;
+ stat_cache_entry *sce = NULL;
+ buffer *mtime = NULL;
+ data_string *ds;
+@@ -376,7 +382,12 @@
+
+ mod_staticfile_patch_connection(srv, con, p);
+
+- s_len = con->uri.path->used - 1;
++ if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) {
++ if (con->conf.log_request_handling) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden");
++ }
++ return HANDLER_GO_ON;
++ }
+
+ /* ignore certain extensions */
+ for (k = 0; k < p->conf.exclude_ext->used; k++) {
+Index: src/network.c
+===================================================================
+--- src/network.c (.../tags/lighttpd-1.4.29)
++++ src/network.c (.../branches/lighttpd-1.4.x)
+@@ -27,6 +27,19 @@
+ # include <openssl/rand.h>
+ #endif
+
++#ifdef USE_OPENSSL
++static void ssl_info_callback(const SSL *ssl, int where, int ret) {
++ UNUSED(ret);
++
++ if (0 != (where & SSL_CB_HANDSHAKE_START)) {
++ connection *con = SSL_get_app_data(ssl);
++ ++con->renegotiations;
++ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
++ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++ }
++}
+#endif
- } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("disable"))) {
- srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_NONE;
- } else {
- log_error_write(srv, __FILE__, __LINE__, "sb",
-- "server.stat-cache-engine can be one of \"disable\", \"simple\", \"fam\", but not:", stat_cache_string);
-+ "server.stat-cache-engine can be one of \"disable\", \"simple\","
-+#ifdef HAVE_FAM_H
-+ " \"fam\","
++
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
+ server_socket *srv_socket = (server_socket *)context;
+ connection *con;
+@@ -480,9 +493,11 @@
+ network_backend_t backend;
+
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
++#ifndef OPENSSL_NO_ECDH
+ EC_KEY *ecdh;
+ int nid;
+ #endif
++#endif
+
+ #ifdef USE_OPENSSL
+ DH *dh;
+@@ -553,6 +568,11 @@
+ /* load SSL certificates */
+ for (i = 0; i < srv->config_context->used; i++) {
+ specific_config *s = srv->config_storage[i];
++#ifndef SSL_OP_NO_COMPRESSION
++# define SSL_OP_NO_COMPRESSION 0
+#endif
-+ " but not:", stat_cache_string);
- ret = HANDLER_ERROR;
++ long ssloptions =
++ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
+
+ if (buffer_is_empty(s->ssl_pemfile)) continue;
+
+@@ -586,6 +606,9 @@
+ return -1;
+ }
+
++ SSL_CTX_set_options(s->ssl_ctx, ssloptions);
++ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
++
+ if (!s->ssl_use_sslv2) {
+ /* disable SSLv2 */
+ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+@@ -611,6 +634,10 @@
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
++
++ if (s->ssl_honor_cipher_order) {
++ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++ }
+ }
+
+ /* Support for Diffie-Hellman key exchange */
+@@ -847,7 +874,7 @@
+ return 0;
+ }
+
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
+ int ret = -1;
+ off_t written = 0;
+ #ifdef TCP_CORK
+@@ -855,16 +882,34 @@
+ #endif
+ server_socket *srv_socket = con->srv_socket;
+
+- if (con->conf.global_kbytes_per_second &&
+- *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) {
+- /* we reached the global traffic limit */
++ if (con->conf.global_kbytes_per_second) {
++ off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
++ if (limit <= 0) {
++ /* we reached the global traffic limit */
+
+- con->traffic_limit_reached = 1;
+- joblist_append(srv, con);
++ con->traffic_limit_reached = 1;
++ joblist_append(srv, con);
+
+- return 1;
++ return 1;
++ } else {
++ if (max_bytes > limit) max_bytes = limit;
++ }
}
++ if (con->conf.kbytes_per_second) {
++ off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
++ if (limit <= 0) {
++ /* we reached the traffic limit */
++
++ con->traffic_limit_reached = 1;
++ joblist_append(srv, con);
++
++ return 1;
++ } else {
++ if (max_bytes > limit) max_bytes = limit;
++ }
++ }
++
+ written = cq->bytes_out;
+
+ #ifdef TCP_CORK
+@@ -879,10 +924,10 @@
+
+ if (srv_socket->is_ssl) {
+ #ifdef USE_OPENSSL
+- ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq);
++ ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
+ #endif
+ } else {
+- ret = srv->network_backend_write(srv, con, con->fd, cq);
++ ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
+ }
+
+ if (ret >= 0) {
+@@ -903,12 +948,5 @@
+
+ *(con->conf.global_bytes_per_second_cnt_ptr) += written;
+
+- if (con->conf.kbytes_per_second &&
+- (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) {
+- /* we reached the traffic limit */
+-
+- con->traffic_limit_reached = 1;
+- joblist_append(srv, con);
+- }
+ return ret;
+ }
+Index: src/network.h
+===================================================================
+--- src/network.h (.../tags/lighttpd-1.4.29)
++++ src/network.h (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,7 @@
+
+ #include "server.h"
+
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c);
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes);
+
+ int network_init(server *srv);
+ int network_close(server *srv);
+Index: src/configfile.c
+===================================================================
+--- src/configfile.c (.../tags/lighttpd-1.4.29)
++++ src/configfile.c (.../branches/lighttpd-1.4.x)
+@@ -105,6 +105,8 @@
+ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
+ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
+ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
++ { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
++ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
+
+ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -176,6 +178,7 @@
+ s->max_write_idle = 360;
+ s->use_xattr = 0;
+ s->is_ssl = 0;
++ s->ssl_honor_cipher_order = 1;
+ s->ssl_use_sslv2 = 0;
+ s->ssl_use_sslv3 = 1;
+ s->use_ipv6 = 0;
+@@ -199,6 +202,7 @@
+ s->ssl_verifyclient_username = buffer_init();
+ s->ssl_verifyclient_depth = 9;
+ s->ssl_verifyclient_export_cert = 0;
++ s->ssl_disable_client_renegotiation = 1;
+
+ cv[2].destination = s->errorfile_prefix;
+
+@@ -245,6 +249,8 @@
+ cv[62].destination = &(s->ssl_use_sslv3);
+ cv[63].destination = s->ssl_dh_file;
+ cv[64].destination = s->ssl_ec_curve;
++ cv[66].destination = &(s->ssl_honor_cipher_order);
++
+ cv[49].destination = &(s->etag_use_inode);
+ cv[50].destination = &(s->etag_use_mtime);
+ cv[51].destination = &(s->etag_use_size);
+@@ -255,6 +261,7 @@
+ cv[58].destination = &(s->ssl_verifyclient_depth);
+ cv[59].destination = s->ssl_verifyclient_username;
+ cv[60].destination = &(s->ssl_verifyclient_export_cert);
++ cv[65].destination = &(s->ssl_disable_client_renegotiation);
+
+ srv->config_storage[i] = s;
+
+@@ -335,6 +342,7 @@
+ PATCH(ssl_cipher_list);
+ PATCH(ssl_dh_file);
+ PATCH(ssl_ec_curve);
++ PATCH(ssl_honor_cipher_order);
+ PATCH(ssl_use_sslv2);
+ PATCH(ssl_use_sslv3);
+ PATCH(etag_use_inode);
+@@ -346,6 +354,7 @@
+ PATCH(ssl_verifyclient_depth);
+ PATCH(ssl_verifyclient_username);
+ PATCH(ssl_verifyclient_export_cert);
++ PATCH(ssl_disable_client_renegotiation);
+
+ return 0;
+ }
+@@ -400,6 +409,8 @@
+ #endif
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ PATCH(ssl_ca_file);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++ PATCH(ssl_honor_cipher_order);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+ PATCH(ssl_use_sslv2);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
+@@ -454,6 +465,8 @@
+ PATCH(ssl_verifyclient_username);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
+ PATCH(ssl_verifyclient_export_cert);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
++ PATCH(ssl_disable_client_renegotiation);
+ }
+ }
+ }
Index: src/mod_scgi.c
===================================================================
---- src/mod_scgi.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -2528,7 +2528,7 @@
- hctx->reconnects < 5) {
- scgi_reconnect(srv, hctx);
-
-- log_error_write(srv, __FILE__, __LINE__, "sdsdsd",
-+ log_error_write(srv, __FILE__, __LINE__, "ssdsd",
- "response not sent, request not sent, reconnection.",
- "connection-fd:", con->fd,
- "fcgi-fd:", hctx->fd);
+--- src/mod_scgi.c (.../tags/lighttpd-1.4.29)
++++ src/mod_scgi.c (.../branches/lighttpd-1.4.x)
+@@ -2296,7 +2296,7 @@
+
+ /* fall through */
+ case FCGI_STATE_WRITE:
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
+
+ chunkqueue_remove_finished_chunks(hctx->wb);
+
Index: src/request.c
===================================================================
---- src/request.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/request.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -85,6 +85,9 @@
- /* Host is empty */
- if (host_len == 0) return -1;
-
-+ /* if the hostname ends in a "." strip it */
-+ if (host->ptr[host_len-1] == '.') host_len -= 1;
-+
- /* scan from the right and skip the \0 */
- for (i = host_len - 1; i + 1 > 0; i--) {
- const char c = host->ptr[i];
+--- src/request.c (.../tags/lighttpd-1.4.29)
++++ src/request.c (.../branches/lighttpd-1.4.x)
+@@ -49,7 +49,7 @@
+ if (++colon_cnt > 7) {
