-Index: configure.in
+# Revision 2815
+Index: src/http_auth_digest.c
===================================================================
-Index: src/configfile-glue.c
+--- src/http_auth_digest.c (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x)
+@@ -1,26 +0,0 @@
+-#include "buffer.h"
+-
+-#include "http_auth_digest.h"
+-
+-#include <string.h>
+-
+-#ifndef USE_OPENSSL
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+-void CvtHex(IN HASH Bin, OUT HASHHEX Hex) {
+- unsigned short i;
+-
+- for (i = 0; i < HASHLEN; i++) {
+- Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
+- Hex[i*2+1] = int2hex(Bin[i] & 0xf);
+- }
+- Hex[HASHHEXLEN] = '\0';
+-}
+-
+Index: src/http_auth_digest.h
===================================================================
---- src/configfile-glue.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/configfile-glue.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -1,4 +1,5 @@
- #include <string.h>
-+#include <stdlib.h>
-
- #include "base.h"
- #include "buffer.h"
-@@ -90,6 +91,22 @@
- case TYPE_STRING: {
- data_string *ds = (data_string *)du;
-
-+ /* If the value came from an environment variable, then it is a
-+ * data_string, although it may contain a number in ASCII
-+ * decimal format. We try to interpret the string as a decimal
-+ * short before giving up, in order to support setting numeric
-+ * values with environment variables (eg, port number).
-+ */
-+ if (ds->value->ptr && *ds->value->ptr) {
-+ char *e;
-+ long l = strtol(ds->value->ptr, &e, 10);
-+ if (e != ds->value->ptr && !*e && l >=0 && l <= 65535) {
-+ *((unsigned short *)(cv[i].destination)) = l;
-+ break;
-+
-+ }
-+ }
-+
- log_error_write(srv, __FILE__, __LINE__, "ssb", "got a string but expected a short:", cv[i].key, ds->value);
-
- return -1;
-Index: src/mod_cgi.c
+--- src/http_auth_digest.h (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x)
+@@ -1,24 +0,0 @@
+-#ifndef _DIGCALC_H_
+-#define _DIGCALC_H_
+-
+-#ifdef HAVE_CONFIG_H
+-# include "config.h"
+-#endif
+-
+-#define HASHLEN 16
+-typedef unsigned char HASH[HASHLEN];
+-#define HASHHEXLEN 32
+-typedef char HASHHEX[HASHHEXLEN+1];
+-#ifdef USE_OPENSSL
+-#define IN const
+-#else
+-#define IN
+-#endif
+-#define OUT
+-
+-void CvtHex(
+- IN HASH Bin,
+- OUT HASHHEX Hex
+- );
+-
+-#endif
+Index: src/network_write.c
===================================================================
---- src/mod_cgi.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/mod_cgi.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -822,15 +822,27 @@
- );
- cgi_env_add(&env, CONST_STR_LEN("SERVER_PORT"), buf, strlen(buf));
-
-+ switch (srv_sock->addr.plain.sa_family) {
- #ifdef HAVE_IPV6
-- s = inet_ntop(srv_sock->addr.plain.sa_family,
-- srv_sock->addr.plain.sa_family == AF_INET6 ?
-- (const void *) &(srv_sock->addr.ipv6.sin6_addr) :
-- (const void *) &(srv_sock->addr.ipv4.sin_addr),
-- b2, sizeof(b2)-1);
-+ case AF_INET6:
-+ s = inet_ntop(srv_sock->addr.plain.sa_family,
-+ (const void *) &(srv_sock->addr.ipv6.sin6_addr),
-+ b2, sizeof(b2)-1);
-+ break;
-+ case AF_INET:
-+ s = inet_ntop(srv_sock->addr.plain.sa_family,
-+ (const void *) &(srv_sock->addr.ipv4.sin_addr),
-+ b2, sizeof(b2)-1);
-+ break;
- #else
-- s = inet_ntoa(srv_sock->addr.ipv4.sin_addr);
-+ case AF_INET:
-+ s = inet_ntoa(srv_sock->addr.ipv4.sin_addr);
-+ break;
+--- src/network_write.c (.../tags/lighttpd-1.4.29)
++++ src/network_write.c (.../branches/lighttpd-1.4.x)
+@@ -24,17 +24,16 @@
+ # include <sys/resource.h>
#endif
-+ default:
-+ s = "";
-+ break;
-+ }
- cgi_env_add(&env, CONST_STR_LEN("SERVER_ADDR"), s, strlen(s));
- s = get_http_method_name(con->request.http_method);
-@@ -848,15 +860,27 @@
- }
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ if (c->mem->used == 0) {
+@@ -44,6 +43,8 @@
+
+ offset = c->mem->ptr + c->offset;
+ toSend = c->mem->used - 1 - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
++
+ #ifdef __WIN32
+ if ((r = send(fd, offset, toSend, 0)) < 0) {
+ /* no error handling for windows... */
+@@ -72,6 +73,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == (off_t)c->mem->used - 1) {
+ chunk_finished = 1;
+@@ -85,7 +87,7 @@
+ #endif
+ ssize_t r;
+ off_t offset;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+ int ifd;
+@@ -98,6 +100,8 @@
+ offset = c->file.start + c->offset;
+ toSend = c->file.length - c->offset;
-+ switch (con->dst_addr.plain.sa_family) {
- #ifdef HAVE_IPV6
-- s = inet_ntop(con->dst_addr.plain.sa_family,
-- con->dst_addr.plain.sa_family == AF_INET6 ?
-- (const void *) &(con->dst_addr.ipv6.sin6_addr) :
-- (const void *) &(con->dst_addr.ipv4.sin_addr),
-- b2, sizeof(b2)-1);
-+ case AF_INET6:
-+ s = inet_ntop(con->dst_addr.plain.sa_family,
-+ (const void *) &(con->dst_addr.ipv6.sin6_addr),
-+ b2, sizeof(b2)-1);
-+ break;
-+ case AF_INET:
-+ s = inet_ntop(con->dst_addr.plain.sa_family,
-+ (const void *) &(con->dst_addr.ipv4.sin_addr),
-+ b2, sizeof(b2)-1);
-+ break;
- #else
-- s = inet_ntoa(con->dst_addr.ipv4.sin_addr);
-+ case AF_INET:
-+ s = inet_ntoa(con->dst_addr.ipv4.sin_addr);
-+ break;
- #endif
-+ default:
-+ s = "";
-+ break;
-+ }
- cgi_env_add(&env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s));
++ if (toSend > max_bytes) toSend = max_bytes;
++
+ if (offset > sce->st.st_size) {
+ log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
- LI_ltostr(buf,
-Index: src/connections.c
-===================================================================
---- src/connections.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/connections.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -330,15 +330,13 @@
- buffer_prepare_copy(b, 4 * 1024);
- len = recv(con->fd, b->ptr, b->size - 1, 0);
- #else
-- if (ioctl(con->fd, FIONREAD, &toread)) {
-- log_error_write(srv, __FILE__, __LINE__, "sd",
-- "unexpected end-of-file:",
-- con->fd);
-- return -1;
-+ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) {
-+ b = chunkqueue_get_append_buffer(con->read_queue);
-+ buffer_prepare_copy(b, 4 * 1024);
-+ } else {
-+ b = chunkqueue_get_append_buffer(con->read_queue);
-+ buffer_prepare_copy(b, toread + 1);
- }
-- b = chunkqueue_get_append_buffer(con->read_queue);
-- buffer_prepare_copy(b, toread + 1);
--
- len = read(con->fd, b->ptr, b->size - 1);
- #endif
+@@ -181,6 +185,7 @@
-Index: src/configfile.c
-===================================================================
---- src/configfile.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/configfile.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -940,7 +940,6 @@
- }
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
- int config_parse_cmd(server *srv, config_t *context, const char *cmd) {
-- proc_handler_t proc;
- tokenizer_t t;
- int ret;
- buffer *source;
-@@ -960,7 +959,7 @@
- chdir(context->basedir->ptr);
- }
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -200,11 +205,9 @@
-- if (0 != proc_open_buffer(&proc, cmd, NULL, out, NULL)) {
-+ if (0 != proc_open_buffer(cmd, NULL, out, NULL)) {
- log_error_write(srv, __FILE__, __LINE__, "sbss",
- "opening", source, "failed:", strerror(errno));
- ret = -1;
-Index: src/response.c
-===================================================================
---- src/response.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/response.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -44,16 +44,15 @@
- buffer_append_string(b, get_http_status_name(con->http_status));
-
- if (con->request.http_version != HTTP_VERSION_1_1 || con->keep_alive == 0) {
-- buffer_append_string_len(b, CONST_STR_LEN("\r\nConnection: "));
- if (con->keep_alive) {
-- buffer_append_string_len(b, CONST_STR_LEN("keep-alive"));
-+ response_header_overwrite(srv, con, CONST_STR_LEN("Connection"), CONST_STR_LEN("keep-alive"));
- } else {
-- buffer_append_string_len(b, CONST_STR_LEN("close"));
-+ response_header_overwrite(srv, con, CONST_STR_LEN("Connection"), CONST_STR_LEN("close"));
+ break;
}
+-
+- chunks_written++;
}
- if (con->response.transfer_encoding & HTTP_TRANSFER_ENCODING_CHUNKED) {
-- buffer_append_string_len(b, CONST_STR_LEN("\r\nTransfer-Encoding: chunked"));
-+ response_header_overwrite(srv, con, CONST_STR_LEN("Transfer-Encoding"), CONST_STR_LEN("chunked"));
- }
-
+- return chunks_written;
++ return 0;
+ }
-Index: src/mod_simple_vhost.c
+ #if 0
+Index: src/mod_secure_download.c
===================================================================
---- src/mod_simple_vhost.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/mod_simple_vhost.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -249,6 +249,8 @@
- return HANDLER_GO_ON;
- } else {
- buffer_copy_string_buffer(con->server_name, p->conf.default_host);
-+ /* do not cache default host */
-+ return HANDLER_GO_ON;
- }
- } else {
- buffer_copy_string_buffer(con->server_name, con->uri.authority);
-Index: src/mod_proxy.c
+--- src/mod_secure_download.c (.../tags/lighttpd-1.4.29)
++++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -200,7 +190,7 @@
+
+ URIHANDLER_FUNC(mod_secdownload_uri_handler) {
+ plugin_data *p = p_d;
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ const char *rel_uri, *ts_str, *md5_str;
+ time_t ts = 0;
+@@ -266,9 +256,9 @@
+ buffer_append_string(p->md5, rel_uri);
+ buffer_append_string_len(p->md5, ts_str, 8);
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ buffer_copy_string_hex(p->md5, (char *)HA1, 16);
+
+Index: src/base.h
===================================================================
---- src/mod_proxy.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -1198,7 +1198,8 @@
- host = (data_proxy *)extension->value->data[0];
-
- /* Use last_used_ndx from first host in list */
-- k = ndx = host->last_used_ndx;
-+ k = host->last_used_ndx;
-+ ndx = k + 1; /* use next host after the last one */
- if (ndx < 0) ndx = 0;
-
- /* Search first active host after last_used_ndx */
-Index: src/http_auth.c
+--- src/base.h (.../tags/lighttpd-1.4.29)
++++ src/base.h (.../branches/lighttpd-1.4.x)
+@@ -277,6 +277,7 @@
+ buffer *ssl_cipher_list;
+ buffer *ssl_dh_file;
+ buffer *ssl_ec_curve;
++ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ unsigned short ssl_use_sslv2;
+ unsigned short ssl_use_sslv3;
+ unsigned short ssl_verifyclient;
+@@ -284,6 +285,7 @@
+ unsigned short ssl_verifyclient_depth;
+ buffer *ssl_verifyclient_username;
+ unsigned short ssl_verifyclient_export_cert;
++ unsigned short ssl_disable_client_renegotiation;
+
+ unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */
+ unsigned short defer_accept;
+@@ -437,6 +439,7 @@
+ # ifndef OPENSSL_NO_TLSEXT
+ buffer *tlsext_server_name;
+ # endif
++ unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+ #endif
+ /* etag handling */
+ etag_flags_t etag_flags;
+@@ -647,11 +650,9 @@
+
+ fdevent_handler_t event_handler;
+
+- int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq);
+- int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq);
++ int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+- int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
+- int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++ int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
+ #endif
+
+ uid_t uid;
+Index: src/connections.c
===================================================================
---- src/http_auth.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/http_auth.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -57,22 +57,25 @@
-
- static const char base64_pad = '=';
-
-+/* "A-Z a-z 0-9 + /" maps to 0-63 */
- static const short base64_reverse_table[256] = {
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
-- 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1,
-- -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
-- 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1,
-- -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
-- 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
-+/* 0 1 2 3 4 5 6 7 8 9 A B C D E F */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F */
-+ 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F */
-+ -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F */
-+ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F */
-+ -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F */
-+ 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF */
-+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF */
- };
-
-
-@@ -697,7 +700,7 @@
- }
- } else if (p->conf.auth_backend == AUTH_BACKEND_LDAP) {
- #ifdef USE_LDAP
-- LDAP *ldap = NULL;
-+ LDAP *ldap;
- LDAPMessage *lm, *first;
- char *dn;
- int ret;
-@@ -742,56 +745,45 @@
- buffer_append_string_buffer(p->ldap_filter, username);
- buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
+--- src/connections.c (.../tags/lighttpd-1.4.29)
++++ src/connections.c (.../branches/lighttpd-1.4.x)
+@@ -223,6 +223,12 @@
+ len = SSL_read(con->ssl, b->ptr + read_offset, toread);
+
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ connection_set_state(srv, con, CON_STATE_ERROR);
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
+
- /* 2. */
-- if (p->conf.ldap == NULL ||
-- LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-- /* try again if ldap was only temporary down */
-- if (p->conf.ldap == NULL || ret != LDAP_SERVER_DOWN || LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-- if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON)
-+ if (p->anon_conf->ldap == NULL ||
-+ LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-+
-+ /* try again; the ldap library sometimes fails for the first call but reconnects */
-+ if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
-+ LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-+
-+ if (auth_ldap_init(srv, p->anon_conf) != HANDLER_GO_ON)
- return -1;
+ if (len > 0) {
+ if (b->used > 0) b->used--;
+ b->used += len;
+@@ -445,6 +451,7 @@
+ default:
+ switch(con->http_status) {
+ case 400: /* bad request */
++ case 401: /* authorization required */
+ case 414: /* overload request header */
+ case 505: /* unknown protocol */
+ case 207: /* this was webdav */
+@@ -617,8 +624,9 @@
+ }
-- ldap = p->conf.ldap; /* save temporary ldap connection (TODO: redo ldap) */
-- if (LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-+ if (p->anon_conf->ldap == NULL ||
-+ LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
- log_error_write(srv, __FILE__, __LINE__, "sssb",
- "ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
-- /* destroy temporary ldap connection (TODO: redo ldap) */
-- ldap_unbind_s(ldap);
- return -1;
- }
- }
+ static int connection_handle_write(server *srv, connection *con) {
+- switch(network_write_chunkqueue(srv, con, con->write_queue)) {
++ switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) {
+ case 0:
++ con->write_request_ts = srv->cur_ts;
+ if (con->file_finished) {
+ connection_set_state(srv, con, CON_STATE_RESPONSE_END);
+ joblist_append(srv, con);
+@@ -635,6 +643,7 @@
+ joblist_append(srv, con);
+ break;
+ case 1:
++ con->write_request_ts = srv->cur_ts;
+ con->is_writable = 0;
+
+ /* not finished yet -> WRITE */
+@@ -1251,8 +1260,6 @@
+ log_error_write(srv, __FILE__, __LINE__, "ds",
+ con->fd,
+ "handle write failed.");
+- } else if (con->state == CON_STATE_WRITE) {
+- con->write_request_ts = srv->cur_ts;
}
+ }
-- if (NULL == (first = ldap_first_entry(p->conf.ldap, lm))) {
-- /* No matching entry is not an error */
-- /* log_error_write(srv, __FILE__, __LINE__, "s", "ldap ..."); */
-+ if (NULL == (first = ldap_first_entry(p->anon_conf->ldap, lm))) {
-+ log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
+@@ -1352,6 +1359,7 @@
+ return NULL;
+ }
- ldap_msgfree(lm);
++ con->renegotiations = 0;
+ #ifndef OPENSSL_NO_TLSEXT
+ SSL_set_app_data(con->ssl, con);
+ #endif
+@@ -1667,8 +1675,6 @@
+ con->fd,
+ "handle write failed.");
+ connection_set_state(srv, con, CON_STATE_ERROR);
+- } else if (con->state == CON_STATE_WRITE) {
+- con->write_request_ts = srv->cur_ts;
+ }
+ }
-- /* destroy temporary ldap connection (TODO: redo ldap) */
-- if (NULL != ldap) {
-- ldap_unbind_s(ldap);
-- }
- return -1;
- }
+Index: src/mod_staticfile.c
+===================================================================
+--- src/mod_staticfile.c (.../tags/lighttpd-1.4.29)
++++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x)
+@@ -26,6 +26,7 @@
+ typedef struct {
+ array *exclude_ext;
+ unsigned short etags_used;
++ unsigned short disable_pathinfo;
+ } plugin_config;
-- if (NULL == (dn = ldap_get_dn(p->conf.ldap, first))) {
-- log_error_write(srv, __FILE__, __LINE__, "s", "ldap: ldap_get_dn failed");
-+ if (NULL == (dn = ldap_get_dn(p->anon_conf->ldap, first))) {
-+ log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
+ typedef struct {
+@@ -84,6 +85,7 @@
+ config_values_t cv[] = {
+ { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
+ { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
++ { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ };
- ldap_msgfree(lm);
+@@ -97,9 +99,11 @@
+ s = calloc(1, sizeof(plugin_config));
+ s->exclude_ext = array_init();
+ s->etags_used = 1;
++ s->disable_pathinfo = 0;
-- /* destroy temporary ldap connection (TODO: redo ldap) */
-- if (NULL != ldap) {
-- ldap_unbind_s(ldap);
-- }
- return -1;
- }
+ cv[0].destination = s->exclude_ext;
+ cv[1].destination = &(s->etags_used);
++ cv[2].destination = &(s->disable_pathinfo);
- ldap_msgfree(lm);
+ p->config_storage[i] = s;
-- /* destroy temporary ldap connection (TODO: redo ldap) */
-- if (NULL != ldap) {
-- ldap_unbind_s(ldap);
-- }
+@@ -119,6 +123,7 @@
- /* 3. */
- if (NULL == (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
-Index: src/http_auth.h
-===================================================================
---- src/http_auth.h (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/http_auth.h (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -63,7 +63,7 @@
+ PATCH(exclude_ext);
+ PATCH(etags_used);
++ PATCH(disable_pathinfo);
- mod_auth_plugin_config **config_storage;
+ /* skip the first, the global context */
+ for (i = 1; i < srv->config_context->used; i++) {
+@@ -136,7 +141,9 @@
+ PATCH(exclude_ext);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) {
+ PATCH(etags_used);
+- }
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) {
++ PATCH(disable_pathinfo);
++ }
+ }
+ }
-- mod_auth_plugin_config conf; /* this is only used as long as no handler_ctx is setup */
-+ mod_auth_plugin_config conf, *anon_conf; /* this is only used as long as no handler_ctx is setup */
- } mod_auth_plugin_data;
+@@ -350,7 +357,6 @@
+ URIHANDLER_FUNC(mod_staticfile_subrequest) {
+ plugin_data *p = p_d;
+ size_t k;
+- int s_len;
+ stat_cache_entry *sce = NULL;
+ buffer *mtime = NULL;
+ data_string *ds;
+@@ -376,7 +382,12 @@
+
+ mod_staticfile_patch_connection(srv, con, p);
+
+- s_len = con->uri.path->used - 1;
++ if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) {
++ if (con->conf.log_request_handling) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden");
++ }
++ return HANDLER_GO_ON;
++ }
- int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, buffer *url, const char *realm_str);
-Index: src/mod_compress.c
+ /* ignore certain extensions */
+ for (k = 0; k < p->conf.exclude_ext->used; k++) {
+Index: src/network.c
===================================================================
---- src/mod_compress.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/mod_compress.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -49,6 +49,7 @@
- buffer *compress_cache_dir;
- array *compress;
- off_t compress_max_filesize; /** max filesize in kb */
-+ int allowed_encodings;
- } plugin_config;
+--- src/network.c (.../tags/lighttpd-1.4.29)
++++ src/network.c (.../branches/lighttpd-1.4.x)
+@@ -27,6 +27,19 @@
+ # include <openssl/rand.h>
+ #endif
- typedef struct {
-@@ -154,6 +155,7 @@
- { "compress.cache-dir", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
- { "compress.filetype", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
- { "compress.max-filesize", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },
-+ { "compress.allowed-encodings", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
- { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
- };
++#ifdef USE_OPENSSL
++static void ssl_info_callback(const SSL *ssl, int where, int ret) {
++ UNUSED(ret);
++
++ if (0 != (where & SSL_CB_HANDSHAKE_START)) {
++ connection *con = SSL_get_app_data(ssl);
++ ++con->renegotiations;
++ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
++ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++ }
++}
++#endif
++
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
+ server_socket *srv_socket = (server_socket *)context;
+ connection *con;
+@@ -480,9 +493,11 @@
+ network_backend_t backend;
-@@ -161,15 +163,18 @@
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
++#ifndef OPENSSL_NO_ECDH
+ EC_KEY *ecdh;
+ int nid;
+ #endif
++#endif
+ #ifdef USE_OPENSSL
+ DH *dh;
+@@ -553,6 +568,11 @@
+ /* load SSL certificates */
for (i = 0; i < srv->config_context->used; i++) {
- plugin_config *s;
-+ array *encodings_arr = array_init();
-
- s = calloc(1, sizeof(plugin_config));
- s->compress_cache_dir = buffer_init();
- s->compress = array_init();
- s->compress_max_filesize = 0;
-+ s->allowed_encodings = 0;
-
- cv[0].destination = s->compress_cache_dir;
- cv[1].destination = s->compress;
- cv[2].destination = &(s->compress_max_filesize);
-+ cv[3].destination = encodings_arr; /* temp array for allowed encodings list */
+ specific_config *s = srv->config_storage[i];
++#ifndef SSL_OP_NO_COMPRESSION
++# define SSL_OP_NO_COMPRESSION 0
++#endif
++ long ssloptions =
++ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
- p->config_storage[i] = s;
+ if (buffer_is_empty(s->ssl_pemfile)) continue;
-@@ -177,6 +182,39 @@
- return HANDLER_ERROR;
+@@ -586,6 +606,9 @@
+ return -1;
}
-+ if (encodings_arr->used) {
-+ size_t j = 0;
-+ for (j = 0; j < encodings_arr->used; j++) {
-+ data_string *ds = (data_string *)encodings_arr->data[j];
-+#ifdef USE_ZLIB
-+ if (NULL != strstr(ds->value->ptr, "gzip"))
-+ s->allowed_encodings |= HTTP_ACCEPT_ENCODING_GZIP;
-+ if (NULL != strstr(ds->value->ptr, "deflate"))
-+ s->allowed_encodings |= HTTP_ACCEPT_ENCODING_DEFLATE;
-+ /*
-+ if (NULL != strstr(ds->value->ptr, "compress"))
-+ s->allowed_encodings |= HTTP_ACCEPT_ENCODING_COMPRESS;
-+ */
-+#endif
-+#ifdef USE_BZ2LIB
-+ if (NULL != strstr(ds->value->ptr, "bzip2"))
-+ s->allowed_encodings |= HTTP_ACCEPT_ENCODING_BZIP2;
-+#endif
++ SSL_CTX_set_options(s->ssl_ctx, ssloptions);
++ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
++
+ if (!s->ssl_use_sslv2) {
+ /* disable SSLv2 */
+ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+@@ -611,6 +634,10 @@
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
++
++ if (s->ssl_honor_cipher_order) {
++ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+ }
+
+ /* Support for Diffie-Hellman key exchange */
+@@ -847,7 +874,7 @@
+ return 0;
+ }
+
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
+ int ret = -1;
+ off_t written = 0;
+ #ifdef TCP_CORK
+@@ -855,16 +882,34 @@
+ #endif
+ server_socket *srv_socket = con->srv_socket;
+
+- if (con->conf.global_kbytes_per_second &&
+- *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) {
+- /* we reached the global traffic limit */
++ if (con->conf.global_kbytes_per_second) {
++ off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
++ if (limit <= 0) {
++ /* we reached the global traffic limit */
+
+- con->traffic_limit_reached = 1;
+- joblist_append(srv, con);
++ con->traffic_limit_reached = 1;
++ joblist_append(srv, con);
+
+- return 1;
++ return 1;
+ } else {
-+ /* default encodings */
-+ s->allowed_encodings = 0
-+#ifdef USE_ZLIB
-+ | HTTP_ACCEPT_ENCODING_GZIP | HTTP_ACCEPT_ENCODING_DEFLATE
-+#endif
-+#ifdef USE_BZ2LIB
-+ | HTTP_ACCEPT_ENCODING_BZIP2
-+#endif
-+ ;
++ if (max_bytes > limit) max_bytes = limit;
+ }
+ }
+
++ if (con->conf.kbytes_per_second) {
++ off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
++ if (limit <= 0) {
++ /* we reached the traffic limit */
+
-+ array_free(encodings_arr);
++ con->traffic_limit_reached = 1;
++ joblist_append(srv, con);
+
- if (!buffer_is_empty(s->compress_cache_dir)) {
- struct stat st;
- mkdir_recursive(s->compress_cache_dir->ptr);
-@@ -587,6 +625,7 @@
- PATCH(compress_cache_dir);
- PATCH(compress);
- PATCH(compress_max_filesize);
-+ PATCH(allowed_encodings);
++ return 1;
++ } else {
++ if (max_bytes > limit) max_bytes = limit;
++ }
++ }
++
+ written = cq->bytes_out;
- /* skip the first, the global context */
- for (i = 1; i < srv->config_context->used; i++) {
-@@ -606,6 +645,8 @@
- PATCH(compress);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("compress.max-filesize"))) {
- PATCH(compress_max_filesize);
-+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("compress.allowed-encodings"))) {
-+ PATCH(allowed_encodings);
- }
- }
+ #ifdef TCP_CORK
+@@ -879,10 +924,10 @@
+
+ if (srv_socket->is_ssl) {
+ #ifdef USE_OPENSSL
+- ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq);
++ ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
+ #endif
+ } else {
+- ret = srv->network_backend_write(srv, con, con->fd, cq);
++ ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
}
-@@ -668,27 +709,21 @@
- if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Accept-Encoding"))) {
- int accept_encoding = 0;
- char *value = ds->value->ptr;
-- int srv_encodings = 0;
- int matched_encodings = 0;
-
- /* get client side support encodings */
-+#ifdef USE_ZLIB
- if (NULL != strstr(value, "gzip")) accept_encoding |= HTTP_ACCEPT_ENCODING_GZIP;
- if (NULL != strstr(value, "deflate")) accept_encoding |= HTTP_ACCEPT_ENCODING_DEFLATE;
- if (NULL != strstr(value, "compress")) accept_encoding |= HTTP_ACCEPT_ENCODING_COMPRESS;
-+#endif
-+#ifdef USE_BZ2LIB
- if (NULL != strstr(value, "bzip2")) accept_encoding |= HTTP_ACCEPT_ENCODING_BZIP2;
-+#endif
- if (NULL != strstr(value, "identity")) accept_encoding |= HTTP_ACCEPT_ENCODING_IDENTITY;
-- /* get server side supported ones */
--#ifdef USE_BZ2LIB
-- srv_encodings |= HTTP_ACCEPT_ENCODING_BZIP2;
--#endif
--#ifdef USE_ZLIB
-- srv_encodings |= HTTP_ACCEPT_ENCODING_GZIP;
-- srv_encodings |= HTTP_ACCEPT_ENCODING_DEFLATE;
--#endif
+ if (ret >= 0) {
+@@ -903,12 +948,5 @@
+
+ *(con->conf.global_bytes_per_second_cnt_ptr) += written;
+
+- if (con->conf.kbytes_per_second &&
+- (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) {
+- /* we reached the traffic limit */
-
- /* find matching entries */
-- matched_encodings = accept_encoding & srv_encodings;
-+ matched_encodings = accept_encoding & p->conf.allowed_encodings;
+- con->traffic_limit_reached = 1;
+- joblist_append(srv, con);
+- }
+ return ret;
+ }
+Index: src/network.h
+===================================================================
+--- src/network.h (.../tags/lighttpd-1.4.29)
++++ src/network.h (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,7 @@
- if (matched_encodings) {
- const char *dflt_gzip = "gzip";
-Index: src/mod_auth.c
+ #include "server.h"
+
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c);
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes);
+
+ int network_init(server *srv);
+ int network_close(server *srv);
+Index: src/configfile.c
===================================================================
---- src/mod_auth.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/mod_auth.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -115,7 +115,7 @@
- PATCH(auth_ldap_starttls);
- PATCH(auth_ldap_allow_empty_pw);
- #ifdef USE_LDAP
-- PATCH(ldap);
-+ p->anon_conf = s;
- PATCH(ldap_filter_pre);
- PATCH(ldap_filter_post);
- #endif
-@@ -149,7 +149,7 @@
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
- PATCH(auth_ldap_hostname);
- #ifdef USE_LDAP
-- PATCH(ldap);
-+ p->anon_conf = s;
+--- src/configfile.c (.../tags/lighttpd-1.4.29)
++++ src/configfile.c (.../branches/lighttpd-1.4.x)
+@@ -105,6 +105,8 @@
+ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
+ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
+ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
++ { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
++ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
+
+ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -176,6 +178,7 @@
+ s->max_write_idle = 360;
+ s->use_xattr = 0;
+ s->is_ssl = 0;
++ s->ssl_honor_cipher_order = 1;
+ s->ssl_use_sslv2 = 0;
+ s->ssl_use_sslv3 = 1;
+ s->use_ipv6 = 0;
+@@ -199,6 +202,7 @@
+ s->ssl_verifyclient_username = buffer_init();
+ s->ssl_verifyclient_depth = 9;
+ s->ssl_verifyclient_export_cert = 0;
++ s->ssl_disable_client_renegotiation = 1;
+
+ cv[2].destination = s->errorfile_prefix;
+
+@@ -245,6 +249,8 @@
+ cv[62].destination = &(s->ssl_use_sslv3);
+ cv[63].destination = s->ssl_dh_file;
+ cv[64].destination = s->ssl_ec_curve;
++ cv[66].destination = &(s->ssl_honor_cipher_order);
++
+ cv[49].destination = &(s->etag_use_inode);
+ cv[50].destination = &(s->etag_use_mtime);
+ cv[51].destination = &(s->etag_use_size);
+@@ -255,6 +261,7 @@
+ cv[58].destination = &(s->ssl_verifyclient_depth);
+ cv[59].destination = s->ssl_verifyclient_username;
+ cv[60].destination = &(s->ssl_verifyclient_export_cert);
++ cv[65].destination = &(s->ssl_disable_client_renegotiation);
+
+ srv->config_storage[i] = s;
+
+@@ -335,6 +342,7 @@
+ PATCH(ssl_cipher_list);
+ PATCH(ssl_dh_file);
+ PATCH(ssl_ec_curve);
++ PATCH(ssl_honor_cipher_order);
+ PATCH(ssl_use_sslv2);
+ PATCH(ssl_use_sslv3);
+ PATCH(etag_use_inode);
+@@ -346,6 +354,7 @@
+ PATCH(ssl_verifyclient_depth);
+ PATCH(ssl_verifyclient_username);
+ PATCH(ssl_verifyclient_export_cert);
++ PATCH(ssl_disable_client_renegotiation);
+
+ return 0;
+ }
+@@ -400,6 +409,8 @@
#endif
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
- PATCH(auth_ldap_basedn);
-@@ -527,7 +527,7 @@
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ PATCH(ssl_ca_file);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++ PATCH(ssl_honor_cipher_order);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+ PATCH(ssl_use_sslv2);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
+@@ -454,6 +465,8 @@
