X-Git-Url: http://git.pld-linux.org/?p=packages%2Flighttpd.git;a=blobdiff_plain;f=lighttpd-branch.diff;h=76f06ce17cb591b31c716dc962d936cf96c36b2c;hp=4140c35477a42928df9288709be0e31cf4eaeeea;hb=2aca1085a89e62b4d3e3120492226ed7104039c8;hpb=cf0fe2e1c62db8273ff3e5b4b3a509b4ef85ec80 diff --git a/lighttpd-branch.diff b/lighttpd-branch.diff index 4140c35..76f06ce 100644 --- a/lighttpd-branch.diff +++ b/lighttpd-branch.diff @@ -1,1111 +1,1957 @@ -Index: configure.in +# Revision 2815 +Index: src/http_auth_digest.c =================================================================== ---- configure.in (.../tags/lighttpd-1.4.13) (revision 1706) -+++ configure.in (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -398,7 +398,7 @@ - - AC_MSG_RESULT($WITH_LUA) - if test "$WITH_LUA" != "no"; then -- if test "$WITH_LUA" == "yes"; then -+ if test "$WITH_LUA" = "yes"; then - WITH_LUA=lua - fi - PKG_CHECK_MODULES(LUA, $WITH_LUA >= 5.1, [ -@@ -538,7 +538,7 @@ - AC_OUTPUT - - --do_build="mod_cgi mod_fastcgi mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming" -+do_build="mod_cgi mod_fastcgi mod_extforward mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming" - - plugins="mod_rewrite mod_redirect mod_ssi mod_trigger_b4_dl" - features="regex-conditionals" -Index: src/mod_cgi.c +--- src/http_auth_digest.c (.../tags/lighttpd-1.4.29) ++++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x) +@@ -1,26 +0,0 @@ +-#include "buffer.h" +- +-#include "http_auth_digest.h" +- +-#include +- +-#ifndef USE_OPENSSL +-# include "md5.h" +- +-typedef li_MD5_CTX MD5_CTX; +-#define MD5_Init li_MD5_Init +-#define MD5_Update li_MD5_Update +-#define MD5_Final li_MD5_Final +- +-#endif +- +-void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { +- unsigned short i; +- +- for (i = 0; i < HASHLEN; i++) { +- Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); +- Hex[i*2+1] = int2hex(Bin[i] & 0xf); +- } +- Hex[HASHHEXLEN] = '\0'; +-} +- +Index: src/http_auth_digest.h =================================================================== ---- src/mod_cgi.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/mod_cgi.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -842,6 +842,12 @@ - CONST_BUF_LEN(con->authed_user)); - } +--- src/http_auth_digest.h (.../tags/lighttpd-1.4.29) ++++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x) +@@ -1,24 +0,0 @@ +-#ifndef _DIGCALC_H_ +-#define _DIGCALC_H_ +- +-#ifdef HAVE_CONFIG_H +-# include "config.h" +-#endif +- +-#define HASHLEN 16 +-typedef unsigned char HASH[HASHLEN]; +-#define HASHHEXLEN 32 +-typedef char HASHHEX[HASHHEXLEN+1]; +-#ifdef USE_OPENSSL +-#define IN const +-#else +-#define IN +-#endif +-#define OUT +- +-void CvtHex( +- IN HASH Bin, +- OUT HASHHEX Hex +- ); +- +-#endif +Index: src/network_write.c +=================================================================== +--- src/network_write.c (.../tags/lighttpd-1.4.29) ++++ src/network_write.c (.../branches/lighttpd-1.4.x) +@@ -24,17 +24,16 @@ + # include + #endif -+#ifdef USE_OPENSSL -+ if (srv_sock->is_ssl) { -+ cgi_env_add(&env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on")); -+ } -+#endif +-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) { ++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { + chunk *c; +- size_t chunks_written = 0; + +- for(c = cq->first; c; c = c->next) { ++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { + int chunk_finished = 0; + + switch(c->type) { + case MEM_CHUNK: { + char * offset; +- size_t toSend; ++ off_t toSend; + ssize_t r; + + if (c->mem->used == 0) { +@@ -44,6 +43,8 @@ + + offset = c->mem->ptr + c->offset; + toSend = c->mem->used - 1 - c->offset; ++ if (toSend > max_bytes) toSend = max_bytes; ++ + #ifdef __WIN32 + if ((r = send(fd, offset, toSend, 0)) < 0) { + /* no error handling for windows... */ +@@ -72,6 +73,7 @@ + + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; + + if (c->offset == (off_t)c->mem->used - 1) { + chunk_finished = 1; +@@ -85,7 +87,7 @@ + #endif + ssize_t r; + off_t offset; +- size_t toSend; ++ off_t toSend; + stat_cache_entry *sce = NULL; + int ifd; + +@@ -98,6 +100,8 @@ + offset = c->file.start + c->offset; + toSend = c->file.length - c->offset; + ++ if (toSend > max_bytes) toSend = max_bytes; + - /* request.content_length < SSIZE_MAX, see request.c */ - ltostr(buf, con->request.content_length); - cgi_env_add(&env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf)); -Index: src/base.h -=================================================================== ---- src/base.h (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/base.h (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -481,7 +481,9 @@ - enum { STAT_CACHE_ENGINE_UNSET, - STAT_CACHE_ENGINE_NONE, - STAT_CACHE_ENGINE_SIMPLE, -+#ifdef HAVE_FAM_H - STAT_CACHE_ENGINE_FAM -+#endif - } stat_cache_engine; - unsigned short enable_cores; - } server_config; -Index: src/connections.c -=================================================================== ---- src/connections.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/connections.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -500,6 +500,7 @@ - case 201: - case 301: - case 302: -+ case 303: - break; + if (offset > sce->st.st_size) { + log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); - case 206: /* write_queue is already prepared */ -@@ -970,7 +971,7 @@ - } - } else { - /* a splited \r \n */ -- return -1; -+ break; - } - } - } -Index: src/configfile.c -=================================================================== ---- src/configfile.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/configfile.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -218,13 +218,19 @@ - srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_SIMPLE; - } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("simple"))) { - srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_SIMPLE; -+#ifdef HAVE_FAM_H - } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("fam"))) { - srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_FAM; -+#endif - } else if (buffer_is_equal_string(stat_cache_string, CONST_STR_LEN("disable"))) { - srv->srvconf.stat_cache_engine = STAT_CACHE_ENGINE_NONE; - } else { - log_error_write(srv, __FILE__, __LINE__, "sb", -- "server.stat-cache-engine can be one of \"disable\", \"simple\", \"fam\", but not:", stat_cache_string); -+ "server.stat-cache-engine can be one of \"disable\", \"simple\"," -+#ifdef HAVE_FAM_H -+ " \"fam\"," -+#endif -+ " but not:", stat_cache_string); - ret = HANDLER_ERROR; +@@ -181,6 +185,7 @@ + + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; + + if (c->offset == c->file.length) { + chunk_finished = 1; +@@ -200,11 +205,9 @@ + + break; + } +- +- chunks_written++; } -Index: src/mod_scgi.c -=================================================================== ---- src/mod_scgi.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -2528,7 +2528,7 @@ - hctx->reconnects < 5) { - scgi_reconnect(srv, hctx); - -- log_error_write(srv, __FILE__, __LINE__, "sdsdsd", -+ log_error_write(srv, __FILE__, __LINE__, "ssdsd", - "response not sent, request not sent, reconnection.", - "connection-fd:", con->fd, - "fcgi-fd:", hctx->fd); -Index: src/request.c +- return chunks_written; ++ return 0; + } + + #if 0 +Index: src/mod_secure_download.c =================================================================== ---- src/request.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/request.