+ return -1;
+ }
+- } else if (!light_isxdigit(*c)) {
++ } else if (!light_isxdigit(*c) && '.' != *c) {
+ return -1;
+ }
+ }
Index: src/network_backends.h
===================================================================
---- src/network_backends.h (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/network_backends.h (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -14,7 +14,7 @@
- # include <sys/uio.h>
+--- src/network_backends.h (.../tags/lighttpd-1.4.29)
++++ src/network_backends.h (.../branches/lighttpd-1.4.x)
+@@ -47,18 +47,18 @@
+ #include "base.h"
+
+ /* return values:
+- * >= 0 : chunks completed
++ * >= 0 : no error
+ * -1 : error (on our side)
+ * -2 : remote close
+ */
+
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq);
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
#endif
--#if defined HAVE_SYS_UIO_H && defined HAVE_SENDFILE && defined HAVE_WRITEV && defined(__FreeBSD__)
-+#if defined HAVE_SYS_UIO_H && defined HAVE_SENDFILE && defined HAVE_WRITEV && (defined(__FreeBSD__) || defined(__DragonFly__))
- # define USE_FREEBSD_SENDFILE
- # include <sys/uio.h>
#endif
+Index: src/SConscript
+===================================================================
+--- src/SConscript (.../tags/lighttpd-1.4.29)
++++ src/SConscript (.../branches/lighttpd-1.4.x)
+@@ -12,7 +12,8 @@
+ data_integer.c md5.c data_fastcgi.c \
+ fdevent_select.c fdevent_libev.c \
+ fdevent_poll.c fdevent_linux_sysepoll.c \
+- fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \
++ fdevent_solaris_devpoll.c fdevent_solaris_port.c \
++ fdevent_freebsd_kqueue.c \
+ data_config.c bitset.c \
+ inet_ntop_cache.c crc32.c \
+ connections-glue.c \
+@@ -62,7 +63,7 @@
+ 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] },
+ 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] },
+ 'mod_auth' : {
+- 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ],
++ 'src' : [ 'mod_auth.c', 'http_auth.c' ],
+ 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] },
+ 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] },
+ 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] },
+Index: src/mod_cml_funcs.c
+===================================================================
+--- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x)
+@@ -17,18 +17,8 @@
+ #include <dirent.h>
+ #include <stdio.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -43,7 +33,7 @@
+ #ifdef HAVE_LUA_H
+
+ int f_crypto_md5(lua_State *L) {
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ buffer b;
+ char hex[33];
+@@ -63,9 +53,9 @@
+ lua_error(L);
+ }
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ buffer_copy_string_hex(&b, (char *)HA1, 16);
+
+Index: src/mod_userdir.c
+===================================================================
+--- src/mod_userdir.c (.../tags/lighttpd-1.4.29)
++++ src/mod_userdir.c (.../branches/lighttpd-1.4.x)
+@@ -166,7 +166,6 @@
+
+ URIHANDLER_FUNC(mod_userdir_docroot_handler) {
+ plugin_data *p = p_d;
+- int uri_len;
+ size_t k;
+ char *rel_url;
+ #ifdef HAVE_PWD_H
+@@ -182,8 +181,6 @@
+ */
+ if (p->conf.path->used == 0) return HANDLER_GO_ON;
+
+- uri_len = con->uri.path->used - 1;
+-
+ /* /~user/foo.html -> /home/user/public_html/foo.html */
+
+ if (con->uri.path->ptr[0] != '/' ||
Index: src/mod_proxy.c
===================================================================
---- src/mod_proxy.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -656,6 +656,7 @@
- }
+--- src/mod_proxy.c (.../tags/lighttpd-1.4.29)
++++ src/mod_proxy.c (.../branches/lighttpd-1.4.x)
+@@ -825,7 +825,7 @@
+
+ /* fall through */
+ case PROXY_STATE_WRITE:;
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
- if (-1 == (r = read(hctx->fd, hctx->response->ptr + hctx->response->used - 1, b))) {
-+ if (errno == EAGAIN) return 0;
- log_error_write(srv, __FILE__, __LINE__, "sds",
- "unexpected end-of-file (perhaps the proxy process died):",
- proxy_fd, strerror(errno));
-Index: src/mod_extforward.c
+ chunkqueue_remove_finished_chunks(hctx->wb);
+
+Index: src/Makefile.am
===================================================================
---- src/mod_extforward.c (.../tags/lighttpd-1.4.13) (revision 0)
-+++ src/mod_extforward.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -0,0 +1,490 @@
-+#include <ctype.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <stdio.h>
-+#include <netinet/in.h>
-+
-+#include "base.h"
-+#include "log.h"
-+#include "buffer.h"
-+
-+#include "plugin.h"
-+
-+#include "inet_ntop_cache.h"
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#endif
-+
-+/**
-+ * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
-+ * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
-+ *
-+ * Config example:
-+ *
-+ * Trust proxy 10.0.0.232 and 10.0.0.232
-+ * extforward.forwarder = ( "10.0.0.232" => "trust",
-+ * "10.0.0.233" => "trust" )
-+ *
-+ * Trust all proxies (NOT RECOMMENDED!)
-+ * extforward.forwarder = ( "all" => "trust")
-+ *
-+ * Note that "all" has precedence over specific entries,
-+ * so "all except" setups will not work.
-+ *
-+ * Note: The effect of this module is variable on $HTTP["remotip"] directives and
-+ * other module's remote ip dependent actions.
-+ * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
-+ * Things done in between these two moments will match on the real client's IP.
-+ * The moment things are done by a module depends on in which hook it does things and within the same hook
-+ * on whether they are before/after us in the module loading order
-+ * (order in the server.modules directive in the config file).
-+ *
-+ * Tested behaviours:
-+ *
-+ * mod_access: Will match on the real client.
-+ *
-+ * mod_accesslog:
-+ * In order to see the "real" ip address in access log ,
-+ * you'll have to load mod_extforward after mod_accesslog.
-+ * like this:
-+ *
-+ * server.modules = (
-+ * .....
-+ * mod_accesslog,
-+ * mod_extforward
-+ * )
-+ *
-+ * Known issues:
-+ * seems causing segfault with mod_ssl and $HTTP{"socket"} directives
-+ * LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL.
-+ *
-+ * ChangeLog:
-+ * 2005.12.19 Initial Version
-+ * 2005.12.19 fixed conflict with conditional directives
-+ * 2006.05.26 LEM: IPv6 support
-+ * 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive.
-+ * 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI
-+ * In this manner, we run before mod_access and $HTTP["remoteip"] directives work!
-+ * 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change.
-+ */
-+
-+
-+/* plugin config for all request/connections */
-+
-+typedef struct {
-+ array *forwarder;
-+} plugin_config;
-+
-+typedef struct {
-+ PLUGIN_DATA;
-+
-+ plugin_config **config_storage;
-+
-+ plugin_config conf;
-+} plugin_data;
-+
-+
-+/* context , used for restore remote ip */
-+
-+typedef struct {
-+ sock_addr saved_remote_addr;
-+ buffer *saved_remote_addr_buf;
-+} handler_ctx;
-+
-+
-+static handler_ctx * handler_ctx_init(sock_addr oldaddr, buffer *oldaddr_buf) {
-+ handler_ctx * hctx;
-+ hctx = calloc(1, sizeof(*hctx));
-+ hctx->saved_remote_addr = oldaddr;
-+ hctx->saved_remote_addr_buf = oldaddr_buf;
-+ return hctx;
-+}
-+
-+static void handler_ctx_free(handler_ctx *hctx) {
-+ free(hctx);
-+}
-+
-+/* init the plugin data */
-+INIT_FUNC(mod_extforward_init) {
-+ plugin_data *p;
-+ p = calloc(1, sizeof(*p));
-+ return p;
-+}
-+
-+/* destroy the plugin data */
-+FREE_FUNC(mod_extforward_free) {
-+ plugin_data *p = p_d;
-+
-+ UNUSED(srv);
-+
-+ if (!p) return HANDLER_GO_ON;
-+
-+ if (p->config_storage) {
-+ size_t i;
-+
-+ for (i = 0; i < srv->config_context->used; i++) {
-+ plugin_config *s = p->config_storage[i];
-+
-+ if (!s) continue;
-+
-+ array_free(s->forwarder);
-+
-+ free(s);
-+ }
-+ free(p->config_storage);
-+ }
-+
-+
-+ free(p);
-+
-+ return HANDLER_GO_ON;
-+}
-+
-+/* handle plugin config and check values */
-+
-+SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
-+ plugin_data *p = p_d;
-+ size_t i = 0;
-+
-+ config_values_t cv[] = {
-+ { "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
-+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
-+ };
-+
-+ if (!p) return HANDLER_ERROR;
-+
-+ p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
-+
-+ for (i = 0; i < srv->config_context->used; i++) {
-+ plugin_config *s;
-+
-+ s = calloc(1, sizeof(plugin_config));
-+ s->forwarder = array_init();
-+
-+ cv[0].destination = s->forwarder;
-+
-+ p->config_storage[i] = s;
-+
-+ if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) {
-+ return HANDLER_ERROR;
-+ }
-+ }
-+
-+ return HANDLER_GO_ON;
-+}
-+
-+#define PATCH(x) \
-+ p->conf.x = s->x;
-+static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) {
-+ size_t i, j;
-+ plugin_config *s = p->config_storage[0];
-+
-+ PATCH(forwarder);
-+
-+ /* LEM: The purpose of this seems to match extforward configuration
-+ stanzas that are not in the global context, but in some sub-context.