+ PATCH(ssl_verifyclient_username);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
+ PATCH(ssl_verifyclient_export_cert);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
++ PATCH(ssl_disable_client_renegotiation);
}
}
+ }
+Index: src/mod_scgi.c
+===================================================================
+--- src/mod_scgi.c (.../tags/lighttpd-1.4.29)
++++ src/mod_scgi.c (.../branches/lighttpd-1.4.x)
+@@ -2296,7 +2296,7 @@
-- switch(s->auth_backend) {
-+ switch(s->auth_ldap_hostname->used) {
- case AUTH_BACKEND_LDAP: {
- handler_t ret = auth_ldap_init(srv, s);
- if (ret == HANDLER_ERROR)
-@@ -554,6 +554,9 @@
- #endif
+ /* fall through */
+ case FCGI_STATE_WRITE:
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
- if (s->auth_ldap_hostname->used) {
-+ /* free old context */
-+ if (NULL != s->ldap) ldap_unbind_s(s->ldap);
-+
- if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
- log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
+ chunkqueue_remove_finished_chunks(hctx->wb);
-Index: src/mod_fastcgi.c
+Index: src/request.c
===================================================================
---- src/mod_fastcgi.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -3608,47 +3608,50 @@
- "handling it in mod_fastcgi");
- }
-
-- /* the prefix is the SCRIPT_NAME,
-- * everything from start to the next slash
-- * this is important for check-local = "disable"
-- *
-- * if prefix = /admin.fcgi
-- *
-- * /admin.fcgi/foo/bar
-- *
-- * SCRIPT_NAME = /admin.fcgi
-- * PATH_INFO = /foo/bar
-- *
-- * if prefix = /fcgi-bin/
-- *
-- * /fcgi-bin/foo/bar
-- *
-- * SCRIPT_NAME = /fcgi-bin/foo
-- * PATH_INFO = /bar
-- *
-- * if prefix = /, and fix-root-path-name is enable
-- *
-- * /fcgi-bin/foo/bar
-- *
-- * SCRIPT_NAME = /fcgi-bin/foo
-- * PATH_INFO = /bar
-- *
-- */
-+ /* do not split path info for authorizer */
-+ if (host->mode != FCGI_AUTHORIZER) {
-+ /* the prefix is the SCRIPT_NAME,
-+ * everything from start to the next slash
-+ * this is important for check-local = "disable"
-+ *
-+ * if prefix = /admin.fcgi
-+ *
-+ * /admin.fcgi/foo/bar
-+ *
-+ * SCRIPT_NAME = /admin.fcgi
-+ * PATH_INFO = /foo/bar
-+ *
-+ * if prefix = /fcgi-bin/
-+ *
-+ * /fcgi-bin/foo/bar
-+ *
-+ * SCRIPT_NAME = /fcgi-bin/foo
-+ * PATH_INFO = /bar
-+ *
-+ * if prefix = /, and fix-root-path-name is enable
-+ *
-+ * /fcgi-bin/foo/bar
-+ *
-+ * SCRIPT_NAME = /fcgi-bin/foo
-+ * PATH_INFO = /bar
-+ *
-+ */
-
-- /* the rewrite is only done for /prefix/? matches */
-- if (extension->key->ptr[0] == '/' &&
-- con->uri.path->used > extension->key->used &&
-- NULL != (pathinfo = strchr(con->uri.path->ptr + extension->key->used - 1, '/'))) {
-- /* rewrite uri.path and pathinfo */
-+ /* the rewrite is only done for /prefix/? matches */
-+ if (extension->key->ptr[0] == '/' &&
-+ con->uri.path->used > extension->key->used &&
-+ NULL != (pathinfo = strchr(con->uri.path->ptr + extension->key->used - 1, '/'))) {
-+ /* rewrite uri.path and pathinfo */
-
-- buffer_copy_string(con->request.pathinfo, pathinfo);
-+ buffer_copy_string(con->request.pathinfo, pathinfo);
-
-- con->uri.path->used -= con->request.pathinfo->used - 1;
-- con->uri.path->ptr[con->uri.path->used - 1] = '\0';
-- } else if (host->fix_root_path_name && extension->key->ptr[0] == '/' && extension->key->ptr[1] == '\0') {
-- buffer_copy_string(con->request.pathinfo, con->uri.path->ptr);
-- con->uri.path->used = 1;
-- con->uri.path->ptr[con->uri.path->used - 1] = '\0';
-+ con->uri.path->used -= con->request.pathinfo->used - 1;
-+ con->uri.path->ptr[con->uri.path->used - 1] = '\0';
-+ } else if (host->fix_root_path_name && extension->key->ptr[0] == '/' && extension->key->ptr[1] == '\0') {
-+ buffer_copy_string(con->request.pathinfo, con->uri.path->ptr);
-+ con->uri.path->used = 1;
-+ con->uri.path->ptr[con->uri.path->used - 1] = '\0';
-+ }
+--- src/request.c (.../tags/lighttpd-1.4.29)
++++ src/request.c (.../branches/lighttpd-1.4.x)
+@@ -49,7 +49,7 @@
+ if (++colon_cnt > 7) {
+ return -1;
+ }
+- } else if (!light_isxdigit(*c)) {
++ } else if (!light_isxdigit(*c) && '.' != *c) {
+ return -1;
}
}
- } else {
-Index: src/proc_open.c
+Index: src/network_backends.h
===================================================================
---- src/proc_open.c (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/proc_open.c (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -287,32 +287,33 @@
- }
- /* }}} */
- /* {{{ proc_open_buffer */
--int proc_open_buffer(proc_handler_t *proc, const char *command, buffer *in, buffer *out, buffer *err) {
-+int proc_open_buffer(const char *command, buffer *in, buffer *out, buffer *err) {
-+ proc_handler_t proc;
+--- src/network_backends.h (.../tags/lighttpd-1.4.29)
++++ src/network_backends.h (.../branches/lighttpd-1.4.x)
+@@ -47,18 +47,18 @@
+ #include "base.h"
-- UNUSED(err);
+ /* return values:
+- * >= 0 : chunks completed
++ * >= 0 : no error
+ * -1 : error (on our side)
+ * -2 : remote close
+ */
+
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq);
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
+ #endif
+
+ #endif
+Index: src/SConscript
+===================================================================
+--- src/SConscript (.../tags/lighttpd-1.4.29)
++++ src/SConscript (.../branches/lighttpd-1.4.x)
+@@ -12,7 +12,8 @@
+ data_integer.c md5.c data_fastcgi.c \
+ fdevent_select.c fdevent_libev.c \
+ fdevent_poll.c fdevent_linux_sysepoll.c \
+- fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \
++ fdevent_solaris_devpoll.c fdevent_solaris_port.c \
++ fdevent_freebsd_kqueue.c \
+ data_config.c bitset.c \
+ inet_ntop_cache.c crc32.c \
+ connections-glue.c \
+@@ -62,7 +63,7 @@
+ 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] },
+ 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] },
+ 'mod_auth' : {
+- 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ],
++ 'src' : [ 'mod_auth.c', 'http_auth.c' ],
+ 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] },
+ 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] },
+ 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] },
+Index: src/mod_cml_funcs.c
+===================================================================
+--- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x)
+@@ -17,18 +17,8 @@
+ #include <dirent.h>
+ #include <stdio.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
-
-- if (proc_open(proc, command) != 0) {
-+ if (proc_open(&proc, command) != 0) {
- return -1;
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -43,7 +33,7 @@
+ #ifdef HAVE_LUA_H
+
+ int f_crypto_md5(lua_State *L) {
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ buffer b;
+ char hex[33];
+@@ -63,9 +53,9 @@
+ lua_error(L);
}
- if (in) {
-- if (write(proc->in.fd, (void *)in->ptr, in->used) < 0) {
-+ if (write(proc.in.fd, (void *)in->ptr, in->used) < 0) {
- perror("error writing pipe");
- return -1;
- }
- }
-- pipe_close(&proc->in);
-+ pipe_close(&proc.in);
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
++ li_MD5_Final(HA1, &Md5Ctx);
- if (out) {
-- proc_read_fd_to_buffer(proc->out.fd, out);
-+ proc_read_fd_to_buffer(proc.out.fd, out);
- }
-- pipe_close(&proc->out);
-+ pipe_close(&proc.out);
+ buffer_copy_string_hex(&b, (char *)HA1, 16);
- if (err) {
-- proc_read_fd_to_buffer(proc->err.fd, err);
-+ proc_read_fd_to_buffer(proc.err.fd, err);
- }
-- pipe_close(&proc->err);
-+ pipe_close(&proc.err);
+Index: src/mod_userdir.c
+===================================================================
+--- src/mod_userdir.c (.../tags/lighttpd-1.4.29)
++++ src/mod_userdir.c (.../branches/lighttpd-1.4.x)
+@@ -166,7 +166,6 @@
+
+ URIHANDLER_FUNC(mod_userdir_docroot_handler) {
+ plugin_data *p = p_d;
+- int uri_len;
+ size_t k;
+ char *rel_url;
+ #ifdef HAVE_PWD_H
+@@ -182,8 +181,6 @@
+ */
+ if (p->conf.path->used == 0) return HANDLER_GO_ON;
+
+- uri_len = con->uri.path->used - 1;
+-
+ /* /~user/foo.html -> /home/user/public_html/foo.html */
-+ proc_close(&proc);
-+
- return 0;
- }
- /* }}} */
-@@ -366,7 +367,7 @@
- RESET();
-
- fprintf(stdout, "test: echo 321 with read\n"); fflush(stdout);
-- if (proc_open_buffer(&proc, "echo 321", NULL, out, err) != 0) {
-+ if (proc_open_buffer("echo 321", NULL, out, err) != 0) {
- ERROR_OUT();
- }
- fprintf(stdout, "result: ->%s<-\n\n", out->ptr); fflush(stdout);
-@@ -374,7 +375,7 @@
-
- fprintf(stdout, "test: echo 123 | " CMD_CAT "\n"); fflush(stdout);
- buffer_copy_string_len(in, CONST_STR_LEN("123\n"));
-- if (proc_open_buffer(&proc, CMD_CAT, in, out, err) != 0) {
-+ if (proc_open_buffer(CMD_CAT, in, out, err) != 0) {
- ERROR_OUT();
- }
- fprintf(stdout, "result: ->%s<-\n\n", out->ptr); fflush(stdout);
-Index: src/proc_open.h
+ if (con->uri.path->ptr[0] != '/' ||
+Index: src/mod_proxy.c
===================================================================
---- src/proc_open.h (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ src/proc_open.h (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -22,4 +22,4 @@
-
- int proc_close(proc_handler_t *ht);
- int proc_open(proc_handler_t *ht, const char *command);
--int proc_open_buffer(proc_handler_t *ht, const char *command, buffer *in, buffer *out, buffer *err);
-+int proc_open_buffer(const char *command, buffer *in, buffer *out, buffer *err);
-Index: tests/mod-compress.conf
+--- src/mod_proxy.c (.../tags/lighttpd-1.4.29)
++++ src/mod_proxy.c (.../branches/lighttpd-1.4.x)
+@@ -825,7 +825,7 @@
+
+ /* fall through */
+ case PROXY_STATE_WRITE:;
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
+
+ chunkqueue_remove_finished_chunks(hctx->wb);
+
+Index: src/Makefile.am
===================================================================
---- tests/mod-compress.conf (.../tags/lighttpd-1.4.20) (revision 0)
-+++ tests/mod-compress.conf (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -0,0 +1,32 @@
-+debug.log-request-handling = "enable"
-+debug.log-response-header = "disable"
-+debug.log-request-header = "disable"
-+
-+server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
-+server.pid-file = env.SRCDIR + "/tmp/lighttpd/lighttpd.pid"
-+
-+## bind to port (default: 80)
