no dist-xz for ac
[packages/lighttpd.git] / lighttpd-branch.diff
index 81ed49ddfd9e28defcf5f20a60da1cd6e8877d7d..76f06ce17cb591b31c716dc962d936cf96c36b2c 100644 (file)
-Index: configure.in
+# Revision 2815
+Index: src/http_auth_digest.c
 ===================================================================
-Index: src/configfile-glue.c
+--- src/http_auth_digest.c     (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.c     (.../branches/lighttpd-1.4.x)
+@@ -1,26 +0,0 @@
+-#include "buffer.h"
+-
+-#include "http_auth_digest.h"
+-
+-#include <string.h>
+-
+-#ifndef USE_OPENSSL
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+-void CvtHex(IN HASH Bin, OUT HASHHEX Hex) {
+-      unsigned short i;
+-
+-      for (i = 0; i < HASHLEN; i++) {
+-              Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
+-              Hex[i*2+1] = int2hex(Bin[i] & 0xf);
+-      }
+-      Hex[HASHHEXLEN] = '\0';
+-}
+-
+Index: src/http_auth_digest.h
 ===================================================================
---- src/configfile-glue.c      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/configfile-glue.c      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -277,7 +277,7 @@
-               }
-               break;
-       }
--      case COMP_HTTP_REMOTEIP: {
-+      case COMP_HTTP_REMOTE_IP: {
-               char *nm_slash;
-               /* handle remoteip limitations
-                *
-@@ -341,11 +341,15 @@
-               }
-               break;
-       }
-+      case COMP_HTTP_SCHEME:
-+              l = con->uri.scheme;
-+              break;
-+
-       case COMP_HTTP_URL:
-               l = con->uri.path;
-               break;
+--- src/http_auth_digest.h     (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.h     (.../branches/lighttpd-1.4.x)
+@@ -1,24 +0,0 @@
+-#ifndef _DIGCALC_H_
+-#define _DIGCALC_H_
+-
+-#ifdef HAVE_CONFIG_H
+-# include "config.h"
+-#endif
+-
+-#define HASHLEN 16
+-typedef unsigned char HASH[HASHLEN];
+-#define HASHHEXLEN 32
+-typedef char HASHHEX[HASHHEXLEN+1];
+-#ifdef USE_OPENSSL
+-#define IN const
+-#else
+-#define IN
+-#endif
+-#define OUT
+-
+-void CvtHex(
+-    IN HASH Bin,
+-    OUT HASHHEX Hex
+-    );
+-
+-#endif
+Index: src/network_write.c
+===================================================================
+--- src/network_write.c        (.../tags/lighttpd-1.4.29)
++++ src/network_write.c        (.../branches/lighttpd-1.4.x)
+@@ -24,17 +24,16 @@
+ # include <sys/resource.h>
+ #endif
  
--      case COMP_HTTP_QUERYSTRING:
-+      case COMP_HTTP_QUERY_STRING:
-               l = con->uri.query;
-               break;
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+       chunk *c;
+-      size_t chunks_written = 0;
  
-@@ -372,7 +376,7 @@
-               }
-               break;
-       }
--      case COMP_HTTP_USERAGENT: {
-+      case COMP_HTTP_USER_AGENT: {
-               data_string *ds;
-               if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "User-Agent"))) {
-                       l = ds->value;
-@@ -381,7 +385,17 @@
-               }
-               break;
-       }
-+      case COMP_HTTP_REQUEST_METHOD: {
-+              const char *method = get_http_method_name(con->request.http_method);
+-      for(c = cq->first; c; c = c->next) {
++      for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+               int chunk_finished = 0;
  
-+              /* we only have the request method as const char but we need a buffer for comparing */
-+
-+              buffer_copy_string(srv->tmp_buf, method);
-+
-+              l = srv->tmp_buf;
+               switch(c->type) {
+               case MEM_CHUNK: {
+                       char * offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       ssize_t r;
+                       if (c->mem->used == 0) {
+@@ -44,6 +43,8 @@
+                       offset = c->mem->ptr + c->offset;
+                       toSend = c->mem->used - 1 - c->offset;
++                      if (toSend > max_bytes) toSend = max_bytes;
 +
-+              break;
-+      }
-       default:
-               return COND_RESULT_FALSE;
-       }
-Index: src/mod_cgi.c
-===================================================================
---- src/mod_cgi.c      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_cgi.c      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1004,6 +1004,7 @@
-       case -1:
-               /* error */
-               log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno));
-+              return -1;
-               break;
-       default: {
-               handler_ctx *hctx;
-@@ -1227,8 +1228,14 @@
- #if 0
-                               log_error_write(srv, __FILE__, __LINE__, "sd", "(debug) cgi exited fine, pid:", p->cgi_pid.ptr[ndx]);
- #endif
-+                      } else if (WIFSIGNALED(status)) {
-+                              /* FIXME: what if we killed the CGI script with a kill(..., SIGTERM) ?
-+                               */
-+                              if (WTERMSIG(status) != SIGTERM) {
-+                                      log_error_write(srv, __FILE__, __LINE__, "sd", "cleaning up CGI: process died with signal", WTERMSIG(status));
-+                              }
-                       } else {
--                              log_error_write(srv, __FILE__, __LINE__, "s", "cgi died ?");
-+                              log_error_write(srv, __FILE__, __LINE__, "s", "cleaning up CGI: ended unexpectedly");
-                       }
+ #ifdef __WIN32
+                       if ((r = send(fd, offset, toSend, 0)) < 0) {
+                               /* no error handling for windows... */
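Review bot: With `toSend` now a signed `off_t`, the clamp `if (toSend > max_bytes) toSend = max_bytes;` bounds only the upper side: if `c->offset` were ever past `c->mem->used - 1`, the subtraction would normally end up negative, pass the clamp, and be converted to a very large length when handed to `send()`/`write()`. Nothing in the hunk shows that invariant being enforced, so a guard right after the assignment, such as `if (toSend < 0) return -1;`, would make the bound explicit (the function's error path is outside the hunk, so match whatever it already uses). The same pattern appears in the FILE_CHUNK hunk `@@ -98,6 +100,8 @@` with `toSend = c->file.length - c->offset;`. The enclosing function starts and ends outside this hunk.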
+@@ -72,6 +73,7 @@
  
-                       cgi_pid_del(srv, p, p->cgi_pid.ptr[ndx]);
-Index: src/mod_secure_download.c
-===================================================================
---- src/mod_secure_download.c  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_secure_download.c  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -245,7 +245,8 @@
-       /* timed-out */
-       if (srv->cur_ts - ts > p->conf.timeout ||
-           srv->cur_ts - ts < -p->conf.timeout) {
--              con->http_status = 408;
-+              /* "Gone" as the url will never be valid again instead of "408 - Timeout" where the request may be repeated */
-+              con->http_status = 410;
-               return HANDLER_FINISHED;
-       }
-Index: src/base.h
-===================================================================
---- src/base.h (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/base.h (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -515,6 +515,7 @@
- #ifdef USE_OPENSSL
-       SSL_CTX *ssl_ctx;
+                       c->offset += r;
+                       cq->bytes_out += r;
++                      max_bytes -= r;
+                       if (c->offset == (off_t)c->mem->used - 1) {
+                               chunk_finished = 1;
+@@ -85,7 +87,7 @@
  #endif
-+       unsigned short is_proxy_ssl;
- } server_socket;
+                       ssize_t r;
+                       off_t offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       stat_cache_entry *sce = NULL;
+                       int ifd;
  
- typedef struct {
-Index: src/connections.c
-===================================================================
---- src/connections.c  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/connections.c  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -394,10 +394,13 @@
-                        * 403 is from the response handler when noone else catched it
-                        *
-                        * */
--                      if (con->uri.path->used &&
-+                      if ((!con->http_status || con->http_status == 200) && con->uri.path->used &&
-                           con->uri.path->ptr[0] != '*') {
-                               response_header_insert(srv, con, CONST_STR_LEN("Allow"), CONST_STR_LEN("OPTIONS, GET, HEAD, POST"));
-+                              con->response.transfer_encoding &= ~HTTP_TRANSFER_ENCODING_CHUNKED;
-+                              con->parsed_response &= ~HTTP_CONTENT_LENGTH;
+@@ -98,6 +100,8 @@
+                       offset = c->file.start + c->offset;
+                       toSend = c->file.length - c->offset;
++                      if (toSend > max_bytes) toSend = max_bytes;
 +
-                               con->http_status = 200;
-                               con->file_finished = 1;
-@@ -498,9 +501,11 @@
-       case 207:
-       case 200: /* class: header + body */
-       case 201:
-+      case 300:
-       case 301:
-       case 302:
-       case 303:
-+      case 307:
-               break;
+                       if (offset > sce->st.st_size) {
+                               log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
  
-       case 206: /* write_queue is already prepared */
-@@ -511,13 +516,13 @@
-       default:
-               /* disable chunked encoding again as we have no body */
-               con->response.transfer_encoding &= ~HTTP_TRANSFER_ENCODING_CHUNKED;
-+              con->parsed_response &= ~HTTP_CONTENT_LENGTH;
-               chunkqueue_reset(con->write_queue);
+@@ -181,6 +185,7 @@
  
-               con->file_finished = 1;
-               break;
-       }
+                       c->offset += r;
+                       cq->bytes_out += r;
++                      max_bytes -= r;
+                       if (c->offset == c->file.length) {
+                               chunk_finished = 1;
+@@ -200,11 +205,9 @@
  
+                       break;
+               }
 -
-       if (con->file_finished) {
-               /* we have all the content and chunked encoding is not used, set a content-length */
-@@ -536,12 +541,16 @@
-                       if ((con->http_status >= 100 && con->http_status < 200) ||
-                           con->http_status == 204 ||
-                           con->http_status == 304) {
-+                              data_string *ds;
-                               /* no Content-Body, no Content-Length */
--                      } else if (qlen >= 0) {
-+                              if (NULL != (ds = (data_string*) array_get_element(con->response.headers, "Content-Length"))) {
-+                                      buffer_reset(ds->value); // Headers with empty values are ignored for output
-+                              }
-+                      } else if (qlen > 0 || con->request.http_method != HTTP_METHOD_HEAD) {
-                               /* qlen = 0 is important for Redirects (301, ...) as they MAY have
-                                * a content. Browsers are waiting for a Content otherwise
-                                */
--                              buffer_copy_off_t(srv->tmp_buf, chunkqueue_length(con->write_queue));
-+                              buffer_copy_off_t(srv->tmp_buf, qlen);
-                               response_header_overwrite(srv, con, CONST_STR_LEN("Content-Length"), CONST_BUF_LEN(srv->tmp_buf));
-                       }
-@@ -582,6 +591,8 @@
-                * a HEAD request has the same as a GET 
-                * without the content
-                */
-+              con->file_finished = 1;
-+
-               chunkqueue_reset(con->write_queue);
-               con->response.transfer_encoding &= ~HTTP_TRANSFER_ENCODING_CHUNKED;
-       }
-@@ -834,14 +845,8 @@
-               con->plugin_ctx[pd->id] = NULL;
+-              chunks_written++;
        }
  
--#if COND_RESULT_UNSET
--      for (i = srv->config_context->used - 1; i >= 0; i --) {
--              con->cond_cache[i].result = COND_RESULT_UNSET;
--              con->cond_cache[i].patterncount = 0;
--      }
--#else
--      memset(con->cond_cache, 0, sizeof(cond_cache_t) * srv->config_context->used);
--#endif
-+      /* The cond_cache gets reset in response.c */
-+//    config_cond_cache_reset(srv, con);
+-      return chunks_written;
++      return 0;
+ }
  
- #ifdef USE_OPENSSL
-       if (con->ssl_error_want_reuse_buffer) {
-Index: src/array.h
-===================================================================
---- src/array.h        (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/array.h        (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -86,10 +86,12 @@
-       COMP_HTTP_URL,
-       COMP_HTTP_HOST,
-       COMP_HTTP_REFERER,
--      COMP_HTTP_USERAGENT,
-+      COMP_HTTP_USER_AGENT,
-       COMP_HTTP_COOKIE,
--      COMP_HTTP_REMOTEIP,
--      COMP_HTTP_QUERYSTRING,
-+      COMP_HTTP_REMOTE_IP,
-+      COMP_HTTP_QUERY_STRING,
-+      COMP_HTTP_SCHEME,
-+      COMP_HTTP_REQUEST_METHOD,
-       COMP_LAST_ELEMENT
- } comp_key_t;
-Index: src/mod_staticfile.c
+ #if 0
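Review bot: The new return contract is undocumented: the function now ends in `return 0;` where it previously returned the number of chunks written, and the loop stops early once `max_bytes` is used up. A comment above the definition, for example `/* write at most max_bytes from cq to fd; returns 0 on success, progress is reflected in cq->bytes_out */`, would tell authors of the other backends behind `network_backend_write` what callers now expect. Error returns are not visible in these hunks, so the comment should be completed from the full function. The function signature is in the first hunk of this file; its body spans several hunks.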
+Index: src/mod_secure_download.c
 ===================================================================
---- src/mod_staticfile.c       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_staticfile.c       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -352,7 +352,7 @@
-       size_t k;
-       int s_len;
-       stat_cache_entry *sce = NULL;
--      buffer *mtime;
-+      buffer *mtime = NULL;
-       data_string *ds;
-       int allow_caching = 1;
+--- src/mod_secure_download.c  (.../tags/lighttpd-1.4.29)
++++ src/mod_secure_download.c  (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
  
-@@ -450,7 +450,9 @@
-               }
-       }
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
  
--      response_header_overwrite(srv, con, CONST_STR_LEN("Accept-Ranges"), CONST_STR_LEN("bytes"));
-+      if (con->conf.range_requests) {
-+              response_header_overwrite(srv, con, CONST_STR_LEN("Accept-Ranges"), CONST_STR_LEN("bytes"));
-+      }
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -200,7 +190,7 @@
  
-       if (allow_caching) {
-               if (p->conf.etags_used && con->etag_flags != 0 && !buffer_is_empty(sce->etag)) {
-@@ -483,8 +485,24 @@
-                       /* if the value is the same as our ETag, we do a Range-request,
-                        * otherwise a full 200 */
--                      if (!buffer_is_equal(ds->value, con->physical.etag)) {
-+                      if (ds->value->ptr[0] == '"') {
-+                              /**
-+                               * client wants a ETag
-+                               */
-+                              if (!con->physical.etag) {
-+                                      do_range_request = 0;
-+                              } else if (!buffer_is_equal(ds->value, con->physical.etag)) {
-+                                      do_range_request = 0;
-+                              }
-+                      } else if (!mtime) {
-+                              /**
-+                               * we don't have a Last-Modified and can match the If-Range: 
-+                               *
-+                               * sending all
-+                               */
-                               do_range_request = 0;
-+                      } else if (!buffer_is_equal(ds->value, mtime)) {
-+                              do_range_request = 0;
-                       }
-               }
+ URIHANDLER_FUNC(mod_secdownload_uri_handler) {
+       plugin_data *p = p_d;
+-      MD5_CTX Md5Ctx;
++      li_MD5_CTX Md5Ctx;
+       HASH HA1;
+       const char *rel_uri, *ts_str, *md5_str;
+       time_t ts = 0;
+@@ -266,9 +256,9 @@
+       buffer_append_string(p->md5, rel_uri);
+       buffer_append_string_len(p->md5, ts_str, 8);
+-      MD5_Init(&Md5Ctx);
+-      MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
+-      MD5_Final(HA1, &Md5Ctx);
++      li_MD5_Init(&Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
++      li_MD5_Final(HA1, &Md5Ctx);
+       buffer_copy_string_hex(p->md5, (char *)HA1, 16);
  
-Index: src/fdevent_solaris_devpoll.c
-===================================================================
---- src/fdevent_solaris_devpoll.c      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/fdevent_solaris_devpoll.c      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -67,7 +67,7 @@
-       int ret;
-       dopoll.dp_timeout = timeout_ms;
--      dopoll.dp_nfds = ev->maxfds;
-+      dopoll.dp_nfds = ev->maxfds - 1;
-       dopoll.dp_fds = ev->devpollfds;
-       ret = ioctl(ev->devpoll_fd, DP_POLL, &dopoll);
-Index: src/etag.c
+Index: src/base.h
 ===================================================================
---- src/etag.c (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/etag.c (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,5 +1,14 @@
- #include <string.h>
-+
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#endif
-+
-+#if defined HAVE_STDINT_H
- #include <stdint.h>
-+#elif defined HAVE_INTTYPES_H
-+#include <inttypes.h>
-+#endif
+--- src/base.h (.../tags/lighttpd-1.4.29)
++++ src/base.h (.../branches/lighttpd-1.4.x)
+@@ -277,6 +277,7 @@
+       buffer *ssl_cipher_list;
+       buffer *ssl_dh_file;
+       buffer *ssl_ec_curve;
++      unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+       unsigned short ssl_use_sslv2;
+       unsigned short ssl_use_sslv3;
+       unsigned short ssl_verifyclient;
+@@ -284,6 +285,7 @@
+       unsigned short ssl_verifyclient_depth;
+       buffer *ssl_verifyclient_username;
+       unsigned short ssl_verifyclient_export_cert;
++      unsigned short ssl_disable_client_renegotiation;
+       unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */
+       unsigned short defer_accept;
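Review bot: `ssl_disable_client_renegotiation` is added without a comment, unlike `ssl_honor_cipher_order` in the previous hunk; something like `/* drop the connection when a handshake is started again after the initial one */` would match how connections.c tests it together with `con->renegotiations`. The default is assigned outside this section; because the option exists to limit renegotiation abuse, it is worth confirming that it defaults to enabled and that the configuration documentation says so. The struct definition starts and ends outside the hunk.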
+@@ -437,6 +439,7 @@
+ # ifndef OPENSSL_NO_TLSEXT
+       buffer *tlsext_server_name;
+ # endif
++      unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+ #endif
+       /* etag handling */
+       etag_flags_t etag_flags;
+@@ -647,11 +650,9 @@
  
- #include "buffer.h"
- #include "etag.h"
-Index: src/mod_scgi.c
-===================================================================
---- src/mod_scgi.c     (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_scgi.c     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1057,6 +1057,9 @@
-                                               /* a local socket + self spawning */
-                                               size_t pno;
-+                                              /* HACK:  just to make sure the adaptive spawing is disabled */
-+                                              df->min_procs = df->max_procs;
-+
-                                               if (df->min_procs > df->max_procs) df->max_procs = df->min_procs;
-                                               if (df->max_load_per_proc < 1) df->max_load_per_proc = 0;
-@@ -2694,8 +2697,9 @@
-               if (s_len < ct_len) continue;
-               /* check extension in the form "/scgi_pattern" */
--              if (*(extension->key->ptr) == '/' && strncmp(fn->ptr, extension->key->ptr, ct_len) == 0) {
--                      break;
-+              if (*(extension->key->ptr) == '/') {
-+                      if (strncmp(fn->ptr, extension->key->ptr, ct_len) == 0)
-+                              break;
-               } else if (0 == strncmp(fn->ptr + s_len - ct_len, extension->key->ptr, ct_len)) {
-                       /* check extension in the form ".fcg" */
-                       break;
-Index: src/response.c
-===================================================================
---- src/response.c     (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/response.c     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -19,6 +19,7 @@
- #include "stat_cache.h"
- #include "chunk.h"
-+#include "configfile.h"
- #include "connections.h"
- #include "plugin.h"
-@@ -59,7 +60,8 @@
-               ds = (data_string *)con->response.headers->data[i];
-               if (ds->value->used && ds->key->used &&
--                  0 != strncmp(ds->key->ptr, "X-LIGHTTPD-", sizeof("X-LIGHTTPD-") - 1)) {
-+                  0 != strncmp(ds->key->ptr, "X-LIGHTTPD-", sizeof("X-LIGHTTPD-") - 1) &&
-+                      0 != strncmp(ds->key->ptr, "X-Sendfile", sizeof("X-Sendfile") - 1)) {
-                       if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Date"))) have_date = 1;
-                       if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Server"))) have_server = 1;
-@@ -149,6 +151,9 @@
-                *
-                *  */
-+              config_cond_cache_reset(srv, con);
-+              config_setup_connection(srv, con); // Perhaps this could be removed at other places.
-+
-               if (con->conf.log_condition_handling) {
-                       log_error_write(srv, __FILE__, __LINE__,  "s",  "run condition");
-               }
-@@ -180,11 +185,13 @@
-               buffer_copy_string_buffer(con->uri.authority, con->request.http_host);
-               buffer_to_lower(con->uri.authority);
-+              config_patch_connection(srv, con, COMP_HTTP_SCHEME);    /* Scheme:      */
-               config_patch_connection(srv, con, COMP_HTTP_HOST);      /* Host:        */
--              config_patch_connection(srv, con, COMP_HTTP_REMOTEIP);  /* Client-IP */
-+              config_patch_connection(srv, con, COMP_HTTP_REMOTE_IP); /* Client-IP */
-               config_patch_connection(srv, con, COMP_HTTP_REFERER);   /* Referer:     */
--              config_patch_connection(srv, con, COMP_HTTP_USERAGENT); /* User-Agent:  */
-+              config_patch_connection(srv, con, COMP_HTTP_USER_AGENT);/* User-Agent:  */
-               config_patch_connection(srv, con, COMP_HTTP_COOKIE);    /* Cookie:  */
-+              config_patch_connection(srv, con, COMP_HTTP_REQUEST_METHOD); /* REQUEST_METHOD */
-               /** their might be a fragment which has to be cut away */
-               if (NULL != (qstr = strchr(con->request.uri->ptr, '#'))) {
-@@ -270,7 +277,7 @@
-                */
+       fdevent_handler_t event_handler;
  
-               config_patch_connection(srv, con, COMP_HTTP_URL); /* HTTPurl */
--              config_patch_connection(srv, con, COMP_HTTP_QUERYSTRING); /* HTTPqs */
-+              config_patch_connection(srv, con, COMP_HTTP_QUERY_STRING); /* HTTPqs */
+-      int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq);
+-      int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq);
++      int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+-      int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
+-      int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++      int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
+ #endif
  
-               /* do we have to downgrade to 1.0 ? */
-               if (!con->conf.allow_http11) {
-@@ -547,17 +554,14 @@
-                       buffer_copy_string_buffer(srv->tmp_buf, con->physical.path);
+       uid_t uid;
+Index: src/connections.c
+===================================================================
+--- src/connections.c  (.../tags/lighttpd-1.4.29)
++++ src/connections.c  (.../branches/lighttpd-1.4.x)
+@@ -223,6 +223,12 @@
  
-                       do {
--                              struct stat st;
--
-                               if (slash) {
-                                       buffer_copy_string_len(con->physical.path, srv->tmp_buf->ptr, slash - srv->tmp_buf->ptr);
-                               } else {
-                                       buffer_copy_string_buffer(con->physical.path, srv->tmp_buf);
-                               }
+               len = SSL_read(con->ssl, b->ptr + read_offset, toread);
  
--                              if (0 == stat(con->physical.path->ptr, &(st)) &&
--                                  S_ISREG(st.st_mode)) {
--                                      found = 1;
-+                              if (HANDLER_ERROR != stat_cache_get_entry(srv, con, con->physical.path, &sce)) {
-+                                      found = S_ISREG(sce->st.st_mode);
-                                       break;
-                               }
++              if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++                      connection_set_state(srv, con, CON_STATE_ERROR);
++                      log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++                      return -1;
++              }
++
+               if (len > 0) {
+                       if (b->used > 0) b->used--;
+                       b->used += len;
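Review bot: The message logged when a renegotiation is rejected, `"SSL: renegotiation initiated by client"`, carries nothing that identifies the connection, which makes the event hard to correlate or count in monitoring. Other messages in this file include `con->fd` (the "handle write failed." calls), so the same could be done here, e.g. `log_error_write(srv, __FILE__, __LINE__, "sd", "SSL: renegotiation initiated by client, fd:", con->fd);`. The test also runs only after `SSL_read()` returns on this read path; whether the SSL write path performs the same check is not visible here, and base.h describes the counter as counting every `SSL_CB_HANDSHAKE_START`, so "initiated by client" is an inference rather than something the code establishes. The enclosing function starts and ends outside the hunk.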
+@@ -445,6 +451,7 @@
+               default:
+                       switch(con->http_status) {
+                       case 400: /* bad request */
++                      case 401: /* authorization required */
+                       case 414: /* overload request header */
+                       case 505: /* unknown protocol */
+                       case 207: /* this was webdav */
+@@ -617,8 +624,9 @@
+ }
  
-@@ -589,6 +593,20 @@
-                               return HANDLER_FINISHED;
+ static int connection_handle_write(server *srv, connection *con) {
+-      switch(network_write_chunkqueue(srv, con, con->write_queue)) {
++      switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) {
+       case 0:
++              con->write_request_ts = srv->cur_ts;
+               if (con->file_finished) {
+                       connection_set_state(srv, con, CON_STATE_RESPONSE_END);
+                       joblist_append(srv, con);
+@@ -635,6 +643,7 @@
+               joblist_append(srv, con);
+               break;
+       case 1:
++              con->write_request_ts = srv->cur_ts;
+               con->is_writable = 0;
+               /* not finished yet -> WRITE */
+@@ -1251,8 +1260,6 @@
+                       log_error_write(srv, __FILE__, __LINE__, "ds",
+                                       con->fd,
+                                       "handle write failed.");
+-              } else if (con->state == CON_STATE_WRITE) {
+-                      con->write_request_ts = srv->cur_ts;
+               }
+       }
+@@ -1352,6 +1359,7 @@
+                               return NULL;
                        }
  
-+#ifdef HAVE_LSTAT
-+                      if ((sce->is_symlink != 0) && !con->conf.follow_symlink) {
-+                              con->http_status = 403;
-+
-+                              if (con->conf.log_request_handling) {
-+                                      log_error_write(srv, __FILE__, __LINE__,  "s",  "-- access denied due symlink restriction");
-+                                      log_error_write(srv, __FILE__, __LINE__,  "sb", "Path         :", con->physical.path);
-+                              }
-+
-+                              buffer_reset(con->physical.path);
-+                              return HANDLER_FINISHED;
-+                      };
-+#endif
-+
-                       /* we have a PATHINFO */
-                       if (pathinfo) {
-                               buffer_copy_string(con->request.pathinfo, pathinfo);
-@@ -631,8 +649,14 @@
-               /* if we are still here, no one wanted the file, status 403 is ok I think */
--              if (con->mode == DIRECT) {
--                      con->http_status = 403;
-+              if (con->mode == DIRECT && con->http_status == 0) {
-+                      switch (con->request.http_method) {
-+                      case HTTP_METHOD_OPTIONS:
-+                              con->http_status = 200;
-+                              break;
-+                      default:
-+                              con->http_status = 403;
-+                      }
++                      con->renegotiations = 0;
+ #ifndef OPENSSL_NO_TLSEXT
+                       SSL_set_app_data(con->ssl, con);
+ #endif
+@@ -1667,8 +1675,6 @@
+                                                       con->fd,
+                                                       "handle write failed.");
+                                       connection_set_state(srv, con, CON_STATE_ERROR);
+-                              } else if (con->state == CON_STATE_WRITE) {
+-                                      con->write_request_ts = srv->cur_ts;
+                               }
+                       }
  
-                       return HANDLER_FINISHED;
-               }
-Index: src/mod_userdir.c
+Index: src/mod_staticfile.c
 ===================================================================
---- src/mod_userdir.c  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_userdir.c  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -21,6 +21,7 @@
-       array *include_user;
-       buffer *path;
-       buffer *basepath;
-+      unsigned short letterhomes;
+--- src/mod_staticfile.c       (.../tags/lighttpd-1.4.29)
++++ src/mod_staticfile.c       (.../branches/lighttpd-1.4.x)
+@@ -26,6 +26,7 @@
+ typedef struct {
+       array *exclude_ext;
+       unsigned short etags_used;
++      unsigned short disable_pathinfo;
  } plugin_config;
  
  typedef struct {
-@@ -87,6 +88,7 @@
-               { "userdir.exclude-user",       NULL, T_CONFIG_ARRAY,  T_CONFIG_SCOPE_CONNECTION },       /* 1 */
-               { "userdir.include-user",       NULL, T_CONFIG_ARRAY,  T_CONFIG_SCOPE_CONNECTION },       /* 2 */
-               { "userdir.basepath",           NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },       /* 3 */
-+              { "userdir.letterhomes",        NULL, T_CONFIG_BOOLEAN,T_CONFIG_SCOPE_CONNECTION },       /* 4 */
-               { NULL,                         NULL, T_CONFIG_UNSET,  T_CONFIG_SCOPE_UNSET }
+@@ -84,6 +85,7 @@
+       config_values_t cv[] = {
+               { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },       /* 0 */
+               { "static-file.etags",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
++              { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
+               { NULL,                         NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
        };
  
-@@ -102,11 +104,13 @@
-               s->include_user = array_init();
-               s->path = buffer_init();
-               s->basepath = buffer_init();
-+              s->letterhomes = 0;
+@@ -97,9 +99,11 @@
+               s = calloc(1, sizeof(plugin_config));
+               s->exclude_ext    = array_init();
+               s->etags_used     = 1;
++              s->disable_pathinfo = 0;
  
-               cv[0].destination = s->path;
-               cv[1].destination = s->exclude_user;
-               cv[2].destination = s->include_user;
-               cv[3].destination = s->basepath;
-+              cv[4].destination = &(s->letterhomes);
+               cv[0].destination = s->exclude_ext;
+               cv[1].destination = &(s->etags_used);
++              cv[2].destination = &(s->disable_pathinfo);
  
                p->config_storage[i] = s;
  
-@@ -128,6 +132,7 @@
-       PATCH(exclude_user);
-       PATCH(include_user);
-       PATCH(basepath);
-+      PATCH(letterhomes);
+@@ -119,6 +123,7 @@
+       PATCH(exclude_ext);
+       PATCH(etags_used);
++      PATCH(disable_pathinfo);
  
        /* skip the first, the global context */
        for (i = 1; i < srv->config_context->used; i++) {
-@@ -149,6 +154,8 @@
-                               PATCH(include_user);
-                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("userdir.basepath"))) {
-                               PATCH(basepath);
-+                      } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("userdir.letterhomes"))) {
-+                              PATCH(letterhomes);
-                       }
+@@ -136,7 +141,9 @@
+                               PATCH(exclude_ext);
+                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) {
+                               PATCH(etags_used);
+-                      } 
++                      } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) {
++                              PATCH(disable_pathinfo);
++                      }
                }
        }
-@@ -253,6 +260,10 @@
  
-               buffer_copy_string_buffer(p->temp_path, p->conf.basepath);
-               BUFFER_APPEND_SLASH(p->temp_path);
-+              if (p->conf.letterhomes) {
-+                      buffer_append_string_len(p->temp_path, p->username->ptr, 1);
-+                      BUFFER_APPEND_SLASH(p->temp_path);
+@@ -350,7 +357,6 @@
+ URIHANDLER_FUNC(mod_staticfile_subrequest) {
+       plugin_data *p = p_d;
+       size_t k;
+-      int s_len;
+       stat_cache_entry *sce = NULL;
+       buffer *mtime = NULL;
+       data_string *ds;
+@@ -376,7 +382,12 @@
+       mod_staticfile_patch_connection(srv, con, p);
+-      s_len = con->uri.path->used - 1;
++      if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) {
++              if (con->conf.log_request_handling) {
++                      log_error_write(srv, __FILE__, __LINE__,  "s",  "-- NOT handling file as static file, pathinfo forbidden");
 +              }
-               buffer_append_string_buffer(p->temp_path, p->username);
-       }
-       BUFFER_APPEND_SLASH(p->temp_path);
-Index: src/mod_proxy.c
++              return HANDLER_GO_ON;
++      }
+       /* ignore certain extensions */
+       for (k = 0; k < p->conf.exclude_ext->used; k++) {
+Index: src/network.c
 ===================================================================
---- src/mod_proxy.c    (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_proxy.c    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1093,15 +1093,17 @@
-               if (s_len < ct_len) continue;
-               /* check extension in the form "/proxy_pattern" */
--              if (*(extension->key->ptr) == '/' && strncmp(fn->ptr, extension->key->ptr, ct_len) == 0) {
--                      if (s_len > ct_len + 1) {
--                              char *pi_offset;
-+              if (*(extension->key->ptr) == '/') {
-+                      if (strncmp(fn->ptr, extension->key->ptr, ct_len) == 0) {
-+                              if (s_len > ct_len + 1) {
-+                                      char *pi_offset;
--                              if (0 != (pi_offset = strchr(fn->ptr + ct_len + 1, '/'))) {
--                                      path_info_offset = pi_offset - fn->ptr;
-+                                      if (0 != (pi_offset = strchr(fn->ptr + ct_len + 1, '/'))) {
-+                                              path_info_offset = pi_offset - fn->ptr;
-+                                      }
-                               }
-+                              break;
-                       }
--                      break;
-               } else if (0 == strncmp(fn->ptr + s_len - ct_len, extension->key->ptr, ct_len)) {
-                       /* check extension in the form ".fcg" */
-                       break;
-@@ -1203,7 +1205,7 @@
-               }
+--- src/network.c      (.../tags/lighttpd-1.4.29)
++++ src/network.c      (.../branches/lighttpd-1.4.x)
+@@ -27,6 +27,19 @@
+ # include <openssl/rand.h>
+ #endif
++#ifdef USE_OPENSSL
++static void ssl_info_callback(const SSL *ssl, int where, int ret) {
++      UNUSED(ret);
++
++      if (0 != (where & SSL_CB_HANDSHAKE_START)) {
++              connection *con = SSL_get_app_data(ssl);
++              ++con->renegotiations;
++      } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
++              ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++      }
++}
++#endif
++
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
+       server_socket *srv_socket = (server_socket *)context;
+       connection *con;
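Review bot: `ssl_info_callback` dereferences both `con` (from `SSL_get_app_data(ssl)`) and `ssl->s3` without a NULL check, and either may be unset when the callback fires: the app data if a handshake-start event arrives before the connection is attached, and `s3` presumably on an SSLv2 session, which `ssl.use-sslv2` still permits further down in this file. Guarding both keeps a handshake event from crashing the worker: `if (NULL != con) ++con->renegotiations;` and `if (NULL != ssl->s3) ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;`. The flag is also set regardless of the new `ssl.disable-client-renegotiation` option. Where that option is consulted is not visible in this hunk, so a comment on the callback saying it is unconditional would help the next reader.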
+@@ -480,9 +493,11 @@
+       network_backend_t backend;
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
++#ifndef OPENSSL_NO_ECDH
+       EC_KEY *ecdh;
+       int nid;
+ #endif
++#endif
+ #ifdef USE_OPENSSL
+       DH *dh;
+@@ -553,6 +568,11 @@
+       /* load SSL certificates */
+       for (i = 0; i < srv->config_context->used; i++) {
+               specific_config *s = srv->config_storage[i];
++#ifndef SSL_OP_NO_COMPRESSION
++# define SSL_OP_NO_COMPRESSION 0
++#endif
++              long ssloptions =
++                      SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
+               if (buffer_is_empty(s->ssl_pemfile)) continue;
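Review bot: Defining `SSL_OP_NO_COMPRESSION` as `0` when the OpenSSL headers lack it makes `ssloptions` silently omit the bit, so on such builds TLS compression stays enabled with no trace in the log. A one-time warning at startup, or at least a comment beside the fallback such as `/* older OpenSSL: compression cannot be disabled through SSL_CTX_set_options */`, would let an operator see the difference. The `#ifndef`/`#define` also sits inside the `for` body between two declarations. Moving it to the top of the file next to the OpenSSL includes would keep `long ssloptions` with the other declarations.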
  
-               /* didn't found a higher id, wrap to the start */
--              if (ndx != -1 && max_usage != INT_MAX) {
-+              if (ndx == -1 && max_usage != INT_MAX) {
-                       ndx = max_usage;
+@@ -586,6 +606,9 @@
+                       return -1;
                }
  
-Index: src/mod_extforward.c
-===================================================================
---- src/mod_extforward.c       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_extforward.c       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -20,6 +20,7 @@
- /**
-  * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
-  *                  extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
-+ *                  support chained proxies by glen@delfi.ee, #1528
-  *
-  * Config example:
-  *
-@@ -33,6 +34,10 @@
-  *       Note that "all" has precedence over specific entries,
-  *       so "all except" setups will not work.
-  *
-+ *       In case you have chained proxies, you can add all their IP's to the
-+ *       config. However "all" has effect only on connecting IP, as the
-+ *       X-Forwarded-For header can not be trusted.
-+ *
-  * Note: The effect of this module is variable on $HTTP["remotip"] directives and
-  *       other module's remote ip dependent actions.
-  *  Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
-@@ -225,18 +230,16 @@
-               char *base, *curr;
-               /* state variable, 0 means not in string, 1 means in string */
-               int in_str = 0;
--              for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++)
--              {
-+              for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) {
-                       if (in_str) {
--                              if ( (*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' ) {
-+                              if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':') {
-                                       /* found an separator , insert value into result array */
--                                      put_string_into_array_len(result, base, curr-base);
-+                                      put_string_into_array_len(result, base, curr - base);
-                                       /* change state to not in string */
-                                       in_str = 0;
-                               }
-                       } else {
--                              if (*curr >= '0' && *curr <= '9')
--                              {
-+                              if (*curr >= '0' && *curr <= '9') {
-                                       /* found leading char of an IP address, move base pointer and change state */
-                                       base = curr;
-                                       in_str = 1;
-@@ -244,9 +247,8 @@
++              SSL_CTX_set_options(s->ssl_ctx, ssloptions);
++              SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
++
+               if (!s->ssl_use_sslv2) {
+                       /* disable SSLv2 */
+                       if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+@@ -611,6 +634,10 @@
+                                               ERR_error_string(ERR_get_error(), NULL));
+                               return -1;
                        }
-               }
-               /* if breaking out while in str, we got to the end of string, so add it */
--              if (in_str)
--              {
--                      put_string_into_array_len(result, base, curr-base);
-+              if (in_str) {
-+                      put_string_into_array_len(result, base, curr - base);
-               }
-       }
-       return result;
-@@ -255,20 +257,42 @@
- #define IP_TRUSTED 1
- #define IP_UNTRUSTED 0
- /*
--   check whether ip is trusted, return 1 for trusted , 0 for untrusted
--*/
-+ * check whether ip is trusted, return 1 for trusted , 0 for untrusted
-+ */
- static int is_proxy_trusted(const char *ipstr, plugin_data *p)
- {
--      data_string* allds = (data_string *) array_get_element(p->conf.forwarder,"all");
-+      data_string* allds = (data_string *)array_get_element(p->conf.forwarder, "all");
 +
-       if (allds) {
--              if (strcasecmp(allds->value->ptr,"trust") == 0)
-+              if (strcasecmp(allds->value->ptr, "trust") == 0) {
-                       return IP_TRUSTED;
--              else
++                      if (s->ssl_honor_cipher_order) {
++                              SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++                      }
+               }
+               /* Support for Diffie-Hellman key exchange */
+@@ -847,7 +874,7 @@
+       return 0;
+ }
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
+       int ret = -1;
+       off_t written = 0;
+ #ifdef TCP_CORK
+@@ -855,16 +882,34 @@
+ #endif
+       server_socket *srv_socket = con->srv_socket;
+-      if (con->conf.global_kbytes_per_second &&
+-          *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) {
+-              /* we reached the global traffic limit */
++      if (con->conf.global_kbytes_per_second) {
++              off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
++              if (limit <= 0) {
++                      /* we reached the global traffic limit */
+-              con->traffic_limit_reached = 1;
+-              joblist_append(srv, con);
++                      con->traffic_limit_reached = 1;
++                      joblist_append(srv, con);
+-              return 1;
++                      return 1;
 +              } else {
-                       return IP_UNTRUSTED;
++                      if (max_bytes > limit) max_bytes = limit;
 +              }
        }
--      return (data_string *)array_get_element(p->conf.forwarder,ipstr) ? IP_TRUSTED : IP_UNTRUSTED ;
-+
-+      return (data_string *)array_get_element(p->conf.forwarder, ipstr) ? IP_TRUSTED : IP_UNTRUSTED;
- }
  
-+/*
-+ * Return char *ip of last address of proxy that is not trusted.
-+ * Do not accept "all" keyword here.
-+ */
-+static const char *last_not_in_array(array *a, plugin_data *p)
-+{
-+      array *forwarder = p->conf.forwarder;
++      if (con->conf.kbytes_per_second) {
++              off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
++              if (limit <= 0) {
++                      /* we reached the traffic limit */
 +
-+      for (int i = a->used - 1; i >= 0; i--) {
-+              data_string *ds = (data_string *)a->data[i];
-+              const char *ip = ds->value->ptr;
++                      con->traffic_limit_reached = 1;
++                      joblist_append(srv, con);
 +
-+              if (!array_get_element(forwarder, ip)) {
-+                      return ip;
++                      return 1;
++              } else {
++                      if (max_bytes > limit) max_bytes = limit;
 +              }
 +      }
-+      return NULL;
-+}
 +
- struct addrinfo *ipstr_to_sockaddr(const char *host)
- {
-    struct addrinfo hints, *res0;
-@@ -305,7 +329,7 @@
+       written = cq->bytes_out;
  
- static void clean_cond_cache(server *srv, connection *con) {
--      config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTEIP);
-+      config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
- }
+ #ifdef TCP_CORK
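Review bot: Both `limit` computations multiply before widening: `con->conf.global_kbytes_per_second * 1024` and `con->conf.kbytes_per_second * 1024` are evaluated in the fields' own (promoted) type, which is declared outside this patch, and only the product is converted to `off_t`. Depending on that type, a large configured limit could overflow and produce a negative or tiny `limit`, which the `limit <= 0` branch would then treat as "limit reached" and stall the connection. Casting first removes the dependency, e.g. `off_t limit = (off_t)con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;`, and likewise for the global limit. `max_bytes` is also handed to the backend without checking that the caller passed a positive value. The body of `network_write_chunkqueue` begins and continues outside this hunk.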
+@@ -879,10 +924,10 @@
  
- URIHANDLER_FUNC(mod_extforward_uri_handler) {
-@@ -316,9 +340,8 @@
-       struct addrinfo *addrlist = NULL;
- #endif
-       const char *dst_addr_str = NULL;
--      int i;
-       array *forward_array = NULL;
--      char *real_remote_addr = NULL;
-+      const char *real_remote_addr = NULL;
- #ifdef HAVE_IPV6
+       if (srv_socket->is_ssl) {
+ #ifdef USE_OPENSSL
+-              ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq);
++              ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
  #endif
-@@ -342,7 +365,6 @@
-               return HANDLER_GO_ON;
+       } else {
+-              ret = srv->network_backend_write(srv, con, con->fd, cq);
++              ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
        }
  
--      /* if the remote ip itself is not trusted , then do nothing */
- #ifdef HAVE_IPV6
-       dst_addr_str = inet_ntop(con->dst_addr.plain.sa_family,
-                     con->dst_addr.plain.sa_family == AF_INET6 ?
-@@ -353,7 +375,9 @@
- #else
-       dst_addr_str = inet_ntoa(con->dst_addr.ipv4.sin_addr);
- #endif
--      if (IP_UNTRUSTED == is_proxy_trusted (dst_addr_str, p) ) {
-+
-+      /* if the remote ip itself is not trusted, then do nothing */
-+      if (IP_UNTRUSTED == is_proxy_trusted(dst_addr_str, p)) {
-               if (con->conf.log_request_handling) {
-                       log_error_write(srv, __FILE__, __LINE__, "s",
-                                       "remote address is NOT a trusted proxy, skipping");
-@@ -362,40 +386,34 @@
-               return HANDLER_GO_ON;
-       }
+       if (ret >= 0) {
+@@ -903,12 +948,5 @@
  
-+      /* build forward_array from forwarded data_string */
-       forward_array = extract_forward_array(forwarded->value);
-+      real_remote_addr = last_not_in_array(forward_array, p);
--      /* Testing shows that multiple headers and multiple values in one header
--         come in _reverse_ order. So the first one we get is the last one in the request. */
--      for (i = forward_array->used - 1; i >= 0; i--) {
--              data_string *ds = (data_string *) forward_array->data[i];
--              if (ds) {
--                      real_remote_addr = ds->value->ptr;
--                      break;
--              } else {
--                      /* bug ?  bailing out here */
--                      break;
--              }
--      }
--
-       if (real_remote_addr != NULL) { /* parsed */
-               sock_addr sock;
+       *(con->conf.global_bytes_per_second_cnt_ptr) += written;
+-      if (con->conf.kbytes_per_second &&
+-          (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) {
+-              /* we reached the traffic limit */
 -
-               struct addrinfo *addrs_left;
-+              server_socket *srv_sock = con->srv_socket;
-+              data_string *forwarded_proto = (data_string *)array_get_element(con->request.headers, "X-Forwarded-Proto");
+-              con->traffic_limit_reached = 1;
+-              joblist_append(srv, con);
+-      }
+       return ret;
+ }
+Index: src/network.h
+===================================================================
+--- src/network.h      (.../tags/lighttpd-1.4.29)
++++ src/network.h      (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,7 @@
  
-+              if (forwarded_proto && !strcmp(forwarded_proto->value->ptr, "https")) {
-+                      srv_sock->is_proxy_ssl = 1;
-+              } else {
-+                      srv_sock->is_proxy_ssl = 0;
-+              }
-+
-               if (con->conf.log_request_handling) {
--                      log_error_write(srv, __FILE__, __LINE__, "ss",
--                                      "using address:", real_remote_addr);
-+                      log_error_write(srv, __FILE__, __LINE__, "ss", "using address:", real_remote_addr);
-               }
- #ifdef HAVE_IPV6
-               addrlist = ipstr_to_sockaddr(real_remote_addr);
-               sock.plain.sa_family = AF_UNSPEC;
--              for (addrs_left = addrlist; addrs_left != NULL;
--                   addrs_left = addrs_left -> ai_next) {
-+              for (addrs_left = addrlist; addrs_left != NULL; addrs_left = addrs_left -> ai_next) {
-                       sock.plain.sa_family = addrs_left->ai_family;
--                      if ( sock.plain.sa_family == AF_INET ) {
-+                      if (sock.plain.sa_family == AF_INET) {
-                               sock.ipv4.sin_addr = ((struct sockaddr_in*)addrs_left->ai_addr)->sin_addr;
-                               break;
--                      } else if ( sock.plain.sa_family == AF_INET6 ) {
-+                      } else if (sock.plain.sa_family == AF_INET6) {
-                               sock.ipv6.sin6_addr = ((struct sockaddr_in6*)addrs_left->ai_addr)->sin6_addr;
-                               break;
-                       }
-@@ -430,7 +448,7 @@
-               if (addrlist != NULL ) freeaddrinfo(addrlist);
+ #include "server.h"
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c);
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes);
+ int network_init(server *srv);
+ int network_close(server *srv);
+Index: src/configfile.c
+===================================================================
+--- src/configfile.c   (.../tags/lighttpd-1.4.29)
++++ src/configfile.c   (.../branches/lighttpd-1.4.x)
+@@ -105,6 +105,8 @@
+               { "ssl.use-sslv3",               NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 62 */
+               { "ssl.dh-file",                 NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER },      /* 63 */
+               { "ssl.ec-curve",                NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER },      /* 64 */
++              { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
++              { "ssl.honor-cipher-order",      NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 66 */
+               { "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+               { "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -176,6 +178,7 @@
+               s->max_write_idle = 360;
+               s->use_xattr     = 0;
+               s->is_ssl        = 0;
++              s->ssl_honor_cipher_order = 1;
+               s->ssl_use_sslv2 = 0;
+               s->ssl_use_sslv3 = 1;
+               s->use_ipv6      = 0;
+@@ -199,6 +202,7 @@
+               s->ssl_verifyclient_username = buffer_init();
+               s->ssl_verifyclient_depth = 9;
+               s->ssl_verifyclient_export_cert = 0;
++              s->ssl_disable_client_renegotiation = 1;
+               cv[2].destination = s->errorfile_prefix;
+@@ -245,6 +249,8 @@
+               cv[62].destination = &(s->ssl_use_sslv3);
+               cv[63].destination = s->ssl_dh_file;
+               cv[64].destination = s->ssl_ec_curve;
++              cv[66].destination = &(s->ssl_honor_cipher_order);
++
+               cv[49].destination = &(s->etag_use_inode);
+               cv[50].destination = &(s->etag_use_mtime);
+               cv[51].destination = &(s->etag_use_size);
+@@ -255,6 +261,7 @@
+               cv[58].destination = &(s->ssl_verifyclient_depth);
+               cv[59].destination = s->ssl_verifyclient_username;
+               cv[60].destination = &(s->ssl_verifyclient_export_cert);
++              cv[65].destination = &(s->ssl_disable_client_renegotiation);
+               srv->config_storage[i] = s;
+@@ -335,6 +342,7 @@
+       PATCH(ssl_cipher_list);
+       PATCH(ssl_dh_file);
+       PATCH(ssl_ec_curve);
++      PATCH(ssl_honor_cipher_order);
+       PATCH(ssl_use_sslv2);
+       PATCH(ssl_use_sslv3);
+       PATCH(etag_use_inode);
+@@ -346,6 +354,7 @@
+       PATCH(ssl_verifyclient_depth);
+       PATCH(ssl_verifyclient_username);
+       PATCH(ssl_verifyclient_export_cert);
++      PATCH(ssl_disable_client_renegotiation);
+       return 0;
+ }
+@@ -400,6 +409,8 @@
  #endif
+                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+                               PATCH(ssl_ca_file);
++                      } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++                              PATCH(ssl_honor_cipher_order);
+                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+                               PATCH(ssl_use_sslv2);
+                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
+@@ -454,6 +465,8 @@
+                               PATCH(ssl_verifyclient_username);
+                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
+                               PATCH(ssl_verifyclient_export_cert);
++                      } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
++                              PATCH(ssl_disable_client_renegotiation);
+                       }
+               }
        }
--      array_free(forward_array);
-+      array_free(forward_array);
-       /* not found */
-       return HANDLER_GO_ON;
-Index: src/Makefile.am
-===================================================================
---- src/Makefile.am    (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/Makefile.am    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -16,20 +16,20 @@
- configparser.c configparser.h:
- mod_ssi_exprparser.c mod_ssi_exprparser.h:
- else
--configparser.y: lemon
--mod_ssi_exprparser.y: lemon
-+$(srcdir)/configparser.y: lemon
-+$(srcdir)/mod_ssi_exprparser.y: lemon
--configparser.c configparser.h: configparser.y
-+configparser.c configparser.h: $(srcdir)/configparser.y
-       rm -f configparser.h
-       $(LEMON) -q $(srcdir)/configparser.y $(srcdir)/lempar.c
--mod_ssi_exprparser.c mod_ssi_exprparser.h: mod_ssi_exprparser.y
-+mod_ssi_exprparser.c mod_ssi_exprparser.h: $(srcdir)/mod_ssi_exprparser.y
-       rm -f mod_ssi_exprparser.h
-       $(LEMON) -q $(srcdir)/mod_ssi_exprparser.y $(srcdir)/lempar.c
- endif
--configfile.c: configparser.h
--mod_ssi_expr.c: mod_ssi_exprparser.h
-+$(srcdir)/configfile.c: configparser.h
-+$(srcdir)/mod_ssi_expr.c: mod_ssi_exprparser.h
- common_src=buffer.c log.c \
-       keyvalue.c chunk.c  \
-@@ -281,4 +281,4 @@
- #ajp_SOURCES = ajp.c
- noinst_HEADERS   = $(hdr)
--EXTRA_DIST = mod_skeleton.c configparser.y mod_ssi_exprparser.y lempar.c
-+EXTRA_DIST = mod_skeleton.c configparser.y mod_ssi_exprparser.y lempar.c SConscript
-Index: src/network_openssl.c
+Index: src/mod_scgi.c
 ===================================================================
---- src/network_openssl.c      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/network_openssl.c      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -58,31 +58,6 @@
-               SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
-       }
+--- src/mod_scgi.c     (.../tags/lighttpd-1.4.29)
++++ src/mod_scgi.c     (.../branches/lighttpd-1.4.x)
+@@ -2296,7 +2296,7 @@
  
--      /* evil hack for opera 9.01 and 8.54 and earlier
--       *
--       * opera hangs if the trainling 0\r\n\r\n is in a seperate SSL-packet
--       *
--       * we try to move the packet into the previous mem-chunk if possible
--       */
--      if ((cq == con->write_queue) &&
--          (con->response.transfer_encoding & HTTP_TRANSFER_ENCODING_CHUNKED) &&
--          (con->file_finished)) {
--              /* merge the last chunk into the previous chunk */
--
--              for(c = cq->first; c && c->next && c->next->next; c = c->next);
--
--              if (c &&
--                  c->type == MEM_CHUNK &&
--                  c->next &&
--                  c->next->type == MEM_CHUNK &&
--                  c->next->mem->used == sizeof("0\r\n\r\n") &&
--                  0 == strcmp(c->next->mem->ptr, "0\r\n\r\n")) {
--                      buffer_append_string_buffer(c->mem, c->next->mem);
--
--                      c->next->mem->used = 0;
--              }
--      }
--
-       for(c = cq->first; c; c = c->next) {
-               int chunk_finished = 0;
+               /* fall through */
+       case FCGI_STATE_WRITE:
+-              ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++              ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
  
-@@ -128,6 +103,7 @@
-                                               /* no, but we have errno */
-                                               switch(errno) {
-                                               case EPIPE:
-+                                              case ECONNRESET:
-                                                       return -2;
-                                               default:
-                                                       log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
-@@ -230,6 +206,7 @@
-                                                       /* no, but we have errno */
-                                                       switch(errno) {
-                                                       case EPIPE:
-+                                                      case ECONNRESET:
-                                                               return -2;
-                                                       default:
-                                                               log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
-Index: src/http_auth.c
+               chunkqueue_remove_finished_chunks(hctx->wb);
+Index: src/request.c
 ===================================================================
---- src/http_auth.c    (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/http_auth.c    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -29,6 +29,7 @@
- #include "log.h"
- #include "http_auth.h"
- #include "http_auth_digest.h"
-+#include "inet_ntop_cache.h"
- #include "stream.h"
+--- src/request.c      (.../tags/lighttpd-1.4.29)
++++ src/request.c      (.../branches/lighttpd-1.4.x)
+@@ -49,7 +49,7 @@
+                               if (++colon_cnt > 7) {
+                                       return -1;
+                               }
+-                      } else if (!light_isxdigit(*c)) {
++                      } else if (!light_isxdigit(*c) && '.' != *c) {
+                               return -1;
+                       }
+               }
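Review bot: The relaxed test accepts `.` at any position and in any number within the host literal being validated (apparently an IPv6 address, given the `colon_cnt > 7` check), so strings that are not addresses at all now pass this character check. If the intent is to allow an embedded IPv4 tail, as in the constructed example `::ffff:192.0.2.1`, dots should be accepted only after the last colon and limited to three. Alternatively the literal could be handed to `inet_pton(AF_INET6, ...)` for a definitive answer. At minimum add a comment such as `/* '.' permitted for IPv4-embedded IPv6 literals */` so the looser check is not mistaken for an oversight. The enclosing loop and function start outside the hunk.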
+Index: src/network_backends.h
+===================================================================
+--- src/network_backends.h     (.../tags/lighttpd-1.4.29)
++++ src/network_backends.h     (.../branches/lighttpd-1.4.x)
+@@ -47,18 +47,18 @@
+ #include "base.h"
+ /* return values:
+- * >= 0 : chunks completed
++ * >= 0 : no error
+  *   -1 : error (on our side)
+  *   -2 : remote close
+  */
  
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq);
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
  #ifdef USE_OPENSSL
-@@ -862,7 +863,7 @@
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
+ #endif
  
-       /* password doesn't match */
-       if (http_auth_basic_password_compare(srv, p, req, username, realm->value, password, pw)) {
--              log_error_write(srv, __FILE__, __LINE__, "sbb", "password doesn't match for", con->uri.path, username);
-+              log_error_write(srv, __FILE__, __LINE__, "sbbss", "password doesn't match for ", con->uri.path, username, ", IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
+ #endif
+Index: src/SConscript
+===================================================================
+--- src/SConscript     (.../tags/lighttpd-1.4.29)
++++ src/SConscript     (.../branches/lighttpd-1.4.x)
+@@ -12,7 +12,8 @@
+       data_integer.c md5.c data_fastcgi.c \
+       fdevent_select.c fdevent_libev.c \
+       fdevent_poll.c fdevent_linux_sysepoll.c \
+-      fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \
++      fdevent_solaris_devpoll.c fdevent_solaris_port.c \
++      fdevent_freebsd_kqueue.c \
+       data_config.c bitset.c \
+       inet_ntop_cache.c crc32.c \
+       connections-glue.c \
+@@ -62,7 +63,7 @@
+       'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] },
+       'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] },
+       'mod_auth' : {
+-              'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ],
++              'src' : [ 'mod_auth.c', 'http_auth.c' ],
+               'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] },
+       'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] },
+       'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] },
+Index: src/mod_cml_funcs.c
+===================================================================
+--- src/mod_cml_funcs.c        (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_funcs.c        (.../branches/lighttpd-1.4.x)
+@@ -17,18 +17,8 @@
+ #include <dirent.h>
+ #include <stdio.h>
  
-               buffer_free(username);
-               buffer_free(password);
-@@ -1130,7 +1131,7 @@
-               }
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
  
-               log_error_write(srv, __FILE__, __LINE__, "sss",
--                              "digest: auth failed for", username, "wrong password");
-+                              "digest: auth failed for ", username, ": wrong password, IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -43,7 +33,7 @@
+ #ifdef HAVE_LUA_H
+ int f_crypto_md5(lua_State *L) {
+-      MD5_CTX Md5Ctx;
++      li_MD5_CTX Md5Ctx;
+       HASH HA1;
+       buffer b;
+       char hex[33];
+@@ -63,9 +53,9 @@
+               lua_error(L);
+       }
  
-               buffer_free(b);
-               return 0;
-Index: src/configparser.y
-===================================================================
---- src/configparser.y (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/configparser.y (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -51,7 +51,7 @@
-   return NULL;
- }
+-      MD5_Init(&Md5Ctx);
+-      MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
+-      MD5_Final(HA1, &Md5Ctx);
++      li_MD5_Init(&Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
++      li_MD5_Final(HA1, &Md5Ctx);
  
--/* op1 is to be eat/return by this function, op1->key is not cared
-+/* op1 is to be eat/return by this function if success, op1->key is not cared
-    op2 is left untouch, unreferenced
-  */
- data_unset *configparser_merge_data(data_unset *op1, const data_unset *op2) {
-@@ -69,7 +69,6 @@
-       return (data_unset *)ds;
-     } else {
-       fprintf(stderr, "data type mismatch, cannot be merge\n");
--      op1->free(op1);
-       return NULL;
-     }
-   }
-@@ -123,6 +122,7 @@
- %type       aelement               {data_unset *}
- %type       condline               {data_config *}
- %type       condlines              {data_config *}
-+%type       global                 {data_config *}
- %type       aelements              {array *}
- %type       array                  {array *}
- %type       key                    {buffer *}
-@@ -142,22 +142,24 @@
- %token_destructor                  { buffer_free($$); }
- varline ::= key(A) ASSIGN expression(B). {
--  buffer_copy_string_buffer(B->key, A);
--  if (strncmp(A->ptr, "env.", sizeof("env.") - 1) == 0) {
--    fprintf(stderr, "Setting env variable is not supported in conditional %d %s: %s\n",
--        ctx->current->context_ndx,
--        ctx->current->key->ptr, A->ptr);
--    ctx->ok = 0;
--  } else if (NULL == array_get_element(ctx->current->value, B->key->ptr)) {
--    array_insert_unique(ctx->current->value, B);
--    B = NULL;
--  } else {
--    fprintf(stderr, "Duplicate config variable in conditional %d %s: %s\n",
--            ctx->current->context_ndx,
--            ctx->current->key->ptr, B->key->ptr);
--    ctx->ok = 0;
--    B->free(B);
--    B = NULL;
-+  if (ctx->ok) {
-+    buffer_copy_string_buffer(B->key, A);
-+    if (strncmp(A->ptr, "env.", sizeof("env.") - 1) == 0) {
-+      fprintf(stderr, "Setting env variable is not supported in conditional %d %s: %s\n",
-+          ctx->current->context_ndx,
-+          ctx->current->key->ptr, A->ptr);
-+      ctx->ok = 0;
-+    } else if (NULL == array_get_element(ctx->current->value, B->key->ptr)) {
-+      array_insert_unique(ctx->current->value, B);
-+      B = NULL;
-+    } else {
-+      fprintf(stderr, "Duplicate config variable in conditional %d %s: %s\n",
-+              ctx->current->context_ndx,
-+              ctx->current->key->ptr, B->key->ptr);
-+      ctx->ok = 0;
-+      B->free(B);
-+      B = NULL;
-+    }
-   }
-   buffer_free(A);
-   A = NULL;
-@@ -187,6 +189,7 @@
-     du = configparser_merge_data(du, B);
-     if (NULL == du) {
-       ctx->ok = 0;
-+      du->free(du);
-     }
-     else {
-       buffer_copy_string_buffer(du->key, A);
-@@ -418,10 +421,15 @@
-       { COMP_HTTP_URL,           CONST_STR_LEN("HTTP[\"url\"]"        ) },
-       { COMP_HTTP_HOST,          CONST_STR_LEN("HTTP[\"host\"]"       ) },
-       { COMP_HTTP_REFERER,       CONST_STR_LEN("HTTP[\"referer\"]"    ) },
--      { COMP_HTTP_USERAGENT,     CONST_STR_LEN("HTTP[\"useragent\"]"  ) },
-+      { COMP_HTTP_USER_AGENT,    CONST_STR_LEN("HTTP[\"useragent\"]"  ) },
-+      { COMP_HTTP_USER_AGENT,    CONST_STR_LEN("HTTP[\"user-agent\"]"  ) },
-       { COMP_HTTP_COOKIE,        CONST_STR_LEN("HTTP[\"cookie\"]"     ) },
--      { COMP_HTTP_REMOTEIP,      CONST_STR_LEN("HTTP[\"remoteip\"]"   ) },
--      { COMP_HTTP_QUERYSTRING,   CONST_STR_LEN("HTTP[\"querystring\"]") },
-+      { COMP_HTTP_REMOTE_IP,     CONST_STR_LEN("HTTP[\"remoteip\"]"   ) },
-+      { COMP_HTTP_REMOTE_IP,     CONST_STR_LEN("HTTP[\"remote-ip\"]"   ) },
-+      { COMP_HTTP_QUERY_STRING,  CONST_STR_LEN("HTTP[\"querystring\"]") },
-+      { COMP_HTTP_QUERY_STRING,  CONST_STR_LEN("HTTP[\"query-string\"]") },
-+      { COMP_HTTP_REQUEST_METHOD, CONST_STR_LEN("HTTP[\"request-method\"]") },
-+      { COMP_HTTP_SCHEME,        CONST_STR_LEN("HTTP[\"scheme\"]"     ) },
-       { COMP_UNSET, NULL, 0 },
-     };
-     size_t i;
-Index: src/mod_status.c
-===================================================================
---- src/mod_status.c   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_status.c   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -560,6 +560,8 @@
-       double avg;
-       time_t ts;
-       char buf[32];
-+      unsigned int k;
-+      unsigned int l;
-       b = chunkqueue_get_append_buffer(con->write_queue);
-@@ -588,6 +590,22 @@
-       buffer_append_long(b, srv->conns->used);
-       BUFFER_APPEND_STRING_CONST(b, "\n");
-+      BUFFER_APPEND_STRING_CONST(b, "IdleServers: ");
-+       buffer_append_long(b, srv->conns->size - srv->conns->used);
-+       BUFFER_APPEND_STRING_CONST(b, "\n");
-+
-+       /* output scoreboard */
-+       BUFFER_APPEND_STRING_CONST(b, "Scoreboard: ");
-+       for (k = 0; k < srv->conns->used; k++) {
-+              connection *c = srv->conns->ptr[k];
-+              const char *state = connection_get_short_state(c->state);
-+              buffer_append_string_len(b, state, 1);
-+      }
-+      for (l = 0; l < srv->conns->size - srv->conns->used; l++) {
-+              BUFFER_APPEND_STRING_CONST(b, "_");
-+      }
-+      BUFFER_APPEND_STRING_CONST(b, "\n");
-+
-       /* set text/plain output */
+       buffer_copy_string_hex(&b, (char *)HA1, 16);
  
-       response_header_overwrite(srv, con, CONST_STR_LEN("Content-Type"), CONST_STR_LEN("text/plain"));
-Index: src/mod_compress.c
+Index: src/mod_userdir.c
 ===================================================================
---- src/mod_compress.c (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_compress.c (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -102,6 +102,50 @@
-       return HANDLER_GO_ON;
- }
+--- src/mod_userdir.c  (.../tags/lighttpd-1.4.29)
++++ src/mod_userdir.c  (.../branches/lighttpd-1.4.x)
+@@ -166,7 +166,6 @@
  
-+// 0 on success, -1 for error
-+int mkdir_recursive(char *dir) {
-+      char *p = dir;
-+
-+      if (!dir || !dir[0])
-+              return 0;
-+
-+      while ((p = strchr(p + 1, '/')) != NULL) {
-+
-+              *p = '\0';
-+              if ((mkdir(dir, 0700) != 0) && (errno != EEXIST)) {
-+                      *p = '/';
-+                      return -1;
-+              }
-+
-+              *p++ = '/';
-+              if (!*p) return 0; // Ignore trailing slash
-+      }
-+
-+      return (mkdir(dir, 0700) != 0) && (errno != EEXIST) ? -1 : 0;
-+}
-+
-+// 0 on success, -1 for error
-+int mkdir_for_file(char *filename) {
-+      char *p = filename;
-+
-+      if (!filename || !filename[0])
-+              return -1;
-+
-+      while ((p = strchr(p + 1, '/')) != NULL) {
-+
-+              *p = '\0';
-+              if ((mkdir(filename, 0700) != 0) && (errno != EEXIST)) {
-+                      *p = '/';
-+                      return -1;
-+              }
-+
-+              *p++ = '/';
-+              if (!*p) return -1; // Unexpected trailing slash in filename
-+      }
-+
-+      return 0;
-+}
-+
- SETDEFAULTS_FUNC(mod_compress_setdefaults) {
+ URIHANDLER_FUNC(mod_userdir_docroot_handler) {
        plugin_data *p = p_d;
-       size_t i = 0;
-@@ -134,6 +178,8 @@
-               }
+-      int uri_len;
+       size_t k;
+       char *rel_url;
+ #ifdef HAVE_PWD_H
+@@ -182,8 +181,6 @@
+        */
+       if (p->conf.path->used == 0) return HANDLER_GO_ON;
  
-               if (!buffer_is_empty(s->compress_cache_dir)) {
-+                      mkdir_recursive(s->compress_cache_dir->ptr);
-+
-                       struct stat st;
-                       if (0 != stat(s->compress_cache_dir->ptr, &st)) {
-                               log_error_write(srv, __FILE__, __LINE__, "sbs", "can't stat compress.cache-dir",
-@@ -342,27 +388,8 @@
-       BUFFER_APPEND_SLASH(p->ofn);
-       if (0 == strncmp(con->physical.path->ptr, con->physical.doc_root->ptr, con->physical.doc_root->used-1)) {
--              size_t offset = p->ofn->used - 1;
--              char *dir, *nextdir;
+-      uri_len = con->uri.path->used - 1;
 -
-               buffer_append_string(p->ofn, con->physical.path->ptr + con->physical.doc_root->used - 1);
--
-               buffer_copy_string_buffer(p->b, p->ofn);
--
--              /* mkdir -p ... */
--              for (dir = p->b->ptr + offset; NULL != (nextdir = strchr(dir, '/')); dir = nextdir + 1) {
--                      *nextdir = '\0';
--
--                      if (-1 == mkdir(p->b->ptr, 0700)) {
--                              if (errno != EEXIST) {
--                                      log_error_write(srv, __FILE__, __LINE__, "sbss", "creating cache-directory", p->b, "failed", strerror(errno));
--
--                                      return -1;
--                              }
--                      }
--
--                      *nextdir = '/';
--              }
-       } else {
-               buffer_append_string_buffer(p->ofn, con->uri.path);
-       }
-@@ -384,6 +411,11 @@
+       /* /~user/foo.html -> /home/user/public_html/foo.html */
  
-       buffer_append_string_buffer(p->ofn, sce->etag);
+       if (con->uri.path->ptr[0] != '/' ||
+Index: src/mod_proxy.c
+===================================================================
+--- src/mod_proxy.c    (.../tags/lighttpd-1.4.29)
++++ src/mod_proxy.c    (.../branches/lighttpd-1.4.x)
+@@ -825,7 +825,7 @@
  
-+      if (-1 == mkdir_for_file(p->ofn->ptr)) {
-+              log_error_write(srv, __FILE__, __LINE__, "sb", "couldn't create directory for file", p->ofn);
-+              return -1;
-+      }
-+
-       if (-1 == (ofd = open(p->ofn->ptr, O_WRONLY | O_CREAT | O_EXCL | O_BINARY, 0600))) {
-               if (errno == EEXIST) {
-                       /* cache-entry exists */
-@@ -407,6 +439,11 @@
+               /* fall through */
+       case PROXY_STATE_WRITE:;
+-              ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++              ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
  
-               close(ofd);
+               chunkqueue_remove_finished_chunks(hctx->wb);
  
-+              /* Remove the incomplete cache file, so that later hits aren't served from it */
-+              if (-1 == unlink(p->ofn->ptr)) {
-+                      log_error_write(srv, __FILE__, __LINE__, "sbss", "unlinking incomplete cachefile", p->ofn, "failed:", strerror(errno));
-+              }
-+
-               return -1;
-       }
+Index: src/Makefile.am
+===================================================================
+--- src/Makefile.am    (.../tags/lighttpd-1.4.29)
++++ src/Makefile.am    (.../branches/lighttpd-1.4.x)
+@@ -241,7 +241,7 @@
+ mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd)
+ lib_LTLIBRARIES += mod_auth.la
+-mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c
++mod_auth_la_SOURCES = mod_auth.c http_auth.c
+ mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
+ mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
+@@ -268,7 +268,7 @@
+ hdr = server.h buffer.h network.h log.h keyvalue.h \
+       response.h request.h fastcgi.h chunk.h \
+-      settings.h http_chunk.h http_auth_digest.h \
++      settings.h http_chunk.h \
+       md5.h http_auth.h stream.h \
+       fdevent.h connections.h base.h stat_cache.h \
+       plugin.h mod_auth.h \
+Index: src/network_writev.c
+===================================================================
+--- src/network_writev.c       (.../tags/lighttpd-1.4.29)
++++ src/network_writev.c       (.../branches/lighttpd-1.4.x)
+@@ -30,17 +30,16 @@
+ #define LOCAL_BUFFERING 1
+ #endif
  
-@@ -416,6 +453,12 @@
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+       chunk *c;
+-      size_t chunks_written = 0;
  
-               close(ofd);
-               close(ifd);
-+
-+              /* Remove the incomplete cache file, so that later hits aren't served from it */
-+              if (-1 == unlink(p->ofn->ptr)) {
-+                      log_error_write(srv, __FILE__, __LINE__, "sbss", "unlinking incomplete cachefile", p->ofn, "failed:", strerror(errno));
-+              }
-+
-               return -1;
-       }
+-      for(c = cq->first; c; c = c->next) {
++      for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+               int chunk_finished = 0;
  
-@@ -438,23 +481,30 @@
-               break;
-       }
+               switch(c->type) {
+               case MEM_CHUNK: {
+                       char * offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       ssize_t r;
  
--      if (-1 == (r = write(ofd, p->b->ptr, p->b->used))) {
--              munmap(start, sce->st.st_size);
--              close(ofd);
--              close(ifd);
--              return -1;
-+      if (ret == 0) {
-+              r = write(ofd, p->b->ptr, p->b->used);
-+              if (-1 == r) {
-+                      log_error_write(srv, __FILE__, __LINE__, "sbss", "writing cachefile", p->ofn, "failed:", strerror(errno));
-+                      ret = -1;
-+              } else if ((size_t)r != p->b->used) {
-+                      log_error_write(srv, __FILE__, __LINE__, "sbs", "writing cachefile", p->ofn, "failed: not enough bytes written");
-+                      ret = -1;
-+              }
-       }
+                       size_t num_chunks, i;
+@@ -65,12 +64,10 @@
+ #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de"
+ #endif
  
--      if ((size_t)r != p->b->used) {
--
--      }
+-                      /* we can't send more then SSIZE_MAX bytes in one chunk */
 -
-       munmap(start, sce->st.st_size);
-       close(ofd);
-       close(ifd);
--      if (ret != 0) return -1;
-+      if (ret != 0) {
-+              /* Remove the incomplete cache file, so that later hits aren't served from it */
-+              if (-1 == unlink(p->ofn->ptr)) {
-+                      log_error_write(srv, __FILE__, __LINE__, "sbss", "unlinking incomplete cachefile", p->ofn, "failed:", strerror(errno));
-+              }
-+              return -1;
-+      }
-+
-       buffer_copy_string_buffer(con->physical.path, p->ofn);
+                       /* build writev list
+                        *
+                        * 1. limit: num_chunks < max_chunks
+-                       * 2. limit: num_bytes < SSIZE_MAX
++                       * 2. limit: num_bytes < max_bytes
+                        */
+                       for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next);
+@@ -87,9 +84,9 @@
+                                       chunks[i].iov_base = offset;
+                                       /* protect the return value of writev() */
+-                                      if (toSend > SSIZE_MAX ||
+-                                          num_bytes + toSend > SSIZE_MAX) {
+-                                              chunks[i].iov_len = SSIZE_MAX - num_bytes;
++                                      if (toSend > max_bytes ||
++                                          (off_t) num_bytes + toSend > max_bytes) {
++                                              chunks[i].iov_len = max_bytes - num_bytes;
+                                               num_chunks = i + 1;
+                                               break;
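Review bot: Nothing in this hunk keeps the summed `iov_len` at or below SSIZE_MAX any more, although the retained comment `/* protect the return value of writev() */` still promises that; the bound is now whatever `max_bytes` the caller passes. On a build where `off_t` is wider than `ssize_t`, a budget above SSIZE_MAX would let the total exceed what writev() can return, which POSIX reports as EINVAL. The only caller argument visible on this page is `MAX_WRITE_LIMIT` in the mod_proxy.c hunk, and its definition is not shown, so a local guard before the chunk loop would keep the invariant inside this function: `if (max_bytes > SSIZE_MAX) max_bytes = SSIZE_MAX;`. The enclosing function starts in an earlier hunk and continues past this one.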
+@@ -121,6 +118,7 @@
+                       }
  
-       return 0;
-@@ -570,6 +620,8 @@
-       off_t max_fsize;
-       stat_cache_entry *sce = NULL;
+                       cq->bytes_out += r;
++                      max_bytes -= r;
  
-+      if (con->mode != DIRECT || con->http_status) return HANDLER_GO_ON;
-+
-       /* only GET and POST can get compressed */
-       if (con->request.http_method != HTTP_METHOD_GET &&
-           con->request.http_method != HTTP_METHOD_POST) {
-@@ -678,8 +730,16 @@
-                                               }
-                                       } else if (0 == deflate_file_to_buffer(srv, con, p,
-                                                                              con->physical.path, sce, compression_type)) {
-+                                              buffer *mtime;
-                                               response_header_overwrite(srv, con, CONST_STR_LEN("Content-Encoding"), compression_name, strlen(compression_name));
-+
-+                                              mtime = strftime_cache_get(srv, sce->st.st_mtime);
-+                                              response_header_overwrite(srv, con, CONST_STR_LEN("Last-Modified"), CONST_BUF_LEN(mtime));
-+
-+                                              etag_mutate(con->physical.etag, sce->etag);
-+                                              response_header_overwrite(srv, con, CONST_STR_LEN("ETag"), CONST_BUF_LEN(con->physical.etag));
-+
-                                               response_header_overwrite(srv, con, CONST_STR_LEN("Content-Type"), CONST_BUF_LEN(sce->content_type));
+                       /* check which chunks have been written */
  
-                                               return HANDLER_FINISHED;
-Index: src/mod_ssi.c
-===================================================================
---- src/mod_ssi.c      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_ssi.c      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -36,6 +36,11 @@
- #include <sys/filio.h>
- #endif
+@@ -132,11 +130,10 @@
  
-+#include "etag.h"
-+
-+/* The newest modified time of included files for include statement */
-+static volatile time_t include_file_last_mtime = 0;
-+
- /* init the plugin data */
- INIT_FUNC(mod_ssi_init) {
-       plugin_data *p;
-@@ -575,6 +580,11 @@
-                               break;
-                       case SSI_INCLUDE:
-                               chunkqueue_append_file(con->write_queue, p->stat_fn, 0, st.st_size);
-+
-+                              /* Keep the newest mtime of included files */
-+                              if (st.st_mtime > include_file_last_mtime)
-+                                include_file_last_mtime = st.st_mtime;
-+
-                               break;
+                                       if (chunk_finished) {
+                                               /* skip the chunks from further touches */
+-                                              chunks_written++;
+                                               c = c->next;
+                                       } else {
+                                               /* chunks_written + c = c->next is done in the for()*/
+-                                              chunk_finished++;
++                                              chunk_finished = 1;
+                                       }
+                               } else {
+                                       /* partially written */
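Review bot: The comment kept in the `else` branch, `/* chunks_written + c = c->next is done in the for()*/`, is stale after this hunk, which deletes `chunks_written++`; the first hunk of this file also removes the variable's declaration. It would read correctly as `/* c = c->next is done in the for() */`. The change from `chunk_finished++` to `chunk_finished = 1` matches the assignment used in the file-chunk path further down. The surrounding loop starts and ends outside this hunk.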
+@@ -284,6 +281,8 @@
+                               assert(toSend < 0);
                        }
-               } else {
-@@ -912,6 +922,9 @@
-       build_ssi_cgi_vars(srv, con, p);
-       p->if_is_false = 0;
-+      /* Reset the modified time of included files */
-+      include_file_last_mtime = 0;
-+
-       if (-1 == stream_open(&s, con->physical.path)) {
-               log_error_write(srv, __FILE__, __LINE__, "sb",
-                               "stream-open: ", con->physical.path);
-@@ -1010,6 +1023,30 @@
-       response_header_overwrite(srv, con, CONST_STR_LEN("Content-Type"), CONST_STR_LEN("text/html"));
  
-+      {
-+      /* Generate "ETag" & "Last-Modified" headers */
-+
-+              stat_cache_entry *sce = NULL;
-+              time_t lm_time = 0;
-+              buffer *mtime = NULL;
-+
-+              stat_cache_get_entry(srv, con, con->physical.path, &sce);
-+
-+              etag_mutate(con->physical.etag, sce->etag);
-+              response_header_overwrite(srv, con, CONST_STR_LEN("ETag"), CONST_BUF_LEN(con->physical.etag));
-+
-+              if (sce->st.st_mtime > include_file_last_mtime)
-+                      lm_time = sce->st.st_mtime;
-+              else
-+                      lm_time = include_file_last_mtime;
-+
-+              mtime = strftime_cache_get(srv, lm_time);
-+              response_header_overwrite(srv, con, CONST_STR_LEN("Last-Modified"), CONST_BUF_LEN(mtime));
-+      }
-+
-+      /* Reset the modified time of included files */
-+      include_file_last_mtime = 0;
++                      if (toSend > max_bytes) toSend = max_bytes;
 +
-       /* reset physical.path */
-       buffer_reset(con->physical.path);
-Index: src/spawn-fcgi.c
-===================================================================
---- src/spawn-fcgi.c   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/spawn-fcgi.c   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -37,7 +37,7 @@
- #endif
+ #ifdef LOCAL_BUFFERING
+                       start = c->mem->ptr;
+ #else
+@@ -309,6 +308,7 @@
  
- #ifdef HAVE_SYS_UN_H
--int fcgi_spawn_connection(char *appPath, char *addr, unsigned short port, const char *unixsocket, int child_count, int pid_fd, int nofork) {
-+int fcgi_spawn_connection(char *appPath, char **appArgv, char *addr, unsigned short port, const char *unixsocket, int child_count, int pid_fd, int nofork) {
-       int fcgi_fd;
-       int socket_type, status;
-       struct timeval tv = { 0, 100 * 1000 };
-@@ -48,6 +48,9 @@
+                       c->offset += r;
+                       cq->bytes_out += r;
++                      max_bytes -= r;
  
-       socklen_t servlen;
+                       if (c->offset == c->file.length) {
+                               chunk_finished = 1;
+@@ -334,11 +334,9 @@
  
-+      pid_t child;
-+      int val;
-+
-       if (child_count < 2) {
-               child_count = 5;
-       }
-@@ -71,6 +74,25 @@
- #endif
-               socket_type = AF_UNIX;
-               fcgi_addr = (struct sockaddr *) &fcgi_addr_un;
-+
-+              /* check if some backend is listening on the socket
-+               * as if we delete the socket-file and rebind there will be no "socket already in use" error
-+               */
-+              if (-1 == (fcgi_fd = socket(socket_type, SOCK_STREAM, 0))) {
-+                      fprintf(stderr, "%s.%d\n",
-+                              __FILE__, __LINE__);
-+                      return -1;
-+              }
-+
-+              if (-1 != connect(fcgi_fd, fcgi_addr, servlen)) {
-+                      fprintf(stderr, "%s.%d: socket is already used, can't spawn\n",
-+                              __FILE__, __LINE__);
-+                      return -1;
-+              }
-+
-+              /* cleanup previous socket if it exists */
-+              unlink(unixsocket);
-+              close(fcgi_fd);
-       } else {
-               fcgi_addr_in.sin_family = AF_INET;
-                 if (addr != NULL) {
-@@ -85,144 +107,128 @@
-               fcgi_addr = (struct sockaddr *) &fcgi_addr_in;
+                       break;
+               }
+-
+-              chunks_written++;
        }
  
-+      /* open socket */
-       if (-1 == (fcgi_fd = socket(socket_type, SOCK_STREAM, 0))) {
-               fprintf(stderr, "%s.%d\n",
-                       __FILE__, __LINE__);
-               return -1;
-       }
+-      return chunks_written;
++      return 0;
+ }
  
--      if (-1 == connect(fcgi_fd, fcgi_addr, servlen)) {
--              /* server is not up, spawn in  */
--              pid_t child;
--              int val;
-+      val = 1;
-+      if (setsockopt(fcgi_fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
-+              fprintf(stderr, "%s.%d\n",
-+                      __FILE__, __LINE__);
-+              return -1;
-+      }
+ #endif
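Review bot: The return value changes meaning here without any comment: the function used to end with `return chunks_written;` and now ends with `return 0;`, so a caller that still reads a positive result as progress would see none. The callers are outside this hunk, and the mod_proxy.c hunk on this page shows only `ret` being assigned, not how it is tested. A header comment on the function would record the new contract, for example `/* returns 0 on success, including a write cut short by max_bytes; progress is visible in cq->bytes_out */`. The error return values are not visible in these hunks, so that part of the comment needs to be completed from the full function.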
+Index: src/network_freebsd_sendfile.c
+===================================================================
+--- src/network_freebsd_sendfile.c     (.../tags/lighttpd-1.4.29)
++++ src/network_freebsd_sendfile.c     (.../branches/lighttpd-1.4.x)
+@@ -31,17 +31,16 @@
+ # endif
+ #endif
  
--              if (unixsocket) unlink(unixsocket);
-+      /* create socket */
-+      if (-1 == bind(fcgi_fd, fcgi_addr, servlen)) {
-+              fprintf(stderr, "%s.%d: bind failed: %s\n",
-+                      __FILE__, __LINE__,
-+                      strerror(errno));
-+              return -1;
-+      }
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+       chunk *c;
+-      size_t chunks_written = 0;
  
--              close(fcgi_fd);
-+      if (-1 == listen(fcgi_fd, 1024)) {
-+              fprintf(stderr, "%s.%d: fd = -1\n",
-+                      __FILE__, __LINE__);
-+              return -1;
-+      }
+-      for(c = cq->first; c; c = c->next, chunks_written++) {
++      for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+               int chunk_finished = 0;
  
--              /* reopen socket */
--              if (-1 == (fcgi_fd = socket(socket_type, SOCK_STREAM, 0))) {
--                      fprintf(stderr, "%s.%d\n",
--                              __FILE__, __LINE__);
--                      return -1;
--              }
-+      if (!nofork) {
-+              child = fork();
-+      } else {
-+              child = 0;
-+      }
+               switch(c->type) {
+               case MEM_CHUNK: {
+                       char * offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       ssize_t r;
  
--              val = 1;
--              if (setsockopt(fcgi_fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
--                      fprintf(stderr, "%s.%d\n",
--                              __FILE__, __LINE__);
--                      return -1;
--              }
-+      switch (child) {
-+      case 0: {
-+              char cgi_childs[64];
--              /* create socket */
--              if (-1 == bind(fcgi_fd, fcgi_addr, servlen)) {
--                      fprintf(stderr, "%s.%d: bind failed: %s\n",
--                              __FILE__, __LINE__,
--                              strerror(errno));
--                      return -1;
--              }
-+              int i = 0;
--              if (-1 == listen(fcgi_fd, 1024)) {
--                      fprintf(stderr, "%s.%d: fd = -1\n",
--                              __FILE__, __LINE__);
--                      return -1;
-+              /* is safe as we limit to 256 childs */
-+              sprintf(cgi_childs, "PHP_FCGI_CHILDREN=%d", child_count);
-+
-+              if(fcgi_fd != FCGI_LISTENSOCK_FILENO) {
-+                      close(FCGI_LISTENSOCK_FILENO);
-+                      dup2(fcgi_fd, FCGI_LISTENSOCK_FILENO);
-+                      close(fcgi_fd);
-               }
+                       size_t num_chunks, i;
+@@ -49,12 +48,10 @@
+                       chunk *tc;
+                       size_t num_bytes = 0;
  
--              if (!nofork) {
--                      child = fork();
--              } else {
--                      child = 0;
-+              /* we don't need the client socket */
-+              for (i = 3; i < 256; i++) {
-+                      close(i);
-               }
--              switch (child) {
--              case 0: {
--                      char cgi_childs[64];
--                      char *b;
-+              /* create environment */
--                      int i = 0;
-+              putenv(cgi_childs);
--                      /* is save as we limit to 256 childs */
--                      sprintf(cgi_childs, "PHP_FCGI_CHILDREN=%d", child_count);
-+              /* fork and replace shell */
-+              if (appArgv) {
-+                      execv(appArgv[0], appArgv);
--                      if(fcgi_fd != FCGI_LISTENSOCK_FILENO) {
--                              close(FCGI_LISTENSOCK_FILENO);
--                              dup2(fcgi_fd, FCGI_LISTENSOCK_FILENO);
--                              close(fcgi_fd);
--                      }
--
--                      /* we don't need the client socket */
--                      for (i = 3; i < 256; i++) {
--                              close(i);
--                      }
+-                      /* we can't send more then SSIZE_MAX bytes in one chunk */
 -
--                      /* create environment */
--
--                      putenv(cgi_childs);
--
--                      /* fork and replace shell */
--                      b = malloc(strlen("exec ") + strlen(appPath) + 1);
-+              } else {
-+                      char *b = malloc(strlen("exec ") + strlen(appPath) + 1);
-                       strcpy(b, "exec ");
-                       strcat(b, appPath);
-                       /* exec the cgi */
-                       execl("/bin/sh", "sh", "-c", b, (char *)NULL);
-+              }
--                      exit(errno);
-+              exit(errno);
--                      break;
--              }
--              case -1:
--                      /* error */
--                      break;
--              default:
--                      /* father */
-+              break;
-+      }
-+      case -1:
-+              /* error */
-+              break;
-+      default:
-+              /* father */
--                      /* wait */
--                      select(0, NULL, NULL, NULL, &tv);
-+              /* wait */
-+              select(0, NULL, NULL, NULL, &tv);
--                      switch (waitpid(child, &status, WNOHANG)) {
--                      case 0:
--                              fprintf(stderr, "%s.%d: child spawned successfully: PID: %d\n",
--                                      __FILE__, __LINE__,
--                                      child);
-+              switch (waitpid(child, &status, WNOHANG)) {
-+              case 0:
-+                      fprintf(stderr, "%s.%d: child spawned successfully: PID: %d\n",
-+                              __FILE__, __LINE__,
-+                              child);
--                              /* write pid file */
--                              if (pid_fd != -1) {
--                                      /* assume a 32bit pid_t */
--                                      char pidbuf[12];
-+                      /* write pid file */
-+                      if (pid_fd != -1) {
-+                              /* assume a 32bit pid_t */
-+                              char pidbuf[12];
--                                      snprintf(pidbuf, sizeof(pidbuf) - 1, "%d", child);
-+                              snprintf(pidbuf, sizeof(pidbuf) - 1, "%d", child);
--                                      write(pid_fd, pidbuf, strlen(pidbuf));
--                                      close(pid_fd);
--                                      pid_fd = -1;
--                              }
--
--                              break;
--                      case -1:
--                              break;
--                      default:
--                              if (WIFEXITED(status)) {
--                                      fprintf(stderr, "%s.%d: child exited with: %d, %s\n",
--                                              __FILE__, __LINE__,
--                                              WEXITSTATUS(status), strerror(WEXITSTATUS(status)));
--                              } else if (WIFSIGNALED(status)) {
--                                      fprintf(stderr, "%s.%d: child signaled: %d\n",
--                                              __FILE__, __LINE__,
--                                              WTERMSIG(status));
--                              } else {
--                                      fprintf(stderr, "%s.%d: child died somehow: %d\n",
--                                              __FILE__, __LINE__,
--                                              status);
--                              }
-+                              write(pid_fd, pidbuf, strlen(pidbuf));
-+                              close(pid_fd);
-+                              pid_fd = -1;
-                       }
-                       break;
-+              case -1:
-+                      break;
-+              default:
-+                      if (WIFEXITED(status)) {
-+                              fprintf(stderr, "%s.%d: child exited with: %d, %s\n",
-+                                      __FILE__, __LINE__,
-+                                      WEXITSTATUS(status), strerror(WEXITSTATUS(status)));
-+                      } else if (WIFSIGNALED(status)) {
-+                              fprintf(stderr, "%s.%d: child signaled: %d\n",
-+                                      __FILE__, __LINE__,
-+                                      WTERMSIG(status));
-+                      } else {
-+                              fprintf(stderr, "%s.%d: child died somehow: %d\n",
-+                                      __FILE__, __LINE__,
-+                                      status);
-+                      }
+                       /* build writev list
+                        *
+                        * 1. limit: num_chunks < UIO_MAXIOV
+-                       * 2. limit: num_bytes < SSIZE_MAX
++                       * 2. limit: num_bytes < max_bytes
+                        */
+                       for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next);
+@@ -69,9 +66,9 @@
+                                       chunks[i].iov_base = offset;
+                                       /* protect the return value of writev() */
+-                                      if (toSend > SSIZE_MAX ||
+-                                          num_bytes + toSend > SSIZE_MAX) {
+-                                              chunks[i].iov_len = SSIZE_MAX - num_bytes;
++                                      if (toSend > max_bytes ||
++                                          (off_t) num_bytes + toSend > max_bytes) {
++                                              chunks[i].iov_len = max_bytes - num_bytes;
+                                               num_chunks = i + 1;
+                                               break;
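Review bot: The overflow guard in hunk @@ -69,9 +66,9 @@ may still compare in unsigned arithmetic, because the cast in `(off_t) num_bytes + toSend > max_bytes` binds only to `num_bytes`. `toSend` and `num_bytes` are declared outside this hunk; if `toSend` is still a `size_t` of the same width as `off_t`, both the sum and `max_bytes` are converted to unsigned, and a zero or negative `max_bytes` would make `max_bytes - num_bytes` a very large `iov_len`. Casting both operands keeps the comparison signed: `if ((off_t) toSend > max_bytes ||` and `(off_t) num_bytes + (off_t) toSend > max_bytes) {`. A one-line comment stating that `max_bytes` is expected to be positive on entry to this loop would also help; the enclosing function starts and ends outside the hunk.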
+@@ -105,6 +102,7 @@
+                       /* check which chunks have been written */
+                       cq->bytes_out += r;
++                      max_bytes -= r;
+                       for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+                               if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -114,11 +112,10 @@
+                                       if (chunk_finished) {
+                                               /* skip the chunks from further touches */
+-                                              chunks_written++;
+                                               c = c->next;
+                                       } else {
+                                               /* chunks_written + c = c->next is done in the for()*/
+-                                              chunk_finished++;
++                                              chunk_finished = 1;
+                                       }
+                               } else {
+                                       /* partially written */
+@@ -134,7 +131,7 @@
                }
--      } else {
--              fprintf(stderr, "%s.%d: socket is already used, can't spawn\n",
--                      __FILE__, __LINE__);
--              return -1;
-+
-+              break;
-       }
-       close(fcgi_fd);
-@@ -239,9 +245,12 @@
- }
+               case FILE_CHUNK: {
+                       off_t offset, r;
+-                      size_t toSend;
++                      off_t toSend;
+                       stat_cache_entry *sce = NULL;
+                       if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) {
+@@ -144,9 +141,8 @@
+                       }
  
- void show_help () {
--      char *b = "spawn-fcgi" "-" PACKAGE_VERSION \
--" - spawns fastcgi processes\n" \
--"usage:\n" \
-+      char *b = \
-+"Usage: spawn-fcgi [options] -- <fcgiapp> [fcgi app arguments]\n" \
-+"\n" \
-+"spawn-fcgi v" PACKAGE_VERSION " - spawns fastcgi processes\n" \
-+"\n" \
-+"Options:\n" \
- " -f <fcgiapp> filename of the fcgi-application\n" \
- " -a <addr>    bind to ip address\n" \
- " -p <port>    bind to tcp-port\n" \
-@@ -264,6 +273,7 @@
-       char *fcgi_app = NULL, *changeroot = NULL, *username = NULL,
-                *groupname = NULL, *unixsocket = NULL, *pid_file = NULL,
-                 *addr = NULL;
-+      char **fcgi_app_argv = { NULL };
-       unsigned short port = 0;
-       int child_count = 5;
-       int i_am_root, o;
-@@ -274,10 +284,10 @@
-       i_am_root = (getuid() == 0);
--       while(-1 != (o = getopt(argc, argv, "c:f:g:hna:p:u:vC:s:P:"))) {
-+      while(-1 != (o = getopt(argc, argv, "c:f:g:hna:p:u:vC:s:P:"))) {
-               switch(o) {
-               case 'f': fcgi_app = optarg; break;
--               case 'a': addr = optarg;/* ip addr */ break;
-+              case 'a': addr = optarg;/* ip addr */ break;
-               case 'p': port = strtol(optarg, NULL, 10);/* port */ break;
-               case 'C': child_count = strtol(optarg, NULL, 10);/*  */ break;
-               case 's': unixsocket = optarg; /* unix-domain socket */ break;
-@@ -294,7 +304,11 @@
-               }
-       }
+                       offset = c->file.start + c->offset;
+-                      /* limit the toSend to 2^31-1 bytes in a chunk */
+-                      toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+-                              ((1 << 30) - 1) : c->file.length - c->offset;
++                      toSend = c->file.length - c->offset;
++                      if (toSend > max_bytes) toSend = max_bytes;
  
--      if (fcgi_app == NULL || (port == 0 && unixsocket == NULL)) {
-+      if (optind < argc) {
-+              fcgi_app_argv = &argv[optind];
-+      }
-+
-+      if ((fcgi_app == NULL && fcgi_app_argv == NULL) || (port == 0 && unixsocket == NULL)) {
-               show_help();
-               return -1;
-       }
-@@ -404,6 +418,18 @@
-                       }
-               }
+                       if (-1 == c->file.fd) {
+                               if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
+@@ -197,6 +193,7 @@
  
-+              /*
-+               * Change group before chroot, when we have access
-+               * to /etc/group
-+               */
-+              if (groupname) {
-+                      setgid(grp->gr_gid);
-+                      setgroups(0, NULL);
-+                      if (username) {
-+                              initgroups(username, grp->gr_gid);
-+                      }
-+              }
-+
-               if (changeroot) {
-                       if (-1 == chroot(changeroot)) {
-                               fprintf(stderr, "%s.%d: %s %s\n",
-@@ -420,18 +446,12 @@
-               }
+                       c->offset += r;
+                       cq->bytes_out += r;
++                      max_bytes -= r;
  
-               /* drop root privs */
--              if (groupname) {
--                      setgid(grp->gr_gid);
--              }
-               if (username) {
--                      if (groupname) {
--                              initgroups(username, grp->gr_gid);
--                      }
-                       setuid(pwd->pw_uid);
+                       if (c->offset == c->file.length) {
+                               chunk_finished = 1;
+@@ -218,7 +215,7 @@
                }
        }
  
--       return fcgi_spawn_connection(fcgi_app, addr, port, unixsocket, child_count, pid_fd, nofork);
-+       return fcgi_spawn_connection(fcgi_app, fcgi_app_argv, addr, port, unixsocket, child_count, pid_fd, nofork);
+-      return chunks_written;
++      return 0;
  }
- #else
- int main() {
-Index: src/mod_auth.c
+ #endif
+Index: src/network_openssl.c
 ===================================================================
---- src/mod_auth.c     (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_auth.c     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -238,13 +238,13 @@
-                       int auth_type_len = auth_realm - http_authorization;
+--- src/network_openssl.c      (.../tags/lighttpd-1.4.29)
++++ src/network_openssl.c      (.../branches/lighttpd-1.4.x)
+@@ -27,10 +27,9 @@
+ # include <openssl/ssl.h>
+ # include <openssl/err.h>
  
-                       if ((auth_type_len == 5) &&
--                          (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
-+                          (0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) {
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
+       int ssl_r;
+       chunk *c;
+-      size_t chunks_written = 0;
  
-                               if (0 == strcmp(method->value->ptr, "basic")) {
-                                       auth_satisfied = http_auth_basic_check(srv, con, p, req, con->uri.path, auth_realm+1);
-                               }
-                       } else if ((auth_type_len == 6) &&
--                                 (0 == strncmp(http_authorization, "Digest", auth_type_len))) {
-+                                 (0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
-                               if (0 == strcmp(method->value->ptr, "digest")) {
-                                       if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, con->uri.path, auth_realm+1))) {
-                                               con->http_status = 400;
-Index: src/mod_fastcgi.c
-===================================================================
---- src/mod_fastcgi.c  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/mod_fastcgi.c  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -162,8 +162,8 @@
-        * if host is one of the local IP adresses the
-        * whole connection is local
+       /* this is a 64k sendbuffer
         *
--       * if tcp/ip should be used host AND port have
--       * to be specified
-+       * if port is not 0, and host is not specified,
-+       * "localhost" (INADDR_LOOPBACK) is assumed.
-        *
-        */
-       buffer *host;
-@@ -823,12 +823,12 @@
-               fcgi_addr_in.sin_family = AF_INET;
+@@ -59,13 +58,13 @@
+               SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+       }
  
-               if (buffer_is_empty(host->host)) {
--                      fcgi_addr_in.sin_addr.s_addr = htonl(INADDR_ANY);
-+                      fcgi_addr_in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-               } else {
-                       struct hostent *he;
+-      for(c = cq->first; c; c = c->next) {
++      for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+               int chunk_finished = 0;
  
-                       /* set a useful default */
--                      fcgi_addr_in.sin_addr.s_addr = htonl(INADDR_ANY);
-+                      fcgi_addr_in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+               switch(c->type) {
+               case MEM_CHUNK: {
+                       char * offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       ssize_t r;
  
+                       if (c->mem->used == 0 || c->mem->used == 1) {
+@@ -75,6 +74,7 @@
  
-                       if (NULL == (he = gethostbyname(host->host->ptr))) {
-@@ -858,7 +858,11 @@
-               fcgi_addr = (struct sockaddr *) &fcgi_addr_in;
+                       offset = c->mem->ptr + c->offset;
+                       toSend = c->mem->used - 1 - c->offset;
++                      if (toSend > max_bytes) toSend = max_bytes;
  
-               buffer_copy_string(proc->connection_name, "tcp:");
--              buffer_append_string_buffer(proc->connection_name, host->host);
-+              if (!buffer_is_empty(host->host)) {
-+                      buffer_append_string_buffer(proc->connection_name, host->host);
-+              } else {
-+                      buffer_append_string(proc->connection_name, "localhost");
-+              }
-               buffer_append_string(proc->connection_name, ":");
-               buffer_append_long(proc->connection_name, proc->port);
-       }
-@@ -1687,12 +1691,16 @@
- #endif
-       } else {
-               fcgi_addr_in.sin_family = AF_INET;
--              if (0 == inet_aton(host->host->ptr, &(fcgi_addr_in.sin_addr))) {
--                      log_error_write(srv, __FILE__, __LINE__, "sbs",
--                                      "converting IP address failed for", host->host,
--                                      "\nBe sure to specify an IP address here");
--
--                      return -1;
-+              if (!buffer_is_empty(host->host)) {
-+                      if (0 == inet_aton(host->host->ptr, &(fcgi_addr_in.sin_addr))) {
-+                              log_error_write(srv, __FILE__, __LINE__, "sbs",
-+                                              "converting IP address failed for", host->host,
-+                                              "\nBe sure to specify an IP address here");
-+      
+                       /**
+                        * SSL_write man-page
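Review bot: The MEM_CHUNK path in hunk @@ -75,6 +74,7 @@ clamps `toSend` only to `max_bytes`, yet `toSend` is now an `off_t` (hunk @@ -59,13 +58,13 @@) and is handed to `SSL_write()`, whose length parameter is an `int`. The FILE_CHUNK path further down additionally limits the length to `LOCAL_SEND_BUFSIZE`, so only this branch depends on the caller passing a small enough `max_bytes`. Bounding it explicitly avoids a silent narrowing on a very large chunk: `if (toSend > INT_MAX) toSend = INT_MAX;` (needs `<limits.h>`) right after the `max_bytes` clamp. The switch case continues outside this hunk.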
+@@ -87,7 +87,14 @@
+                        */
+                       ERR_clear_error();
+-                      if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
++                      r = SSL_write(ssl, offset, toSend);
++
++                      if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++                              log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
 +                              return -1;
 +                      }
-+              } else {
-+                      fcgi_addr_in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-               }
-               fcgi_addr_in.sin_port = htons(proc->port);
-               servlen = sizeof(fcgi_addr_in);
-@@ -1702,7 +1710,11 @@
-               if (buffer_is_empty(proc->connection_name)) {
-                       /* on remote spawing we have to set the connection-name now */
-                       buffer_copy_string(proc->connection_name, "tcp:");
--                      buffer_append_string_buffer(proc->connection_name, host->host);
-+                      if (!buffer_is_empty(host->host)) {
-+                              buffer_append_string_buffer(proc->connection_name, host->host);
-+                      } else {
-+                              buffer_append_string(proc->connection_name, "localhost");
-+                      }
-                       buffer_append_string(proc->connection_name, ":");
-                       buffer_append_long(proc->connection_name, proc->port);
-               }
-@@ -2045,13 +2057,10 @@
-       s = get_http_version_name(con->request.http_version);
-       FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_PROTOCOL"), s, strlen(s)),con)
++
++                      if (r <= 0) {
+                               unsigned long err;
  
--#ifdef USE_OPENSSL
--      if (srv_sock->is_ssl) {
-+    if (srv_sock->is_ssl || srv_sock->is_proxy_ssl) {
-               FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on")),con)
-       }
--#endif
+                               switch ((ssl_r = SSL_get_error(ssl, r))) {
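Review bot: The client-renegotiation guard added in hunk @@ -87,7 +87,14 @@ is duplicated line for line in the FILE_CHUNK path (hunk @@ -190,7 +199,14 @@), and neither copy says why the threshold is `> 1` or where `con->renegotiations` is incremented. The counter is maintained outside these hunks, so the reader cannot tell from here that the first count is presumably the initial handshake. A comment such as `/* renegotiations counts handshake starts; anything beyond the first is client-initiated (confirm against the code that increments it) */` above the check would document that. Moving the four lines into one small `static` helper called from both places would keep the two copies from drifting apart. The check runs only after `SSL_write()` has returned, so it detects the renegotiation on the write path rather than preventing it; that limitation deserves a mention in the same comment.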
+@@ -139,6 +146,7 @@
+                       } else {
+                               c->offset += r;
+                               cq->bytes_out += r;
++                              max_bytes -= r;
+                       }
  
--
-       FCGI_ENV_ADD_CHECK(fcgi_env_add_request_headers(srv, con, p), con);
+                       if (c->offset == (off_t)c->mem->used - 1) {
+@@ -168,6 +176,7 @@
+                       do {
+                               off_t offset = c->file.start + c->offset;
+                               off_t toSend = c->file.length - c->offset;
++                              if (toSend > max_bytes) toSend = max_bytes;
  
-       fcgi_header(&(header), FCGI_PARAMS, request_id, p->fcgi_env->used, 0);
-@@ -2530,15 +2539,28 @@
-                               }
+                               if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
  
-                               if (host->allow_xsendfile &&
--                                  NULL != (ds = (data_string *) array_get_element(con->response.headers, "X-LIGHTTPD-send-file"))) {
-+                                  (NULL != (ds = (data_string *) array_get_element(con->response.headers, "X-LIGHTTPD-send-file"))
-+                                        || NULL != (ds = (data_string *) array_get_element(con->response.headers, "X-Sendfile")))) {
-                                       stat_cache_entry *sce;
+@@ -190,7 +199,14 @@
+                               close(ifd);
  
-                                       if (HANDLER_ERROR != stat_cache_get_entry(srv, con, ds->value, &sce)) {
-+                                              data_string *dcls = data_string_init();
-                                               /* found */
--
-                                               http_chunk_append_file(srv, con, ds->value, 0, sce->st.st_size);
-                                               hctx->send_content_body = 0; /* ignore the content */
-                                               joblist_append(srv, con);
+                               ERR_clear_error();
+-                              if ((r = SSL_write(ssl, s, toSend)) <= 0) {
++                              r = SSL_write(ssl, s, toSend);
 +
-+                                              buffer_copy_string_len(dcls->key, "Content-Length", sizeof("Content-Length")-1);
-+                                              buffer_copy_long(dcls->value, sce->st.st_size);
-+                                              dcls = (data_string*) array_replace(con->response.headers, (data_unset *)dcls);
-+                                              if (dcls) dcls->free((data_unset*)dcls);
++                              if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++                                      log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++                                      return -1;
++                              }
 +
-+                                              con->parsed_response |= HTTP_CONTENT_LENGTH;
-+                                              con->response.content_length = sce->st.st_size;
-+                                      } else {
-+                                              log_error_write(srv, __FILE__, __LINE__, "sb",
-+                                                      "send-file error: couldn't get stat_cache entry for:",
-+                                                      ds->value);
-                                       }
++                              if (r <= 0) {
+                                       unsigned long err;
+                                       switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -243,12 +259,13 @@
+                               } else {
+                                       c->offset += r;
+                                       cq->bytes_out += r;
++                                      max_bytes -= r;
                                }
  
-@@ -2719,9 +2741,14 @@
-       int ret;
--      /* sanity check */
-+      /* sanity check:
-+       *  - host != NULL
-+       *  - either:
-+       *     - tcp socket (do not check host->host->uses, as it may be not set which means INADDR_LOOPBACK)
-+       *     - unix socket
-+       */
-       if (!host ||
--          ((!host->host->used || !host->port) && !host->unixsocket->used)) {
-+          (!host->port && !host->unixsocket->used)) {
-               log_error_write(srv, __FILE__, __LINE__, "sxddd",
-                               "write-req: error",
-                               host,
-@@ -3456,8 +3483,9 @@
-                       if (s_len < ct_len) continue;
-                       /* check extension in the form "/fcgi_pattern" */
--                      if (*(extension->key->ptr) == '/' && strncmp(fn->ptr, extension->key->ptr, ct_len) == 0) {
--                              break;
-+                      if (*(extension->key->ptr) == '/') {
-+                              if (strncmp(fn->ptr, extension->key->ptr, ct_len) == 0)
-+                                      break;
-                       } else if (0 == strncmp(fn->ptr + s_len - ct_len, extension->key->ptr, ct_len)) {
-                               /* check extension in the form ".fcg" */
-                               break;
-@@ -3473,7 +3501,7 @@
-       for (k = 0; k < extension->used; k++) {
-               host = extension->hosts[k];
--              /* we should have at least one proc that can do somthing */
-+              /* we should have at least one proc that can do something */
-               if (host->active_procs == 0) {
-                       host = NULL;
-Index: src/stream.c
-===================================================================
---- src/stream.c       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/stream.c       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -64,6 +64,7 @@
-                       NULL);
-       if (!mh) {
-+/*
-               LPVOID lpMsgBuf;
-               FormatMessage(
-                       FORMAT_MESSAGE_ALLOCATE_BUFFER |
-@@ -73,7 +74,7 @@
-                       MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
-                       (LPTSTR) &lpMsgBuf,
-                       0, NULL );
--
-+*/
-               return -1;
-       }
+                               if (c->offset == c->file.length) {
+                                       chunk_finished = 1;
+                               }
+-                      } while(!chunk_finished && !write_wait);
++                      } while (!chunk_finished && !write_wait && max_bytes > 0);
  
-Index: src/server.c
-===================================================================
---- src/server.c       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/server.c       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -697,9 +697,6 @@
-                       }
+                       break;
                }
+@@ -263,11 +280,9 @@
  
--              /* #372: solaris need some fds extra for devpoll */
--              if (rlim.rlim_cur > 10) rlim.rlim_cur -= 10;
--
-               if (srv->event_handler == FDEVENT_HANDLER_SELECT) {
-                       srv->max_fds = rlim.rlim_cur < FD_SETSIZE - 200 ? rlim.rlim_cur : FD_SETSIZE - 200;
-               } else {
-@@ -759,6 +756,19 @@
-                       return -1;
+                       break;
                }
-+#ifdef HAVE_PWD_H
-+              /* 
-+               * Change group before chroot, when we have access
-+               * to /etc/group
-+               * */
-+              if (srv->srvconf.groupname->used) {
-+                      setgid(grp->gr_gid);
-+                      setgroups(0, NULL);
-+                      if (srv->srvconf.username->used) {
-+                              initgroups(srv->srvconf.username->ptr, grp->gr_gid);
-+                      }
-+              }
-+#endif
- #ifdef HAVE_CHROOT
-               if (srv->srvconf.changeroot->used) {
-                       tzset();
-@@ -775,15 +785,7 @@
- #endif
- #ifdef HAVE_PWD_H
-               /* drop root privs */
--              if (srv->srvconf.groupname->used) {
--                      setgid(grp->gr_gid);
--                      setgroups(0, NULL);
--              }
 -
-               if (srv->srvconf.username->used) {
--                      if (srv->srvconf.groupname->used) {
--                              initgroups(srv->srvconf.username->ptr, grp->gr_gid);
--                      }
-                       setuid(pwd->pw_uid);
-               }
- #endif
-@@ -891,6 +893,17 @@
-               pid_fd = -1;
+-              chunks_written++;
        }
  
-+      // Close stderr ASAP in the child process to make sure that nothing
-+      // is being written to that fd which may not be valid anymore.
-+      if (-1 == log_error_open(srv)) {
-+              log_error_write(srv, __FILE__, __LINE__, "s", "Opening errorlog failed. Going down.");
-+
-+              plugins_free(srv);
-+              network_close(srv);
-+              server_free(srv);
-+              return -1;
+-      return chunks_written;
++      return 0;
+ }
+ #endif
+Index: src/http_auth.c
+===================================================================
+--- src/http_auth.c    (.../tags/lighttpd-1.4.29)
++++ src/http_auth.c    (.../branches/lighttpd-1.4.x)
+@@ -1,7 +1,6 @@
+ #include "server.h"
+ #include "log.h"
+ #include "http_auth.h"
+-#include "http_auth_digest.h"
+ #include "inet_ntop_cache.h"
+ #include "stream.h"
+@@ -28,18 +27,23 @@
+ #include <unistd.h>
+ #include <ctype.h>
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
++#define HASHLEN 16
++#define HASHHEXLEN 32
++typedef unsigned char HASH[HASHLEN];
++typedef char HASHHEX[HASHHEXLEN+1];
+-#endif
++static void CvtHex(const HASH Bin, char Hex[33]) {
++      unsigned short i;
++      for (i = 0; i < 16; i++) {
++              Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
++              Hex[i*2+1] = int2hex(Bin[i] & 0xf);
 +      }
++      Hex[32] = '\0';
++}
 +
-       if (HANDLER_GO_ON != plugins_call_set_defaults(srv)) {
-               log_error_write(srv, __FILE__, __LINE__, "s", "Configuration of plugins failed. Going down.");
+ /**
+  * the $apr1$ handling is taken from apache 1.3.x
+  */
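Review bot: The new `CvtHex` in hunk @@ -28,18 +27,23 @@ hard-codes `16`, `32` and `Hex[33]` although `HASHLEN`, `HASHHEXLEN` and the `HASHHEX` typedef are defined directly above it. If the macros ever change, the loop bound and the terminator index will not follow, and the output buffer is the one most likely to be overrun. Using the names keeps them tied together: `static void CvtHex(const HASH Bin, HASHHEX Hex) {`, `for (i = 0; i < HASHLEN; i++) {` and `Hex[HASHHEXLEN] = '\0';`. A one-line comment that `Hex` must hold `HASHHEXLEN + 1` bytes would document the contract for callers.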
+@@ -95,7 +99,7 @@
+       ch = in[0];
+       /* run through the whole string, converting as we go */
+       for (i = 0; i < in_len; i++) {
+-              ch = in[i];
++              ch = (unsigned char) in[i];
  
-@@ -941,15 +954,7 @@
-               return -1;
-       }
+               if (ch == '\0') break;
  
--      if (-1 == log_error_open(srv)) {
--              log_error_write(srv, __FILE__, __LINE__, "s",
--                              "opening errorlog failed, dying");
+@@ -435,7 +439,7 @@
  
--              plugins_free(srv);
--              network_close(srv);
--              server_free(srv);
--              return -1;
--      }
+ static void to64(char *s, unsigned long v, int n)
+ {
+-    static unsigned char itoa64[] =         /* 0 ... 63 => ASCII - 64 */
++    static const unsigned char itoa64[] =         /* 0 ... 63 => ASCII - 64 */
+         "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+     while (--n >= 0) {
+@@ -455,7 +459,7 @@
+     const char *sp, *ep;
+     unsigned char final[APR_MD5_DIGESTSIZE];
+     ssize_t sl, pl, i;
+-    MD5_CTX ctx, ctx1;
++    li_MD5_CTX ctx, ctx1;
+     unsigned long l;
+     /*
+@@ -487,33 +491,33 @@
+     /*
+      * 'Time to make the doughnuts..'
+      */
+-    MD5_Init(&ctx);
++    li_MD5_Init(&ctx);
+     /*
+      * The password first, since that is what is most unknown
+      */
+-    MD5_Update(&ctx, pw, strlen(pw));
++    li_MD5_Update(&ctx, pw, strlen(pw));
+     /*
+      * Then our magic string
+      */
+-    MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
++    li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
+     /*
+      * Then the raw salt
+      */
+-    MD5_Update(&ctx, sp, sl);
++    li_MD5_Update(&ctx, sp, sl);
+     /*
+      * Then just as many characters of the MD5(pw, salt, pw)
+      */
+-    MD5_Init(&ctx1);
+-    MD5_Update(&ctx1, pw, strlen(pw));
+-    MD5_Update(&ctx1, sp, sl);
+-    MD5_Update(&ctx1, pw, strlen(pw));
+-    MD5_Final(final, &ctx1);
++    li_MD5_Init(&ctx1);
++    li_MD5_Update(&ctx1, pw, strlen(pw));
++    li_MD5_Update(&ctx1, sp, sl);
++    li_MD5_Update(&ctx1, pw, strlen(pw));
++    li_MD5_Final(final, &ctx1);
+     for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) {
+-        MD5_Update(&ctx, final,
++        li_MD5_Update(&ctx, final,
+                       (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl);
+     }
  
+@@ -527,10 +531,10 @@
+      */
+     for (i = strlen(pw); i != 0; i >>= 1) {
+         if (i & 1) {
+-            MD5_Update(&ctx, final, 1);
++            li_MD5_Update(&ctx, final, 1);
+         }
+         else {
+-            MD5_Update(&ctx, pw, 1);
++            li_MD5_Update(&ctx, pw, 1);
+         }
+     }
  
- #ifdef HAVE_SIGACTION
-Index: src/network_linux_sendfile.c
-===================================================================
---- src/network_linux_sendfile.c       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ src/network_linux_sendfile.c       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -162,6 +162,7 @@
-                               switch (errno) {
-                               case EAGAIN:
-                               case EINTR:
-+                                      /* ok, we can't send more, let's try later again */
-                                       r = 0;
-                                       break;
-                               case EPIPE:
-@@ -172,9 +173,7 @@
-                                                       "sendfile failed:", strerror(errno), fd);
-                                       return -1;
-                               }
--                      }
--
--                      if (r == 0) {
-+                      } else if (r == 0) {
-                               int oerrno = errno;
-                               /* We got an event to write but we wrote nothing
-                                *
-Index: tests/mod-access.t
-===================================================================
---- tests/mod-access.t (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-access.t (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+@@ -542,7 +546,7 @@
+     strncat(passwd, sp, sl);
+     strcat(passwd, "$");
+-    MD5_Final(final, &ctx);
++    li_MD5_Final(final, &ctx);
+     /*
+      * And now, just to make sure things don't run too fast..
+@@ -550,28 +554,28 @@
+      * need 30 seconds to build a 1000 entry dictionary...
+      */
+     for (i = 0; i < 1000; i++) {
+-        MD5_Init(&ctx1);
++        li_MD5_Init(&ctx1);
+         if (i & 1) {
+-            MD5_Update(&ctx1, pw, strlen(pw));
++            li_MD5_Update(&ctx1, pw, strlen(pw));
+         }
+         else {
+-            MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++            li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+         }
+         if (i % 3) {
+-            MD5_Update(&ctx1, sp, sl);
++            li_MD5_Update(&ctx1, sp, sl);
+         }
+         if (i % 7) {
+-            MD5_Update(&ctx1, pw, strlen(pw));
++            li_MD5_Update(&ctx1, pw, strlen(pw));
+         }
+         if (i & 1) {
+-            MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++            li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+         }
+         else {
+-            MD5_Update(&ctx1, pw, strlen(pw));
++            li_MD5_Update(&ctx1, pw, strlen(pw));
+         }
+-        MD5_Final(final,&ctx1);
++        li_MD5_Final(final,&ctx1);
+     }
  
- use strict;
-Index: tests/mod-auth.t
-===================================================================
---- tests/mod-auth.t   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-auth.t   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,14 +1,14 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+     p = passwd + strlen(passwd);
+@@ -614,17 +618,17 @@
+                * user:realm:md5(user:realm:password)
+                */
  
- use strict;
- use IO::Socket;
--use Test::More tests => 13;
-+use Test::More tests => 14;
- use LightyTest;
+-              MD5_CTX Md5Ctx;
++              li_MD5_CTX Md5Ctx;
+               HASH HA1;
+               char a1[256];
+-              MD5_Init(&Md5Ctx);
+-              MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
+-              MD5_Final(HA1, &Md5Ctx);
++              li_MD5_Init(&Md5Ctx);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
++              li_MD5_Final(HA1, &Md5Ctx);
+               CvtHex(HA1, a1);
+@@ -930,7 +934,7 @@
+       int i;
+       buffer *password, *b, *username_buf, *realm_buf;
+-      MD5_CTX Md5Ctx;
++      li_MD5_CTX Md5Ctx;
+       HASH HA1;
+       HASH HA2;
+       HASH RespHash;
+@@ -1067,13 +1071,13 @@
+       if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
+               /* generate password from plain-text */
+-              MD5_Init(&Md5Ctx);
+-              MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
+-              MD5_Final(HA1, &Md5Ctx);
++              li_MD5_Init(&Md5Ctx);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
++              li_MD5_Final(HA1, &Md5Ctx);
+       } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) {
+               /* HA1 */
+               /* transform the 32-byte-hex-md5 to a 16-byte-md5 */
+@@ -1090,45 +1094,45 @@
+       if (algorithm &&
+           strcasecmp(algorithm, "md5-sess") == 0) {
+-              MD5_Init(&Md5Ctx);
+-              MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+-              MD5_Final(HA1, &Md5Ctx);
++              li_MD5_Init(&Md5Ctx);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++              li_MD5_Final(HA1, &Md5Ctx);
+       }
  
- my $tf = LightyTest->new();
-@@ -48,6 +48,16 @@
- $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
- ok($tf->handle_http($t) == 0, 'Basic-Auth: Valid Auth-token - htpasswd (des)');
+       CvtHex(HA1, a1);
+       /* calculate H(A2) */
+-      MD5_Init(&Md5Ctx);
+-      MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
+-      MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-      MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
++      li_MD5_Init(&Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
+       if (qop && strcasecmp(qop, "auth-int") == 0) {
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
+       }
+-      MD5_Final(HA2, &Md5Ctx);
++      li_MD5_Final(HA2, &Md5Ctx);
+       CvtHex(HA2, HA2Hex);
+       /* calculate response */
+-      MD5_Init(&Md5Ctx);
+-      MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
+-      MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-      MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+-      MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++      li_MD5_Init(&Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+       if (qop && *qop) {
+-              MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+-              MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
+-              MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++              li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
++              li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+       };
+-      MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
+-      MD5_Final(RespHash, &Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
++      li_MD5_Final(RespHash, &Md5Ctx);
+       CvtHex(RespHash, a2);
+       if (0 != strcmp(a2, respons)) {
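Review bot: In the `auth-int` branch of the H(A2) calculation, `li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);` hashes HASHHEXLEN bytes starting at a one-byte string literal, so the update reads past the end of `""` and feeds whatever follows it in memory into the digest. The rename carries that call over unchanged. RFC 2617 puts the hex digest of the entity body at this position, so the call should be given a filled `HASHHEX` buffer, or `qop=auth-int` should be refused until that hash is computed. At minimum I would add `/* FIXME: auth-int needs H(entity-body); "" is 1 byte, not HASHHEXLEN */` above the call. The enclosing function starts and ends outside this hunk.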
+@@ -1171,24 +1175,24 @@
+ int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) {
+       HASH h;
+-      MD5_CTX Md5Ctx;
++      li_MD5_CTX Md5Ctx;
+       char hh[32];
+       UNUSED(p);
+       /* generate shared-secret */
+-      MD5_Init(&Md5Ctx);
+-      MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
+-      MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++      li_MD5_Init(&Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+       /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+       LI_ltostr(hh, srv->cur_ts);
+-      MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+-      MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+       LI_ltostr(hh, rand());
+-      MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+-      MD5_Final(h, &Md5Ctx);
++      li_MD5_Final(h, &Md5Ctx);
+       CvtHex(h, out);
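Review bot: The nonce built in `http_auth_digest_generate_nonce` still takes its per-call variation from `srv->cur_ts` and `rand()`, neither of which is unpredictable, so the nonce is only as strong as `srv->entropy`, and how that field is seeded is not visible in this hunk. I would document the dependency next to the entropy update, e.g. `/* unpredictability comes from srv->entropy only; cur_ts and rand() are guessable */`, and confirm the field is filled from the OS random source at startup. The same construction is copied into the `src/mod_usertrack.c` hunk at `-228,18 +218,18` for the tracking cookie value. The end of the function is outside the hunk.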
+Index: src/mod_usertrack.c
+===================================================================
+--- src/mod_usertrack.c        (.../tags/lighttpd-1.4.29)
++++ src/mod_usertrack.c        (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
  
-+$t->{REQUEST}  = ( <<EOF
-+GET /server-config HTTP/1.0
-+Host: auth-htpasswd.example.org
-+Authorization: basic ZGVzOmRlcw==
-+EOF
-+ );
-+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-+ok($tf->handle_http($t) == 0, 'Basic-Auth: Valid Auth-token - htpasswd (des) (lowercase)');
-+
-+
- SKIP: {
-       skip "no md5 for crypt under cygwin", 1 if $^O eq 'cygwin';
- $t->{REQUEST}  = ( <<EOF
-Index: tests/mod-secdownload.t
-===================================================================
-Index: tests/core-response.t
-===================================================================
---- tests/core-response.t      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core-response.t      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,10 +1,9 @@
- #!/usr/bin/env perl
--
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
  
- use strict;
-Index: tests/mod-extforward.conf
-===================================================================
---- tests/mod-extforward.conf  (.../tags/lighttpd-1.4.18)      (revision 0)
-+++ tests/mod-extforward.conf  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -0,0 +1,31 @@
-+debug.log-request-handling   = "enable"
-+debug.log-response-header   = "disable"
-+debug.log-request-header   = "disable"
-+
-+server.document-root         = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
-+server.pid-file              = env.SRCDIR + "/tmp/lighttpd/lighttpd.pid"
-+
-+## bind to port (default: 80)
-+server.port                 = 2048
-+
-+## bind to localhost (default: all interfaces)
-+server.bind                = "localhost"
-+server.errorlog            = env.SRCDIR + "/tmp/lighttpd/logs/lighttpd.error.log"
-+server.name                = "www.example.org"
-+server.tag                 = "Apache 1.3.29"
-+
-+server.modules = (
-+      "mod_cgi",
-+      "mod_extforward"
-+)
-+
-+######################## MODULE CONFIG ############################
-+
-+mimetype.assign             = ( ".html" => "text/html" )
-+
-+cgi.assign = (".pl" => "/usr/bin/perl" )
-+
-+extforward.forwarder = (
-+      "127.0.0.1" => "trust",
-+      "127.0.30.1" => "trust",
-+)
-Index: tests/symlink.t
-===================================================================
-Index: tests/request.t
-===================================================================
---- tests/request.t    (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/request.t    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ /* plugin config for all request/connections */
  
- use strict;
-Index: tests/mod-userdir.t
+ typedef struct {
+@@ -182,7 +172,7 @@
+       plugin_data *p = p_d;
+       data_string *ds;
+       unsigned char h[16];
+-      MD5_CTX Md5Ctx;
++      li_MD5_CTX Md5Ctx;
+       char hh[32];
+       if (con->uri.path->used == 0) return HANDLER_GO_ON;
+@@ -228,18 +218,18 @@
+       /* taken from mod_auth.c */
+       /* generate shared-secret */
+-      MD5_Init(&Md5Ctx);
+-      MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
+-      MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++      li_MD5_Init(&Md5Ctx);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
++      li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+       /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+       LI_ltostr(hh, srv->cur_ts);
+-      MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+-      MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+       LI_ltostr(hh, rand());
+-      MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++      li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+-      MD5_Final(h, &Md5Ctx);
++      li_MD5_Final(h, &Md5Ctx);
+       buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX);
+       buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/"));
+Index: src/mod_status.c
 ===================================================================
---- tests/mod-userdir.t        (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-userdir.t        (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+--- src/mod_status.c   (.../tags/lighttpd-1.4.29)
++++ src/mod_status.c   (.../branches/lighttpd-1.4.x)
+@@ -487,7 +487,7 @@
  
- use strict;
-Index: tests/core-keepalive.t
-===================================================================
---- tests/core-keepalive.t     (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core-keepalive.t     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,10 +1,9 @@
- #!/usr/bin/env perl
--
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+               buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">"));
  
- use strict;
-Index: tests/mod-proxy.t
+-              if (con->request.content_length) {
++              if (c->request.content_length) {
+                       buffer_append_long(b, c->request_content_queue->bytes_in);
+                       buffer_append_string_len(b, CONST_STR_LEN("/"));
+                       buffer_append_long(b, c->request.content_length);
+Index: src/settings.h
 ===================================================================
-Index: tests/env-variables.t
-===================================================================
-Index: tests/core-var-include.t
-===================================================================
---- tests/core-var-include.t   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core-var-include.t   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+--- src/settings.h     (.../tags/lighttpd-1.4.29)
++++ src/settings.h     (.../branches/lighttpd-1.4.x)
+@@ -21,8 +21,11 @@
+  * 64kB (no real reason, just a guess)
+  */
+ #define BUFFER_MAX_REUSE_SIZE  (4 * 1024)
+-#define MAX_READ_LIMIT (4*1024*1024)
  
- use strict;
-Index: tests/mod-extforward.t
-===================================================================
---- tests/mod-extforward.t     (.../tags/lighttpd-1.4.18)      (revision 0)
-+++ tests/mod-extforward.t     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -0,0 +1,48 @@
-+#!/usr/bin/env perl
-+BEGIN {
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
-+}
-+
-+use strict;
-+use IO::Socket;
-+use Test::More tests => 5;
-+use LightyTest;
-+
-+my $tf = LightyTest->new();
-+my $t;
-+
-+$tf->{CONFIGFILE} = 'mod-extforward.conf';
-+
-+ok($tf->start_proc == 0, "Starting lighttpd") or die();
-+
-+$t->{REQUEST} = ( <<EOF
-+GET /ip.pl HTTP/1.0
-+Host: www.example.org
-+X-Forwarded-For: 127.0.10.1
-+EOF
-+);
-+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '127.0.10.1' } ];
-+ok($tf->handle_http($t) == 0, 'expect 127.0.10.1, from single ip');
-+
-+$t->{REQUEST} = ( <<EOF
-+GET /ip.pl HTTP/1.0
-+Host: www.example.org
-+X-Forwarded-For: 127.0.10.1, 127.0.20.1
-+EOF
-+);
-+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '127.0.20.1' } ];
-+ok($tf->handle_http($t) == 0, 'expect 127.0.20.1, from two ips');
-+
-+$t->{REQUEST} = ( <<EOF
-+GET /ip.pl HTTP/1.0
-+Host: www.example.org
-+X-Forwarded-For: 127.0.10.1, 127.0.20.1, 127.0.30.1
-+EOF
-+);
-+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '127.0.20.1' } ];
-+ok($tf->handle_http($t) == 0, 'expect 127.0.20.1, from chained proxies');
++/* both should be way smaller than SSIZE_MAX :) */
++#define MAX_READ_LIMIT (256*1024)
++#define MAX_WRITE_LIMIT (256*1024)
 +
-+ok($tf->stop_proc == 0, "Stopping lighttpd");
-
-Property changes on: tests/mod-extforward.t
-___________________________________________________________________
-Name: svn:executable
-   + *
-
-Index: tests/core-request.t
+ /**
+  * max size of the HTTP request header
+  *
+Index: src/mod_cml_lua.c
 ===================================================================
---- tests/core-request.t       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core-request.t       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+--- src/mod_cml_lua.c  (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_lua.c  (.../branches/lighttpd-1.4.x)
+@@ -11,18 +11,6 @@
+ #include <time.h>
+ #include <string.h>
  
- use strict;
-Index: tests/mod-redirect.t
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+Index: src/mod_fastcgi.c
 ===================================================================
---- tests/mod-redirect.t       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-redirect.t       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+--- src/mod_fastcgi.c  (.../tags/lighttpd-1.4.29)
++++ src/mod_fastcgi.c  (.../branches/lighttpd-1.4.x)
+@@ -3075,7 +3075,7 @@
+               fcgi_set_state(srv, hctx, FCGI_STATE_WRITE);
+               /* fall through */
+       case FCGI_STATE_WRITE:
+-              ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++              ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
  
- use strict;
-Index: tests/mod-cgi.t
-===================================================================
---- tests/mod-cgi.t    (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-cgi.t    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+               chunkqueue_remove_finished_chunks(hctx->wb);
  
- use strict;
-Index: tests/mod-setenv.t
-===================================================================
---- tests/mod-setenv.t (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-setenv.t (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,10 +1,9 @@
- #!/usr/bin/env perl
--
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+@@ -3132,7 +3132,6 @@
+       plugin_data *p = p_d;
  
- use strict;
-Index: tests/cachable.t
-===================================================================
---- tests/cachable.t   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/cachable.t   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+       handler_ctx *hctx = con->plugin_ctx[p->id];
+-      fcgi_proc *proc;
+       fcgi_extension_host *host;
  
- use strict;
-Index: tests/lowercase.t
-===================================================================
---- tests/lowercase.t  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/lowercase.t  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+       if (NULL == hctx) return HANDLER_GO_ON;
+@@ -3201,7 +3200,6 @@
+       /* ok, create the request */
+       switch(fcgi_write_request(srv, hctx)) {
+       case HANDLER_ERROR:
+-              proc = hctx->proc;
+               host = hctx->host;
  
- use strict;
-Index: tests/fcgi-responder.c
+               if (hctx->state == FCGI_STATE_INIT ||
+Index: src/network_solaris_sendfilev.c
 ===================================================================
---- tests/fcgi-responder.c     (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/fcgi-responder.c     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,4 +1,6 @@
-+#ifdef HAVE_CONFIG_H
- #include "config.h"
-+#endif
- #ifdef HAVE_FASTCGI_FASTCGI_H
- #include <fastcgi/fcgi_stdio.h>
- #else
-Index: tests/fcgi-auth.c
-===================================================================
---- tests/fcgi-auth.c  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/fcgi-auth.c  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,4 +1,6 @@
-+#ifdef HAVE_CONFIG_H
- #include "config.h"
-+#endif
- #ifdef HAVE_FASTCGI_FASTCGI_H
- #include <fastcgi/fcgi_stdio.h>
- #else
-Index: tests/core.t
-===================================================================
---- tests/core.t       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core.t       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,10 +1,9 @@
- #!/usr/bin/env perl
--
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+--- src/network_solaris_sendfilev.c    (.../tags/lighttpd-1.4.29)
++++ src/network_solaris_sendfilev.c    (.../branches/lighttpd-1.4.x)
+@@ -38,17 +38,16 @@
+  */
  
- use strict;
-Index: tests/mod-fastcgi.t
-===================================================================
---- tests/mod-fastcgi.t        (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-fastcgi.t        (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,13 +1,13 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
  
- use strict;
--use Test::More tests => 46;
-+use Test::More tests => 47;
- use LightyTest;
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+       chunk *c;
+-      size_t chunks_written = 0;
  
- my $tf = LightyTest->new();
-@@ -223,7 +223,7 @@
- }
+-      for(c = cq->first; c; c = c->next, chunks_written++) {
++      for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+               int chunk_finished = 0;
  
- SKIP: {
--      skip "no php found", 4 unless -x "/usr/bin/php-cgi"; 
-+      skip "no php found", 5 unless -x "/usr/bin/php-cgi"; 
-       $tf->{CONFIGFILE} = 'fastcgi-13.conf';
-       ok($tf->start_proc == 0, "Starting lighttpd with $tf->{CONFIGFILE}") or die();
-       $t->{REQUEST}  = ( <<EOF
-@@ -234,6 +234,15 @@
-       $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-       ok($tf->handle_http($t) == 0, 'FastCGI + local spawning');
-+      $t->{REQUEST} = ( <<EOF
-+HEAD /indexfile/index.php HTTP/1.0
-+Host: www.example.org
-+EOF
-+ );
-+      $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, '-Content-Length' => '0' } ];
-+      # Of course a valid content-length != 0 would be ok, but we assume for now that such one is not generated.
-+      ok($tf->handle_http($t) == 0, 'Check for buggy content length with HEAD');
-+
-       $t->{REQUEST}  = ( <<EOF
- GET /get-env.php?env=MAIL HTTP/1.0
- Host: www.example.org
-Index: tests/mod-rewrite.t
-===================================================================
---- tests/mod-rewrite.t        (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-rewrite.t        (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
+               switch(c->type) {
+               case MEM_CHUNK: {
+                       char * offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       ssize_t r;
+                       size_t num_chunks, i;
+@@ -77,9 +76,9 @@
+                                       chunks[i].iov_base = offset;
+                                       /* protect the return value of writev() */
+-                                      if (toSend > SSIZE_MAX ||
+-                                          num_bytes + toSend > SSIZE_MAX) {
+-                                              chunks[i].iov_len = SSIZE_MAX - num_bytes;
++                                      if (toSend > max_bytes ||
++                                          (off_t) num_bytes + toSend > max_bytes) {
++                                              chunks[i].iov_len = max_bytes - num_bytes;
+                                               num_chunks = i + 1;
+                                               break;
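Review bot: The MEM_CHUNK path clamps the iovec length against `max_bytes` here, but none of the visible hunks for this file subtracts the bytes that path actually wrote from `max_bytes`; only the FILE_CHUNK hunk adds `max_bytes -= written;`. If the full file matches, a queue of memory chunks is never counted against the limit and the new `max_bytes > 0` loop condition cannot stop it. I would add `max_bytes -= r;` after the successful write in the MEM_CHUNK case. That code lies outside these hunks, so this needs checking against the full file.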
+@@ -119,11 +118,10 @@
+                                       if (chunk_finished) {
+                                               /* skip the chunks from further touches */
+-                                              chunks_written++;
+                                               c = c->next;
+                                       } else {
+                                               /* chunks_written + c = c->next is done in the for()*/
+-                                              chunk_finished++;
++                                              chunk_finished = 1;
+                                       }
+                               } else {
+                                       /* partially written */
+@@ -139,8 +137,8 @@
+               }
+               case FILE_CHUNK: {
+                       ssize_t r;
+-                      off_t offset;
+-                      size_t toSend, written;
++                      off_t offset, toSend;
++                      size_t written;
+                       sendfilevec_t fvec;
+                       stat_cache_entry *sce = NULL;
+                       int ifd;
+@@ -153,6 +151,7 @@
+                       offset = c->file.start + c->offset;
+                       toSend = c->file.length - c->offset;
++                      if (toSend > max_bytes) toSend = max_bytes;
+                       if (offset > sce->st.st_size) {
+                               log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
+@@ -186,6 +185,7 @@
+                       close(ifd);
+                       c->offset += written;
+                       cq->bytes_out += written;
++                      max_bytes -= written;
+                       if (c->offset == c->file.length) {
+                               chunk_finished = 1;
+@@ -207,7 +207,7 @@
+               }
+       }
+-      return chunks_written;
++      return 0;
  }
  
- use strict;
-Index: tests/docroot/www/ip.pl
+ #endif
+Index: src/CMakeLists.txt
 ===================================================================
---- tests/docroot/www/ip.pl    (.../tags/lighttpd-1.4.18)      (revision 0)
-+++ tests/docroot/www/ip.pl    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -0,0 +1,13 @@
-+#!/usr/bin/perl
-+print "Content-Type: text/html\r\n\r\n";
-+print $ENV{'REMOTE_ADDR'};
-+
-+if ($ENV{'QUERY_STRING'} eq 'info') {
-+      print "\nF:",$ENV{'HTTP_X_FORWARDED_FOR'},"\n";
-+
-+      while (my($key, $value) = each %ENV) {
-+              printf "%s => %s\n", $key, $value;
-+      }
-+}
-+
-+0;
-
-Property changes on: tests/docroot/www/ip.pl
-___________________________________________________________________
-Name: svn:executable
-   + *
-
-Index: tests/Makefile.am
+Index: src/mod_dirlisting.c
 ===================================================================
---- tests/Makefile.am  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/Makefile.am  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -31,14 +31,20 @@
-       core-response.t \
-       core-keepalive.t \
-       core.t \
-+        mod-proxy.t \
-+        proxy.conf \
-+        mod-secdownload.t \
-       mod-access.t \
-       mod-auth.t \
-       mod-cgi.t \
-       mod-compress.t \
-       mod-fastcgi.t \
-       mod-redirect.t \
-+      mod-rewrite.t \
-       mod-userdir.t \
--      mod-rewrite.t \
-+        env-variables.t \
-+        env-variables.conf \
-+        symlink.t \
-       request.t \
-       mod-ssi.t \
-       LightyTest.pm \
-@@ -49,12 +55,12 @@
-       core-404-handler.t \
-       404-handler.conf
+--- src/mod_dirlisting.c       (.../tags/lighttpd-1.4.29)
++++ src/mod_dirlisting.c       (.../branches/lighttpd-1.4.x)
+@@ -657,7 +657,8 @@
+       i = dir->used - 1;
  
--
- TESTS_ENVIRONMENT=$(srcdir)/wrapper.sh $(srcdir) $(top_builddir)
+ #ifdef HAVE_PATHCONF
+-      if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++      if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++              /* some broken fs (fuse) return 0 instead of -1 */
+ #ifdef NAME_MAX
+               name_max = NAME_MAX;
+ #else
+Index: src/network_linux_sendfile.c
+===================================================================
+--- src/network_linux_sendfile.c       (.../tags/lighttpd-1.4.29)
++++ src/network_linux_sendfile.c       (.../branches/lighttpd-1.4.x)
+@@ -27,17 +27,16 @@
+ /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */
+ #undef HAVE_POSIX_FADVISE
  
- EXTRA_DIST=wrapper.sh lighttpd.conf \
-       lighttpd.user \
-       lighttpd.htpasswd \
-+      SConscript \
-       $(CONFS) \
-       $(TESTS)
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+       chunk *c;
+-      size_t chunks_written = 0;
  
-Index: tests/core-404-handler.t
-===================================================================
---- tests/core-404-handler.t   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core-404-handler.t   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -10,10 +10,10 @@
- #   returning no status -> 200
- #
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+-      for(c = cq->first; c; c = c->next, chunks_written++) {
++      for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+               int chunk_finished = 0;
  
- use strict;
-Index: tests/mod-compress.t
-===================================================================
---- tests/mod-compress.t       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-compress.t       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+               switch(c->type) {
+               case MEM_CHUNK: {
+                       char * offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       ssize_t r;
  
- use strict;
-Index: tests/LightyTest.pm
-===================================================================
---- tests/LightyTest.pm        (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/LightyTest.pm        (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -72,7 +72,7 @@
-       if (defined $pid) {
-               kill('TERM',$pid) or return -1;
--              select(undef, undef, undef, 0.01);
-+              select(undef, undef, undef, 0.1);
+                       size_t num_chunks, i;
+@@ -45,12 +44,10 @@
+                       chunk *tc;
+                       size_t num_bytes = 0;
+-                      /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+                       /* build writev list
+                        *
+                        * 1. limit: num_chunks < UIO_MAXIOV
+-                       * 2. limit: num_bytes < SSIZE_MAX
++                       * 2. limit: num_bytes < max_bytes
+                        */
+                       for (num_chunks = 0, tc = c;
+                            tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV;
+@@ -67,9 +64,9 @@
+                                       chunks[i].iov_base = offset;
+                                       /* protect the return value of writev() */
+-                                      if (toSend > SSIZE_MAX ||
+-                                          num_bytes + toSend > SSIZE_MAX) {
+-                                              chunks[i].iov_len = SSIZE_MAX - num_bytes;
++                                      if (toSend > max_bytes ||
++                                          (off_t) num_bytes + toSend > max_bytes) {
++                                              chunks[i].iov_len = max_bytes - num_bytes;
+                                               num_chunks = i + 1;
+                                               break;
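Review bot: Replacing the `SSIZE_MAX` bound with `max_bytes` in the `iov_len` clamp leaves the "protect the return value of writev()" guarantee entirely to the caller. `max_bytes` is an `off_t`, which can be wider than `ssize_t` on 32-bit builds with large-file support, and nothing in the visible hunks rejects a value above `SSIZE_MAX`. The NEWS entry on this page mentions a 256kb MAX_WRITE_LIMIT, so callers presumably pass a small value, but that is not visible here. I would clamp once at function entry with `if (max_bytes > SSIZE_MAX) max_bytes = SSIZE_MAX;`, or at least state the precondition in a comment above the signature. The FILE_CHUNK hunk (`@@ -130,13 +127,12 @@`) drops the old `(1 << 30) - 1` cap on `toSend` in the same way; the function body extends beyond these hunks.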
+@@ -100,6 +97,7 @@
+                       /* check which chunks have been written */
+                       cq->bytes_out += r;
++                      max_bytes -= r;
+                       for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+                               if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -109,11 +107,10 @@
+                                       if (chunk_finished) {
+                                               /* skip the chunks from further touches */
+-                                              chunks_written++;
+                                               c = c->next;
+                                       } else {
+                                               /* chunks_written + c = c->next is done in the for()*/
+-                                              chunk_finished++;
++                                              chunk_finished = 1;
+                                       }
+                               } else {
+                                       /* partially written */
+@@ -130,13 +127,12 @@
+               case FILE_CHUNK: {
+                       ssize_t r;
+                       off_t offset;
+-                      size_t toSend;
++                      off_t toSend;
+                       stat_cache_entry *sce = NULL;
+                       offset = c->file.start + c->offset;
+-                      /* limit the toSend to 2^31-1 bytes in a chunk */
+-                      toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+-                              ((1 << 30) - 1) : c->file.length - c->offset;
++                      toSend = c->file.length - c->offset;
++                      if (toSend > max_bytes) toSend = max_bytes;
+                       /* open file if not already opened */
+                       if (-1 == c->file.fd) {
+@@ -215,6 +211,7 @@
+                       c->offset += r;
+                       cq->bytes_out += r;
++                      max_bytes -= r;
+                       if (c->offset == c->file.length) {
+                               chunk_finished = 1;
+@@ -243,7 +240,7 @@
+               }
        }
  
-       return 0;
-Index: tests/mod-ssi.t
-===================================================================
---- tests/mod-ssi.t    (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/mod-ssi.t    (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
+-      return chunks_written;
++      return 0;
  }
  
- use strict;
-Index: tests/core-condition.t
+ #endif
+Index: tests/mod-auth.t
 ===================================================================
---- tests/core-condition.t     (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/core-condition.t     (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,9 +1,9 @@
- #!/usr/bin/env perl
- BEGIN {
--    # add current source dir to the include-path
--    # we need this for make distcheck
--   (my $srcdir = $0) =~ s#/[^/]+$#/#;
--   unshift @INC, $srcdir;
-+      # add current source dir to the include-path
-+      # we need this for make distcheck
-+      (my $srcdir = $0) =~ s,/[^/]+$,/,;
-+      unshift @INC, $srcdir;
- }
+--- tests/mod-auth.t   (.../tags/lighttpd-1.4.29)
++++ tests/mod-auth.t   (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
  
  use strict;
-Index: tests/run-tests.pl
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+ $t->{REQUEST}  = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
++
++$t->{REQUEST}  = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+  );
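Review bot: The new case pins only the 401 status for one malformed token and does not say which bug it guards against. The NEWS hunk on this page lists a mod_auth signedness fix (#2370, CVE-2011-4362), which the `\x80` byte in the token presumably exercises. Following the `(#2105)` convention used in tests/request.t, the title could read `'Basic-Auth: Invalid base64 Auth-token (#2370)'`. A comment above the request such as `# non-ASCII byte in the base64 token must yield 401 (see #2370)` would keep the regression test from being pruned later as redundant.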
+Index: tests/request.t
 ===================================================================
---- tests/run-tests.pl (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ tests/run-tests.pl (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -3,7 +3,7 @@
+--- tests/request.t    (.../tags/lighttpd-1.4.29)
++++ tests/request.t    (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
  use strict;
+ use IO::Socket;
+-use Test::More tests => 44;
++use Test::More tests => 46;
+ use LightyTest;
  
- use Test::Harness qw(&runtests $verbose);
--$verbose=0;
-+$verbose = (defined $ENV{'VERBOSE'} ? $ENV{'VERBOSE'} : 0);;
+ my $tf = LightyTest->new();
+@@ -413,5 +413,21 @@
+ $t->{SLOWREQUEST} = 1;
+ ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)');
  
- my $srcdir = (defined $ENV{'srcdir'} ? $ENV{'srcdir'} : '.');
++print "\nPathinfo for static files\n";
++$t->{REQUEST}  = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ];
++ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default');
++
++$t->{REQUEST}  = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++Host: zzz.example.org
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
++ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
++
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+Index: tests/wrapper.sh
+===================================================================
+--- tests/wrapper.sh   (.../tags/lighttpd-1.4.29)
++++ tests/wrapper.sh   (.../branches/lighttpd-1.4.x)
+@@ -6,4 +6,4 @@
+ top_builddir=$2
+ export SHELL srcdir top_builddir
+-$3
++exec $3
+Index: tests/lighttpd.conf
+===================================================================
+--- tests/lighttpd.conf        (.../tags/lighttpd-1.4.29)
++++ tests/lighttpd.conf        (.../branches/lighttpd-1.4.x)
+@@ -149,6 +149,7 @@
+ $HTTP["host"] == "zzz.example.org" {
+   server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
+   server.name = "zzz.example.org"
++  static-file.disable-pathinfo = "enable"
+ }
  
-Index: doc/configuration.txt
-===================================================================
---- doc/configuration.txt      (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ doc/configuration.txt      (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -85,6 +85,8 @@
- $HTTP["cookie"]
-   match on cookie
-+$HTTP["scheme"]
-+  match on scheme
- $HTTP["host"]
-   match on host
- $HTTP["useragent"]
-Index: doc/lighttpd.conf
-===================================================================
---- doc/lighttpd.conf  (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ doc/lighttpd.conf  (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -72,6 +72,7 @@
-   ".ogg"          =>      "application/ogg",
-   ".wav"          =>      "audio/x-wav",
-   ".gif"          =>      "image/gif",
-+  ".jar"          =>      "application/x-java-archive",
-   ".jpg"          =>      "image/jpeg",
-   ".jpeg"         =>      "image/jpeg",
-   ".png"          =>      "image/png",
+ $HTTP["host"] == "symlink.example.org" {
+Index: configure.ac
+===================================================================
+Index: doc/config/lighttpd.conf
+===================================================================
+--- doc/config/lighttpd.conf   (.../tags/lighttpd-1.4.29)
++++ doc/config/lighttpd.conf   (.../branches/lighttpd-1.4.x)
+@@ -394,6 +394,25 @@
+ ##   $SERVER["socket"] == "10.0.0.1:443" {
+ ##     ssl.engine                  = "enable"
+ ##     ssl.pemfile                 = "/etc/ssl/private/www.example.com.pem"
++##     #
++##     # Mitigate BEAST attack:
++##     #
++##     # A stricter base cipher suite. For details see:
++##     # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
++##     #
++##     ssl.ciphers                 = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++##     #
++##     # Make the server prefer the order of the server side cipher suite instead of the client suite.
++##     # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
++##     # This option is enabled by default, but only used if ssl.ciphers is set.
++##     #
++##     # ssl.honor-cipher-order = "enable"
++##     #
++##     # Mitigate CVE-2009-3555 by disabling client triggered renegotation
++##     # This is enabled by default.
++##     #
++##     # ssl.disable-client-renegotiation = "enable"
++##     #
+ ##     server.name                 = "www.example.com"
+ ##
+ ##     server.document-root        = "/srv/www/vhosts/example.com/www/"
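Review bot: The sample `ssl.ciphers` line added here keeps `RC4-SHA:RC4` near the front of the list, which was the usual BEAST workaround at the time but is no longer a safe recommendation, since RC4 was later prohibited for TLS by RFC 7465. Because this file is a copy-and-paste template, the comment should say that the string is a dated, BEAST-specific example. It should also say that current deployments should drop RC4 and prefer TLS 1.2+ AEAD suites rather than excluding them with `!AESGCM`. The linked article is referenced over plain `http://`, and `renegotation` in the CVE-2009-3555 comment is a typo for `renegotiation`.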
 Index: SConstruct
 ===================================================================
-Index: Makefile.am
-===================================================================
---- Makefile.am        (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ Makefile.am        (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -1,3 +1,3 @@
- SUBDIRS=src doc tests cygwin openwrt
--EXTRA_DIST=lighttpd.spec
-+EXTRA_DIST=lighttpd.spec autogen.sh SConstruct
 Index: NEWS
 ===================================================================
---- NEWS       (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ NEWS       (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -3,6 +3,52 @@
+--- NEWS       (.../tags/lighttpd-1.4.29)
++++ NEWS       (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,20 @@
  NEWS
  ====
  
-+- 1.4.19 -
-+
-+  * added support for If-Range: <date> (#1346)
-+  * added support for matching $HTTP["scheme"] in configs
-+  * fixed initgroups() called after chroot (#1384)
-+  * fixed case-sensitive check for Auth-Method (#1456)
-+  * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
-+  * fixed a bug that made /-prefixed extensions being handled also when
-+    matching the end of the uri in fcgi,scgi and proxy modules (#1489)
-+  * print error if X-LIGHTTPD-send-file cannot be done; reset header
-+    Content-Length for send-file. Patches by Stefan Buehler
-+  * prevent crash in certain php-fcgi configurations (#841)
-+  * add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
-+  * open log immediately after daemonizing, fixes SIGPIPEs on startup  (#165)
-+  * HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
-+  * generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
-+  * support letterhomes in mod_userdir (#1473)
-+  * support chained proxies in mod_extforward (#1528)
-+  * fixed bogus "cgi died ?" if we kill the CGI process on shutdown
-+  * fixed ECONNRESET handling in network-openssl
-+  * fixed handling of EAGAIN in network-linux-sendfile (#657)
-+  * reset conditional cache (#1164)
-+  * create directories in mod_compress (was broken with alias/userdir) (#1027)
-+  * fixed out of range access in fd array (#1562, #372)
-+  * mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
-+  * remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
-+  * generate etag/last-modified header for on-the-fly-compressed files (#1171)
-+  * req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
-+  * fixed memory leak on windows (#1347)
-+  * fixed building outside of the src dir (#1349)
-+  * fixed including of stdint.h/inttypes.h in etag.c (#1413)
-+  * do not add Accept-Ranges header if range-request is disabled (#1449)
-+  * log the ip of failed auth tries in error.log (enhancement #1544)
-+  * fixed RoundRobin in mod_proxy (#516)
-+  * check for symlinks after successful pathinfo matching (#1574)
-+  * fixed mod-proxy.t to run with a builddir outside of the src dir
-+  * do not suppress content on "307 Temporary Redirect" (#1412)
-+  * fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
-+  * do not generate a "Content-Length: 0" header for HEAD requests, added test too
-+  * remove compress cache file if compression or write failed (#1150)
-+  * fixed body handling of status 300 requests 
-+  * spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
-+  * fix sending source of cgi script instead of 500 error if fork fails
-+  * fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
-+  * fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440)
-+
- - 1.4.18 - 2007-09-09
-   * fixed compile error on IRIX 6.5.x on prctl() (#1333)
-Index: lighttpd.spec.in
+-- 1.4.29 -
++- 1.4.30 -
++  * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
++  * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
++  * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
++  * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file
++  * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
++  * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351)
++  * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
++  * [ssl] count renegotiations to prevent client renegotiations
++  * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
++  * [core] accept dots in ipv6 addresses in host header (fixes #2359)
++  * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
++
++- 1.4.29 - 2011-07-03
+   * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)
+   * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257)
+   * mod_cgi: make read buffer as big as incoming data block
+Index: CMakeLists.txt
 ===================================================================
---- lighttpd.spec.in   (.../tags/lighttpd-1.4.18)      (revision 2118)
-+++ lighttpd.spec.in   (.../branches/lighttpd-1.4.x)   (revision 2118)
-@@ -6,21 +6,19 @@
- Packager: Jan Kneschke <jan@kneschke.de>
- License: BSD
- Group: Networking/Daemons
--URL: http://jan.kneschke.de/projects/lighttpd/
-+URL: http://www.lighttpd.net/
- Requires: pcre >= 3.1 zlib
--BuildPrereq: libtool zlib-devel
-+BuildRequires: libtool zlib-devel
- BuildRoot: %{_tmppath}/%{name}-root
--
- %description
- lighttpd is intented to be a frontend for ad-servers which have to deliver
- small files concurrently to many connections.
--Available rpmbuild rebuild options :
----with : ssl mysql lua memcache
-+Available rpmbuild rebuild options:
-+--with: ssl mysql lua memcache
- %prep
--
- %setup -q
- %build
-@@ -33,14 +31,13 @@
- make
- %install
--
- %makeinstall
- mkdir -p %{buildroot}%{_sysconfdir}/{init.d,sysconfig}
--if test -f /etc/redhat-release -o -f /etc/fedora-release; then
--  install -m 755 doc/rc.lighttpd.redhat %{buildroot}%{_sysconfdir}/init.d/lighttpd
-+if [ -f /etc/redhat-release -o -f /etc/fedora-release ]; then
-+      install -m 755 doc/rc.lighttpd.redhat %{buildroot}%{_sysconfdir}/init.d/lighttpd
- else
--  install -m 755 doc/rc.lighttpd %{buildroot}%{_sysconfdir}/init.d/lighttpd
-+      install -m 755 doc/rc.lighttpd %{buildroot}%{_sysconfdir}/init.d/lighttpd
- fi
- install -m 644 doc/sysconfig.lighttpd %{buildroot}%{_sysconfdir}/sysconfig/lighttpd
-@@ -49,16 +46,16 @@
- %post
- ## read http://www.fedora.us/docs/spec.html next time :)
--if test "$1" = "1"; then
--  # real install, not upgrade
--  /sbin/chkconfig --add lighttpd
-+if [ "$1" = "1" ]; then
-+      # real install, not upgrade
-+      /sbin/chkconfig --add lighttpd
- fi
- %preun
--if test "$1" = "0"; then
--  # real uninstall, not upgrade
--  %{_sysconfdir}/init.d/lighttpd stop
--  /sbin/chkconfig --del lighttpd
-+if [ "$1" = "0"]; then
-+      # real uninstall, not upgrade
-+      %{_sysconfdir}/init.d/lighttpd stop
-+      /sbin/chkconfig --del lighttpd
- fi
- %files
-
-Property changes on: .
-___________________________________________________________________
-Name: svk:merge
-   - a98e19e4-a712-0410-8832-6551a15ffc53:/local/branches/lighttpd-1.4.x:1557
-   + 152afb58-edef-0310-8abb-c4023f1b3aa9:/branches/lighttpd-1.3.x:499
-152afb58-edef-0310-8abb-c4023f1b3aa9:/branches/lighttpd-1.4.11-ssl-fixes:1346
-152afb58-edef-0310-8abb-c4023f1b3aa9:/branches/lighttpd-merge-1.4.x:1041
-152afb58-edef-0310-8abb-c4023f1b3aa9:/tags/lighttpd-1.4.11:1042
-152afb58-edef-0310-8abb-c4023f1b3aa9:/tags/release-1.3.13:105
-152afb58-edef-0310-8abb-c4023f1b3aa9:/trunk:104
-a98e19e4-a712-0410-8832-6551a15ffc53:/local/branches/lighttpd-1.4.x:1557
-ebd0e9cf-3e47-4385-9dd4-f0e25e97baa2:/local/lighttpd/branches/lighttpd-1.4.x:2154
-