-+ I fear this will break contexts of the form HTTP['remote'] = .
-+ (in the form that they do not work with the real remote, but matching on
-+ the proxy instead).
-+
-+ I'm not sure this this is all thread-safe. Is the p we are passed different
-+ for each connection or is it global?
-+
-+ mod_fastcgi does the same, so it must be safe.
-+ */
-+ /* skip the first, the global context */
-+ for (i = 1; i < srv->config_context->used; i++) {
-+ data_config *dc = (data_config *)srv->config_context->data[i];
-+ s = p->config_storage[i];
-+
-+ /* condition didn't match */
-+ if (!config_check_cond(srv, con, dc)) continue;
-+
-+ /* merge config */
-+ for (j = 0; j < dc->value->used; j++) {
-+ data_unset *du = dc->value->data[j];
-+
-+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) {
-+ PATCH(forwarder);
-+ }
-+ }
-+ }
+--- src/Makefile.am (.../tags/lighttpd-1.4.29)
++++ src/Makefile.am (.../branches/lighttpd-1.4.x)
+@@ -241,7 +241,7 @@
+ mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd)
+
+ lib_LTLIBRARIES += mod_auth.la
+-mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c
++mod_auth_la_SOURCES = mod_auth.c http_auth.c
+ mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
+ mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
+
+@@ -268,7 +268,7 @@
+
+ hdr = server.h buffer.h network.h log.h keyvalue.h \
+ response.h request.h fastcgi.h chunk.h \
+- settings.h http_chunk.h http_auth_digest.h \
++ settings.h http_chunk.h \
+ md5.h http_auth.h stream.h \
+ fdevent.h connections.h base.h stat_cache.h \
+ plugin.h mod_auth.h \
+Index: src/network_writev.c
+===================================================================
+--- src/network_writev.c (.../tags/lighttpd-1.4.29)
++++ src/network_writev.c (.../branches/lighttpd-1.4.x)
+@@ -30,17 +30,16 @@
+ #define LOCAL_BUFFERING 1
+ #endif
+
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -65,12 +64,10 @@
+ #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de"
+ #endif
+
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < max_chunks
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next);
+
+@@ -87,9 +84,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -121,6 +118,7 @@
+ }
+
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ /* check which chunks have been written */
+
+@@ -132,11 +130,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -284,6 +281,8 @@
+ assert(toSend < 0);
+ }
+
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ #ifdef LOCAL_BUFFERING
+ start = c->mem->ptr;
+ #else
+@@ -309,6 +308,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -334,11 +334,9 @@
+
+ break;
+ }
+-
+- chunks_written++;
+ }
+
+- return chunks_written;
+ return 0;
-+}
-+#undef PATCH
-+
+ }
+
+ #endif
+Index: src/network_freebsd_sendfile.c
+===================================================================
+--- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29)
++++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x)
+@@ -31,17 +31,16 @@
+ # endif
+ #endif
+
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -49,12 +48,10 @@
+ chunk *tc;
+ size_t num_bytes = 0;
+
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < UIO_MAXIOV
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next);
+
+@@ -69,9 +66,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -105,6 +102,7 @@
+
+ /* check which chunks have been written */
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+ if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -114,11 +112,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -134,7 +131,7 @@
+ }
+ case FILE_CHUNK: {
+ off_t offset, r;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+
+ if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) {
+@@ -144,9 +141,8 @@
+ }
+
+ offset = c->file.start + c->offset;
+- /* limit the toSend to 2^31-1 bytes in a chunk */
+- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+- ((1 << 30) - 1) : c->file.length - c->offset;
++ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (-1 == c->file.fd) {
+ if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
+@@ -197,6 +193,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -218,7 +215,7 @@
+ }
+ }
+
+- return chunks_written;
++ return 0;
+ }
+
+ #endif
+Index: src/network_openssl.c
+===================================================================
+--- src/network_openssl.c (.../tags/lighttpd-1.4.29)
++++ src/network_openssl.c (.../branches/lighttpd-1.4.x)
+@@ -27,10 +27,9 @@
+ # include <openssl/ssl.h>
+ # include <openssl/err.h>
+
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) {
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
+ int ssl_r;
+ chunk *c;
+- size_t chunks_written = 0;
+
+ /* this is a 64k sendbuffer
+ *
+@@ -59,13 +58,13 @@
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
+
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ if (c->mem->used == 0 || c->mem->used == 1) {
+@@ -75,6 +74,7 @@
+
+ offset = c->mem->ptr + c->offset;
+ toSend = c->mem->used - 1 - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ /**
+ * SSL_write man-page
+@@ -87,7 +87,14 @@
+ */
+
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
++ r = SSL_write(ssl, offset, toSend);
+
-+static void put_string_into_array_len(array *ary, const char *str, int len)
-+{
-+ data_string *tempdata;
-+ if (len == 0)
-+ return;
-+ tempdata = data_string_init();
-+ buffer_copy_string_len(tempdata->value,str,len);
-+ array_insert_unique(ary,(data_unset *)tempdata);
-+}
-+/*
-+ extract a forward array from the environment
-+*/
-+static array *extract_forward_array(buffer *pbuffer)
-+{
-+ array *result = array_init();
-+ if (pbuffer->used > 0) {
-+ char *base, *curr;
-+ /* state variable, 0 means not in string, 1 means in string */
-+ int in_str = 0;
-+ for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++)
-+ {
-+ if (in_str) {
-+ if ( (*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' ) {
-+ /* found an separator , insert value into result array */
-+ put_string_into_array_len(result, base, curr-base);
-+ /* change state to not in string */
-+ in_str = 0;
-+ }
-+ } else {
-+ if (*curr >= '0' && *curr <= '9')
-+ {
-+ /* found leading char of an IP address, move base pointer and change state */
-+ base = curr;
-+ in_str = 1;
-+ }
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
+ }
-+ }
-+ /* if breaking out while in str, we got to the end of string, so add it */
-+ if (in_str)
-+ {
-+ put_string_into_array_len(result, base, curr-base);
-+ }
-+ }
-+ return result;
-+}
-+
-+#define IP_TRUSTED 1
-+#define IP_UNTRUSTED 0
-+/*
-+ check whether ip is trusted, return 1 for trusted , 0 for untrusted
-+*/
-+static int is_proxy_trusted(const char *ipstr, plugin_data *p)
-+{
-+ data_string* allds = (data_string *) array_get_element(p->conf.forwarder,"all");
-+ if (allds) {
-+ if (strcasecmp(allds->value->ptr,"trust") == 0)
-+ return IP_TRUSTED;
-+ else
-+ return IP_UNTRUSTED;
-+ }
-+ return (data_string *)array_get_element(p->conf.forwarder,ipstr) ? IP_TRUSTED : IP_UNTRUSTED ;
-+}
-+
-+struct addrinfo *ipstr_to_sockaddr(const char *host)
-+{
-+ struct addrinfo hints, *res0;
-+ int result;
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
-+
-+ result = getaddrinfo(host, NULL, &hints, &res0);
-+ if ( result != 0 )
-+ {
-+ fprintf(stderr,"could not resolve hostname %s because %s\n", host,gai_strerror(result));
-+ if (result == EAI_SYSTEM)
-+ perror("The system error is ");
-+ return NULL;
-+ }
-+ else
-+ if (res0==0)
-+ fprintf(stderr, "Problem in resolving hostname %s: succeeded, but no information returned\n", host);
-+
-+ return res0;
-+}
-+
-+
-+static void clean_cond_cache(server *srv, connection *con)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < srv->config_context->used; i++) {
-+ data_config *dc = (data_config *)srv->config_context->data[i];
-+
-+ if (dc->comp == COMP_HTTP_REMOTEIP)
-+ {
-+ con->cond_cache[i].result = COND_RESULT_UNSET;
-+ con->cond_cache[i].patterncount = 0;
-+ }
-+ }
-+}
-+
-+URIHANDLER_FUNC(mod_extforward_uri_handler) {
-+ plugin_data *p = p_d;
-+ data_string *forwarded = NULL;
-+#ifdef HAVE_IPV6
-+ char b2[INET6_ADDRSTRLEN + 1];
-+#endif
-+ const char *s;
-+ UNUSED(srv);
-+ mod_extforward_patch_connection(srv, con, p);
-+
-+/* log_error_write(srv, __FILE__, __LINE__,"s","mod_extforward_uri_handler called\n"); */
-+
-+ /* if the remote ip itself is not trusted , then do nothing */
-+#ifdef HAVE_IPV6
-+ s = inet_ntop(con->dst_addr.plain.sa_family,
-+ con->dst_addr.plain.sa_family == AF_INET6 ?