-+server.port = 2048
-+
-+## bind to localhost (default: all interfaces)
-+server.bind = "localhost"
-+server.errorlog = env.SRCDIR + "/tmp/lighttpd/logs/lighttpd.error.log"
-+server.name = "www.example.org"
-+
-+server.modules = (
-+ "mod_compress"
-+)
-+
-+######################## MODULE CONFIG ############################
-+
-+mimetype.assign = (
-+ ".html" => "text/html",
-+ ".txt" => "text/plain",
-+)
-+
-+$HTTP["host"] == "cache.example.org" {
-+ compress.cache-dir = env.SRCDIR + "/tmp/lighttpd/cache/compress/"
-+}
-+compress.filetype = ("text/plain", "text/html")
-+
-+compress.allowed-encodings = ( "gzip", "deflate" )
-Index: tests/mod-fastcgi.t
+--- src/Makefile.am (.../tags/lighttpd-1.4.29)
++++ src/Makefile.am (.../branches/lighttpd-1.4.x)
+@@ -241,7 +241,7 @@
+ mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd)
+
+ lib_LTLIBRARIES += mod_auth.la
+-mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c
++mod_auth_la_SOURCES = mod_auth.c http_auth.c
+ mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
+ mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
+
+@@ -268,7 +268,7 @@
+
+ hdr = server.h buffer.h network.h log.h keyvalue.h \
+ response.h request.h fastcgi.h chunk.h \
+- settings.h http_chunk.h http_auth_digest.h \
++ settings.h http_chunk.h \
+ md5.h http_auth.h stream.h \
+ fdevent.h connections.h base.h stat_cache.h \
+ plugin.h mod_auth.h \
+Index: src/network_writev.c
===================================================================
---- tests/mod-fastcgi.t (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ tests/mod-fastcgi.t (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -7,7 +7,7 @@
- }
-
- use strict;
--use Test::More tests => 49;
-+use Test::More tests => 50;
- use LightyTest;
+--- src/network_writev.c (.../tags/lighttpd-1.4.29)
++++ src/network_writev.c (.../branches/lighttpd-1.4.x)
+@@ -30,17 +30,16 @@
+ #define LOCAL_BUFFERING 1
+ #endif
- my $tf = LightyTest->new();
-@@ -215,7 +215,7 @@
- }
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -65,12 +64,10 @@
+ #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de"
+ #endif
- SKIP: {
-- skip "no fcgi-auth found", 4 unless -x $tf->{BASEDIR}."/tests/fcgi-auth" || -x $tf->{BASEDIR}."/tests/fcgi-auth.exe";
-+ skip "no fcgi-auth found", 5 unless -x $tf->{BASEDIR}."/tests/fcgi-auth" || -x $tf->{BASEDIR}."/tests/fcgi-auth.exe";
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < max_chunks
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next);
+
+@@ -87,9 +84,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -121,6 +118,7 @@
+ }
- $tf->{CONFIGFILE} = 'fastcgi-auth.conf';
- ok($tf->start_proc == 0, "Starting lighttpd with $tf->{CONFIGFILE}") or die();
-@@ -235,6 +235,14 @@
- $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
- ok($tf->handle_http($t) == 0, 'FastCGI - Auth');
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ /* check which chunks have been written */
+
+@@ -132,11 +130,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -284,6 +281,8 @@
+ assert(toSend < 0);
+ }
-+ $t->{REQUEST} = ( <<EOF
-+GET /expire/access.txt?ok HTTP/1.0
-+Host: www.example.org
-+EOF
-+ );
-+ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-+ ok($tf->handle_http($t) == 0, 'FastCGI - Auth in subdirectory');
++ if (toSend > max_bytes) toSend = max_bytes;
+
- ok($tf->stop_proc == 0, "Stopping lighttpd");
+ #ifdef LOCAL_BUFFERING
+ start = c->mem->ptr;
+ #else
+@@ -309,6 +308,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -334,11 +334,9 @@
+
+ break;
+ }
+-
+- chunks_written++;
+ }
+
+- return chunks_written;
++ return 0;
}
-Index: tests/fastcgi-auth.conf
-===================================================================
---- tests/fastcgi-auth.conf (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ tests/fastcgi-auth.conf (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -89,6 +89,7 @@
- "bin-path" => env.SRCDIR + "/fcgi-auth",
- "mode" => "authorizer",
- "docroot" => env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/",
-+ "check-local" => "disable",
-
- )
- )
-Index: tests/mod-compress.t
+ #endif
+Index: src/network_freebsd_sendfile.c
===================================================================
---- tests/mod-compress.t (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ tests/mod-compress.t (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -8,12 +8,14 @@
+--- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29)
++++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x)
+@@ -31,17 +31,16 @@
+ # endif
+ #endif
- use strict;
- use IO::Socket;
--use Test::More tests => 10;
-+use Test::More tests => 11;
- use LightyTest;
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
- my $tf = LightyTest->new();
- my $t;
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
-+$tf->{CONFIGFILE} = 'mod-compress.conf';
-+
- ok($tf->start_proc == 0, "Starting lighttpd") or die();
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
- $t->{REQUEST} = ( <<EOF
-@@ -88,5 +90,14 @@
- $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, '+Vary' => '', 'Content-Type' => "text/plain" } ];
- ok($tf->handle_http($t) == 0, 'Empty Accept-Encoding');
+ size_t num_chunks, i;
+@@ -49,12 +48,10 @@
+ chunk *tc;
+ size_t num_bytes = 0;
-+$t->{REQUEST} = ( <<EOF
-+GET /index.txt HTTP/1.0
-+Accept-Encoding: bzip2, gzip, deflate
-+Host: cache.example.org
-+EOF
-+ );
-+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, '+Vary' => '', 'Content-Encoding' => 'gzip', 'Content-Type' => "text/plain" } ];
-+ok($tf->handle_http($t) == 0, 'bzip2 requested but disabled');
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < UIO_MAXIOV
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next);
+
+@@ -69,9 +66,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -105,6 +102,7 @@
+
+ /* check which chunks have been written */
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+ if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -114,11 +112,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -134,7 +131,7 @@
+ }
+ case FILE_CHUNK: {
+ off_t offset, r;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+
+ if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) {
+@@ -144,9 +141,8 @@
+ }
-+
- ok($tf->stop_proc == 0, "Stopping lighttpd");
-Index: doc/compress.txt
+ offset = c->file.start + c->offset;
+- /* limit the toSend to 2^31-1 bytes in a chunk */
+- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+- ((1 << 30) - 1) : c->file.length - c->offset;
++ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (-1 == c->file.fd) {
+ if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
+@@ -197,6 +193,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -218,7 +215,7 @@
+ }
+ }
+
+- return chunks_written;
++ return 0;
+ }
+
+ #endif
+Index: src/network_openssl.c
===================================================================
---- doc/compress.txt (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ doc/compress.txt (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -6,13 +6,7 @@
- Module: mod_compress
- --------------------
-
--:Author: Jan Kneschke
--:Date: $Date$
--:Revision: $Revision$
-
--:abstract:
-- a nice, short abstrace about the module
--
- .. meta::
- :keywords: lighttpd, compress
+--- src/network_openssl.c (.../tags/lighttpd-1.4.29)
++++ src/network_openssl.c (.../branches/lighttpd-1.4.x)
+@@ -27,10 +27,9 @@
+ # include <openssl/ssl.h>
+ # include <openssl/err.h>
+
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) {
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
+ int ssl_r;
+ chunk *c;
+- size_t chunks_written = 0;
+
+ /* this is a 64k sendbuffer
+ *
+@@ -59,13 +58,13 @@
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
-@@ -22,16 +16,57 @@
- ===========
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
- Output compression reduces the network load and can improve the overall
--throughput of the webserver.
-+throughput of the webserver. All major http-clients support compression by
-+announcing it in the Accept-Encoding header. This is used to negotiate the
-+most suitable compression method. We support deflate, gzip and bzip2.
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
--Only static content is supported up to now.
-+deflate (RFC1950, RFC1951) and gzip (RFC1952) depend on zlib while bzip2
-+depends on libbzip2. bzip2 is only supported by lynx and some other console
-+text-browsers.
+ if (c->mem->used == 0 || c->mem->used == 1) {
+@@ -75,6 +74,7 @@
--The server negotiates automaticly which compression method is used.
--Supported are gzip, deflate, bzip.
-+We currently limit to compression support to static files.
+ offset = c->mem->ptr + c->offset;
+ toSend = c->mem->used - 1 - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
-+Caching
-+-------
-+
-+mod_compress can store compressed files on disk to optimize the compression
-+on a second request away. As soon as compress.cache-dir is set the files are
-+compressed.
-+
-+(You will need to create the cache directory if it doesn't already exist. The web server will not do this for you. The directory will also need the proper ownership. For Debian/Ubuntu the user and group ids should both be www-data.)
-+
-+The names of the cache files are made of the filename, the compression method
-+and the etag associated to the file.
-+
-+Cleaning the cache is left to the user. A cron job deleting files older than
-+10 days could do it: ::
-+
-+ find /var/www/cache -type f -mtime +10 | xargs -r rm
-+
-+Limitations
-+-----------
-+
-+The module limits the compression of files to files smaller than 128 MByte and
-+larger than 128 Byte.
-+
-+The lower limit is set as small files tend to become larger by compressing due
-+to the compression headers, the upper limit is set to work sensibly with
-+memory and cpu-time.
-+
-+Directories containing a tilde ('~') are not created automatically (See ticket
-+#113). To enable compression for user dirs you have to create the directories
-+by hand in the cache directory.
