-Index: configure.in
+# Revision 2815
+Index: src/http_auth_digest.c
===================================================================
-Index: src/configfile-glue.c
+--- src/http_auth_digest.c (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x)
+@@ -1,26 +0,0 @@
+-#include "buffer.h"
+-
+-#include "http_auth_digest.h"
+-
+-#include <string.h>
+-
+-#ifndef USE_OPENSSL
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+-void CvtHex(IN HASH Bin, OUT HASHHEX Hex) {
+- unsigned short i;
+-
+- for (i = 0; i < HASHLEN; i++) {
+- Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
+- Hex[i*2+1] = int2hex(Bin[i] & 0xf);
+- }
+- Hex[HASHHEXLEN] = '\0';
+-}
+-
+Index: src/http_auth_digest.h
===================================================================
---- src/configfile-glue.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/configfile-glue.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -181,7 +181,7 @@
- return config_insert_values_internal(srv, ca, cv);
- }
-
--unsigned short sock_addr_get_port(sock_addr *addr) {
-+static unsigned short sock_addr_get_port(sock_addr *addr) {
- #ifdef HAVE_IPV6
- return ntohs(addr->plain.sa_family ? addr->ipv6.sin6_port : addr->ipv4.sin_port);
- #else
-Index: src/mod_cgi.c
+--- src/http_auth_digest.h (.../tags/lighttpd-1.4.29)
++++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x)
+@@ -1,24 +0,0 @@
+-#ifndef _DIGCALC_H_
+-#define _DIGCALC_H_
+-
+-#ifdef HAVE_CONFIG_H
+-# include "config.h"
+-#endif
+-
+-#define HASHLEN 16
+-typedef unsigned char HASH[HASHLEN];
+-#define HASHHEXLEN 32
+-typedef char HASHHEX[HASHHEXLEN+1];
+-#ifdef USE_OPENSSL
+-#define IN const
+-#else
+-#define IN
+-#endif
+-#define OUT
+-
+-void CvtHex(
+- IN HASH Bin,
+- OUT HASHHEX Hex
+- );
+-
+-#endif
+Index: src/network_write.c
===================================================================
---- src/mod_cgi.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_cgi.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -1369,6 +1369,7 @@
- }
+--- src/network_write.c (.../tags/lighttpd-1.4.29)
++++ src/network_write.c (.../branches/lighttpd-1.4.x)
+@@ -24,17 +24,16 @@
+ # include <sys/resource.h>
+ #endif
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
-+int mod_cgi_plugin_init(plugin *p);
- int mod_cgi_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("cgi");
-Index: src/mod_cml.c
-===================================================================
---- src/mod_cml.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_cml.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -178,7 +178,7 @@
- }
- #undef PATCH
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
--int cache_call_lua(server *srv, connection *con, plugin_data *p, buffer *cml_file) {
-+static int cache_call_lua(server *srv, connection *con, plugin_data *p, buffer *cml_file) {
- buffer *b;
- char *c;
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
-@@ -305,6 +305,7 @@
- }
- }
+ if (c->mem->used == 0) {
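Review bot: The new `max_bytes` parameter and the changed return contract are undocumented at the definition of `network_write_chunkqueue_write`. The loop now stops once `max_bytes` drops to zero, and a later hunk in this file replaces `return chunks_written;` with `return 0;`, so the return value no longer tells a caller how much was sent. A header comment would make this explicit, e.g. `/* write at most max_bytes from cq to fd; returns 0 on success, progress is reported via cq->bytes_out */`. The function body continues outside this hunk.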
+@@ -44,6 +43,8 @@
-+int mod_cml_plugin_init(plugin *p);
- int mod_cml_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("cache");
-Index: src/mod_secure_download.c
-===================================================================
---- src/mod_secure_download.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -138,7 +138,7 @@
- * @return if the supplied string is a valid MD5 string 1 is returned otherwise 0
- */
-
--int is_hex_len(const char *str, size_t len) {
-+static int is_hex_len(const char *str, size_t len) {
- size_t i;
+ offset = c->mem->ptr + c->offset;
+ toSend = c->mem->used - 1 - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
++
+ #ifdef __WIN32
+ if ((r = send(fd, offset, toSend, 0)) < 0) {
+ /* no error handling for windows... */
+@@ -72,6 +73,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == (off_t)c->mem->used - 1) {
+ chunk_finished = 1;
+@@ -85,7 +87,7 @@
+ #endif
+ ssize_t r;
+ off_t offset;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+ int ifd;
+
+@@ -98,6 +100,8 @@
+ offset = c->file.start + c->offset;
+ toSend = c->file.length - c->offset;
+
++ if (toSend > max_bytes) toSend = max_bytes;
++
+ if (offset > sce->st.st_size) {
+ log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
- if (NULL == str) return 0;
-@@ -293,6 +293,7 @@
+@@ -181,6 +185,7 @@
- /* this function is called at dlopen() time and inits the callbacks */
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
-+int mod_secdownload_plugin_init(plugin *p);
- int mod_secdownload_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("secdownload");
-Index: src/mod_rewrite.c
-===================================================================
---- src/mod_rewrite.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_rewrite.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -63,7 +63,7 @@
- free(hctx);
- }
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -200,11 +205,9 @@
--rewrite_rule_buffer *rewrite_rule_buffer_init(void) {
-+static rewrite_rule_buffer *rewrite_rule_buffer_init(void) {
- rewrite_rule_buffer *kvb;
+ break;
+ }
+-
+- chunks_written++;
+ }
- kvb = calloc(1, sizeof(*kvb));
-@@ -71,7 +71,7 @@
- return kvb;
+- return chunks_written;
++ return 0;
}
--int rewrite_rule_buffer_append(rewrite_rule_buffer *kvb, buffer *key, buffer *value, int once) {
-+static int rewrite_rule_buffer_append(rewrite_rule_buffer *kvb, buffer *key, buffer *value, int once) {
- #ifdef HAVE_PCRE_H
- size_t i;
- const char *errptr;
-@@ -121,7 +121,7 @@
+ #if 0
+Index: src/mod_secure_download.c
+===================================================================
+--- src/mod_secure_download.c (.../tags/lighttpd-1.4.29)
++++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -200,7 +190,7 @@
+
+ URIHANDLER_FUNC(mod_secdownload_uri_handler) {
+ plugin_data *p = p_d;
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ const char *rel_uri, *ts_str, *md5_str;
+ time_t ts = 0;
+@@ -266,9 +256,9 @@
+ buffer_append_string(p->md5, rel_uri);
+ buffer_append_string_len(p->md5, ts_str, 8);
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1);
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ buffer_copy_string_hex(p->md5, (char *)HA1, 16);
+
+Index: src/base.h
+===================================================================
+--- src/base.h (.../tags/lighttpd-1.4.29)
++++ src/base.h (.../branches/lighttpd-1.4.x)
+@@ -277,6 +277,7 @@
+ buffer *ssl_cipher_list;
+ buffer *ssl_dh_file;
+ buffer *ssl_ec_curve;
++ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ unsigned short ssl_use_sslv2;
+ unsigned short ssl_use_sslv3;
+ unsigned short ssl_verifyclient;
+@@ -284,6 +285,7 @@
+ unsigned short ssl_verifyclient_depth;
+ buffer *ssl_verifyclient_username;
+ unsigned short ssl_verifyclient_export_cert;
++ unsigned short ssl_disable_client_renegotiation;
+
+ unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */
+ unsigned short defer_accept;
+@@ -437,6 +439,7 @@
+ # ifndef OPENSSL_NO_TLSEXT
+ buffer *tlsext_server_name;
+ # endif
++ unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+ #endif
+ /* etag handling */
+ etag_flags_t etag_flags;
+@@ -647,11 +650,9 @@
+
+ fdevent_handler_t event_handler;
+
+- int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq);
+- int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq);
++ int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+- int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
+- int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++ int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
#endif
- }
-
--void rewrite_rule_buffer_free(rewrite_rule_buffer *kvb) {
-+static void rewrite_rule_buffer_free(rewrite_rule_buffer *kvb) {
- #ifdef HAVE_PCRE_H
- size_t i;
-
-@@ -444,6 +444,7 @@
- return HANDLER_GO_ON;
- }
-+int mod_rewrite_plugin_init(plugin *p);
- int mod_rewrite_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("rewrite");
+ uid_t uid;
Index: src/connections.c
===================================================================
---- src/connections.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/connections.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -858,7 +858,7 @@
- *
- * we get called by the state-engine and by the fdevent-handler
- */
--int connection_handle_read_state(server *srv, connection *con) {
-+static int connection_handle_read_state(server *srv, connection *con) {
- connection_state_t ostate = con->state;
- chunk *c, *last_chunk;
- off_t last_offset;
-@@ -1156,7 +1156,7 @@
- return 0;
- }
+--- src/connections.c (.../tags/lighttpd-1.4.29)
++++ src/connections.c (.../branches/lighttpd-1.4.x)
+@@ -223,6 +223,12 @@
+
+ len = SSL_read(con->ssl, b->ptr + read_offset, toread);
--handler_t connection_handle_fdevent(void *s, void *context, int revents) {
-+static handler_t connection_handle_fdevent(void *s, void *context, int revents) {
- server *srv = (server *)s;
- connection *con = context;
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ connection_set_state(srv, con, CON_STATE_ERROR);
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
+ if (len > 0) {
+ if (b->used > 0) b->used--;
+ b->used += len;
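Review bot: The threshold in `con->renegotiations > 1` needs a comment, because nothing here says that the counter is bumped on every `SSL_CB_HANDSHAKE_START` (per the base.h field comment) and that the initial handshake accounts for the first count; something like `/* 1 == initial handshake; anything above is a renegotiation */`. The log line `"SSL: renegotiation initiated by client"` carries no peer address, so repeated attempts from one source cannot be correlated from the error log; adding the connection's remote address would make it usable for detection. The check also sits after `SSL_read`, so the handshake work has presumably already been done by the time the connection is dropped. The enclosing function starts and ends outside the hunk.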
+@@ -445,6 +451,7 @@
+ default:
+ switch(con->http_status) {
+ case 400: /* bad request */
++ case 401: /* authorization required */
+ case 414: /* overload request header */
+ case 505: /* unknown protocol */
+ case 207: /* this was webdav */
+@@ -617,8 +624,9 @@
+ }
+
+ static int connection_handle_write(server *srv, connection *con) {
+- switch(network_write_chunkqueue(srv, con, con->write_queue)) {
++ switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) {
+ case 0:
++ con->write_request_ts = srv->cur_ts;
+ if (con->file_finished) {
+ connection_set_state(srv, con, CON_STATE_RESPONSE_END);
+ joblist_append(srv, con);
+@@ -635,6 +643,7 @@
+ joblist_append(srv, con);
+ break;
+ case 1:
++ con->write_request_ts = srv->cur_ts;
+ con->is_writable = 0;
+
+ /* not finished yet -> WRITE */
+@@ -1251,8 +1260,6 @@
+ log_error_write(srv, __FILE__, __LINE__, "ds",
+ con->fd,
+ "handle write failed.");
+- } else if (con->state == CON_STATE_WRITE) {
+- con->write_request_ts = srv->cur_ts;
+ }
+ }
+
+@@ -1352,6 +1359,7 @@
+ return NULL;
+ }
+
++ con->renegotiations = 0;
+ #ifndef OPENSSL_NO_TLSEXT
+ SSL_set_app_data(con->ssl, con);
+ #endif
+@@ -1667,8 +1675,6 @@
+ con->fd,
+ "handle write failed.");
+ connection_set_state(srv, con, CON_STATE_ERROR);
+- } else if (con->state == CON_STATE_WRITE) {
+- con->write_request_ts = srv->cur_ts;
+ }
+ }
Index: src/mod_staticfile.c
===================================================================
---- src/mod_staticfile.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -532,6 +532,7 @@
+--- src/mod_staticfile.c (.../tags/lighttpd-1.4.29)
++++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x)
+@@ -26,6 +26,7 @@
+ typedef struct {
+ array *exclude_ext;
+ unsigned short etags_used;
++ unsigned short disable_pathinfo;
+ } plugin_config;
+
+ typedef struct {
+@@ -84,6 +85,7 @@
+ config_values_t cv[] = {
+ { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
+ { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
++ { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ };
+
+@@ -97,9 +99,11 @@
+ s = calloc(1, sizeof(plugin_config));
+ s->exclude_ext = array_init();
+ s->etags_used = 1;
++ s->disable_pathinfo = 0;
+
+ cv[0].destination = s->exclude_ext;
+ cv[1].destination = &(s->etags_used);
++ cv[2].destination = &(s->disable_pathinfo);
+
+ p->config_storage[i] = s;
+
+@@ -119,6 +123,7 @@
+
+ PATCH(exclude_ext);
+ PATCH(etags_used);
++ PATCH(disable_pathinfo);
+
+ /* skip the first, the global context */
+ for (i = 1; i < srv->config_context->used; i++) {
+@@ -136,7 +141,9 @@
+ PATCH(exclude_ext);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) {
+ PATCH(etags_used);
+- }
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) {
++ PATCH(disable_pathinfo);
++ }
+ }
+ }
- /* this function is called at dlopen() time and inits the callbacks */
+@@ -350,7 +357,6 @@
+ URIHANDLER_FUNC(mod_staticfile_subrequest) {
+ plugin_data *p = p_d;
+ size_t k;
+- int s_len;
+ stat_cache_entry *sce = NULL;
+ buffer *mtime = NULL;
+ data_string *ds;
+@@ -376,7 +382,12 @@
-+int mod_staticfile_plugin_init(plugin *p);
- int mod_staticfile_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("staticfile");
-Index: src/mod_alias.c
-===================================================================
---- src/mod_alias.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_alias.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -187,6 +187,7 @@
+ mod_staticfile_patch_connection(srv, con, p);
- /* this function is called at dlopen() time and inits the callbacks */
+- s_len = con->uri.path->used - 1;
++ if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) {
++ if (con->conf.log_request_handling) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden");
++ }
++ return HANDLER_GO_ON;
++ }
-+int mod_alias_plugin_init(plugin *p);
- int mod_alias_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("alias");
+ /* ignore certain extensions */
+ for (k = 0; k < p->conf.exclude_ext->used; k++) {
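Review bot: The new guard tests `0 != con->request.pathinfo->used` directly, while other code in this patch uses the `buffer_is_empty()` helper (the `ssl_pemfile` check in network.c). Writing `!buffer_is_empty(con->request.pathinfo)` would read more clearly and presumably also tolerates a NULL buffer. Because `static-file.disable-pathinfo` is initialised to 0 in this patch, a comment stating that static files are still served with trailing path info unless the option is enabled would help operators. The handler body extends beyond the hunk.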
Index: src/network.c
===================================================================
---- src/network.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/network.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -26,7 +26,7 @@
+--- src/network.c (.../tags/lighttpd-1.4.29)
++++ src/network.c (.../branches/lighttpd-1.4.x)
+@@ -27,6 +27,19 @@
# include <openssl/rand.h>
#endif
--handler_t network_server_handle_fdevent(void *s, void *context, int revents) {
-+static handler_t network_server_handle_fdevent(void *s, void *context, int revents) {
- server *srv = (server *)s;
++#ifdef USE_OPENSSL
++static void ssl_info_callback(const SSL *ssl, int where, int ret) {
++ UNUSED(ret);
++
++ if (0 != (where & SSL_CB_HANDSHAKE_START)) {
++ connection *con = SSL_get_app_data(ssl);
++ ++con->renegotiations;
++ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
++ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++ }
++}
++#endif
++
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
server_socket *srv_socket = (server_socket *)context;
connection *con;
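Review bot: `ssl_info_callback` dereferences the result of `SSL_get_app_data(ssl)` without a NULL check, yet the connections.c hunk in this same patch still shows `SSL_set_app_data(con->ssl, con)` inside `#ifndef OPENSSL_NO_TLSEXT`. In a build with that macro defined the pointer would apparently be NULL on the first handshake and `++con->renegotiations` would crash the process. Either move the `SSL_set_app_data` call out of the TLSEXT guard or return early with `if (NULL == con) return;`. The `SSL_CB_HANDSHAKE_DONE` branch reaches into `ssl->s3`, an OpenSSL-internal structure; it deserves a comment explaining why the flag is set, and it is worth confirming that `s3` is non-NULL when `ssl.use-sslv2` is enabled.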
-@@ -62,7 +62,7 @@
- return HANDLER_GO_ON;
- }
-
--int network_server_init(server *srv, buffer *host_token, specific_config *s) {
-+static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
- int val;
- socklen_t addr_len;
- server_socket *srv_socket;
-Index: src/mod_trigger_b4_dl.c
-===================================================================
---- src/mod_trigger_b4_dl.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_trigger_b4_dl.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -576,6 +576,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
+@@ -480,9 +493,11 @@
+ network_backend_t backend;
-+int mod_trigger_b4_dl_plugin_init(plugin *p);
- int mod_trigger_b4_dl_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("trigger_b4_dl");
-Index: src/mod_evhost.c
-===================================================================
---- src/mod_evhost.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_evhost.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -318,6 +318,7 @@
- return HANDLER_GO_ON;
- }
-
-+int mod_evhost_plugin_init(plugin *p);
- int mod_evhost_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("evhost");
-Index: src/splaytree.c
-===================================================================
---- src/splaytree.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/splaytree.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -187,7 +187,8 @@
- }
- }
-
--splay_tree *find_rank(int r, splay_tree *t) {
-+#if 0
-+static splay_tree *find_rank(int r, splay_tree *t) {
- /* Returns a pointer to the node in the tree with the given rank. */
- /* Returns NULL if there is no such node. */
- /* Does not change the tree. To guarantee logarithmic behavior, */
-@@ -206,5 +207,4 @@
- }
- }
- }
--
--
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
++#ifndef OPENSSL_NO_ECDH
+ EC_KEY *ecdh;
+ int nid;
+ #endif
+#endif
-Index: src/mod_scgi.c
-===================================================================
---- src/mod_scgi.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -372,7 +372,7 @@
- free(hctx);
- }
-
--scgi_proc *scgi_process_init() {
-+static scgi_proc *scgi_process_init() {
- scgi_proc *f;
-
- f = calloc(1, sizeof(*f));
-@@ -384,7 +384,7 @@
- return f;
- }
-
--void scgi_process_free(scgi_proc *f) {
-+static void scgi_process_free(scgi_proc *f) {
- if (!f) return;
- scgi_process_free(f->next);
-@@ -394,7 +394,7 @@
- free(f);
- }
-
--scgi_extension_host *scgi_host_init() {
-+static scgi_extension_host *scgi_host_init() {
- scgi_extension_host *f;
-
- f = calloc(1, sizeof(*f));
-@@ -409,7 +409,7 @@
- return f;
- }
-
--void scgi_host_free(scgi_extension_host *h) {
-+static void scgi_host_free(scgi_extension_host *h) {
- if (!h) return;
-
- buffer_free(h->host);
-@@ -426,7 +426,7 @@
+ #ifdef USE_OPENSSL
+ DH *dh;
+@@ -553,6 +568,11 @@
+ /* load SSL certificates */
+ for (i = 0; i < srv->config_context->used; i++) {
+ specific_config *s = srv->config_storage[i];
++#ifndef SSL_OP_NO_COMPRESSION
++# define SSL_OP_NO_COMPRESSION 0
++#endif
++ long ssloptions =
++ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
- }
+ if (buffer_is_empty(s->ssl_pemfile)) continue;
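Review bot: The fallback `# define SSL_OP_NO_COMPRESSION 0` makes `ssloptions` silently omit the no-compression bit when the OpenSSL headers lack that option, so TLS compression stays enabled with no trace in the log or the source. A comment on the define, such as `/* option unavailable in this OpenSSL: TLS compression remains enabled */`, and a startup log line would make the downgrade visible. The `SSL_CTX_set_options(s->ssl_ctx, ssloptions)` call in the next hunk also ignores the returned mask, unlike the `SSL_OP_NO_SSLv2` call below it, which verifies that the bit was set. Moving the `#ifndef` block to file scope, out of the loop body, would read better.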
--scgi_exts *scgi_extensions_init() {
-+static scgi_exts *scgi_extensions_init() {
- scgi_exts *f;
+@@ -586,6 +606,9 @@
+ return -1;
+ }
- f = calloc(1, sizeof(*f));
-@@ -434,7 +434,7 @@
- return f;
- }
-
--void scgi_extensions_free(scgi_exts *f) {
-+static void scgi_extensions_free(scgi_exts *f) {
- size_t i;
++ SSL_CTX_set_options(s->ssl_ctx, ssloptions);
++ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
++
+ if (!s->ssl_use_sslv2) {
+ /* disable SSLv2 */
+ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+@@ -611,6 +634,10 @@
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
++
++ if (s->ssl_honor_cipher_order) {
++ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++ }
+ }
- if (!f) return;
-@@ -464,7 +464,7 @@
- free(f);
+ /* Support for Diffie-Hellman key exchange */
+@@ -847,7 +874,7 @@
+ return 0;
}
--int scgi_extension_insert(scgi_exts *ext, buffer *key, scgi_extension_host *fh) {
-+static int scgi_extension_insert(scgi_exts *ext, buffer *key, scgi_extension_host *fh) {
- scgi_extension *fe;
- size_t i;
-
-@@ -1178,7 +1178,7 @@
- }
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
+ int ret = -1;
+ off_t written = 0;
+ #ifdef TCP_CORK
+@@ -855,16 +882,34 @@
+ #endif
+ server_socket *srv_socket = con->srv_socket;
+
+- if (con->conf.global_kbytes_per_second &&
+- *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) {
+- /* we reached the global traffic limit */
++ if (con->conf.global_kbytes_per_second) {
++ off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
++ if (limit <= 0) {
++ /* we reached the global traffic limit */
+
+- con->traffic_limit_reached = 1;
+- joblist_append(srv, con);
++ con->traffic_limit_reached = 1;
++ joblist_append(srv, con);
+
+- return 1;
++ return 1;
++ } else {
++ if (max_bytes > limit) max_bytes = limit;
++ }
+ }
++ if (con->conf.kbytes_per_second) {
++ off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
++ if (limit <= 0) {
++ /* we reached the traffic limit */
++
++ con->traffic_limit_reached = 1;
++ joblist_append(srv, con);
++
++ return 1;
++ } else {
++ if (max_bytes > limit) max_bytes = limit;
++ }
++ }
++
+ written = cq->bytes_out;
--void scgi_connection_cleanup(server *srv, handler_ctx *hctx) {
-+static void scgi_connection_cleanup(server *srv, handler_ctx *hctx) {
- plugin_data *p;
- connection *con;
+ #ifdef TCP_CORK
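Review bot: Both new limit computations multiply before widening. `con->conf.global_kbytes_per_second * 1024` and `con->conf.kbytes_per_second * 1024` are evaluated in the fields' own type, which is declared outside this page, and only the result is converted to `off_t`. If those fields are narrower than `off_t`, a large configured limit could overflow before the subtraction; casting first, `(off_t)con->conf.kbytes_per_second * 1024`, removes the doubt. The two blocks differ only in the counter they read, so a small static helper returning the remaining budget would remove the duplication. The function continues outside this hunk.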
+@@ -879,10 +924,10 @@
-@@ -1915,7 +1915,7 @@
- }
+ if (srv_socket->is_ssl) {
+ #ifdef USE_OPENSSL
+- ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq);
++ ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
+ #endif
+ } else {
+- ret = srv->network_backend_write(srv, con, con->fd, cq);
++ ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
+ }
+ if (ret >= 0) {
+@@ -903,12 +948,5 @@
--int scgi_proclist_sort_up(server *srv, scgi_extension_host *host, scgi_proc *proc) {
-+static int scgi_proclist_sort_up(server *srv, scgi_extension_host *host, scgi_proc *proc) {
- scgi_proc *p;
+ *(con->conf.global_bytes_per_second_cnt_ptr) += written;
- UNUSED(srv);
-@@ -3105,6 +3105,7 @@
+- if (con->conf.kbytes_per_second &&
+- (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) {
+- /* we reached the traffic limit */
+-
+- con->traffic_limit_reached = 1;
+- joblist_append(srv, con);
+- }
+ return ret;
}
+Index: src/network.h
+===================================================================
+--- src/network.h (.../tags/lighttpd-1.4.29)
++++ src/network.h (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,7 @@
+ #include "server.h"
-+int mod_scgi_plugin_init(plugin *p);
- int mod_scgi_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("scgi");
-Index: src/mod_mysql_vhost.c
-===================================================================
---- src/mod_mysql_vhost.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_mysql_vhost.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -422,6 +422,7 @@
- }
+-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c);
++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes);
- /* this function is called at dlopen() time and inits the callbacks */
-+int mod_mysql_vhost_plugin_init(plugin *p);
- int mod_mysql_vhost_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("mysql_vhost");
-@@ -437,6 +438,7 @@
- }
- #else
- /* we don't have mysql support, this plugin does nothing */
-+int mod_mysql_vhost_plugin_init(plugin *p);
- int mod_mysql_vhost_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("mysql_vhost");
-Index: src/request.c
+ int network_init(server *srv);
+ int network_close(server *srv);
+Index: src/configfile.c
===================================================================
---- src/request.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/request.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -200,7 +200,7 @@
- #define DUMP_HEADER
- #endif
+--- src/configfile.c (.../tags/lighttpd-1.4.29)
++++ src/configfile.c (.../branches/lighttpd-1.4.x)
+@@ -105,6 +105,8 @@
+ { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
+ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
+ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
++ { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
++ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
+
+ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -176,6 +178,7 @@
+ s->max_write_idle = 360;
+ s->use_xattr = 0;
+ s->is_ssl = 0;
++ s->ssl_honor_cipher_order = 1;
+ s->ssl_use_sslv2 = 0;
+ s->ssl_use_sslv3 = 1;
+ s->use_ipv6 = 0;
+@@ -199,6 +202,7 @@
+ s->ssl_verifyclient_username = buffer_init();
+ s->ssl_verifyclient_depth = 9;
+ s->ssl_verifyclient_export_cert = 0;
++ s->ssl_disable_client_renegotiation = 1;
+
+ cv[2].destination = s->errorfile_prefix;
+
+@@ -245,6 +249,8 @@
+ cv[62].destination = &(s->ssl_use_sslv3);
+ cv[63].destination = s->ssl_dh_file;
+ cv[64].destination = s->ssl_ec_curve;
++ cv[66].destination = &(s->ssl_honor_cipher_order);
++
+ cv[49].destination = &(s->etag_use_inode);
+ cv[50].destination = &(s->etag_use_mtime);
+ cv[51].destination = &(s->etag_use_size);
+@@ -255,6 +261,7 @@
+ cv[58].destination = &(s->ssl_verifyclient_depth);
+ cv[59].destination = s->ssl_verifyclient_username;
+ cv[60].destination = &(s->ssl_verifyclient_export_cert);
++ cv[65].destination = &(s->ssl_disable_client_renegotiation);
+
+ srv->config_storage[i] = s;
+
+@@ -335,6 +342,7 @@
+ PATCH(ssl_cipher_list);
+ PATCH(ssl_dh_file);
+ PATCH(ssl_ec_curve);
++ PATCH(ssl_honor_cipher_order);
+ PATCH(ssl_use_sslv2);
+ PATCH(ssl_use_sslv3);
+ PATCH(etag_use_inode);
+@@ -346,6 +354,7 @@
+ PATCH(ssl_verifyclient_depth);
+ PATCH(ssl_verifyclient_username);
+ PATCH(ssl_verifyclient_export_cert);
++ PATCH(ssl_disable_client_renegotiation);
--int http_request_split_value(array *vals, buffer *b) {
-+static int http_request_split_value(array *vals, buffer *b) {
- char *s;
- size_t i;
- int state = 0;
-@@ -262,7 +262,7 @@
return 0;
}
-
--int request_uri_is_valid_char(unsigned char c) {
-+static int request_uri_is_valid_char(unsigned char c) {
- if (c <= 32) return 0;
- if (c == 127) return 0;
- if (c == 255) return 0;
-Index: src/mod_magnet_cache.c
+@@ -400,6 +409,8 @@
+ #endif
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ PATCH(ssl_ca_file);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++ PATCH(ssl_honor_cipher_order);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+ PATCH(ssl_use_sslv2);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
+@@ -454,6 +465,8 @@
+ PATCH(ssl_verifyclient_username);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
+ PATCH(ssl_verifyclient_export_cert);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
++ PATCH(ssl_disable_client_renegotiation);
+ }
+ }
+ }
+Index: src/mod_scgi.c
===================================================================
---- src/mod_magnet_cache.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_magnet_cache.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -9,7 +9,7 @@
- #include <lualib.h>
- #include <lauxlib.h>
-
--script *script_init() {
-+static script *script_init() {
- script *sc;
-
- sc = calloc(1, sizeof(*sc));
-@@ -19,7 +19,7 @@
- return sc;
- }
-
--void script_free(script *sc) {
-+static void script_free(script *sc) {
- if (!sc) return;
+--- src/mod_scgi.c (.../tags/lighttpd-1.4.29)
++++ src/mod_scgi.c (.../branches/lighttpd-1.4.x)
+@@ -2296,7 +2296,7 @@
- lua_pop(sc->L, 1); /* the function copy */
-Index: src/mod_flv_streaming.c
-===================================================================
---- src/mod_flv_streaming.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_flv_streaming.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -265,6 +265,7 @@
+ /* fall through */
+ case FCGI_STATE_WRITE:
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
- /* this function is called at dlopen() time and inits the callbacks */
+ chunkqueue_remove_finished_chunks(hctx->wb);
-+int mod_flv_streaming_plugin_init(plugin *p);
- int mod_flv_streaming_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("flv_streaming");
-Index: src/mod_rrdtool.c
+Index: src/request.c
===================================================================
---- src/mod_rrdtool.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_rrdtool.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -91,7 +91,7 @@
- return HANDLER_GO_ON;
- }
-
--int mod_rrd_create_pipe(server *srv, plugin_data *p) {
-+static int mod_rrd_create_pipe(server *srv, plugin_data *p) {
- #ifdef HAVE_FORK
- pid_t pid;
+--- src/request.c (.../tags/lighttpd-1.4.29)
++++ src/request.c (.../branches/lighttpd-1.4.x)
+@@ -49,7 +49,7 @@
+ if (++colon_cnt > 7) {
+ return -1;
+ }
+- } else if (!light_isxdigit(*c)) {
++ } else if (!light_isxdigit(*c) && '.' != *c) {
+ return -1;
+ }
+ }
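Review bot: The relaxed test `!light_isxdigit(*c) && '.' != *c` accepts a dot at any position and any number of times inside the literal, not only in a trailing dotted quad. Strings that are not valid IPv6 addresses therefore pass this check on what is presumably a client-supplied host value. If the intent is to permit embedded IPv4 forms, consider accepting `.` only after the last `:` and limiting it to three occurrences, with a comment such as `/* '.' allowed for embedded IPv4, e.g. ::ffff:a.b.c.d */`. The enclosing function begins and ends outside this hunk, so any later re-validation of the address is not visible here.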
+Index: src/network_backends.h
+===================================================================
+--- src/network_backends.h (.../tags/lighttpd-1.4.29)
++++ src/network_backends.h (.../branches/lighttpd-1.4.x)
+@@ -47,18 +47,18 @@
+ #include "base.h"
+
+ /* return values:
+- * >= 0 : chunks completed
++ * >= 0 : no error
+ * -1 : error (on our side)
+ * -2 : remote close
+ */
-@@ -477,6 +477,7 @@
- return HANDLER_GO_ON;
- }
+-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq);
++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+ #ifdef USE_OPENSSL
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq);
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
+ #endif
-+int mod_rrdtool_plugin_init(plugin *p);
- int mod_rrdtool_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("rrd");
+ #endif
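Review bot: The new `off_t max_bytes` parameter is added to all six prototypes without being described in the contract comment above them, and that comment's first line now reads `>= 0 : no error` where it used to promise a count of completed chunks. A caller that used the positive return value to track progress would now silently see 0, so the header should state both changes, for example `* max_bytes: upper bound on bytes written by this call; nothing is written when it is <= 0` plus a line saying progress is reported through `cq->bytes_out`. The `<= 0` behaviour is what the loop condition in src/network_writev.c implements in this patch; the other backends should be confirmed to match.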
+Index: src/SConscript
+===================================================================
+--- src/SConscript (.../tags/lighttpd-1.4.29)
++++ src/SConscript (.../branches/lighttpd-1.4.x)
+@@ -12,7 +12,8 @@
+ data_integer.c md5.c data_fastcgi.c \
+ fdevent_select.c fdevent_libev.c \
+ fdevent_poll.c fdevent_linux_sysepoll.c \
+- fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \
++ fdevent_solaris_devpoll.c fdevent_solaris_port.c \
++ fdevent_freebsd_kqueue.c \
+ data_config.c bitset.c \
+ inet_ntop_cache.c crc32.c \
+ connections-glue.c \
+@@ -62,7 +63,7 @@
+ 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] },
+ 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] },
+ 'mod_auth' : {
+- 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ],
++ 'src' : [ 'mod_auth.c', 'http_auth.c' ],
+ 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] },
+ 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] },
+ 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] },
Index: src/mod_cml_funcs.c
===================================================================
---- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -93,7 +93,7 @@
- return 1;
- }
-
--int f_dir_files_iter(lua_State *L) {
-+static int f_dir_files_iter(lua_State *L) {
- DIR *d;
- struct dirent *de;
-
-@@ -211,7 +211,7 @@
- }
-
- if (NULL == (r = mc_aget(mc,
-- lua_tostring(L, 1), lua_strlen(L, 1)))) {
-+ (char*) lua_tostring(L, 1), lua_strlen(L, 1)))) {
-
- lua_pushboolean(L, 0);
- return 1;
-@@ -248,7 +248,7 @@
- }
-
- if (NULL == (r = mc_aget(mc,
-- lua_tostring(L, 1), lua_strlen(L, 1)))) {
-+ (char*) lua_tostring(L, 1), lua_strlen(L, 1)))) {
- lua_pushnil(L);
- return 1;
- }
-@@ -285,7 +285,7 @@
+--- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x)
+@@ -17,18 +17,8 @@
+ #include <dirent.h>
+ #include <stdio.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+@@ -43,7 +33,7 @@
+ #ifdef HAVE_LUA_H
+
+ int f_crypto_md5(lua_State *L) {
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ buffer b;
+ char hex[33];
+@@ -63,9 +53,9 @@
+ lua_error(L);
}
- if (NULL == (r = mc_aget(mc,
-- lua_tostring(L, 1), lua_strlen(L, 1)))) {
-+ (char*) lua_tostring(L, 1), lua_strlen(L, 1)))) {
- lua_pushnil(L);
- return 1;
- }
-Index: src/mod_simple_vhost.c
-===================================================================
---- src/mod_simple_vhost.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_simple_vhost.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -270,6 +270,7 @@
- }
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1));
++ li_MD5_Final(HA1, &Md5Ctx);
+ buffer_copy_string_hex(&b, (char *)HA1, 16);
-+int mod_simple_vhost_plugin_init(plugin *p);
- int mod_simple_vhost_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("simple_vhost");
Index: src/mod_userdir.c
===================================================================
---- src/mod_userdir.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_userdir.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -314,6 +314,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
+--- src/mod_userdir.c (.../tags/lighttpd-1.4.29)
++++ src/mod_userdir.c (.../branches/lighttpd-1.4.x)
+@@ -166,7 +166,6 @@
+
+ URIHANDLER_FUNC(mod_userdir_docroot_handler) {
+ plugin_data *p = p_d;
+- int uri_len;
+ size_t k;
+ char *rel_url;
+ #ifdef HAVE_PWD_H
+@@ -182,8 +181,6 @@
+ */
+ if (p->conf.path->used == 0) return HANDLER_GO_ON;
+
+- uri_len = con->uri.path->used - 1;
+-
+ /* /~user/foo.html -> /home/user/public_html/foo.html */
-+int mod_userdir_plugin_init(plugin *p);
- int mod_userdir_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("userdir");
+ if (con->uri.path->ptr[0] != '/' ||
Index: src/mod_proxy.c
===================================================================
---- src/mod_proxy.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -332,7 +332,7 @@
- return HANDLER_GO_ON;
- }
-
--void proxy_connection_close(server *srv, handler_ctx *hctx) {
-+static void proxy_connection_close(server *srv, handler_ctx *hctx) {
- plugin_data *p;
- connection *con;
-
-@@ -395,7 +395,7 @@
- return 0;
- }
-
--void proxy_set_header(connection *con, const char *key, const char *value) {
-+static void proxy_set_header(connection *con, const char *key, const char *value) {
- data_string *ds_dst;
+--- src/mod_proxy.c (.../tags/lighttpd-1.4.29)
++++ src/mod_proxy.c (.../branches/lighttpd-1.4.x)
+@@ -825,7 +825,7 @@
- if (NULL == (ds_dst = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
-@@ -407,7 +407,7 @@
- array_insert_unique(con->request.headers, (data_unset *)ds_dst);
- }
-
--void proxy_append_header(connection *con, const char *key, const char *value) {
-+static void proxy_append_header(connection *con, const char *key, const char *value) {
- data_string *ds_dst;
+ /* fall through */
+ case PROXY_STATE_WRITE:;
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
- if (NULL == (ds_dst = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
-@@ -1321,6 +1321,7 @@
- }
+ chunkqueue_remove_finished_chunks(hctx->wb);
-
-+int mod_proxy_plugin_init(plugin *p);
- int mod_proxy_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("proxy");
-Index: src/mod_extforward.c
+Index: src/Makefile.am
===================================================================
---- src/mod_extforward.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_extforward.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -294,7 +294,7 @@
- return NULL;
- }
-
--struct addrinfo *ipstr_to_sockaddr(const char *host)
-+static struct addrinfo *ipstr_to_sockaddr(const char *host)
- {
- struct addrinfo hints, *res0;
- int result;
-@@ -479,6 +479,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
-
-+int mod_extforward_plugin_init(plugin *p);
- int mod_extforward_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("extforward");
-Index: src/mod_expire.c
+--- src/Makefile.am (.../tags/lighttpd-1.4.29)
++++ src/Makefile.am (.../branches/lighttpd-1.4.x)
+@@ -241,7 +241,7 @@
+ mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd)
+
+ lib_LTLIBRARIES += mod_auth.la
+-mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c
++mod_auth_la_SOURCES = mod_auth.c http_auth.c
+ mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
+ mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
+
+@@ -268,7 +268,7 @@
+
+ hdr = server.h buffer.h network.h log.h keyvalue.h \
+ response.h request.h fastcgi.h chunk.h \
+- settings.h http_chunk.h http_auth_digest.h \
++ settings.h http_chunk.h \
+ md5.h http_auth.h stream.h \
+ fdevent.h connections.h base.h stat_cache.h \
+ plugin.h mod_auth.h \
+Index: src/network_writev.c
===================================================================
---- src/mod_expire.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_expire.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -354,6 +354,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
-
-+int mod_expire_plugin_init(plugin *p);
- int mod_expire_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("expire");
-Index: src/mod_redirect.c
-===================================================================
---- src/mod_redirect.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_redirect.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -271,6 +271,7 @@
- }
-
-
-+int mod_redirect_plugin_init(plugin *p);
- int mod_redirect_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("redirect");
-Index: src/mod_usertrack.c
-===================================================================
---- src/mod_usertrack.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -255,6 +255,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
-
-+int mod_usertrack_plugin_init(plugin *p);
- int mod_usertrack_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("usertrack");
-Index: src/mod_webdav.c
-===================================================================
---- src/mod_webdav.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_webdav.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -1096,7 +1096,7 @@
- }
+--- src/network_writev.c (.../tags/lighttpd-1.4.29)
++++ src/network_writev.c (.../branches/lighttpd-1.4.x)
+@@ -30,17 +30,16 @@
+ #define LOCAL_BUFFERING 1
#endif
--int webdav_lockdiscovery(server *srv, connection *con,
-+static int webdav_lockdiscovery(server *srv, connection *con,
- buffer *locktoken, const char *lockscope, const char *locktype, int depth) {
-
- buffer *b;
-@@ -1156,7 +1156,7 @@
- *
- *
- */
--int webdav_has_lock(server *srv, connection *con, plugin_data *p, buffer *uri) {
-+static int webdav_has_lock(server *srv, connection *con, plugin_data *p, buffer *uri) {
- int has_lock = 1;
-
- #ifdef USE_LOCKS
-@@ -2474,6 +2474,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
-
-+int mod_webdav_plugin_init(plugin *p);
- int mod_webdav_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("webdav");
-Index: src/mod_status.c
-===================================================================
---- src/mod_status.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_status.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -853,6 +853,7 @@
- return HANDLER_GO_ON;
- }
+-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -65,12 +64,10 @@
+ #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de"
+ #endif
-+int mod_status_plugin_init(plugin *p);
- int mod_status_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("status");
-Index: src/mod_compress.c
-===================================================================
---- src/mod_compress.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_compress.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -104,7 +104,7 @@
- }
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < max_chunks
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next);
+
+@@ -87,9 +84,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
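Review bot: The clamp under `/* protect the return value of writev() */` now compares against `max_bytes` instead of `SSIZE_MAX`, so that comment only holds while every caller passes a limit no larger than `SSIZE_MAX`. The one caller visible in this patch passes `MAX_WRITE_LIMIT`, whose value is not shown; either state the precondition in the comment or clamp once at function entry with `if (max_bytes > SSIZE_MAX) max_bytes = SSIZE_MAX;`. In addition, `max_bytes - num_bytes` mixes `off_t` with `size_t`; writing `max_bytes - (off_t) num_bytes`, as the comparison on the line above already does, keeps the subtraction signed. The same lines appear in the `@@ -69,9 +66,9 @@` hunk of src/network_freebsd_sendfile.c, and the enclosing loop continues outside this hunk.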
+@@ -121,6 +118,7 @@
+ }
+
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ /* check which chunks have been written */
+
+@@ -132,11 +130,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
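Review bot: The comment `/* chunks_written + c = c->next is done in the for()*/` still refers to `chunks_written`, which this patch removes from the function, so it now describes a counter that no longer exists. Reword it to match the new code, for example `/* c = c->next is done in the for() */`. The identical stale comment is kept in the `@@ -114,11 +112,10 @@` hunk of src/network_freebsd_sendfile.c.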
+@@ -284,6 +281,8 @@
+ assert(toSend < 0);
+ }
+
++ if (toSend > max_bytes) toSend = max_bytes;
++
+ #ifdef LOCAL_BUFFERING
+ start = c->mem->ptr;
+ #else
+@@ -309,6 +308,7 @@
- /* 0 on success, -1 for error */
--int mkdir_recursive(char *dir) {
-+static int mkdir_recursive(char *dir) {
- char *p = dir;
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
- if (!dir || !dir[0])
-@@ -126,7 +126,7 @@
- }
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -334,11 +334,9 @@
- /* 0 on success, -1 for error */
--int mkdir_for_file(char *filename) {
-+static int mkdir_for_file(char *filename) {
- char *p = filename;
+ break;
+ }
+-
+- chunks_written++;
+ }
- if (!filename || !filename[0])
-@@ -815,6 +815,7 @@
- return HANDLER_GO_ON;
+- return chunks_written;
++ return 0;
}
-+int mod_compress_plugin_init(plugin *p);
- int mod_compress_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("compress");
-Index: src/mod_ssi.c
+ #endif
+Index: src/network_freebsd_sendfile.c
===================================================================
---- src/mod_ssi.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_ssi.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -139,7 +139,7 @@
- return HANDLER_GO_ON;
- }
-
--int ssi_env_add(array *env, const char *key, const char *val) {
-+static int ssi_env_add(array *env, const char *key, const char *val) {
- data_string *ds;
+--- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29)
++++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x)
+@@ -31,17 +31,16 @@
+ # endif
+ #endif
- if (NULL == (ds = (data_string *)array_get_unused_element(env, TYPE_STRING))) {
-@@ -1125,6 +1125,7 @@
+-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
- /* this function is called at dlopen() time and inits the callbacks */
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
-+int mod_ssi_plugin_init(plugin *p);
- int mod_ssi_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("ssi");
-Index: src/spawn-fcgi.c
-===================================================================
---- src/spawn-fcgi.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/spawn-fcgi.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -37,7 +37,7 @@
- #endif
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
- #ifdef HAVE_SYS_UN_H
--int fcgi_spawn_connection(char *appPath, char **appArgv, char *addr, unsigned short port, const char *unixsocket, int fork_count, int child_count, int pid_fd, int nofork) {
-+static int fcgi_spawn_connection(char *appPath, char **appArgv, char *addr, unsigned short port, const char *unixsocket, int fork_count, int child_count, int pid_fd, int nofork) {
- int fcgi_fd;
- int socket_type, status, rc = 0;
- struct timeval tv = { 0, 100 * 1000 };
-@@ -259,14 +259,14 @@
- }
+ size_t num_chunks, i;
+@@ -49,12 +48,10 @@
+ chunk *tc;
+ size_t num_bytes = 0;
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < UIO_MAXIOV
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next);
+
+@@ -69,9 +66,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -105,6 +102,7 @@
+
+ /* check which chunks have been written */
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+ if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -114,11 +112,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -134,7 +131,7 @@
+ }
+ case FILE_CHUNK: {
+ off_t offset, r;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+
+ if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) {
+@@ -144,9 +141,8 @@
+ }
+
+ offset = c->file.start + c->offset;
+- /* limit the toSend to 2^31-1 bytes in a chunk */
+- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+- ((1 << 30) - 1) : c->file.length - c->offset;
++ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (-1 == c->file.fd) {
+ if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
+@@ -197,6 +193,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -218,7 +215,7 @@
+ }
+ }
--void show_version () {
-+static void show_version () {
- char *b = "spawn-fcgi" "-" PACKAGE_VERSION \
- " - spawns fastcgi processes\n"
- ;
- write(1, b, strlen(b));
+- return chunks_written;
++ return 0;
}
--void show_help () {
-+static void show_help () {
- char *b = \
- "Usage: spawn-fcgi [options] -- <fcgiapp> [fcgi app arguments]\n" \
- "\n" \
-Index: src/mod_auth.c
-===================================================================
---- src/mod_auth.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_auth.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -614,6 +614,7 @@
#endif
- }
-
-+int mod_auth_plugin_init(plugin *p);
- int mod_auth_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("auth");
-Index: src/mod_cml_lua.c
+Index: src/network_openssl.c
===================================================================
---- src/mod_cml_lua.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -105,7 +105,7 @@
- }
+--- src/network_openssl.c (.../tags/lighttpd-1.4.29)
++++ src/network_openssl.c (.../branches/lighttpd-1.4.x)
+@@ -27,10 +27,9 @@
+ # include <openssl/ssl.h>
+ # include <openssl/err.h>
+
+-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) {
++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
+ int ssl_r;
+ chunk *c;
+- size_t chunks_written = 0;
+
+ /* this is a 64k sendbuffer
+ *
+@@ -59,13 +58,13 @@
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
+- for(c = cq->first; c; c = c->next) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
--int cache_export_get_params(lua_State *L, int tbl, buffer *qrystr) {
-+static int cache_export_get_params(lua_State *L, int tbl, buffer *qrystr) {
- size_t is_key = 1;
- size_t i;
- char *key = NULL, *val = NULL;
-Index: src/mod_evasive.c
-===================================================================
---- src/mod_evasive.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_evasive.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -186,6 +186,7 @@
- }
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+ if (c->mem->used == 0 || c->mem->used == 1) {
+@@ -75,6 +74,7 @@
-+int mod_evasive_plugin_init(plugin *p);
- int mod_evasive_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("evasive");
-Index: src/mod_setenv.c
-===================================================================
---- src/mod_setenv.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_setenv.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -230,6 +230,7 @@
+ offset = c->mem->ptr + c->offset;
+ toSend = c->mem->used - 1 - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
- /* this function is called at dlopen() time and inits the callbacks */
+ /**
+ * SSL_write man-page
+@@ -87,7 +87,14 @@
+ */
-+int mod_setenv_plugin_init(plugin *p);
- int mod_setenv_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("setenv");
-Index: src/mod_indexfile.c
-===================================================================
---- src/mod_indexfile.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_indexfile.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -206,6 +206,7 @@
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
++ r = SSL_write(ssl, offset, toSend);
++
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
++ if (r <= 0) {
+ unsigned long err;
+
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
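Review bot: The log line added with the renegotiation guard, `"SSL: renegotiation initiated by client"`, carries no peer address, so an operator cannot tell from the error log which client was disconnected or whether repeated events come from one source. Adding the remote address of `con` to the message would make the event usable for detection and rate analysis. The same guard is pasted again after the second `SSL_write()` in the `@@ -190,7 +199,14 @@` hunk; a small static helper called from both places would keep the threshold `con->renegotiations > 1` and the message in one spot. Where `con->renegotiations` is incremented is outside these hunks, so the threshold itself cannot be checked from here.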
+@@ -139,6 +146,7 @@
+ } else {
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+ }
+
+ if (c->offset == (off_t)c->mem->used - 1) {
+@@ -168,6 +176,7 @@
+ do {
+ off_t offset = c->file.start + c->offset;
+ off_t toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
+
+@@ -190,7 +199,14 @@
+ close(ifd);
+
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, s, toSend)) <= 0) {
++ r = SSL_write(ssl, s, toSend);
++
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
++ if (r <= 0) {
+ unsigned long err;
+
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -243,12 +259,13 @@
+ } else {
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+ }
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+ }
+- } while(!chunk_finished && !write_wait);
++ } while (!chunk_finished && !write_wait && max_bytes > 0);
+
+ break;
+ }
+@@ -263,11 +280,9 @@
+
+ break;
+ }
+-
+- chunks_written++;
+ }
- /* this function is called at dlopen() time and inits the callbacks */
+- return chunks_written;
++ return 0;
+ }
+ #endif
-+int mod_indexfile_plugin_init(plugin *p);
- int mod_indexfile_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("indexfile");
-Index: src/mod_uploadprogress.c
+Index: src/http_auth.c
===================================================================
---- src/mod_uploadprogress.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_uploadprogress.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -51,7 +51,7 @@
+--- src/http_auth.c (.../tags/lighttpd-1.4.29)
++++ src/http_auth.c (.../branches/lighttpd-1.4.x)
+@@ -1,7 +1,6 @@
+ #include "server.h"
+ #include "log.h"
+ #include "http_auth.h"
+-#include "http_auth_digest.h"
+ #include "inet_ntop_cache.h"
+ #include "stream.h"
+
+@@ -28,18 +27,23 @@
+ #include <unistd.h>
+ #include <ctype.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
++#define HASHLEN 16
++#define HASHHEXLEN 32
++typedef unsigned char HASH[HASHLEN];
++typedef char HASHHEX[HASHHEXLEN+1];
+
+-#endif
++static void CvtHex(const HASH Bin, char Hex[33]) {
++ unsigned short i;
+
++ for (i = 0; i < 16; i++) {
++ Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf);
++ Hex[i*2+1] = int2hex(Bin[i] & 0xf);
++ }
++ Hex[32] = '\0';
++}
++
+ /**
+ * the $apr1$ handling is taken from apache 1.3.x
*/
+@@ -95,7 +99,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
- /* init the plugin data */
--connection_map *connection_map_init() {
-+static connection_map *connection_map_init() {
- connection_map *cm;
-
- cm = calloc(1, sizeof(*cm));
-@@ -59,7 +59,7 @@
- return cm;
- }
+ if (ch == '\0') break;
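Review bot: The cast in `ch = (unsigned char) in[i];` stops an input byte of 0x80 or above from becoming a negative value, but it also means `ch` can now be as large as 255, and the hunk does not show that whatever `ch` indexes or is compared with later in the loop covers that range. This is hedged because the lookup is outside the hunk: if `ch` is used as a table index, either the table needs 256 entries or a range check has to come before the lookup. The context line `ch = in[0];` above the loop is left without the cast and its value is overwritten on the first iteration, so it could be dropped or given the same cast. A short comment such as `/* unsigned: input bytes >= 0x80 must not sign-extend */` would record why the cast is there.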
--void connection_map_free(connection_map *cm) {
-+static void connection_map_free(connection_map *cm) {
- size_t i;
- for (i = 0; i < cm->size; i++) {
- connection_map_entry *cme = cm->ptr[i];
-@@ -75,7 +75,7 @@
- free(cm);
- }
+@@ -435,7 +439,7 @@
--int connection_map_insert(connection_map *cm, connection *con, buffer *con_id) {
-+static int connection_map_insert(connection_map *cm, connection *con, buffer *con_id) {
- connection_map_entry *cme;
- size_t i;
+ static void to64(char *s, unsigned long v, int n)
+ {
+- static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
++ static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+ while (--n >= 0) {
+@@ -455,7 +459,7 @@
+ const char *sp, *ep;
+ unsigned char final[APR_MD5_DIGESTSIZE];
+ ssize_t sl, pl, i;
+- MD5_CTX ctx, ctx1;
++ li_MD5_CTX ctx, ctx1;
+ unsigned long l;
+
+ /*
+@@ -487,33 +491,33 @@
+ /*
+ * 'Time to make the doughnuts..'
+ */
+- MD5_Init(&ctx);
++ li_MD5_Init(&ctx);
+
+ /*
+ * The password first, since that is what is most unknown
+ */
+- MD5_Update(&ctx, pw, strlen(pw));
++ li_MD5_Update(&ctx, pw, strlen(pw));
+
+ /*
+ * Then our magic string
+ */
+- MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
++ li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
+
+ /*
+ * Then the raw salt
+ */
+- MD5_Update(&ctx, sp, sl);
++ li_MD5_Update(&ctx, sp, sl);
+
+ /*
+ * Then just as many characters of the MD5(pw, salt, pw)
+ */
+- MD5_Init(&ctx1);
+- MD5_Update(&ctx1, pw, strlen(pw));
+- MD5_Update(&ctx1, sp, sl);
+- MD5_Update(&ctx1, pw, strlen(pw));
+- MD5_Final(final, &ctx1);
++ li_MD5_Init(&ctx1);
++ li_MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, sp, sl);
++ li_MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Final(final, &ctx1);
+ for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) {
+- MD5_Update(&ctx, final,
++ li_MD5_Update(&ctx, final,
+ (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl);
+ }
-@@ -108,7 +108,7 @@
- return 0;
- }
+@@ -527,10 +531,10 @@
+ */
+ for (i = strlen(pw); i != 0; i >>= 1) {
+ if (i & 1) {
+- MD5_Update(&ctx, final, 1);
++ li_MD5_Update(&ctx, final, 1);
+ }
+ else {
+- MD5_Update(&ctx, pw, 1);
++ li_MD5_Update(&ctx, pw, 1);
+ }
+ }
--connection *connection_map_get_connection(connection_map *cm, buffer *con_id) {
-+static connection *connection_map_get_connection(connection_map *cm, buffer *con_id) {
- size_t i;
+@@ -542,7 +546,7 @@
+ strncat(passwd, sp, sl);
+ strcat(passwd, "$");
+
+- MD5_Final(final, &ctx);
++ li_MD5_Final(final, &ctx);
+
+ /*
+ * And now, just to make sure things don't run too fast..
+@@ -550,28 +554,28 @@
+ * need 30 seconds to build a 1000 entry dictionary...
+ */
+ for (i = 0; i < 1000; i++) {
+- MD5_Init(&ctx1);
++ li_MD5_Init(&ctx1);
+ if (i & 1) {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+ else {
+- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+ }
+ if (i % 3) {
+- MD5_Update(&ctx1, sp, sl);
++ li_MD5_Update(&ctx1, sp, sl);
+ }
+
+ if (i % 7) {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+
+ if (i & 1) {
+- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
+ }
+ else {
+- MD5_Update(&ctx1, pw, strlen(pw));
++ li_MD5_Update(&ctx1, pw, strlen(pw));
+ }
+- MD5_Final(final,&ctx1);
++ li_MD5_Final(final,&ctx1);
+ }
- for (i = 0; i < cm->used; i++) {
-@@ -123,7 +123,7 @@
- return NULL;
- }
+ p = passwd + strlen(passwd);
+@@ -614,17 +618,17 @@
+ * user:realm:md5(user:realm:password)
+ */
+
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ char a1[256];
+
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
++ li_MD5_Final(HA1, &Md5Ctx);
+
+ CvtHex(HA1, a1);
+
+@@ -930,7 +934,7 @@
+ int i;
+ buffer *password, *b, *username_buf, *realm_buf;
+
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ HASH HA1;
+ HASH HA2;
+ HASH RespHash;
+@@ -1067,13 +1071,13 @@
+
+ if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
+ /* generate password from plain-text */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1);
++ li_MD5_Final(HA1, &Md5Ctx);
+ } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) {
+ /* HA1 */
+ /* transform the 32-byte-hex-md5 to a 16-byte-md5 */
+@@ -1090,45 +1094,45 @@
+
+ if (algorithm &&
+ strcasecmp(algorithm, "md5-sess") == 0) {
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+- MD5_Final(HA1, &Md5Ctx);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++ li_MD5_Final(HA1, &Md5Ctx);
+ }
--int connection_map_remove_connection(connection_map *cm, connection *con) {
-+static int connection_map_remove_connection(connection_map *cm, connection *con) {
- size_t i;
+ CvtHex(HA1, a1);
+
+ /* calculate H(A2) */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
+ if (qop && strcasecmp(qop, "auth-int") == 0) {
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
+ }
+- MD5_Final(HA2, &Md5Ctx);
++ li_MD5_Final(HA2, &Md5Ctx);
+ CvtHex(HA2, HA2Hex);
+
+ /* calculate response */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ if (qop && *qop) {
+- MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
+- MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ };
+- MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
+- MD5_Final(RespHash, &Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
++ li_MD5_Final(RespHash, &Md5Ctx);
+ CvtHex(RespHash, a2);
+
+ if (0 != strcmp(a2, respons)) {
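Review bot: In the `auth-int` branch, `li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);` hashes HASHHEXLEN bytes starting at a one-byte string literal, so it reads past the end of `""` and makes H(A2) depend on whatever happens to follow the literal in memory. RFC 2617 expects the hex MD5 of the entity body at that position; either feed a real buffer, e.g. `li_MD5_Update(&Md5Ctx, (unsigned char *)HEntity, HASHHEXLEN);` with `HEntity` a `HASHHEX` computed from the request body (a name introduced here, not one from the file), or reject `qop=auth-int` before this point. Separately, the final `strcmp(a2, respons)` compares the expected digest with an early exit; a fixed-length constant-time comparison over HASHHEXLEN bytes would be the more careful choice, assuming `respons` is length-checked elsewhere. The enclosing function starts and ends outside this hunk.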
+@@ -1171,24 +1175,24 @@
+
+ int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) {
+ HASH h;
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ char hh[32];
- for (i = 0; i < cm->used; i++) {
-@@ -418,6 +418,7 @@
+ UNUSED(p);
- /* this function is called at dlopen() time and inits the callbacks */
+ /* generate shared-secret */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+
+ /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+ LI_ltostr(hh, srv->cur_ts);
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ LI_ltostr(hh, rand());
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+
+- MD5_Final(h, &Md5Ctx);
++ li_MD5_Final(h, &Md5Ctx);
+
+ CvtHex(h, out);
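Review bot: The nonce input `LI_ltostr(hh, rand());` adds nothing an observer cannot model, and `srv->cur_ts` is guessable too, so the nonce's unpredictability rests entirely on `srv->entropy`, whose source is not visible in this hunk. That dependency deserves a comment above the entropy update, for example `/* nonce strength comes from srv->entropy only; cur_ts and rand() are predictable */`, so a later change to how `srv->entropy` is seeded is reviewed with the nonce in mind. The existing comment `we assume sizeof(time_t) == 4` is stale on platforms with a 64-bit `time_t`; `hh[32]` looks large enough for a 64-bit decimal, but that depends on what `LI_ltostr` writes, which is not shown. The same construction is repeated in the src/mod_usertrack.c hunk at -228,18 ("taken from mod_auth.c"), where it produces the tracking cookie value. The function body continues past the end of this hunk.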
-+int mod_uploadprogress_plugin_init(plugin *p);
- int mod_uploadprogress_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("uploadprogress");
-Index: src/mod_fastcgi.c
+Index: src/mod_usertrack.c
===================================================================
---- src/mod_fastcgi.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -389,7 +389,7 @@
- /* ok, we need a prototype */
- static handler_t fcgi_handle_fdevent(void *s, void *ctx, int revents);
-
--int fastcgi_status_copy_procname(buffer *b, fcgi_extension_host *host, fcgi_proc *proc) {
-+static int fastcgi_status_copy_procname(buffer *b, fcgi_extension_host *host, fcgi_proc *proc) {
- buffer_copy_string_len(b, CONST_STR_LEN("fastcgi.backend."));
- buffer_append_string_buffer(b, host->id);
- if (proc) {
-@@ -400,7 +400,7 @@
- return 0;
- }
-
--int fastcgi_status_init(server *srv, buffer *b, fcgi_extension_host *host, fcgi_proc *proc) {
-+static int fastcgi_status_init(server *srv, buffer *b, fcgi_extension_host *host, fcgi_proc *proc) {
- #define CLEAN(x) \
- fastcgi_status_copy_procname(b, host, proc); \
- buffer_append_string_len(b, CONST_STR_LEN(x)); \
-@@ -465,7 +465,7 @@
- free(hctx);
- }
-
--fcgi_proc *fastcgi_process_init() {
-+static fcgi_proc *fastcgi_process_init() {
- fcgi_proc *f;
-
- f = calloc(1, sizeof(*f));
-@@ -478,7 +478,7 @@
- return f;
- }
-
--void fastcgi_process_free(fcgi_proc *f) {
-+static void fastcgi_process_free(fcgi_proc *f) {
- if (!f) return;
-
- fastcgi_process_free(f->next);
-@@ -489,7 +489,7 @@
- free(f);
- }
-
--fcgi_extension_host *fastcgi_host_init() {
-+static fcgi_extension_host *fastcgi_host_init() {
- fcgi_extension_host *f;
-
- f = calloc(1, sizeof(*f));
-@@ -506,7 +506,7 @@
- return f;
- }
-
--void fastcgi_host_free(fcgi_extension_host *h) {
-+static void fastcgi_host_free(fcgi_extension_host *h) {
- if (!h) return;
-
- buffer_free(h->id);
-@@ -525,7 +525,7 @@
-
- }
-
--fcgi_exts *fastcgi_extensions_init() {
-+static fcgi_exts *fastcgi_extensions_init() {
- fcgi_exts *f;
-
- f = calloc(1, sizeof(*f));
-@@ -533,7 +533,7 @@
- return f;
- }
-
--void fastcgi_extensions_free(fcgi_exts *f) {
-+static void fastcgi_extensions_free(fcgi_exts *f) {
- size_t i;
-
- if (!f) return;
-@@ -563,7 +563,7 @@
- free(f);
- }
-
--int fastcgi_extension_insert(fcgi_exts *ext, buffer *key, fcgi_extension_host *fh) {
-+static int fastcgi_extension_insert(fcgi_exts *ext, buffer *key, fcgi_extension_host *fh) {
- fcgi_extension *fe;
- size_t i;
-
-@@ -1479,7 +1479,7 @@
-
- return 0;
- }
--void fcgi_connection_close(server *srv, handler_ctx *hctx) {
-+static void fcgi_connection_close(server *srv, handler_ctx *hctx) {
- plugin_data *p;
- connection *con;
-
-@@ -3916,6 +3916,7 @@
- }
-
+--- src/mod_usertrack.c (.../tags/lighttpd-1.4.29)
++++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x)
+@@ -8,18 +8,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
++#include "md5.h"
+
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ /* plugin config for all request/connections */
-+int mod_fastcgi_plugin_init(plugin *p);
- int mod_fastcgi_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("fastcgi");
-Index: src/CMakeLists.txt
+ typedef struct {
+@@ -182,7 +172,7 @@
+ plugin_data *p = p_d;
+ data_string *ds;
+ unsigned char h[16];
+- MD5_CTX Md5Ctx;
++ li_MD5_CTX Md5Ctx;
+ char hh[32];
+
+ if (con->uri.path->used == 0) return HANDLER_GO_ON;
+@@ -228,18 +218,18 @@
+ /* taken from mod_auth.c */
+
+ /* generate shared-secret */
+- MD5_Init(&Md5Ctx);
+- MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
+- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
++ li_MD5_Init(&Md5Ctx);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+
+ /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
+ LI_ltostr(hh, srv->cur_ts);
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ LI_ltostr(hh, rand());
+- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+
+- MD5_Final(h, &Md5Ctx);
++ li_MD5_Final(h, &Md5Ctx);
+
+ buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX);
+ buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/"));
+Index: src/mod_status.c
===================================================================
---- src/CMakeLists.txt (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/CMakeLists.txt (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -29,6 +29,18 @@
- OPTION(WITH_GDBM "gdbm storage for mod_trigger_b4_dl [default: off]")
- OPTION(WITH_MEMCACHE "memcached storage for mod_trigger_b4_dl [default: off]")
-
-+IF(CMAKE_COMPILER_IS_GNUCC)
-+ OPTION(BUILD_EXTRA_WARNINGS "extra warnings")
-+
-+ IF(BUILD_EXTRA_WARNINGS)
-+ SET(WARN_FLAGS "-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wno-pointer-sign -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wformat-security")
-+ # -Wl,--as-needed
-+ # -Werror -Wbad-function-cast -Wmissing-prototypes
-+ ELSE(BUILD_EXTRA_WARNINGS)
-+ SET(WARN_FLAGS "")
-+ ENDIF(BUILD_EXTRA_WARNINGS)
-+ENDIF(CMAKE_COMPILER_IS_GNUCC)
-+
- OPTION(BUILD_STATIC "build a static lighttpd with all modules added")
-
- IF(BUILD_STATIC)
-@@ -424,6 +436,10 @@
- ADD_EXECUTABLE(spawn-fcgi spawn-fcgi.c)
- SET(L_INSTALL_TARGETS ${L_INSTALL_TARGETS} spawn-fcgi)
+--- src/mod_status.c (.../tags/lighttpd-1.4.29)
++++ src/mod_status.c (.../branches/lighttpd-1.4.x)
+@@ -487,7 +487,7 @@
+
+ buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">"));
+
+- if (con->request.content_length) {
++ if (c->request.content_length) {
+ buffer_append_long(b, c->request_content_queue->bytes_in);
+ buffer_append_string_len(b, CONST_STR_LEN("/"));
+ buffer_append_long(b, c->request.content_length);
+Index: src/settings.h
+===================================================================
+--- src/settings.h (.../tags/lighttpd-1.4.29)
++++ src/settings.h (.../branches/lighttpd-1.4.x)
+@@ -21,8 +21,11 @@
+ * 64kB (no real reason, just a guess)
+ */
+ #define BUFFER_MAX_REUSE_SIZE (4 * 1024)
+-#define MAX_READ_LIMIT (4*1024*1024)
-+ADD_EXECUTABLE(lighttpd-angel lighttpd-angel.c)
-+SET(L_INSTALL_TARGETS ${L_INSTALL_TARGETS} lighttpd-angel)
-+ADD_TARGET_PROPERTIES(lighttpd-angel COMPILE_FLAGS "-DSBIN_DIR=\\\\\"${CMAKE_INSTALL_PREFIX}/${SBINDIR}\\\\\"")
++/* both should be way smaller than SSIZE_MAX :) */
++#define MAX_READ_LIMIT (256*1024)
++#define MAX_WRITE_LIMIT (256*1024)
+
- ADD_EXECUTABLE(lighttpd
- server.c
- response.c
-@@ -545,7 +561,7 @@
- ENDIF(HAVE_MEMCACHE_H)
-
- IF(CMAKE_COMPILER_IS_GNUCC)
-- SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -Wall -g -Wshadow -W -pedantic")
-+ SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -Wall -g -Wshadow -W -pedantic ${WARN_FLAGS}")
- SET(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -O2")
- SET(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -O0")
- SET(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_WITHDEBINFO} -O2")
-Index: src/mod_access.c
+ /**
+ * max size of the HTTP request header
+ *
+Index: src/mod_cml_lua.c
===================================================================
---- src/mod_access.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_access.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -175,6 +175,7 @@
- }
-
-
-+int mod_access_plugin_init(plugin *p);
- int mod_access_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("access");
-Index: src/mod_accesslog.c
+--- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29)
++++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x)
+@@ -11,18 +11,6 @@
+ #include <time.h>
+ #include <string.h>
+
+-#ifdef USE_OPENSSL
+-# include <openssl/md5.h>
+-#else
+-# include "md5.h"
+-
+-typedef li_MD5_CTX MD5_CTX;
+-#define MD5_Init li_MD5_Init
+-#define MD5_Update li_MD5_Update
+-#define MD5_Final li_MD5_Final
+-
+-#endif
+-
+ #define HASHLEN 16
+ typedef unsigned char HASH[HASHLEN];
+ #define HASHHEXLEN 32
+Index: src/mod_fastcgi.c
===================================================================
---- src/mod_accesslog.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_accesslog.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -156,7 +156,7 @@
- return p;
- }
-
--int accesslog_parse_format(server *srv, format_fields *fields, buffer *format) {
-+static int accesslog_parse_format(server *srv, format_fields *fields, buffer *format) {
- size_t i, j, k = 0, start = 0;
+--- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29)
++++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x)
+@@ -3075,7 +3075,7 @@
+ fcgi_set_state(srv, hctx, FCGI_STATE_WRITE);
+ /* fall through */
+ case FCGI_STATE_WRITE:
+- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb);
++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT);
+
+ chunkqueue_remove_finished_chunks(hctx->wb);
+
+@@ -3132,7 +3132,6 @@
+ plugin_data *p = p_d;
+
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+- fcgi_proc *proc;
+ fcgi_extension_host *host;
+
+ if (NULL == hctx) return HANDLER_GO_ON;
+@@ -3201,7 +3200,6 @@
+ /* ok, create the request */
+ switch(fcgi_write_request(srv, hctx)) {
+ case HANDLER_ERROR:
+- proc = hctx->proc;
+ host = hctx->host;
+
+ if (hctx->state == FCGI_STATE_INIT ||
+Index: src/network_solaris_sendfilev.c
+===================================================================
+--- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29)
++++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x)
+@@ -38,17 +38,16 @@
+ */
- if (format->used == 0) return -1;
-@@ -876,6 +876,7 @@
- }
+-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -77,9 +76,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
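Review bot: The MEM_CHUNK writev path in this file never subtracts the bytes written from `max_bytes`: this hunk clamps `iov_len` against `max_bytes`, but no hunk for network_solaris_sendfilev.c adds the decrement, whereas network_linux_sendfile.c gains `max_bytes -= r;` after `cq->bytes_out += r;` at -100,6. Because `max_bytes` is a new parameter, the unchanged lines between the hunks cannot contain it either, so the loop condition `(max_bytes > 0)` keeps seeing the original value after each writev and a queue of memory chunks can exceed the per-call limit on this backend. Proposed: add `max_bytes -= r;` directly after `cq->bytes_out += r;` in the MEM_CHUNK case, matching the FILE_CHUNK branch's `max_bytes -= written;`. The writev call and the surrounding loop lie outside this hunk.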
+@@ -119,11 +118,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -139,8 +137,8 @@
+ }
+ case FILE_CHUNK: {
+ ssize_t r;
+- off_t offset;
+- size_t toSend, written;
++ off_t offset, toSend;
++ size_t written;
+ sendfilevec_t fvec;
+ stat_cache_entry *sce = NULL;
+ int ifd;
+@@ -153,6 +151,7 @@
+
+ offset = c->file.start + c->offset;
+ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ if (offset > sce->st.st_size) {
+ log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
+@@ -186,6 +185,7 @@
+ close(ifd);
+ c->offset += written;
+ cq->bytes_out += written;
++ max_bytes -= written;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -207,7 +207,7 @@
+ }
+ }
-+int mod_accesslog_plugin_init(plugin *p);
- int mod_accesslog_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("accesslog");
-Index: src/mod_dirlisting.c
-===================================================================
---- src/mod_dirlisting.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -73,7 +73,7 @@
- plugin_config conf;
- } plugin_data;
-
--excludes_buffer *excludes_buffer_init(void) {
-+static excludes_buffer *excludes_buffer_init(void) {
- excludes_buffer *exb;
-
- exb = calloc(1, sizeof(*exb));
-@@ -81,7 +81,7 @@
- return exb;
+- return chunks_written;
++ return 0;
}
--int excludes_buffer_append(excludes_buffer *exb, buffer *string) {
-+static int excludes_buffer_append(excludes_buffer *exb, buffer *string) {
- #ifdef HAVE_PCRE_H
- size_t i;
- const char *errptr;
-@@ -128,7 +128,7 @@
#endif
- }
-
--void excludes_buffer_free(excludes_buffer *exb) {
-+static void excludes_buffer_free(excludes_buffer *exb) {
- #ifdef HAVE_PCRE_H
- size_t i;
-
-@@ -904,6 +904,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
-
-+int mod_dirlisting_plugin_init(plugin *p);
- int mod_dirlisting_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("dirlisting");
-Index: src/mod_magnet.c
+Index: src/CMakeLists.txt
===================================================================
---- src/mod_magnet.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/mod_magnet.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -840,6 +840,7 @@
-
- /* this function is called at dlopen() time and inits the callbacks */
-
-+int mod_magnet_plugin_init(plugin *p);
- int mod_magnet_plugin_init(plugin *p) {
- p->version = LIGHTTPD_VERSION_ID;
- p->name = buffer_init_string("magnet");
-@@ -856,6 +857,7 @@
- }
-
+Index: src/mod_dirlisting.c
+===================================================================
+--- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29)
++++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x)
+@@ -657,7 +657,8 @@
+ i = dir->used - 1;
+
+ #ifdef HAVE_PATHCONF
+- if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++ if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) {
++ /* some broken fs (fuse) return 0 instead of -1 */
+ #ifdef NAME_MAX
+ name_max = NAME_MAX;
#else
-+int mod_magnet_plugin_init(plugin *p);
- int mod_magnet_plugin_init(plugin *p) {
- UNUSED(p);
- return -1;
-Index: src/fdevent.c
+Index: src/network_linux_sendfile.c
===================================================================
---- src/fdevent.c (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ src/fdevent.c (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -92,7 +92,7 @@
- return 0;
- }
-
--fdnode *fdnode_init() {
-+static fdnode *fdnode_init() {
- fdnode *fdn;
-
- fdn = calloc(1, sizeof(*fdn));
-@@ -100,7 +100,7 @@
- return fdn;
- }
+--- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29)
++++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x)
+@@ -27,17 +27,16 @@
+ /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */
+ #undef HAVE_POSIX_FADVISE
+
+-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
+ chunk *c;
+- size_t chunks_written = 0;
+
+- for(c = cq->first; c; c = c->next, chunks_written++) {
++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
+ int chunk_finished = 0;
+
+ switch(c->type) {
+ case MEM_CHUNK: {
+ char * offset;
+- size_t toSend;
++ off_t toSend;
+ ssize_t r;
+
+ size_t num_chunks, i;
+@@ -45,12 +44,10 @@
+ chunk *tc;
+ size_t num_bytes = 0;
+
+- /* we can't send more then SSIZE_MAX bytes in one chunk */
+-
+ /* build writev list
+ *
+ * 1. limit: num_chunks < UIO_MAXIOV
+- * 2. limit: num_bytes < SSIZE_MAX
++ * 2. limit: num_bytes < max_bytes
+ */
+ for (num_chunks = 0, tc = c;
+ tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV;
+@@ -67,9 +64,9 @@
+ chunks[i].iov_base = offset;
+
+ /* protect the return value of writev() */
+- if (toSend > SSIZE_MAX ||
+- num_bytes + toSend > SSIZE_MAX) {
+- chunks[i].iov_len = SSIZE_MAX - num_bytes;
++ if (toSend > max_bytes ||
++ (off_t) num_bytes + toSend > max_bytes) {
++ chunks[i].iov_len = max_bytes - num_bytes;
+
+ num_chunks = i + 1;
+ break;
+@@ -100,6 +97,7 @@
+
+ /* check which chunks have been written */
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
+ if (r >= (ssize_t)chunks[i].iov_len) {
+@@ -109,11 +107,10 @@
+
+ if (chunk_finished) {
+ /* skip the chunks from further touches */
+- chunks_written++;
+ c = c->next;
+ } else {
+ /* chunks_written + c = c->next is done in the for()*/
+- chunk_finished++;
++ chunk_finished = 1;
+ }
+ } else {
+ /* partially written */
+@@ -130,13 +127,12 @@
+ case FILE_CHUNK: {
+ ssize_t r;
+ off_t offset;
+- size_t toSend;
++ off_t toSend;
+ stat_cache_entry *sce = NULL;
+
+ offset = c->file.start + c->offset;
+- /* limit the toSend to 2^31-1 bytes in a chunk */
+- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
+- ((1 << 30) - 1) : c->file.length - c->offset;
++ toSend = c->file.length - c->offset;
++ if (toSend > max_bytes) toSend = max_bytes;
+
+ /* open file if not already opened */
+ if (-1 == c->file.fd) {
+@@ -215,6 +211,7 @@
+
+ c->offset += r;
+ cq->bytes_out += r;
++ max_bytes -= r;
+
+ if (c->offset == c->file.length) {
+ chunk_finished = 1;
+@@ -243,7 +240,7 @@
+ }
+ }
--void fdnode_free(fdnode *fdn) {
-+static void fdnode_free(fdnode *fdn) {
- free(fdn);
+- return chunks_written;
++ return 0;
}
-Index: doc/lighttpd.1
+ #endif
+Index: tests/mod-auth.t
+===================================================================
+--- tests/mod-auth.t (.../tags/lighttpd-1.4.29)
++++ tests/mod-auth.t (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+
+ $t->{REQUEST} = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
++
++$t->{REQUEST} = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+ );
+Index: tests/request.t
===================================================================
---- doc/lighttpd.1 (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ doc/lighttpd.1 (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -1,18 +0,0 @@
--.TH LIGHTTPD 1 2003-12-21
--.SH NAME
--lighttpd - a fast, secure and flexible webserver
--.SH SYNOPSIS
--lighttpd -D -f <configfile>
--.SH DESCRIPTION
--.SH FILES
--/etc/lighttpd/lighttpd.conf
--.SH CONFORMING TO
--HTTP/1.0
--HTTP/1.0
--HTTP-Authentification - Basic, Digest
--FastCGI
--CGI/1.1
--.SH SEE ALSO
--spawn-fcgi(1)
--.SH AUTHOR
--jan@kneschke.de
-Index: doc/lighttpd.8
+--- tests/request.t (.../tags/lighttpd-1.4.29)
++++ tests/request.t (.../branches/lighttpd-1.4.x)
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 44;
++use Test::More tests => 46;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -413,5 +413,21 @@
+ $t->{SLOWREQUEST} = 1;
+ ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)');
+
++print "\nPathinfo for static files\n";
++$t->{REQUEST} = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ];
++ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default');
++
++$t->{REQUEST} = ( <<EOF
++GET /image.jpg/index.php HTTP/1.0
++Host: zzz.example.org
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
++ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
++
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+
+Index: tests/wrapper.sh
===================================================================
---- doc/lighttpd.8 (.../tags/lighttpd-1.4.22) (revision 0)
-+++ doc/lighttpd.8 (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -0,0 +1,70 @@
-+.TH LIGHTTPD "8" "2009-03-07" "" ""
-+.
-+.SH NAME
-+lighttpd \- a fast, secure and flexible web server
-+.
-+.SH SYNOPSIS
-+\fBlighttpd\fP [\fB\-ptDvVh\fP] \fB\-f\fP \fIconfigfile\fP [\fB\-m\fP \fImoduledir\fP]
-+.
-+.SH DESCRIPTION
-+\fBlighttpd\fP (pronounced 'lighty') is an advanced HTTP daemon that aims
-+to be secure, fast, compliant and very flexible. It has been optimized for
-+high performance. Its feature set includes, but is not limited to, FastCGI,
-+CGI, basic and digest HTTP authentication, output compression, URL rewriting.
-+.PP
-+This manual page only lists the command line arguments. For details
-+on how to configure \fBlighttpd\fP and its modules see the files in the
-+doc-directory.
-+.
-+.SH OPTIONS
-+The following options are supported:
-+.TP 8
-+\fB\-f\ \fP \fIconfigfile\fP
-+Load configuration file \fIconfigfile\fP.
-+.TP 8
-+\fB\-m\ \fP \fImoduledir\fP
-+Use
-+\fImoduledir\fP
-+as the directory that contains modules, instead of the default.
-+.TP 8
-+\fB\-p\fP
-+Print the parsed configuration file in its internal form and exit.
-+.TP 8
-+\fB\-t\fP
-+Test the configuration file for syntax errors and exit.
-+.TP 8
-+\fB\-D\fP
-+Do not daemonize (go into background). The default is to daemonize.
-+.TP 8
-+\fB\-v\fP
-+Show version and exit.
-+.TP 8
-+\fB\-V\fP
-+Show compile-time features and exit.
-+.TP 8
-+\fB\-h\fP
-+Show a brief help message and exit.
-+.
-+.SH FILES
-+.TP 8
-+/etc/lighttpd/lighttpd.conf
-+The standard location for the configuration file.
-+.TP 8
-+/var/run/lighttpd.pid
-+The standard location for the PID of the running \fBlighttpd\fP process.
-+.
-+.SH SEE ALSO
-+Online Documentation: http://wiki.lighttpd.net/
-+.PP
-+spawn-fcgi(1)
-+.PP
-+\fIHypertext Transfer Protocol -- HTTP/1.1\fP, RFC 2616.
-+.PP
-+\fIHTTP Authentication: Basic and Digest Access Authentication\fP, RFC 2617.
-+.PP
-+\fIThe Common Gateway Interface Version 1.1\fP, RFC 3875.
-+.PP
-+\fIThe FastCGI specification\fP.
-+.
-+.SH AUTHOR
-+Jan Kneschke <jan@kneschke.de>
-Index: doc/Makefile.am
+--- tests/wrapper.sh (.../tags/lighttpd-1.4.29)
++++ tests/wrapper.sh (.../branches/lighttpd-1.4.x)
+@@ -6,4 +6,4 @@
+ top_builddir=$2
+ export SHELL srcdir top_builddir
+
+-$3
++exec $3
+Index: tests/lighttpd.conf
===================================================================
---- doc/Makefile.am (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ doc/Makefile.am (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -1,6 +1,6 @@
--dist_man1_MANS=lighttpd.1 spawn-fcgi.1
-+dist_man1_MANS=spawn-fcgi.1
-+dist_man8_MANS=lighttpd.8
+--- tests/lighttpd.conf (.../tags/lighttpd-1.4.29)
++++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x)
+@@ -149,6 +149,7 @@
+ $HTTP["host"] == "zzz.example.org" {
+ server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
+ server.name = "zzz.example.org"
++ static-file.disable-pathinfo = "enable"
+ }
--
- DOCS=accesslog.txt \
- authentication.txt \
- cgi.txt \
+ $HTTP["host"] == "symlink.example.org" {
+Index: configure.ac
+===================================================================
+Index: doc/config/lighttpd.conf
+===================================================================
+--- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29)
++++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x)
+@@ -394,6 +394,25 @@
+ ## $SERVER["socket"] == "10.0.0.1:443" {
+ ## ssl.engine = "enable"
+ ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
++## #
++## # Mitigate BEAST attack:
++## #
++## # A stricter base cipher suite. For details see:
++## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
++## #
++## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++## #
++## # Make the server prefer the order of the server side cipher suite instead of the client suite.
++## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
++## # This option is enabled by default, but only used if ssl.ciphers is set.
++## #
++## # ssl.honor-cipher-order = "enable"
++## #
++## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
++## # This is enabled by default.
++## #
++## # ssl.disable-client-renegotiation = "enable"
++## #
+ ## server.name = "www.example.com"
+ ##
+ ## server.document-root = "/srv/www/vhosts/example.com/www/"
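Review bot: The suggested `ssl.ciphers` string places `RC4-SHA:RC4` ahead of `HIGH` and excludes `!EDH` and `!AESGCM`, which trades the BEAST exposure for RC4's own weaknesses and removes the DHE and AES-GCM suites; RFC 7465 has since prohibited RC4 in TLS. The comment block should say that this list is a stopgap for TLS 1.0 CBC clients rather than a general recommendation, for example by adding `## # NOTE: RC4 is itself broken (RFC 7465); prefer TLS 1.2+ AEAD suites where clients allow.` The word "renegotation" in the CVE-2009-3555 comment should read "renegotiation". The commented example block this hunk extends begins and ends outside the hunk.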
Index: SConstruct
===================================================================
Index: NEWS
===================================================================
---- NEWS (.../tags/lighttpd-1.4.22) (revision 2417)
-+++ NEWS (.../branches/lighttpd-1.4.x) (revision 2417)
-@@ -3,7 +3,11 @@
+--- NEWS (.../tags/lighttpd-1.4.29)
++++ NEWS (.../branches/lighttpd-1.4.x)
+@@ -3,7 +3,20 @@
NEWS
====
--- 1.4.22 -
-+- 1.4.23 -
-+ * Added some extra warning options in cmake and fix the resulting warnings (unused/static functions)
-+ * New lighttpd man page (moved it to section 8) (fixes #1875)
+-- 1.4.29 -
++- 1.4.30 -
++ * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
++ * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
++ * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
++ * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file
++ * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
++ * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351)
++ * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
++ * [ssl] count renegotiations to prevent client renegotiations
++ * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
++ * [core] accept dots in ipv6 addresses in host header (fixes #2359)
++ * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
+
-+- 1.4.22 - 2009-03-07
- * Fix wrong lua type for CACHE_MISS/CACHE_HIT in mod_cml (fixes #533)
- * Fix default vhost in mod_simple_vhost (fixes #1905)
- * Handle EINTR in mod_rrdtool (fixes #604)
++- 1.4.29 - 2011-07-03
+ * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)
+ * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257)
+ * mod_cgi: make read buffer as big as incoming data block
Index: CMakeLists.txt
===================================================================
-
-Property changes on: .
-___________________________________________________________________
-Modified: bzr:revision-info
- - timestamp: 2009-03-07 14:58:05.338000059 +0100
-committer: Stefan Bühler <stbuehler@web.de>
-properties:
- branch-nick: lighttpd-1.4.x
-
- + timestamp: 2009-03-07 22:04:32.213999987 +0100
-committer: Stefan Bühler <stbuehler@web.de>
-properties:
- branch-nick: lighttpd-1.4.x
-
-Modified: bzr:file-ids
- -
- + doc/lighttpd.8 lighttpd.8-20090307205615-mc312p5ocjwthwte-1
-
-Modified: bzr:revision-id:v3-trunk0
- - 1127 stbuehler@web.de-20080728081644-j4cxnhduw8kbt8um
-1128 stbuehler@web.de-20080728084246-axvxdtjsrratxixs
-1129 stbuehler@web.de-20080729211700-s8v6nq2cu06qesls
-1130 stbuehler@web.de-20080729211726-4yxb6e5dva1cn0lz
-1131 stbuehler@web.de-20080729211750-4ulzigswx17uciyu
-1132 stbuehler@web.de-20080729211850-nliz3kd0m576ztuu
-1133 stbuehler@web.de-20080730163440-dg2y2sbf0u4grmn4
-1134 stbuehler@web.de-20080730173952-kiutzg6geqy7mick
-1135 stbuehler@web.de-20080730193616-9kc2ms7rrhv1lkn7
-1136 stbuehler@web.de-20080730211457-z4a6uth1y29glbqh
-1137 stbuehler@web.de-20080730213517-b6sjcrdwbmipl334
-1138 stbuehler@web.de-20080731102617-2xw8unjfqic7lsew
-1139 stbuehler@web.de-20080731102703-q4tu5a6em9y8xdg0
-1140 stbuehler@web.de-20080731102729-l6vn5b05w9swqbg5
-1141 stbuehler@web.de-20080731102756-oj3d4tnk0l90mj77
-1142 stbuehler@web.de-20080731204442-blw14cj2fkr3l8ly
-1143 stbuehler@web.de-20080731204508-imtfnurf922mg7tj
-1144 stbuehler@web.de-20080801112347-girnwswdkwm8wuip
-1145 stbuehler@web.de-20080801161245-kx1temr529o7xko9
-1146 stbuehler@web.de-20080801175332-oc9e7x8edn1owcc0
-1147 stbuehler@web.de-20080801183454-5i66v0gsdv0cgmia
-1148 stbuehler@web.de-20080801192849-6zklfbb832sx0hvr
-1149 stbuehler@web.de-20080801203119-o16elp8w854s6lol
-1150 stbuehler@web.de-20080802162146-a4v57svc788pwdsv
-1151 stbuehler@web.de-20080802162202-9udlc1wuwt09pyh2
-1152 stbuehler@web.de-20080804135803-yuor9ze06px7qta4
-1153 stbuehler@web.de-20080812194728-fupt781o6q058unh
-1154 stbuehler@web.de-20080818162116-piz0ukqsaecv2li2
-1155 stbuehler@web.de-20080818235700-94t0xc6ml70zojwq
-1156 stbuehler@web.de-20080819163650-1qhwsqszr78cr4xx
-1157 stbuehler@web.de-20080819163757-1qq3t1f1wj69t8xs
-1158 stbuehler@web.de-20080819163914-rklhkurg8apv85l2
-1159 stbuehler@web.de-20080819163953-tlqew751e43phf5b
-1160 stbuehler@web.de-20080819164108-8ogh68sm1uyteawe
-1161 stbuehler@web.de-20080819173911-w5bqpb7cp9jmdqye
-1162 stbuehler@web.de-20080819222242-c0ta5gnli9p3j35a
-1163 stbuehler@web.de-20080820100730-g1bwdh4nqb53ag9u
-1164 stbuehler@web.de-20080820100752-9pggugdyfnnps8qu
-1165 stbuehler@web.de-20080820164258-v2j00motsrsc5esp
-1166 stbuehler@web.de-20080827144628-hi9hf4ch3n1wf9ao
-1167 stbuehler@web.de-20080827144903-tfxu4yehlyu5kegc
-1168 stbuehler@web.de-20080827155155-7mt92orehbxkh2lh
-1169 stbuehler@web.de-20080917142048-zbcwpk39q9ewd516
-1170 stbuehler@web.de-20080917142300-16gzt21x4nbjtj87
-1171 stbuehler@web.de-20080919160134-385anjnd3txxdw3x
-1172 stbuehler@web.de-20080920134142-fvvwaw2ys51dg4rj
-1173 stbuehler@web.de-20080921153311-1f7rn01atdilmxmy
-1174 stbuehler@web.de-20080922101346-wel327kjmykkpvmp
-1175 stbuehler@web.de-20080923190422-uow06l38ndue36o4
-1176 stbuehler@web.de-20080930112012-53jby2m8xslmd1hm
-1177 stbuehler@web.de-20080930134824-j9q72rwuiczzof5k
-1178 stbuehler@web.de-20080930142037-32pb6m3zjcwryw1w
-1179 stbuehler@web.de-20080930142756-ueovgoshyb996bce
-1180 stbuehler@web.de-20080930152935-1zfy67brol3xdbc0
-1181 stbuehler@web.de-20080930193919-13n2q4c6fbgw0dkx
-1182 stbuehler@web.de-20080930211152-4hmgs95wyg2deol7
-1183 stbuehler@web.de-20081001132402-hxnyu6yzyk3mjf4d
-1184 stbuehler@web.de-20081001155102-qf0mmu2kkpgr7xf0
-1185 stbuehler@web.de-20081001160009-n67ss0vzlac2y60k
-1186 stbuehler@web.de-20081001200802-l5og517etnneitk0
-1188 stbuehler@web.de-20081004160711-ygaohrecmutiqlla
-1189 stbuehler@web.de-20081004211932-vq16u26mthbeed7d
-1191 stbuehler@web.de-20081005224446-1bztt6zqrjh8w8fd
-1192 stbuehler@web.de-20081012114652-ihgz590f0gl5gxpw
-1193 stbuehler@web.de-20081012114716-jnzljhexi4z2gh92
-1195 stbuehler@web.de-20081016120614-kz39vxtz1pebho0o
-1196 stbuehler@web.de-20081016121103-trug4hts0o62d1ut
-1197 stbuehler@web.de-20081016121114-65quosenmso8frf8
-1198 stbuehler@web.de-20081016121421-xjjb7fb53pxu6odj
-1199 stbuehler@web.de-20081205222033-6qok7y19pwp3kxm9
-1200 stbuehler@web.de-20081205222811-49izmzxui0y9ncq6
-1201 stbuehler@web.de-20081205233903-708beaujtf26gprx
-1202 stbuehler@web.de-20081207151631-yv9bdf94zw83jxpv
-1203 stbuehler@web.de-20081207151822-mhyg0gkedmttdqvd
-1204 stbuehler@web.de-20081207151835-1m3yta2fjc4pgb8y
-1205 stbuehler@web.de-20081218221139-w8los43bjbhy9urh
-1206 stbuehler@web.de-20081218222305-5wz7000a62iqa81r
-1208 stbuehler@web.de-20090203201352-ivan8lsb3nkv1go5
-1209 stbuehler@web.de-20090203204231-03zjmk7qiol9yxgq
-1210 stbuehler@web.de-20090203210157-bx1e59fqple5oj3v
-1211 stbuehler@web.de-20090203221006-qd6w80m7lmeqgrjh
-1212 stbuehler@web.de-20090203225303-3dwmialad2u720h8
-1213 stbuehler@web.de-20090204102521-jl3vo2ftp5rsbx9y
-1214 stbuehler@web.de-20090204151616-n56of74dydkqdkgh
-1215 stbuehler@web.de-20090204172956-6wzsv0nm5nxcgfym
-1216 stbuehler@web.de-20090205105134-6i5key9439wspueq
-1217 stbuehler@web.de-20090205114017-0voscqjd5bdm9mwv
-1218 stbuehler@web.de-20090205114442-peekxwpevjl3t7j3
-1219 stbuehler@web.de-20090205215425-vicbc6hzb3at7gj9
-1220 stbuehler@web.de-20090205220741-vqz9l1eui3dwnulq
-1221 stbuehler@web.de-20090205222705-8179v6jkv2x38l70
-1222 stbuehler@web.de-20090210194631-6epujtpen9xfxx5j
-1223 stbuehler@web.de-20090216134207-fg99ikt1ds21hx25
-1224 stbuehler@web.de-20090217085833-9g5c7j7zdylvezl5
-1225 stbuehler@web.de-20090217133414-y80hydn9raqgkgto
-1226 stbuehler@web.de-20090217224447-ve7ns45c9otbgz9h
-1227 stbuehler@web.de-20090219130703-117t93t4hr4j0e8d
-1228 stbuehler@web.de-20090219130728-m8nui64vin0w95b2
-1229 stbuehler@web.de-20090219131550-exi19tbqyd8fpa0d
-1230 stbuehler@web.de-20090224133046-toewpee0ybw5tuay
-1231 stbuehler@web.de-20090228205351-yqjhutdqf30jr66o
-1232 stbuehler@web.de-20090228213824-gnwuf6by8705g6zk
-1233 stbuehler@web.de-20090303100525-kamra70ocxpji0l5
-1234 stbuehler@web.de-20090303100929-p4w2995k61yhxws2
-1235 stbuehler@web.de-20090307135056-02q8f6l1e5jehu9y
-1236 stbuehler@web.de-20090307135805-z488kad68sgcjtzz
-
- + 1127 stbuehler@web.de-20080728081644-j4cxnhduw8kbt8um
-1128 stbuehler@web.de-20080728084246-axvxdtjsrratxixs
-1129 stbuehler@web.de-20080729211700-s8v6nq2cu06qesls
-1130 stbuehler@web.de-20080729211726-4yxb6e5dva1cn0lz
-1131 stbuehler@web.de-20080729211750-4ulzigswx17uciyu
-1132 stbuehler@web.de-20080729211850-nliz3kd0m576ztuu
-1133 stbuehler@web.de-20080730163440-dg2y2sbf0u4grmn4
-1134 stbuehler@web.de-20080730173952-kiutzg6geqy7mick
-1135 stbuehler@web.de-20080730193616-9kc2ms7rrhv1lkn7
-1136 stbuehler@web.de-20080730211457-z4a6uth1y29glbqh
-1137 stbuehler@web.de-20080730213517-b6sjcrdwbmipl334
-1138 stbuehler@web.de-20080731102617-2xw8unjfqic7lsew
-1139 stbuehler@web.de-20080731102703-q4tu5a6em9y8xdg0
-1140 stbuehler@web.de-20080731102729-l6vn5b05w9swqbg5
-1141 stbuehler@web.de-20080731102756-oj3d4tnk0l90mj77
-1142 stbuehler@web.de-20080731204442-blw14cj2fkr3l8ly
-1143 stbuehler@web.de-20080731204508-imtfnurf922mg7tj
-1144 stbuehler@web.de-20080801112347-girnwswdkwm8wuip
-1145 stbuehler@web.de-20080801161245-kx1temr529o7xko9
-1146 stbuehler@web.de-20080801175332-oc9e7x8edn1owcc0
-1147 stbuehler@web.de-20080801183454-5i66v0gsdv0cgmia
-1148 stbuehler@web.de-20080801192849-6zklfbb832sx0hvr
-1149 stbuehler@web.de-20080801203119-o16elp8w854s6lol
-1150 stbuehler@web.de-20080802162146-a4v57svc788pwdsv
-1151 stbuehler@web.de-20080802162202-9udlc1wuwt09pyh2
-1152 stbuehler@web.de-20080804135803-yuor9ze06px7qta4
-1153 stbuehler@web.de-20080812194728-fupt781o6q058unh
-1154 stbuehler@web.de-20080818162116-piz0ukqsaecv2li2
-1155 stbuehler@web.de-20080818235700-94t0xc6ml70zojwq
-1156 stbuehler@web.de-20080819163650-1qhwsqszr78cr4xx
-1157 stbuehler@web.de-20080819163757-1qq3t1f1wj69t8xs
-1158 stbuehler@web.de-20080819163914-rklhkurg8apv85l2
-1159 stbuehler@web.de-20080819163953-tlqew751e43phf5b
-1160 stbuehler@web.de-20080819164108-8ogh68sm1uyteawe
-1161 stbuehler@web.de-20080819173911-w5bqpb7cp9jmdqye
-1162 stbuehler@web.de-20080819222242-c0ta5gnli9p3j35a
-1163 stbuehler@web.de-20080820100730-g1bwdh4nqb53ag9u
-1164 stbuehler@web.de-20080820100752-9pggugdyfnnps8qu
-1165 stbuehler@web.de-20080820164258-v2j00motsrsc5esp
-1166 stbuehler@web.de-20080827144628-hi9hf4ch3n1wf9ao
-1167 stbuehler@web.de-20080827144903-tfxu4yehlyu5kegc
-1168 stbuehler@web.de-20080827155155-7mt92orehbxkh2lh
-1169 stbuehler@web.de-20080917142048-zbcwpk39q9ewd516
-1170 stbuehler@web.de-20080917142300-16gzt21x4nbjtj87
-1171 stbuehler@web.de-20080919160134-385anjnd3txxdw3x
-1172 stbuehler@web.de-20080920134142-fvvwaw2ys51dg4rj
-1173 stbuehler@web.de-20080921153311-1f7rn01atdilmxmy
-1174 stbuehler@web.de-20080922101346-wel327kjmykkpvmp
-1175 stbuehler@web.de-20080923190422-uow06l38ndue36o4
-1176 stbuehler@web.de-20080930112012-53jby2m8xslmd1hm
-1177 stbuehler@web.de-20080930134824-j9q72rwuiczzof5k
-1178 stbuehler@web.de-20080930142037-32pb6m3zjcwryw1w
-1179 stbuehler@web.de-20080930142756-ueovgoshyb996bce
-1180 stbuehler@web.de-20080930152935-1zfy67brol3xdbc0
-1181 stbuehler@web.de-20080930193919-13n2q4c6fbgw0dkx
-1182 stbuehler@web.de-20080930211152-4hmgs95wyg2deol7
-1183 stbuehler@web.de-20081001132402-hxnyu6yzyk3mjf4d
-1184 stbuehler@web.de-20081001155102-qf0mmu2kkpgr7xf0
-1185 stbuehler@web.de-20081001160009-n67ss0vzlac2y60k
-1186 stbuehler@web.de-20081001200802-l5og517etnneitk0
-1188 stbuehler@web.de-20081004160711-ygaohrecmutiqlla
-1189 stbuehler@web.de-20081004211932-vq16u26mthbeed7d
-1191 stbuehler@web.de-20081005224446-1bztt6zqrjh8w8fd
-1192 stbuehler@web.de-20081012114652-ihgz590f0gl5gxpw
-1193 stbuehler@web.de-20081012114716-jnzljhexi4z2gh92
-1195 stbuehler@web.de-20081016120614-kz39vxtz1pebho0o
-1196 stbuehler@web.de-20081016121103-trug4hts0o62d1ut
-1197 stbuehler@web.de-20081016121114-65quosenmso8frf8
-1198 stbuehler@web.de-20081016121421-xjjb7fb53pxu6odj
-1199 stbuehler@web.de-20081205222033-6qok7y19pwp3kxm9
-1200 stbuehler@web.de-20081205222811-49izmzxui0y9ncq6
-1201 stbuehler@web.de-20081205233903-708beaujtf26gprx
-1202 stbuehler@web.de-20081207151631-yv9bdf94zw83jxpv
-1203 stbuehler@web.de-20081207151822-mhyg0gkedmttdqvd
-1204 stbuehler@web.de-20081207151835-1m3yta2fjc4pgb8y
-1205 stbuehler@web.de-20081218221139-w8los43bjbhy9urh
-1206 stbuehler@web.de-20081218222305-5wz7000a62iqa81r
-1208 stbuehler@web.de-20090203201352-ivan8lsb3nkv1go5
-1209 stbuehler@web.de-20090203204231-03zjmk7qiol9yxgq
-1210 stbuehler@web.de-20090203210157-bx1e59fqple5oj3v
-1211 stbuehler@web.de-20090203221006-qd6w80m7lmeqgrjh
-1212 stbuehler@web.de-20090203225303-3dwmialad2u720h8
-1213 stbuehler@web.de-20090204102521-jl3vo2ftp5rsbx9y
-1214 stbuehler@web.de-20090204151616-n56of74dydkqdkgh
-1215 stbuehler@web.de-20090204172956-6wzsv0nm5nxcgfym
-1216 stbuehler@web.de-20090205105134-6i5key9439wspueq
-1217 stbuehler@web.de-20090205114017-0voscqjd5bdm9mwv
-1218 stbuehler@web.de-20090205114442-peekxwpevjl3t7j3
-1219 stbuehler@web.de-20090205215425-vicbc6hzb3at7gj9
-1220 stbuehler@web.de-20090205220741-vqz9l1eui3dwnulq
-1221 stbuehler@web.de-20090205222705-8179v6jkv2x38l70
-1222 stbuehler@web.de-20090210194631-6epujtpen9xfxx5j
-1223 stbuehler@web.de-20090216134207-fg99ikt1ds21hx25
-1224 stbuehler@web.de-20090217085833-9g5c7j7zdylvezl5
-1225 stbuehler@web.de-20090217133414-y80hydn9raqgkgto
-1226 stbuehler@web.de-20090217224447-ve7ns45c9otbgz9h
-1227 stbuehler@web.de-20090219130703-117t93t4hr4j0e8d
-1228 stbuehler@web.de-20090219130728-m8nui64vin0w95b2
-1229 stbuehler@web.de-20090219131550-exi19tbqyd8fpa0d
-1230 stbuehler@web.de-20090224133046-toewpee0ybw5tuay
-1231 stbuehler@web.de-20090228205351-yqjhutdqf30jr66o
-1232 stbuehler@web.de-20090228213824-gnwuf6by8705g6zk
-1233 stbuehler@web.de-20090303100525-kamra70ocxpji0l5
-1234 stbuehler@web.de-20090303100929-p4w2995k61yhxws2
-1235 stbuehler@web.de-20090307135056-02q8f6l1e5jehu9y
-1236 stbuehler@web.de-20090307135805-z488kad68sgcjtzz
-1237 stbuehler@web.de-20090307154555-xybvl7sxrha6vhds
-1238 stbuehler@web.de-20090307204326-10m0681831yvhi3k
-1239 stbuehler@web.de-20090307204846-seq3cmzn6dy9927i
-1240 stbuehler@web.de-20090307205519-ha3s58fcum106yl0
-1241 stbuehler@web.de-20090307210432-jdlv5pp9m519vyv2
-
-