-+ &(con->dst_addr.ipv6.sin6_addr) :
-+ &(con->dst_addr.ipv4.sin_addr),
-+ b2,
-+ (sizeof b2) - 1);
-+#else
-+ s = inet_ntoa(con->dst_addr.ipv4.sin_addr);
-+#endif
-+ if (IP_UNTRUSTED == is_proxy_trusted (s, p) )
-+ return HANDLER_GO_ON;
+
-+ /* log_error_write(srv, __FILE__, __LINE__,"s","remote address is trusted proxy, go on\n");*/
-+ if (con->request.headers &&
-+ ((forwarded = (data_string *) array_get_element(con->request.headers,"X-Forwarded-For")) ||
-+ (forwarded = (data_string *) array_get_element(con->request.headers, "Forwarded-For"))))
-+ {
-+ /* log_error_write(srv, __FILE__, __LINE__,"s","found forwarded header\n");*/
-+ /* found forwarded for header */
-+ int i;
-+ array *forward_array = extract_forward_array(forwarded->value);
-+ char *real_remote_addr = NULL;
-+#ifdef HAVE_IPV6
-+ struct addrinfo *addrlist = NULL;
-+#endif
-+ /* Testing shows that multiple headers and multiple values in one header
-+ come in _reverse_ order. So the first one we get is the last one in the request. */
-+ for (i = forward_array->used - 1; i >= 0; i--)
-+ {
-+ data_string *ds = (data_string *) forward_array->data[i];
-+ if (ds) {
-+/* log_error_write(srv, __FILE__, __LINE__,"ss","forward",ds->value->ptr); */
-+ real_remote_addr = ds->value->ptr;
-+ break;
-+ /* LEM: What the hell is this about?
-+ We test whether the forwarded for IP is trusted?
-+ This looks like an ugly hack to handle multiple Forwarded-For's
-+ and avoid those set to our proxies, or something like that.
-+ My testing shows that reverse proxies add a new X-Forwarded-For header,
-+ and we should thus take the last one, which is the first one we see.
-+
-+ The net result of the old code is that we use the first untrusted IP,
-+ or if all are trusted, the last trusted IP.
-+ That's crazy. So I've disabled this.
-+ */
-+ /* check whether it is trusted */
-+/* if (IP_UNTRUSTED == is_proxy_trusted(ds->value->ptr,p) ) */
-+/* break; */
-+/* log_error_write(srv, __FILE__, __LINE__,"ss",ds->value->ptr," is trusted."); */
++ if (r <= 0) {
+ unsigned long err;
+
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -139,6 +146,7 @@
+ } else {
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+ }
+
+ if (c->offset == (off_t)c->mem->used - 1) {
+@@ -168,6 +176,7 @@
+ do {
+ off_t offset = c->file.start + c->offset;
+ off_t toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
+
+@@ -190,7 +199,14 @@
+ close(ifd);
+
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, s, toSend)) <= 0) {
++ r = SSL_write(ssl, s, toSend);
+
-+ }
-+ else {
-+ /* bug ? bailing out here */
-+ break;
-+ }
-+ }
-+ if (real_remote_addr != NULL) /* parsed */
-+ {
-+ sock_addr s;
-+ struct addrinfo *addrs_left;
-+/* log_error_write(srv, __FILE__, __LINE__,"ss","use forward",real_remote_addr); */
-+#ifdef HAVE_IPV6
-+ addrlist = ipstr_to_sockaddr(real_remote_addr);
-+ s.plain.sa_family = AF_UNSPEC;
-+ for (addrs_left = addrlist; addrs_left != NULL;
-+ addrs_left = addrs_left -> ai_next)
-+ {
-+ s.plain.sa_family = addrs_left->ai_family;
-+ if ( s.plain.sa_family == AF_INET )
-+ {
-+ s.ipv4.sin_addr = ((struct sockaddr_in*)addrs_left->ai_addr)->sin_addr;
-+ break;
-+ }
-+ else if ( s.plain.sa_family == AF_INET6 )
-+ {
-+ s.ipv6.sin6_addr = ((struct sockaddr_in6*)addrs_left->ai_addr)->sin6_addr;
-+ break;
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
+ }
-+ }
-+#else
-+ s.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr);
-+ s.plain.sa_family = (s.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET;
-+#endif
-+ if (s.plain.sa_family != AF_UNSPEC)
-+ {
-+ /* we found the remote address, modify current connection and save the old address */
-+ if (con->plugin_ctx[p->id]) {
-+ log_error_write(srv, __FILE__, __LINE__,"patching an already patched connection!");
-+ handler_ctx_free(con->plugin_ctx[p->id]);
-+ con->plugin_ctx[p->id] = NULL;
-+ }
-+ /* save old address */
-+ con->plugin_ctx[p->id] = handler_ctx_init(con->dst_addr, con->dst_addr_buf);
-+ /* patch connection address */
-+ con->dst_addr = s;
-+ con->dst_addr_buf = buffer_init();
-+ buffer_copy_string(con->dst_addr_buf, real_remote_addr);
-+/* log_error_write(srv, __FILE__, __LINE__,"ss","Set dst_addr_buf to ", real_remote_addr); */
-+ /* Now, clean the conf_cond cache, because we may have changed the results of tests */
-+ clean_cond_cache(srv, con);
-+ }
-+#ifdef HAVE_IPV6
-+ if (addrlist != NULL ) freeaddrinfo(addrlist);
-+#endif
-+ }
-+ array_free(forward_array);
-+ }
-+
-+ /* not found */
-+ return HANDLER_GO_ON;
-+}
-+
-+CONNECTION_FUNC(mod_extforward_restore) {
-+ plugin_data *p = p_d;
-+ UNUSED(srv);
-+
-+ /* LEM: This seems completely unuseful, as we are not using
-+ p->conf in this function. Furthermore, it brings a
-+ segfault if one of the conditional configuration
-+ blocks is "SERVER['socket'] == foo", because the
-+ socket is not known yet in the srv/con structure.
-+ */
-+ /* mod_extforward_patch_connection(srv, con, p); */
-+
-+ /* restore this connection's remote ip */
-+ if (con->plugin_ctx[p->id]) {
-+ handler_ctx *hctx = con->plugin_ctx[p->id];
-+ con->dst_addr = hctx->saved_remote_addr;
-+ buffer_free(con->dst_addr_buf);
-+ con->dst_addr_buf = hctx->saved_remote_addr_buf;
-+/* log_error_write(srv, __FILE__, __LINE__,"s","LEM: Reset dst_addr_buf"); */
-+ handler_ctx_free(hctx);
-+ con->plugin_ctx[p->id] = NULL;
-+ /* Now, clean the conf_cond cache, because we may have changed the results of tests */
-+ clean_cond_cache(srv, con);
-+ }
-+ return HANDLER_GO_ON;
-+}
-+
-+
-+/* this function is called at dlopen() time and inits the callbacks */
-+
-+int mod_extforward_plugin_init(plugin *p) {
-+ p->version = LIGHTTPD_VERSION_ID;
-+ p->name = buffer_init_string("extforward");
-+
-+ p->init = mod_extforward_init;
-+ p->handle_uri_raw = mod_extforward_uri_handler;
-+ p->handle_request_done = mod_extforward_restore;
-+ p->connection_reset = mod_extforward_restore;
-+ p->set_defaults = mod_extforward_set_defaults;
-+ p->cleanup = mod_extforward_free;
-+
-+ p->data = NULL;
+
++ if (r <= 0) {
+ unsigned long err;
+
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -243,12 +259,13 @@
+ } else {
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+ }
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+ }
+- } while(!chunk_finished && !write_wait);
++ } while (!chunk_finished && !write_wait && max_bytes > 0);
+
+ break;
+ }
+@@ -263,11 +280,9 @@
+
+ break;
+ }
+-
+- chunks_written++;
+ }
+
+- return chunks_written;
+ return 0;
-+}
-+
-
-Property changes on: src/mod_extforward.c
-___________________________________________________________________
-Name: svn:eol-style
- + native
-
-Index: src/Makefile.am
+ }
+ #endif
+
+Index: src/http_auth.c
===================================================================
---- src/Makefile.am (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/Makefile.am (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -199,6 +199,11 @@
- mod_fastcgi_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
- mod_fastcgi_la_LIBADD = $(common_libadd)
-
-+lib_LTLIBRARIES += mod_extforward.la
-+mod_extforward_la_SOURCES = mod_extforward.c
-+mod_extforward_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
-+mod_extforward_la_LIBADD = $(common_libadd)
+--- src/http_auth.c (.../tags/lighttpd-1.4.29)
++++ src/http_auth.c (.../branches/lighttpd-1.4.x)
+@@ -1,7 +1,6 @@
+ #include "server.h"
+ #include "log.h"
+ #include "http_auth.h"
+-#include "http_auth_digest.h"
+ #include "inet_ntop_cache.h"
+ #include "stream.h"
+
+@@ -28,18 +27,23 @@
+ #include <unistd.h>
+ #include <ctype.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
++#define HASHLEN 16
++#define HASHHEXLEN 32
++typedef unsigned char HASH[HASHLEN];
++typedef char HASHHEX[HASHHEXLEN+1];
+
+-#endif
++static void CvtHex(const HASH Bin, char Hex[33]) {
++ unsigned short i;
+
++ for (i = 0; i < 16; i++) {
++ Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
++ Hex[i*2+1] = int2hex(Bin[i] & 0xf);
++ }
++ Hex[32] = '\0';
++}
+
- lib_LTLIBRARIES += mod_access.la
- mod_access_la_SOURCES = mod_access.c
- mod_access_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
-Index: src/network_writev.c
-===================================================================
---- src/network_writev.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/network_writev.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -55,7 +55,7 @@
- const size_t max_chunks = MAX_IOVEC;
- #elif defined(UIO_MAXIOV) /* Linux x86 (glibc-2.2.5-233) */
- const size_t max_chunks = UIO_MAXIOV;
--#elif (defined(__FreeBSD__) && __FreeBSD_version < 500000) /* FreeBSD 4.x */
-+#elif (defined(__FreeBSD__) && __FreeBSD_version < 500000) || defined(__DragonFly__) /* FreeBSD 4.x */