-+
- Options
- =======
+ /**
+ * SSL_write man-page
+@@ -87,7 +87,14 @@
+ */
-+compress.allowed-encodings
-+ override default set of allowed encodings
-+
-+ e.g.: ::
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
++ r = SSL_write(ssl, offset, toSend);
+
-+ compress.allowed-encodings = ("bzip2", "gzip", "deflate")
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
+
- compress.cache-dir
- name of the directory where compressed content will be cached
++ if (r <= 0) {
+ unsigned long err;
-@@ -47,20 +82,111 @@
- Default: not set, compress the file for every request
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -139,6 +146,7 @@
+ } else {
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+ }
- compress.filetype
-- mimetypes where might get compressed
-+ mimetypes which might get compressed
+ if (c->offset == (off_t)c->mem->used - 1) {
+@@ -168,6 +176,7 @@
+ do {
+ off_t offset = c->file.start + c->offset;
+ off_t toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
- e.g.: ::
+ if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
- compress.filetype = ("text/plain", "text/html")
+@@ -190,7 +199,14 @@
+ close(ifd);
-+ Keep in mind that compressed JavaScript and CSS files are broken in some
-+ browsers. Not setting any filetypes will result in no files being compressed.
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, s, toSend)) <= 0) {
++ r = SSL_write(ssl, s, toSend);
+
-+ NOTE: You have to specify the full mime-type! If you also define a charset, for example, you have to use "text/plain; charset=utf-8" instead of just "text/plain".
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
+
- Default: not set
++ if (r <= 0) {
+ unsigned long err;
-+compress.max-filesize
-+ maximum size of the original file to be compressed kBytes.
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -243,12 +259,13 @@
+ } else {
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+ }
-+ This is meant to protect the server against DoSing as compressing large
-+ (let's say 1Gbyte) takes a lot of time and would delay the whole operation
-+ of the server.
-+
-+ There is a hard upper limit of 128Mbyte.
-+
-+ Default: unlimited (== hard-limit of 128MByte)
-+
-+Display compressed files
-+========================
-+
-+If you enable mod_compress, and you want to force clients to uncompress and display compressed text files, please force mimetype to nothing.
-+Exemple :
-+If you want to add headers for uncompress and display diff.gz files , add this section in your conf : ::
-+
-+ $HTTP["url"] =~ "\.diff\.gz" {
-+ setenv.add-response-header = ( "Content-Encoding" => "gzip" )
-+ mimetype.assign = ()
-+ }
-+
-+
- Compressing Dynamic Content
- ===========================
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+ }
+- } while(!chunk_finished && !write_wait);
++ } while (!chunk_finished && !write_wait && max_bytes > 0);
-+PHP
-+---
-+
- To compress dynamic content with PHP please enable ::
+ break;
+ }
+@@ -263,11 +280,9 @@
- zlib.output_compression = 1
-+ zlib.output_handler = On
+ break;
+ }
+-
+- chunks_written++;
+ }
- in the php.ini as PHP provides compression support by itself.
-+
-+mod_compress of lighttpd 1.5 r1992 may not set correct Content-Encoding with php-fcgi. A solution to that problem would be:
-+
-+1.disable mod_compress when request a php file::
-+
-+ $HTTP["url"] !~ "\.php$" {
-+ compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml")
-+ }
-+
-+2.enable mod_setenv of your lighttpd::
-+
-+ server.modules += ( "mod_setenv" )
-+
-+3.manually set Content-Encoding::
-+
-+ $HTTP["url"] =~ "\.php$" {
-+ setenv.add-response-header = ( "Content-Encoding" => "gzip")
-+ }
-+
-+
-+TurboGears
-+----------
-+
-+To compress dynamic content with TurboGears please enable ::
-+
-+ [/]
-+ gzip_filter.on = True
-+ gzip_filter.mime_types = ["application/x-javascript", "text/javascript", "text/html", "text/css", "text/plain"]
-+
-+in the config/app.cfg file in your TurboGears application. The above lines should already be in the file. You just need to remove the comment symbol in front of the lines to make them active.
-+
-+Django
-+------
-+
-+To compress dynamic content with Django please enable the GZipMiddleware ::
-+
-+ MIDDLEWARE_CLASSES = (
-+ 'django.middleware.gzip.GZipMiddleware',
-+ ...
-+ )
-+
-+in the settings.py file in your Django project.
-+
-+Catalyst
-+--------
-+
-+To compress dynamic content with Perl/Catalyst, simply use the Catalyst::Plugin::Compress::Gzip module available on CPAN ::
-+
-+ use Catalyst qw(
-+ Compress::Gzip
-+ ...
-+ );
-+
-+in your main package (MyApp.pm). Further configuration is not required.
+- return chunks_written;
++ return 0;
+ }
+ #endif
+
+Index: src/http_auth.c
+===================================================================
+--- src/http_auth.c (.../tags/lighttpd-1.4.29)
++++ src/http_auth.c (.../branches/lighttpd-1.4.x)
+@@ -1,7 +1,6 @@
+ #include "server.h"
+ #include "log.h"
+ #include "http_auth.h"
+-#include "http_auth_digest.h"
+ #include "inet_ntop_cache.h"
+ #include "stream.h"
+
+@@ -28,18 +27,23 @@
+ #include <unistd.h>
+ #include <ctype.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
++#define HASHLEN 16
++#define HASHHEXLEN 32
++typedef unsigned char HASH[HASHLEN];
++typedef char HASHHEX[HASHHEXLEN+1];
+
+-#endif
++static void CvtHex(const HASH Bin, char Hex[33]) {
++ unsigned short i;
+
++ for (i = 0; i < 16; i++) {
++ Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
++ Hex[i*2+1] = int2hex(Bin[i] & 0xf);
++ }
++ Hex[32] = '\0';
++}
+
-+}}}
+ /**
+ * the $apr1$ handling is taken from apache 1.3.x
+ */
+@@ -95,7 +99,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
+@@ -435,7 +439,7 @@
+
+ static void to64(char *s, unsigned long v, int n)
+ {
+- static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
++ static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+ while (--n >= 0) {
+@@ -455,7 +459,7 @@
+ const char *sp, *ep;
+ unsigned char final[APR_MD5_DIGESTSIZE];
+ ssize_t sl, pl, i;
+- MD5_CTX ctx, ctx1;
++ li_MD5_CTX ctx, ctx1;
+ unsigned long l;
+
+ /*
+@@ -487,33 +491,33 @@
+ /*
+ * 'Time to make the doughnuts..'
+ */
+- MD5_Init(&ctx);
++ li_MD5_Init(&ctx);
+
+ /*
+ * The password first, since that is what is most unknown
+ */
+- MD5_Update(&ctx, pw, strlen(pw));
++ li_MD5_Update(&ctx, pw, strlen(pw));
+
+ /*
+ * Then our magic string
+ */
+- MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
++ li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
+
+ /*
+ * Then the raw salt
+ */
+- MD5_Update(&ctx, sp, sl);
++ li_MD5_Update(&ctx, sp, sl);
+
+ /*
+ * Then just as many characters of the MD5(pw, salt, pw)
+ */
+- MD5_Init(&ctx1);
+- MD5_Update(&ctx1, pw, strlen(pw));
+- MD5_Update(&ctx1, sp, sl);
+- MD5_Update(&ctx1, pw, strlen(pw));
+- MD5_Final(final, &ctx1);
++ li_MD5_Init(&ctx1);
++ li_MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, sp, sl);
++ li_MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Final(final, &ctx1);
+ for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) {
+- MD5_Update(&ctx, final,
++ li_MD5_Update(&ctx, final,
+ (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl);
+ }
+
+@@ -527,10 +531,10 @@
+ */
+ for (i = strlen(pw); i != 0; i >>= 1) {
+ if (i & 1) {
+- MD5_Update(&ctx, final, 1);
++ li_MD5_Update(&ctx, final, 1);
+ }
+ else {
+- MD5_Update(&ctx, pw, 1);
++ li_MD5_Update(&ctx, pw, 1);
+ }
+ }
+
+@@ -542,7 +546,7 @@
+ strncat(passwd, sp, sl);
+ strcat(passwd, "$");
+
+- MD5_Final(final, &ctx);
++ li_MD5_Final(final, &ctx);
+
+ /*
+ * And now, just to make sure things don't run too fast..
+@@ -550,28 +554,28 @@
+ * need 30 seconds to build a 1000 entry dictionary...