- const size_t max_chunks = 1024; /* UIO_MAXIOV value from sys/uio.h */
- #else
- #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de"
-Index: src/mod_expire.c
-===================================================================
---- src/mod_expire.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/mod_expire.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -85,7 +85,7 @@
- /*
- * parse
- *
-- * '(access|modification) [plus] {<num> <type>}*'
-+ * '(access|now|modification) [plus] {<num> <type>}*'
- *
- * e.g. 'access 1 years'
- */
-@@ -101,6 +101,9 @@
- if (0 == strncmp(ts, "access ", 7)) {
- type = 0;
- ts += 7;
-+ } else if (0 == strncmp(ts, "now ", 4)) {
-+ type = 0;
-+ ts += 4;
- } else if (0 == strncmp(ts, "modification ", 13)) {
- type = 1;
- ts += 13;
-@@ -116,7 +119,7 @@
- ts += 5;
+ /**
+ * the $apr1$ handling is taken from apache 1.3.x
+ */
+@@ -95,7 +99,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
+@@ -435,7 +439,7 @@
+
+ static void to64(char *s, unsigned long v, int n)
+ {
+- static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
++ static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+ while (--n >= 0) {
+@@ -455,7 +459,7 @@
+ const char *sp, *ep;
+ unsigned char final[APR_MD5_DIGESTSIZE];
+ ssize_t sl, pl, i;
+- MD5_CTX ctx, ctx1;
++ li_MD5_CTX ctx, ctx1;
+ unsigned long l;
+
+ /*
+@@ -487,33 +491,33 @@
+ /*
+ * 'Time to make the doughnuts..'
+ */
+- MD5_Init(&ctx);
++ li_MD5_Init(&ctx);
+
+ /*
+ * The password first, since that is what is most unknown
+ */
+- MD5_Update(&ctx, pw, strlen(pw));
++ li_MD5_Update(&ctx, pw, strlen(pw));
+
+ /*
+ * Then our magic string
+ */
+- MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
++ li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
+
+ /*
+ * Then the raw salt
+ */
+- MD5_Update(&ctx, sp, sl);
++ li_MD5_Update(&ctx, sp, sl);
+
+ /*
+ * Then just as many characters of the MD5(pw, salt, pw)
+ */
+- MD5_Init(&ctx1);
+- MD5_Update(&ctx1, pw, strlen(pw));
+- MD5_Update(&ctx1, sp, sl);
+- MD5_Update(&ctx1, pw, strlen(pw));
+- MD5_Final(final, &ctx1);
++ li_MD5_Init(&ctx1);
++ li_MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, sp, sl);
++ li_MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Final(final, &ctx1);
+ for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) {
+- MD5_Update(&ctx, final,
++ li_MD5_Update(&ctx, final,
+ (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl);
+ }
+
+@@ -527,10 +531,10 @@
+ */
+ for (i = strlen(pw); i != 0; i >>= 1) {
+ if (i & 1) {
+- MD5_Update(&ctx, final, 1);
++ li_MD5_Update(&ctx, final, 1);
+ }
+ else {
+- MD5_Update(&ctx, pw, 1);
++ li_MD5_Update(&ctx, pw, 1);
+ }
+ }
+
+@@ -542,7 +546,7 @@
+ strncat(passwd, sp, sl);
+ strcat(passwd, "$");
+
+- MD5_Final(final, &ctx);
++ li_MD5_Final(final, &ctx);
+
+ /*
+ * And now, just to make sure things don't run too fast..
+@@ -550,28 +554,28 @@
+ * need 30 seconds to build a 1000 entry dictionary...
+ */
+ for (i = 0; i < 1000; i++) {
+- MD5_Init(&ctx1);
++ li_MD5_Init(&ctx1);
+ if (i & 1) {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+ else {
+- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+ }
+ if (i % 3) {
+- MD5_Update(&ctx1, sp, sl);
++ li_MD5_Update(&ctx1, sp, sl);
+ }
+
+ if (i % 7) {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+
+ if (i & 1) {
+- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+ }
+ else {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+- MD5_Final(final,&ctx1);
++ li_MD5_Final(final,&ctx1);
+ }
+
+ p = passwd + strlen(passwd);
+@@ -614,17 +618,17 @@
+ * user:realm:md5(user:realm:password)
+ */
+
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ char a1[256];
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ CvtHex(HA1, a1);
+
+@@ -930,7 +934,7 @@
+ int i;
+ buffer *password, *b, *username_buf, *realm_buf;
+
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ HASH HA2;
+ HASH RespHash;
+@@ -1067,13 +1071,13 @@
+
+ if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
+ /* generate password from plain-text */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
++ li_MD5_Final(HA1, &Md5Ctx);
+ } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) {
+ /* HA1 */
+ /* transform the 32-byte-hex-md5 to a 16-byte-md5 */
+@@ -1090,45 +1094,45 @@
+
+ if (algorithm &&
+ strcasecmp(algorithm, "md5-sess") == 0) {
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++ li_MD5_Final(HA1, &Md5Ctx);
}
-- /* the rest is just <number> (years|months|days|hours|minutes|seconds) */
-+ /* the rest is just <number> (years|months|weeks|days|hours|minutes|seconds) */
- while (1) {
- char *space, *err;
- int num;
-@@ -148,6 +151,9 @@
- } else if (slen == 6 &&
- 0 == strncmp(ts, "months", slen)) {
- num *= 60 * 60 * 24 * 30;
-+ } else if (slen == 5 &&
-+ 0 == strncmp(ts, "weeks", slen)) {
-+ num *= 60 * 60 * 24 * 7;
- } else if (slen == 4 &&
- 0 == strncmp(ts, "days", slen)) {
- num *= 60 * 60 * 24;
-@@ -174,6 +180,8 @@
- num *= 60 * 60 * 24 * 30 * 12;
- } else if (0 == strcmp(ts, "months")) {
- num *= 60 * 60 * 24 * 30;
-+ } else if (0 == strcmp(ts, "weeks")) {
-+ num *= 60 * 60 * 24 * 7;
- } else if (0 == strcmp(ts, "days")) {
- num *= 60 * 60 * 24;
- } else if (0 == strcmp(ts, "hours")) {
-Index: src/network_freebsd_sendfile.c
-===================================================================
---- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -25,7 +25,7 @@
+ CvtHex(HA1, a1);
+ /* calculate H(A2) */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
+ if (qop && strcasecmp(qop, "auth-int") == 0) {
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
+ }
+- MD5_Final(HA2, &Md5Ctx);
++ li_MD5_Final(HA2, &Md5Ctx);
+ CvtHex(HA2, HA2Hex);
- #ifndef UIO_MAXIOV
--# ifdef __FreeBSD__
-+# if defined(__FreeBSD__) || defined(__DragonFly__)
- /* FreeBSD 4.7, 4.9 defined it in sys/uio.h only if _KERNEL is specified */
- # define UIO_MAXIOV 1024
- # endif
-Index: src/http_auth.c
+ /* calculate response */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ if (qop && *qop) {
+- MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ };
+- MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
+- MD5_Final(RespHash, &Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
++ li_MD5_Final(RespHash, &Md5Ctx);
+ CvtHex(RespHash, a2);
+
+ if (0 != strcmp(a2, respons)) {
+@@ -1171,24 +1175,24 @@
+
+ int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) {
+ HASH h;
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ char hh[32];
+
+ UNUSED(p);
+
+ /* generate shared-secret */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+
+ /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+ LI_ltostr(hh, srv->cur_ts);
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ LI_ltostr(hh, rand());
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+
+- MD5_Final(h, &Md5Ctx);
++ li_MD5_Final(h, &Md5Ctx);
+
+ CvtHex(h, out);
+
+Index: src/mod_usertrack.c
===================================================================
---- src/http_auth.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/http_auth.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -733,8 +733,9 @@
- }
- }
+--- src/mod_usertrack.c (.../tags/lighttpd-1.4.29)
++++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
-+ if (p->conf.auth_ldap_allow_empty_pw != 1 && pw[0] == '\0')
-+ return -1;
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
-
- /* build filter */
- buffer_copy_string_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
- buffer_append_string_buffer(p->ldap_filter, username);
-Index: src/http_auth.h
+-#endif
+-
+ /* plugin config for all request/connections */
+
+ typedef struct {
+@@ -182,7 +172,7 @@
+ plugin_data *p = p_d;
+ data_string *ds;
+ unsigned char h[16];
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ char hh[32];
+
+ if (con->uri.path->used == 0) return HANDLER_GO_ON;
+@@ -228,18 +218,18 @@
+ /* taken from mod_auth.c */
+
+ /* generate shared-secret */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+
+ /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+ LI_ltostr(hh, srv->cur_ts);
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ LI_ltostr(hh, rand());
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+
+- MD5_Final(h, &Md5Ctx);
++ li_MD5_Final(h, &Md5Ctx);
+
+ buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX);
+ buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/"));
+Index: src/mod_status.c
===================================================================
---- src/http_auth.h (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/http_auth.h (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -36,6 +36,7 @@
- buffer *auth_ldap_filter;
- buffer *auth_ldap_cafile;
- unsigned short auth_ldap_starttls;
-+ unsigned short auth_ldap_allow_empty_pw;
+--- src/mod_status.c (.../tags/lighttpd-1.4.29)
++++ src/mod_status.c (.../branches/lighttpd-1.4.x)
+@@ -487,7 +487,7 @@
- unsigned short auth_debug;
+ buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">"));
-Index: src/mod_auth.c
+- if (con->request.content_length) {
++ if (c->request.content_length) {
+ buffer_append_long(b, c->request_content_queue->bytes_in);
+ buffer_append_string_len(b, CONST_STR_LEN("/"));
+ buffer_append_long(b, c->request.content_length);
+Index: src/settings.h
===================================================================
---- src/mod_auth.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/mod_auth.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -113,6 +113,7 @@
- PATCH(auth_ldap_filter);
- PATCH(auth_ldap_cafile);
- PATCH(auth_ldap_starttls);
-+ PATCH(auth_ldap_allow_empty_pw);
- #ifdef USE_LDAP
- PATCH(ldap);
- PATCH(ldap_filter_pre);
-@@ -160,6 +161,8 @@
- PATCH(auth_ldap_cafile);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
- PATCH(auth_ldap_starttls);
-+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) {
-+ PATCH(auth_ldap_allow_empty_pw);
- }
- }
- }
-@@ -312,6 +315,7 @@
- { "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
- { "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
- { "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 10 */
-+ { "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
- { "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
- { "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
- { "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 13 */
-@@ -359,11 +363,12 @@
- cv[6].destination = s->auth_ldap_filter;
- cv[7].destination = s->auth_ldap_cafile;
- cv[8].destination = &(s->auth_ldap_starttls);
-- cv[9].destination = s->auth_ldap_binddn;
-- cv[10].destination = s->auth_ldap_bindpw;
-- cv[11].destination = s->auth_htdigest_userfile;
-- cv[12].destination = s->auth_htpasswd_userfile;
-- cv[13].destination = &(s->auth_debug);
-+ cv[9].destination = s->auth_ldap_binddn;
-+ cv[10].destination = s->auth_ldap_bindpw;
-+ cv[11].destination = &(s->auth_ldap_allow_empty_pw);
-+ cv[12].destination = s->auth_htdigest_userfile;
-+ cv[13].destination = s->auth_htpasswd_userfile;
-+ cv[14].destination = &(s->auth_debug);
+--- src/settings.h (.../tags/lighttpd-1.4.29)
++++ src/settings.h (.../branches/lighttpd-1.4.x)
+@@ -21,8 +21,11 @@
+ * 64kB (no real reason, just a guess)
+ */
+ #define BUFFER_MAX_REUSE_SIZE (4 * 1024)
+-#define MAX_READ_LIMIT (4*1024*1024)
- p->config_storage[i] = s;
- ca = ((data_config *)srv->config_context->data[i])->value;
-Index: src/http-header-glue.c
++/* both should be way smaller than SSIZE_MAX :) */
++#define MAX_READ_LIMIT (256*1024)
++#define MAX_WRITE_LIMIT (256*1024)
++
+ /**
+ * max size of the HTTP request header
+ *
+Index: src/mod_cml_lua.c
===================================================================
---- src/http-header-glue.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/http-header-glue.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -148,7 +148,7 @@
- char dst[INET6_ADDRSTRLEN];
-
- log_error_write(srv, __FILE__, __LINE__,
-- "SSSS", "NOTICE: getnameinfo failed: ",
-+ "SSS", "NOTICE: getnameinfo failed: ",
- strerror(errno), ", using ip-address instead");
-
- buffer_append_string(o,
-@@ -162,7 +162,7 @@
- case AF_INET:
- if (NULL == (he = gethostbyaddr((char *)&our_addr.ipv4.sin_addr, sizeof(struct in_addr), AF_INET))) {
- log_error_write(srv, __FILE__, __LINE__,
-- "SdSS", "NOTICE: gethostbyaddr failed: ",
-+ "SdS", "NOTICE: gethostbyaddr failed: ",
- h_errno, ", using ip-address instead");
-
- buffer_append_string(o, inet_ntoa(our_addr.ipv4.sin_addr));
+--- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x)
+@@ -11,18 +11,6 @@
+ #include <time.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
Index: src/mod_fastcgi.c
===================================================================
---- src/mod_fastcgi.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -275,6 +275,7 @@
- buffer *key; /* like .php */
-
- int note_is_sent;
-+ int last_used_ndx;
-
- fcgi_extension_host **hosts;
-
-@@ -563,6 +564,7 @@
- fe = calloc(1, sizeof(*fe));
- assert(fe);
- fe->key = buffer_init();
-+ fe->last_used_ndx = -1;
- buffer_copy_string_buffer(fe->key, key);
-
- /* */
-@@ -2365,6 +2367,7 @@
- * check how much we have to read
- */
- if (ioctl(hctx->fd, FIONREAD, &toread)) {
-+ if (errno == EAGAIN) return 0;
- log_error_write(srv, __FILE__, __LINE__, "sd",
- "unexpected end-of-file (perhaps the fastcgi process died):",
- fcgi_fd);
-@@ -2375,12 +2378,23 @@
-
- if (toread > 0) {
- buffer *b;
-+ chunk *cq_first = hctx->rb->first;
-+ chunk *cq_last = hctx->rb->last;
-
- b = chunkqueue_get_append_buffer(hctx->rb);
- buffer_prepare_copy(b, toread + 1);
-
- /* append to read-buffer */
- if (-1 == (r = read(hctx->fd, b->ptr, toread))) {
-+ if (errno == EAGAIN) {
-+ /* roll back the last chunk allocation,
-+ and continue on next iteration */
-+ buffer_free(hctx->rb->last->mem);
-+ free(hctx->rb->last);
-+ hctx->rb->first = cq_first;
-+ hctx->rb->last = cq_last;
-+ return 0;
-+ }
- log_error_write(srv, __FILE__, __LINE__, "sds",
- "unexpected end-of-file (perhaps the fastcgi process died):",
- fcgi_fd, strerror(errno));
-@@ -2393,6 +2407,7 @@
- b->used = r + 1; /* one extra for the fake \0 */
- b->ptr[b->used - 1] = '\0';
- } else {
-+ if (errno == EAGAIN) return 0;
- log_error_write(srv, __FILE__, __LINE__, "ssdsb",
- "unexpected end-of-file (perhaps the fastcgi process died):",
- "pid:", proc->pid,
-@@ -2499,6 +2514,8 @@
- }
- break;
- case FCGI_STDERR:
-+ if (packet.len == 0) break;
-+
- log_error_write(srv, __FILE__, __LINE__, "sb",
- "FastCGI-stderr:", packet.b);
-
-@@ -2979,17 +2996,23 @@
- size_t k;
- int ndx, used = -1;
-
-- /* get best server */
-- for (k = 0, ndx = -1; k < hctx->ext->used; k++) {
-- host = hctx->ext->hosts[k];
-+ /* check if the next server has no load. */
-+ ndx = hctx->ext->last_used_ndx + 1;
-+ if(ndx >= hctx->ext->used || ndx < 0) ndx = 0;
-+ host = hctx->ext->hosts[ndx];
-+ if (host->load > 0) {
-+ /* get backend with the least load. */
-+ for (k = 0, ndx = -1; k < hctx->ext->used; k++) {
-+ host = hctx->ext->hosts[k];
-
-- /* we should have at least one proc that can do something */
-- if (host->active_procs == 0) continue;
-+ /* we should have at least one proc that can do something */
-+ if (host->active_procs == 0) continue;
-
-- if (used == -1 || host->load < used) {
-- used = host->load;
-+ if (used == -1 || host->load < used) {
-+ used = host->load;
-
-- ndx = k;
-+ ndx = k;
-+ }
- }
+--- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29)
++++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x)
+@@ -3075,7 +3075,7 @@
+ fcgi_set_state(srv, hctx, FCGI_STATE_WRITE);
+ /* fall through */
+ case FCGI_STATE_WRITE:
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
+
+ chunkqueue_remove_finished_chunks(hctx->wb);
+
+@@ -3132,7 +3132,6 @@
+ plugin_data *p = p_d;
+
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+- fcgi_proc *proc;
+ fcgi_extension_host *host;
+
+ if (NULL == hctx) return HANDLER_GO_ON;
+@@ -3201,7 +3200,6 @@
+ /* ok, create the request */
+ switch(fcgi_write_request(srv, hctx)) {
+ case HANDLER_ERROR:
+- proc = hctx->proc;
+ host = hctx->host;
+
+ if (hctx->state == FCGI_STATE_INIT ||
+Index: src/network_solaris_sendfilev.c
+===================================================================
+--- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29)
++++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x)
+@@ -38,17 +38,16 @@
+ */
+
+
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -77,9 +76,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -119,11 +118,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -139,8 +137,8 @@
}
+ case FILE_CHUNK: {
+ ssize_t r;
+- off_t offset;
+- size_t toSend, written;
++ off_t offset, toSend;
++ size_t written;
+ sendfilevec_t fvec;
+ stat_cache_entry *sce = NULL;
+ int ifd;
+@@ -153,6 +151,7 @@
+
+ offset = c->file.start + c->offset;
+ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (offset > sce->st.st_size) {
+ log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
+@@ -186,6 +185,7 @@
+ close(ifd);
+ c->offset += written;
+ cq->bytes_out += written;
++ max_bytes -= written;
-@@ -3005,6 +3028,7 @@
- return HANDLER_FINISHED;
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -207,7 +207,7 @@
}
+ }
-+ hctx->ext->last_used_ndx = ndx;
- host = hctx->ext->hosts[ndx];
+- return chunks_written;
++ return 0;
+ }
- /*
-Index: src/server.c
+ #endif
+Index: src/CMakeLists.txt
===================================================================