+ */
+ for (i = 0; i < 1000; i++) {
+- MD5_Init(&ctx1);
++ li_MD5_Init(&ctx1);
+ if (i & 1) {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+ else {
+- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+ }
+ if (i % 3) {
+- MD5_Update(&ctx1, sp, sl);
++ li_MD5_Update(&ctx1, sp, sl);
+ }
+
+ if (i % 7) {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+
+ if (i & 1) {
+- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+ }
+ else {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+- MD5_Final(final,&ctx1);
++ li_MD5_Final(final,&ctx1);
+ }
+
+ p = passwd + strlen(passwd);
+@@ -614,17 +618,17 @@
+ * user:realm:md5(user:realm:password)
+ */
+
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ char a1[256];
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ CvtHex(HA1, a1);
+
+@@ -930,7 +934,7 @@
+ int i;
+ buffer *password, *b, *username_buf, *realm_buf;
+
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ HASH HA2;
+ HASH RespHash;
+@@ -1067,13 +1071,13 @@
+
+ if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
+ /* generate password from plain-text */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
++ li_MD5_Final(HA1, &Md5Ctx);
+ } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) {
+ /* HA1 */
+ /* transform the 32-byte-hex-md5 to a 16-byte-md5 */
+@@ -1090,45 +1094,45 @@
+
+ if (algorithm &&
+ strcasecmp(algorithm, "md5-sess") == 0) {
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++ li_MD5_Final(HA1, &Md5Ctx);
+ }
+
+ CvtHex(HA1, a1);
+
+ /* calculate H(A2) */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
+ if (qop && strcasecmp(qop, "auth-int") == 0) {
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
+ }
+- MD5_Final(HA2, &Md5Ctx);
++ li_MD5_Final(HA2, &Md5Ctx);
+ CvtHex(HA2, HA2Hex);
+
+ /* calculate response */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ if (qop && *qop) {
+- MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ };
+- MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
+- MD5_Final(RespHash, &Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
++ li_MD5_Final(RespHash, &Md5Ctx);
+ CvtHex(RespHash, a2);
+
+ if (0 != strcmp(a2, respons)) {
+@@ -1171,24 +1175,24 @@
+
+ int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) {
+ HASH h;
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ char hh[32];
+
+ UNUSED(p);
+
+ /* generate shared-secret */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+
+ /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+ LI_ltostr(hh, srv->cur_ts);
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ LI_ltostr(hh, rand());
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+
+- MD5_Final(h, &Md5Ctx);
++ li_MD5_Final(h, &Md5Ctx);
+
+ CvtHex(h, out);
+
+Index: src/mod_usertrack.c
+===================================================================
+--- src/mod_usertrack.c (.../tags/lighttpd-1.4.29)
++++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ /* plugin config for all request/connections */
+
+ typedef struct {
+@@ -182,7 +172,7 @@
+ plugin_data *p = p_d;
+ data_string *ds;
+ unsigned char h[16];
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ char hh[32];
+
+ if (con->uri.path->used == 0) return HANDLER_GO_ON;
+@@ -228,18 +218,18 @@
+ /* taken from mod_auth.c */
+
+ /* generate shared-secret */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+
+ /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+ LI_ltostr(hh, srv->cur_ts);
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ LI_ltostr(hh, rand());
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+
+- MD5_Final(h, &Md5Ctx);
++ li_MD5_Final(h, &Md5Ctx);
+
+ buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX);
+ buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/"));
+Index: src/mod_status.c
+===================================================================
+--- src/mod_status.c (.../tags/lighttpd-1.4.29)
++++ src/mod_status.c (.../branches/lighttpd-1.4.x)
+@@ -487,7 +487,7 @@
+
+ buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">"));
+
+- if (con->request.content_length) {
++ if (c->request.content_length) {
+ buffer_append_long(b, c->request_content_queue->bytes_in);
+ buffer_append_string_len(b, CONST_STR_LEN("/"));
+ buffer_append_long(b, c->request.content_length);
+Index: src/settings.h
+===================================================================
+--- src/settings.h (.../tags/lighttpd-1.4.29)
++++ src/settings.h (.../branches/lighttpd-1.4.x)
+@@ -21,8 +21,11 @@
+ * 64kB (no real reason, just a guess)
+ */
+ #define BUFFER_MAX_REUSE_SIZE (4 * 1024)
+-#define MAX_READ_LIMIT (4*1024*1024)
+
++/* both should be way smaller than SSIZE_MAX :) */
++#define MAX_READ_LIMIT (256*1024)
++#define MAX_WRITE_LIMIT (256*1024)
++
+ /**
+ * max size of the HTTP request header
+ *
+Index: src/mod_cml_lua.c
+===================================================================
+--- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x)
+@@ -11,18 +11,6 @@
+ #include <time.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+Index: src/mod_fastcgi.c
+===================================================================
+--- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29)
++++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x)
+@@ -3075,7 +3075,7 @@
+ fcgi_set_state(srv, hctx, FCGI_STATE_WRITE);
+ /* fall through */
+ case FCGI_STATE_WRITE:
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
+
+ chunkqueue_remove_finished_chunks(hctx->wb);
+
+@@ -3132,7 +3132,6 @@
+ plugin_data *p = p_d;
+
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+- fcgi_proc *proc;
+ fcgi_extension_host *host;
+
+ if (NULL == hctx) return HANDLER_GO_ON;
+@@ -3201,7 +3200,6 @@
+ /* ok, create the request */
+ switch(fcgi_write_request(srv, hctx)) {
+ case HANDLER_ERROR:
+- proc = hctx->proc;
+ host = hctx->host;
+
+ if (hctx->state == FCGI_STATE_INIT ||
+Index: src/network_solaris_sendfilev.c
+===================================================================
+--- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29)
++++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x)
+@@ -38,17 +38,16 @@
+ */
+
+
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -77,9 +76,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -119,11 +118,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -139,8 +137,8 @@
+ }
+ case FILE_CHUNK: {
+ ssize_t r;
+- off_t offset;
+- size_t toSend, written;
++ off_t offset, toSend;
++ size_t written;
+ sendfilevec_t fvec;
+ stat_cache_entry *sce = NULL;
+ int ifd;
+@@ -153,6 +151,7 @@
+
+ offset = c->file.start + c->offset;
+ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (offset > sce->st.st_size) {
+ log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
+@@ -186,6 +185,7 @@
+ close(ifd);
+ c->offset += written;
+ cq->bytes_out += written;
++ max_bytes -= written;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -207,7 +207,7 @@
+ }
+ }
+
+- return chunks_written;
++ return 0;
+ }
+
+ #endif
+Index: src/CMakeLists.txt
+===================================================================
+Index: src/mod_dirlisting.c
+===================================================================
+--- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29)
++++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x)
+@@ -657,7 +657,8 @@
+ i = dir->used - 1;
+
+ #ifdef HAVE_PATHCONF
+- if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++ if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++ /* some broken fs (fuse) return 0 instead of -1 */
+ #ifdef NAME_MAX
+ name_max = NAME_MAX;
+ #else
+Index: src/network_linux_sendfile.c
+===================================================================
+--- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29)
++++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x)
+@@ -27,17 +27,16 @@
+ /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */
+ #undef HAVE_POSIX_FADVISE
+
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -45,12 +44,10 @@
+ chunk *tc;
+ size_t num_bytes = 0;
+
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < UIO_MAXIOV
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for (num_chunks = 0, tc = c;
+ tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV;
+@@ -67,9 +64,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -100,6 +97,7 @@
+
+ /* check which chunks have been written */
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+ if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -109,11 +107,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -130,13 +127,12 @@
+ case FILE_CHUNK: {
+ ssize_t r;
+ off_t offset;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+
+ offset = c->file.start + c->offset;
+- /* limit the toSend to 2^31-1 bytes in a chunk */
+- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+- ((1 << 30) - 1) : c->file.length - c->offset;
++ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ /* open file if not already opened */
+ if (-1 == c->file.fd) {
+@@ -215,6 +211,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -243,7 +240,7 @@
+ }
+ }
+
+- return chunks_written;
++ return 0;
+ }
+
+ #endif
+Index: tests/mod-auth.t
+===================================================================
+--- tests/mod-auth.t (.../tags/lighttpd-1.4.29)
++++ tests/mod-auth.t (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+
+ $t->{REQUEST} = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
+
++$t->{REQUEST} = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+ );
+Index: tests/request.t
+===================================================================
+--- tests/request.t (.../tags/lighttpd-1.4.29)
++++ tests/request.t (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 44;
++use Test::More tests => 46;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -413,5 +413,21 @@
+ $t->{SLOWREQUEST} = 1;
+ ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)');
+
++print "\nPathinfo for static files\n";
++$t->{REQUEST} = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ];
++ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default');
+
++$t->{REQUEST} = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++Host: zzz.example.org
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
++ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
+
-Index: SConstruct
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+
+Index: tests/wrapper.sh
===================================================================
---- SConstruct (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ SConstruct (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -5,7 +5,7 @@
- from stat import *
-
- package = 'lighttpd'
--version = '1.4.20'
-+version = '1.4.21'
-
- def checkCHeaders(autoconf, hdrs):
- p = re.compile('[^A-Z0-9]')
-Index: Makefile.am
+--- tests/wrapper.sh (.../tags/lighttpd-1.4.29)
++++ tests/wrapper.sh (.../branches/lighttpd-1.4.x)
+@@ -6,4 +6,4 @@
+ top_builddir=$2
+ export SHELL srcdir top_builddir
+
+-$3
++exec $3
+Index: tests/lighttpd.conf
===================================================================
---- Makefile.am (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ Makefile.am (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -1,4 +1,4 @@
--SUBDIRS=src doc tests cygwin openwrt
-+SUBDIRS=src doc tests
-
- EXTRA_DIST=autogen.sh SConstruct
+--- tests/lighttpd.conf (.../tags/lighttpd-1.4.29)
++++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x)
+@@ -149,6 +149,7 @@
+ $HTTP["host"] == "zzz.example.org" {
+ server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
+ server.name = "zzz.example.org"
++ static-file.disable-pathinfo = "enable"
+ }
+ $HTTP["host"] == "symlink.example.org" {
+Index: configure.ac
+===================================================================
+Index: doc/config/lighttpd.conf
+===================================================================
+--- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29)
++++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x)
+@@ -394,6 +394,25 @@
+ ## $SERVER["socket"] == "10.0.0.1:443" {
+ ## ssl.engine = "enable"
+ ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
++## #
++## # Mitigate BEAST attack:
++## #
++## # A stricter base cipher suite. For details see:
++## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
++## #
++## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++## #
++## # Make the server prefer the order of the server side cipher suite instead of the client suite.
++## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
++## # This option is enabled by default, but only used if ssl.ciphers is set.
++## #
++## # ssl.honor-cipher-order = "enable"
++## #
++## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
++## # This is enabled by default.
++## #
++## # ssl.disable-client-renegotiation = "enable"
++## #
+ ## server.name = "www.example.com"
+ ##
+ ## server.document-root = "/srv/www/vhosts/example.com/www/"
+Index: SConstruct
+===================================================================
Index: NEWS
===================================================================
---- NEWS (.../tags/lighttpd-1.4.20) (revision 2336)
-+++ NEWS (.../branches/lighttpd-1.4.x) (revision 2336)
-@@ -3,8 +3,24 @@
+--- NEWS (.../tags/lighttpd-1.4.29)
++++ NEWS (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,20 @@
NEWS
====
--- 1.4.20 -
-+- 1.4.21 -
-
-+ * Fix base64 decoding in mod_auth (#1757, thx guido)
-+ * Fix mod_cgi segfault when bound to unix domain socket (#653)
-+ * Do not rely on ioctl FIONREAD (#673)
-+ * Now really fix mod auth ldap (#1066)
-+ * Fix leaving zombie process with include_shell (#1777)
-+ * Removed debian/, openwrt/ and cygwin/; they weren't kept up-to-date, and we decided to remove dist. specific stuff
-+ * Try to convert string options to shorts for numeric options in config file; allows to use env-vars for numeric options. (#1159, thx andrewb)
-+ * Do not cache default vhost in mod_simple_vhost (#709)
-+ * Trust pcre-config, do not check for pcre manually (#1769)
-+ * Fix fastcgi authorization in subdirectories with check-local=disabled; don't split pathinfo for authorizer. (#963)
-+ * Add possibility to disable methods in mod_compress (#1773)
-+ * Fix duplicate connection keep-alive/transfer-encoding headers (#960)
-+ * Fixed fix for round-robin in mod_proxy (forgot to increment the index) (#1715)
-+
-+- 1.4.20 - 2008-09-30
-+
- * Fix mod_compress to compile with old gcc version (#1592)
- * Fix mod_extforward to compile with old gcc version (#1591)
- * Update documentation for #1587
-@@ -52,7 +68,7 @@
- * decode url before matching in mod_rewrite (#1720)
- * fixed conditional patching of ldap filter (#1564)
- * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
-- * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
-+ * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1" (CVE-2008-4360)
- * fixed format string bugs in mod_accesslog for SYSLOG
- * replaced fprintf with log_error_write in fastcgi debug
- * fixed mem leak in ssi expression parser (#1753), thx Take5k
-@@ -62,9 +78,9 @@
- * fix splitting of auth-ldap filter
- * workaround ldap connection leak if a ldap connection failed (restarting ldap)
- * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
-- * fix memleak in request header parsing (#1774, thx qhy)
-+ * fix memleak in request header parsing (#1774, thx qhy) (CVE-2008-4298)
- * fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!)