---- src/server.c (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ src/server.c (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -163,6 +163,7 @@
- #undef CLEAN
-
- for (i = 0; i < FILE_CACHE_MAX; i++) {
-+ srv->mtime_cache[i].mtime = (time_t)-1;
- srv->mtime_cache[i].str = buffer_init();
- }
+Index: src/mod_dirlisting.c
+===================================================================
+--- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29)
++++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x)
+@@ -657,7 +657,8 @@
+ i = dir->used - 1;
-@@ -1231,6 +1232,19 @@
- srv_socket->fd = -1;
+ #ifdef HAVE_PATHCONF
+- if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++ if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++ /* some broken fs (fuse) return 0 instead of -1 */
+ #ifdef NAME_MAX
+ name_max = NAME_MAX;
+ #else
+Index: src/network_linux_sendfile.c
+===================================================================
+--- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29)
++++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x)
+@@ -27,17 +27,16 @@
+ /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */
+ #undef HAVE_POSIX_FADVISE
- /* network_close() will cleanup after us */
-+
-+ if (srv->srvconf.pid_file->used &&
-+ srv->srvconf.changeroot->used == 0) {
-+ if (0 != unlink(srv->srvconf.pid_file->ptr)) {
-+ if (errno != EACCES && errno != EPERM) {
-+ log_error_write(srv, __FILE__, __LINE__, "sbds",
-+ "unlink failed for:",
-+ srv->srvconf.pid_file,
-+ errno,
-+ strerror(errno));
-+ }
-+ }
-+ }
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -45,12 +44,10 @@
+ chunk *tc;
+ size_t num_bytes = 0;
+
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < UIO_MAXIOV
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for (num_chunks = 0, tc = c;
+ tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV;
+@@ -67,9 +64,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -100,6 +97,7 @@
+
+ /* check which chunks have been written */
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+ if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -109,11 +107,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
}
- }
+ } else {
+ /* partially written */
+@@ -130,13 +127,12 @@
+ case FILE_CHUNK: {
+ ssize_t r;
+ off_t offset;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+
+ offset = c->file.start + c->offset;
+- /* limit the toSend to 2^31-1 bytes in a chunk */
+- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+- ((1 << 30) - 1) : c->file.length - c->offset;
++ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
-@@ -1335,7 +1349,8 @@
+ /* open file if not already opened */
+ if (-1 == c->file.fd) {
+@@ -215,6 +211,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -243,7 +240,7 @@
+ }
}
- if (srv->srvconf.pid_file->used &&
-- srv->srvconf.changeroot->used == 0) {
-+ srv->srvconf.changeroot->used == 0 &&
-+ 0 == graceful_shutdown) {
- if (0 != unlink(srv->srvconf.pid_file->ptr)) {
- if (errno != EACCES && errno != EPERM) {
- log_error_write(srv, __FILE__, __LINE__, "sbds",
-Index: doc/extforward.txt
+- return chunks_written;
++ return 0;
+ }
+
+ #endif
+Index: tests/mod-auth.t
===================================================================
---- doc/extforward.txt (.../tags/lighttpd-1.4.13) (revision 0)
-+++ doc/extforward.txt (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -0,0 +1,96 @@
-+==============
-+mod_extforward
-+==============
-+
-+.. contents::
-+
-+Overview
-+========
-+
-+Comman Kang <comman.kang at gmail.com> sent me: ::
-+
-+ Hello jan.
-+
-+ I've made something rough but similar to mod_extract_forwarded for
-+ Apache. This module will extract the client's "real" ip from
-+ X-Forwarded-For header which is added by squid or other proxies. It might be
-+ useful for servers behind reverse proxy servers.
-+
-+ However, this module is causing segfault with mod_ssl or
-+ $HTTP{''socket"} directive, crashing in config_check_cond while patching
-+ connection , I do not understand architecture of the lighttpd well, does it
-+ need to call patch_connection in either handle_request_done and
-+ connection_reset ?
-+
-+Lionel Elie Mamane <lionel@mamane.lu> improved the patch: ::
-+
-+ I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've
-+ extended it. Here is the result.
-+
-+ Major changes:
-+
-+ - IPv6 support
-+
-+ - Fixed at least one segfault with SERVER['socket']
-+
-+ - Arrange things so that a url.access-deny under scope of a
-+ HTTP['remoteip'] condition works well :)
-+
-+ I've commented the code in some places, mostly where I wasn't sure
-+ what was going on, or I didn't see what the original author meant to
-+ do.
-+
-+Options
-+=======
-+
-+extforward.forwarder
-+ Sets trust level of proxy IP's.
-+
-+ Default: empty
-+
-+ Example: ::
-+
-+ extforward.forwarder = ("10.0.0.232" => "trust")
-+
-+ will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header.
-+
-+Note
-+=======
-+
-+The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions.
-+Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
-+Things done in between these two moments will match on the real client's IP.
-+The moment things are done by a module depends on in which hook it does things and within the same hook
-+on whether they are before/after us in the module loading order
-+(order in the server.modules directive in the config file).
-+
-+Tested behaviours:
-+
-+ mod_access: Will match on the real client.
-+
-+ mod_accesslog:
-+ In order to see the "real" ip address in access log ,
-+ you'll have to load mod_extforward after mod_accesslog.
-+ like this: ::
-+
-+ server.modules = (
-+ .....
-+ mod_accesslog,
-+ mod_extforward
-+ )
-+
-+Samples
-+=======
-+
-+Trust proxy 10.0.0.232 and 10.0.0.232 ::
-+
-+ extforward.forwarder = (
-+ "10.0.0.232" => "trust",
-+ "10.0.0.233" => "trust",
-+ )
-+
-+Trust all proxies (NOT RECOMMENDED!) ::
-+
-+ extforward.forwarder = ( "all" => "trust")
-+
-+Note that "all" has precedence over specific entries, so "all except" setups will not work.
-Index: doc/Makefile.am
+--- tests/mod-auth.t (.../tags/lighttpd-1.4.29)
++++ tests/mod-auth.t (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+
+ $t->{REQUEST} = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
++
++$t->{REQUEST} = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+ );
+Index: tests/request.t
+===================================================================
+--- tests/request.t (.../tags/lighttpd-1.4.29)
++++ tests/request.t (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 44;
++use Test::More tests => 46;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -413,5 +413,21 @@
+ $t->{SLOWREQUEST} = 1;
+ ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)');
+
++print "\nPathinfo for static files\n";
++$t->{REQUEST} = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ];
++ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default');
++
++$t->{REQUEST} = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++Host: zzz.example.org
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
++ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
++
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+
+Index: tests/wrapper.sh
+===================================================================
+--- tests/wrapper.sh (.../tags/lighttpd-1.4.29)
++++ tests/wrapper.sh (.../branches/lighttpd-1.4.x)
+@@ -6,4 +6,4 @@
+ top_builddir=$2
+ export SHELL srcdir top_builddir
+
+-$3
++exec $3
+Index: tests/lighttpd.conf
+===================================================================
+--- tests/lighttpd.conf (.../tags/lighttpd-1.4.29)
++++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x)
+@@ -149,6 +149,7 @@
+ $HTTP["host"] == "zzz.example.org" {
+ server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
+ server.name = "zzz.example.org"
++ static-file.disable-pathinfo = "enable"
+ }
+
+ $HTTP["host"] == "symlink.example.org" {
+Index: configure.ac
+===================================================================
+Index: doc/config/lighttpd.conf
+===================================================================
+--- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29)
++++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x)
+@@ -394,6 +394,25 @@
+ ## $SERVER["socket"] == "10.0.0.1:443" {
+ ## ssl.engine = "enable"
+ ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
++## #
++## # Mitigate BEAST attack:
++## #
++## # A stricter base cipher suite. For details see:
++## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
++## #
++## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++## #
++## # Make the server prefer the order of the server side cipher suite instead of the client suite.
++## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
++## # This option is enabled by default, but only used if ssl.ciphers is set.
++## #
++## # ssl.honor-cipher-order = "enable"
++## #
++## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
++## # This is enabled by default.
++## #
++## # ssl.disable-client-renegotiation = "enable"
++## #
+ ## server.name = "www.example.com"
+ ##
+ ## server.document-root = "/srv/www/vhosts/example.com/www/"
+Index: SConstruct
===================================================================
---- doc/Makefile.am (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ doc/Makefile.am (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -6,6 +6,7 @@
- cgi.txt \
- compress.txt \
- configuration.txt \
-+extforward.txt \
- fastcgi-state.txt \
- fastcgi.txt \
- features.txt \
-@@ -43,6 +44,7 @@
- cgi.html \
- compress.html \
- configuration.html \
-+ extforward.html \
- fastcgi-state.html \
- fastcgi.html \
- features.html \
Index: NEWS
===================================================================
---- NEWS (.../tags/lighttpd-1.4.13) (revision 1718)
-+++ NEWS (.../branches/lighttpd-1.4.x) (revision 1718)
-@@ -3,6 +3,23 @@
+--- NEWS (.../tags/lighttpd-1.4.29)
++++ NEWS (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,20 @@
NEWS
====
-+- 1.4.14 - ???
-+ * added mod_extforward module [1665]
-+ * added HTTPS=on to the environment of cgi scripts (#861)
-+ * fix handling of 303 #1045
-+ * made the configure check for lua more portable [1677]
-+ * fix http 500 errors (colin.stephen/at/o2.com) #1041
-+ * prevent wrong pidfile unlinking on graceful restart (Chris Webb) [1656]
-+ * ignore empty packets from STDERR stream. #998
-+ * fix a crash for files with an mtime of 0 reported by cubiq on irc [1519]
-+ * allow empty passwords with ldap (Jörg Sonnenberger) [1516]
-+ * mod_scgi.c segfault fix #964
-+ * Added round-robin support to mod_fastcgi [1500]
-+ * Handle DragonFlyBSD the same way as Freebsd (Jörg Sonnenberger) [1492]
-+ * added now and weeks support to mod_expire. #943
-+ * fix cpu hog in certain requests [1473]
-+ * fix for handling hostnames with trailing dot [1406]
-+
- - 1.4.13 - 2006-10-09
-
- * added initgroups in spawn-fcgi (#871)
-@@ -56,7 +73,7 @@
- - 1.4.11 - 2006-03-09
-
- * added ability to specify which ip address spawn-fci listens on
-- (agkr@pobox.com)
-+ (agkr/at/pobox.com)
- * added mod_flv_streaming to streaming Flash Movies efficiently
- * fixed handling of error codes returned by mod_dav_svn behing a
- mod_proxy
-@@ -68,7 +85,7 @@
- * fixed local source retrieval on windows
- (secunia)
- * fixed hanging cgi if remote side is dieing while reading
-- from the pipe (sandy@meebo.com)
-+ from the pipe (sandy/at/meebo.com)
-
- - 1.4.10 - 2006-02-08
-
-@@ -84,23 +101,23 @@
-
- - 1.4.9 - 2006-01-14
-
-- * added server.core-files option (sandy <sandy@meebo.com>)
-+ * added server.core-files option (sandy <sandy/at/meebo.com>)
- * added docs for mod_status
-- * added mod_evasive to limit the number of connections by IP (<w1zzard@techpowerup.com>)
-+ * added mod_evasive to limit the number of connections by IP (<w1zzard/at/techpowerup.com>)
- * added the power-magnet to mod_cml
- * added internal statistics to mod_fastcgi
- * added server.statistics-url to get internal statistics from mod_status
- * added support for conditional range-requests through If-Range
- * added static building via scons
-- * fixed 100% cpu loops in mod_cgi ("sandy" <sjen@cs.stanford.edu>)
-- * fixed handling for secure-download.timeout (jamis@37signals.com)
-- * fixed IE bug in content-charset in the output of mod_dirlisting (sniper@php.net)
-- * fixed typos and language in the docs (ryan-2005@ryandesign.com)
-- * fixed assertion in mod_cgi on HEAD request is Content-Length (<sandy@meebo.com>)
-+ * fixed 100% cpu loops in mod_cgi ("sandy" <sjen/at/cs.stanford.edu>)
-+ * fixed handling for secure-download.timeout (jamis/at/37signals.com)
-+ * fixed IE bug in content-charset in the output of mod_dirlisting (sniper/at/php.net)
-+ * fixed typos and language in the docs (ryan-2005/at/ryandesign.com)
-+ * fixed assertion in mod_cgi on HEAD request is Content-Length (<sandy/at/meebo.com>)
- * fixed handling if equal but duplicate If-Modified-Since request headers
- * fixed endless loops in mod_fastcgi if backend is dead
- * fixed Depth: 1 handling in PROPFIND requests on empty dirs
-- * fixed encoding of UTF8 encoded dirlistings (Jani Taskinen <sniper@iki.fi>)
-+ * fixed encoding of UTF8 encoded dirlistings (Jani Taskinen <sniper/at/iki.fi>)
- * fixed initial bind to a unix-domain socket through server.bind
- * fixed handling of lowercase filesystems
- * fixed duplicate request headers cause by mod_setenv
-@@ -108,12 +125,12 @@
- - 1.4.8 - 2005-11-23
-
- * added auto-reconnect to ldap-server in mod_auth
-- (joerg@netbsd.org)
-+ (joerg/at/netbsd.org)
- * changed auth.ldap-cafile to be optional
-- (joerg@netbsd.org)
-+ (joerg/at/netbsd.org)
- * added strip_request_uri in mod_fastcgi
- * added more X-* headers to mod_proxy
-- (Ben Grimm <bengrimm@gmail.com>)
-+ (Ben Grimm <bengrimm/at/gmail.com>)
- * added 'debug' to simple-vhost to suppress the
- (mod_simple_vhost.c.157) No such file or directory /servers/ww.lighttpd.net/pages/
- messages by default
-@@ -124,11 +141,11 @@
- * fixed encoding the filenames in PROPFIND in mod_webdav
- * fixed range request handling in network_writev
- * fixed retry on connect error in mod_fastcgi
-- (Robert G. Jakabosky <bobby@alphatrade.com>)
-+ (Robert G. Jakabosky <bobby/at/alphatrade.com>)
- * fixed possible crash in mod_webdav if sqlite3 support
- is available but not use
- * fixed fdvent-handler init if server.max-worker was used
-- (Siddharth Vijayakrishnan <mail@bluefireworks.net>)
-+ (Siddharth Vijayakrishnan <mail/at/bluefireworks.net>)
- * fixed missing cleanup in mysql_vhost
- * fixed assert() in "connections.c:962:
- connection_handle_read_state: Assertion 'c->mem->used' failed."
-@@ -139,7 +156,7 @@
- * fixed unsigned/signed comparisions
- * fixed streaming in mod_cgi
- * fixed possible overflow in password-salt handling
-- (reported on slashdot by james-web@and.org)
-+ (reported on slashdot by james-web/at/and.org)
- * fixed server-traffic-limit if connection limit is not set
-
- - 1.4.7 - 2005-11-02
-@@ -150,7 +167,7 @@
- * added support for %I in mod_accesslog
- * added better compat to Apache for ?auto in mod_status
- * added support for userdirs without a entry in /etc/passwd in mod_userdir
-- (rob@inversepath.com)
-+ (rob/at/inversepath.com)
- * added startup-time selectable network-backend
- * added location of upload-files to config as array
- * added webdav.log-xml for logging xml-content in mod_webdav
-
-Property changes on: .
-___________________________________________________________________
-Name: svk:merge
- + a98e19e4-a712-0410-8832-6551a15ffc53:/local/branches/lighttpd-1.4.x:1557
-
+-- 1.4.29 -
++- 1.4.30 -
++ * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
++ * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
++ * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
++ * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file
++ * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
++ * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351)
++ * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
++ * [ssl] count renegotiations to prevent client renegotiations
++ * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
++ * [core] accept dots in ipv6 addresses in host header (fixes #2359)
++ * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
++
++- 1.4.29 - 2011-07-03
+ * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)
+ * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257)
+ * mod_cgi: make read buffer as big as incoming data block
+Index: CMakeLists.txt
+===================================================================