-- * use decoded url for matching in mod_redirect (#1720)
-+ * use decoded url for matching in mod_redirect (#1720) (CVE-2008-4359)
-
- - 1.4.19 - 2008-03-10
-
-
-Property changes on: .
-___________________________________________________________________
-Modified: bzr:revision-info
- - timestamp: 2008-09-23 21:04:22.819999933 +0200
-committer: Stefan Bühler <stbuehler@web.de>
-properties:
- branch-nick: lighttpd-1.4.x
-
- + timestamp: 2008-10-06 00:44:46.096999884 +0200
-committer: Stefan Bühler <stbuehler@web.de>
-properties:
- branch-nick: lighttpd-1.4.x
- rebase-of: stbuehler@web.de-20081005224446-yvb2zjumu0opxywc
-
-Modified: bzr:revision-id:v3-trunk0
- - 1127 stbuehler@web.de-20080728081644-j4cxnhduw8kbt8um
-1128 stbuehler@web.de-20080728084246-axvxdtjsrratxixs
-1129 stbuehler@web.de-20080729211700-s8v6nq2cu06qesls
-1130 stbuehler@web.de-20080729211726-4yxb6e5dva1cn0lz
-1131 stbuehler@web.de-20080729211750-4ulzigswx17uciyu
-1132 stbuehler@web.de-20080729211850-nliz3kd0m576ztuu
-1133 stbuehler@web.de-20080730163440-dg2y2sbf0u4grmn4
-1134 stbuehler@web.de-20080730173952-kiutzg6geqy7mick
-1135 stbuehler@web.de-20080730193616-9kc2ms7rrhv1lkn7
-1136 stbuehler@web.de-20080730211457-z4a6uth1y29glbqh
-1137 stbuehler@web.de-20080730213517-b6sjcrdwbmipl334
-1138 stbuehler@web.de-20080731102617-2xw8unjfqic7lsew
-1139 stbuehler@web.de-20080731102703-q4tu5a6em9y8xdg0
-1140 stbuehler@web.de-20080731102729-l6vn5b05w9swqbg5
-1141 stbuehler@web.de-20080731102756-oj3d4tnk0l90mj77
-1142 stbuehler@web.de-20080731204442-blw14cj2fkr3l8ly
-1143 stbuehler@web.de-20080731204508-imtfnurf922mg7tj
-1144 stbuehler@web.de-20080801112347-girnwswdkwm8wuip
-1145 stbuehler@web.de-20080801161245-kx1temr529o7xko9
-1146 stbuehler@web.de-20080801175332-oc9e7x8edn1owcc0
-1147 stbuehler@web.de-20080801183454-5i66v0gsdv0cgmia
-1148 stbuehler@web.de-20080801192849-6zklfbb832sx0hvr
-1149 stbuehler@web.de-20080801203119-o16elp8w854s6lol
-1150 stbuehler@web.de-20080802162146-a4v57svc788pwdsv
-1151 stbuehler@web.de-20080802162202-9udlc1wuwt09pyh2
-1152 stbuehler@web.de-20080804135803-yuor9ze06px7qta4
-1153 stbuehler@web.de-20080812194728-fupt781o6q058unh
-1154 stbuehler@web.de-20080818162116-piz0ukqsaecv2li2
-1155 stbuehler@web.de-20080818235700-94t0xc6ml70zojwq
-1156 stbuehler@web.de-20080819163650-1qhwsqszr78cr4xx
-1157 stbuehler@web.de-20080819163757-1qq3t1f1wj69t8xs
-1158 stbuehler@web.de-20080819163914-rklhkurg8apv85l2
-1159 stbuehler@web.de-20080819163953-tlqew751e43phf5b
-1160 stbuehler@web.de-20080819164108-8ogh68sm1uyteawe
-1161 stbuehler@web.de-20080819173911-w5bqpb7cp9jmdqye
-1162 stbuehler@web.de-20080819222242-c0ta5gnli9p3j35a
-1163 stbuehler@web.de-20080820100730-g1bwdh4nqb53ag9u
-1164 stbuehler@web.de-20080820100752-9pggugdyfnnps8qu
-1165 stbuehler@web.de-20080820164258-v2j00motsrsc5esp
-1166 stbuehler@web.de-20080827144628-hi9hf4ch3n1wf9ao
-1167 stbuehler@web.de-20080827144903-tfxu4yehlyu5kegc
-1168 stbuehler@web.de-20080827155155-7mt92orehbxkh2lh
-1169 stbuehler@web.de-20080917142048-zbcwpk39q9ewd516
-1170 stbuehler@web.de-20080917142300-16gzt21x4nbjtj87
-1171 stbuehler@web.de-20080919160134-385anjnd3txxdw3x
-1172 stbuehler@web.de-20080920134142-fvvwaw2ys51dg4rj
-1173 stbuehler@web.de-20080921153311-1f7rn01atdilmxmy
-1174 stbuehler@web.de-20080922101346-wel327kjmykkpvmp
-1175 stbuehler@web.de-20080923190422-uow06l38ndue36o4
-
- + 1127 stbuehler@web.de-20080728081644-j4cxnhduw8kbt8um
-1128 stbuehler@web.de-20080728084246-axvxdtjsrratxixs
-1129 stbuehler@web.de-20080729211700-s8v6nq2cu06qesls
-1130 stbuehler@web.de-20080729211726-4yxb6e5dva1cn0lz
-1131 stbuehler@web.de-20080729211750-4ulzigswx17uciyu
-1132 stbuehler@web.de-20080729211850-nliz3kd0m576ztuu
-1133 stbuehler@web.de-20080730163440-dg2y2sbf0u4grmn4
-1134 stbuehler@web.de-20080730173952-kiutzg6geqy7mick
-1135 stbuehler@web.de-20080730193616-9kc2ms7rrhv1lkn7
-1136 stbuehler@web.de-20080730211457-z4a6uth1y29glbqh
-1137 stbuehler@web.de-20080730213517-b6sjcrdwbmipl334
-1138 stbuehler@web.de-20080731102617-2xw8unjfqic7lsew
-1139 stbuehler@web.de-20080731102703-q4tu5a6em9y8xdg0
-1140 stbuehler@web.de-20080731102729-l6vn5b05w9swqbg5
-1141 stbuehler@web.de-20080731102756-oj3d4tnk0l90mj77
-1142 stbuehler@web.de-20080731204442-blw14cj2fkr3l8ly
-1143 stbuehler@web.de-20080731204508-imtfnurf922mg7tj
-1144 stbuehler@web.de-20080801112347-girnwswdkwm8wuip
-1145 stbuehler@web.de-20080801161245-kx1temr529o7xko9
-1146 stbuehler@web.de-20080801175332-oc9e7x8edn1owcc0
-1147 stbuehler@web.de-20080801183454-5i66v0gsdv0cgmia
-1148 stbuehler@web.de-20080801192849-6zklfbb832sx0hvr
-1149 stbuehler@web.de-20080801203119-o16elp8w854s6lol
-1150 stbuehler@web.de-20080802162146-a4v57svc788pwdsv
-1151 stbuehler@web.de-20080802162202-9udlc1wuwt09pyh2
-1152 stbuehler@web.de-20080804135803-yuor9ze06px7qta4
-1153 stbuehler@web.de-20080812194728-fupt781o6q058unh
-1154 stbuehler@web.de-20080818162116-piz0ukqsaecv2li2
-1155 stbuehler@web.de-20080818235700-94t0xc6ml70zojwq
-1156 stbuehler@web.de-20080819163650-1qhwsqszr78cr4xx
-1157 stbuehler@web.de-20080819163757-1qq3t1f1wj69t8xs
-1158 stbuehler@web.de-20080819163914-rklhkurg8apv85l2
-1159 stbuehler@web.de-20080819163953-tlqew751e43phf5b
-1160 stbuehler@web.de-20080819164108-8ogh68sm1uyteawe
-1161 stbuehler@web.de-20080819173911-w5bqpb7cp9jmdqye
-1162 stbuehler@web.de-20080819222242-c0ta5gnli9p3j35a
-1163 stbuehler@web.de-20080820100730-g1bwdh4nqb53ag9u
-1164 stbuehler@web.de-20080820100752-9pggugdyfnnps8qu
-1165 stbuehler@web.de-20080820164258-v2j00motsrsc5esp
-1166 stbuehler@web.de-20080827144628-hi9hf4ch3n1wf9ao
-1167 stbuehler@web.de-20080827144903-tfxu4yehlyu5kegc
-1168 stbuehler@web.de-20080827155155-7mt92orehbxkh2lh
-1169 stbuehler@web.de-20080917142048-zbcwpk39q9ewd516
-1170 stbuehler@web.de-20080917142300-16gzt21x4nbjtj87
-1171 stbuehler@web.de-20080919160134-385anjnd3txxdw3x
-1172 stbuehler@web.de-20080920134142-fvvwaw2ys51dg4rj
-1173 stbuehler@web.de-20080921153311-1f7rn01atdilmxmy
-1174 stbuehler@web.de-20080922101346-wel327kjmykkpvmp
-1175 stbuehler@web.de-20080923190422-uow06l38ndue36o4
-1176 stbuehler@web.de-20080930112012-53jby2m8xslmd1hm
-1177 stbuehler@web.de-20080930134824-j9q72rwuiczzof5k
-1178 stbuehler@web.de-20080930142037-32pb6m3zjcwryw1w
-1179 stbuehler@web.de-20080930142756-ueovgoshyb996bce
-1180 stbuehler@web.de-20080930152935-1zfy67brol3xdbc0
-1181 stbuehler@web.de-20080930193919-13n2q4c6fbgw0dkx
-1182 stbuehler@web.de-20080930211152-4hmgs95wyg2deol7
-1183 stbuehler@web.de-20081001132402-hxnyu6yzyk3mjf4d
-1184 stbuehler@web.de-20081001155102-qf0mmu2kkpgr7xf0
-1185 stbuehler@web.de-20081001160009-n67ss0vzlac2y60k
-1186 stbuehler@web.de-20081001200802-l5og517etnneitk0
-1188 stbuehler@web.de-20081004160711-ygaohrecmutiqlla
-1189 stbuehler@web.de-20081004211932-vq16u26mthbeed7d
-1191 stbuehler@web.de-20081005224446-1bztt6zqrjh8w8fd
-
-
+-- 1.4.29 -
++- 1.4.30 -
++ * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
++ * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
++ * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
++ * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file
++ * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
++ * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351)
++ * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
++ * [ssl] count renegotiations to prevent client renegotiations
++ * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
++ * [core] accept dots in ipv6 addresses in host header (fixes #2359)
++ * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
++
++- 1.4.29 - 2011-07-03
+ * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)
+ * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257)
+ * mod_cgi: make read buffer as big as incoming data block
+Index: CMakeLists.txt
+===================================================================
projects / packages / lighttpd.git / blobdiff