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -85,6 +85,9 @@ - /* Host is empty */ - if (host_len == 0) return -1; - -+ /* if the hostname ends in a "." strip it */ -+ if (host->ptr[host_len-1] == '.') host_len -= 1; -+ - /* scan from the right and skip the \0 */ - for (i = host_len - 1; i + 1 > 0; i--) { - const char c = host->ptr[i]; -Index: src/network_backends.h +--- src/mod_secure_download.c (.../tags/lighttpd-1.4.29) ++++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x) +@@ -8,18 +8,8 @@ + #include + #include + +-#ifdef USE_OPENSSL +-# include +-#else +-# include "md5.h" ++#include "md5.h" + +-typedef li_MD5_CTX MD5_CTX; +-#define MD5_Init li_MD5_Init +-#define MD5_Update li_MD5_Update +-#define MD5_Final li_MD5_Final +- +-#endif +- + #define HASHLEN 16 + typedef unsigned char HASH[HASHLEN]; + #define HASHHEXLEN 32 +@@ -200,7 +190,7 @@ + + URIHANDLER_FUNC(mod_secdownload_uri_handler) { + plugin_data *p = p_d; +- MD5_CTX Md5Ctx; ++ li_MD5_CTX Md5Ctx; + HASH HA1; + const char *rel_uri, *ts_str, *md5_str; + time_t ts = 0; +@@ -266,9 +256,9 @@ + buffer_append_string(p->md5, rel_uri); + buffer_append_string_len(p->md5, ts_str, 8); + +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); +- MD5_Final(HA1, &Md5Ctx); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); ++ li_MD5_Final(HA1, &Md5Ctx); + + buffer_copy_string_hex(p->md5, (char *)HA1, 16); + +Index: src/base.h =================================================================== ---- src/network_backends.h (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/network_backends.h (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -14,7 +14,7 @@ - # include +--- src/base.h (.../tags/lighttpd-1.4.29) ++++ src/base.h (.../branches/lighttpd-1.4.x) +@@ -277,6 +277,7 @@ + buffer *ssl_cipher_list; + buffer *ssl_dh_file; + buffer *ssl_ec_curve; ++ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ + unsigned short ssl_use_sslv2; + unsigned short ssl_use_sslv3; + unsigned short ssl_verifyclient; +@@ -284,6 +285,7 @@ + unsigned short ssl_verifyclient_depth; + buffer *ssl_verifyclient_username; + unsigned short ssl_verifyclient_export_cert; ++ unsigned short ssl_disable_client_renegotiation; + + unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ + unsigned short defer_accept; +@@ -437,6 +439,7 @@ + # ifndef OPENSSL_NO_TLSEXT + buffer *tlsext_server_name; + # endif ++ unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ #endif + /* etag handling */ + etag_flags_t etag_flags; +@@ -647,11 +650,9 @@ --#if defined HAVE_SYS_UIO_H && defined HAVE_SENDFILE && defined HAVE_WRITEV && defined(__FreeBSD__) -+#if defined HAVE_SYS_UIO_H && defined HAVE_SENDFILE && defined HAVE_WRITEV && (defined(__FreeBSD__) || defined(__DragonFly__)) - # define USE_FREEBSD_SENDFILE - # include + fdevent_handler_t event_handler; + +- int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); +- int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); ++ int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); + #ifdef USE_OPENSSL +- int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); +- int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); ++ int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); #endif -Index: src/mod_proxy.c -=================================================================== ---- src/mod_proxy.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -656,6 +656,7 @@ - } - if (-1 == (r = read(hctx->fd, hctx->response->ptr + hctx->response->used - 1, b))) { -+ if (errno == EAGAIN) return 0; - log_error_write(srv, __FILE__, __LINE__, "sds", - "unexpected end-of-file (perhaps the proxy process died):", - proxy_fd, strerror(errno)); -Index: src/mod_extforward.c + uid_t uid; +Index: src/connections.c =================================================================== ---- src/mod_extforward.c (.../tags/lighttpd-1.4.13) (revision 0) -+++ src/mod_extforward.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -0,0 +1,490 @@ -+#include -+#include -+#include -+#include -+#include -+ -+#include "base.h" -+#include "log.h" -+#include "buffer.h" -+ -+#include "plugin.h" -+ -+#include "inet_ntop_cache.h" -+#ifdef HAVE_CONFIG_H -+#include "config.h" -+#endif -+ -+/** -+ * mod_extforward.c for lighttpd, by comman.kang gmail com -+ * extended, modified by Lionel Elie Mamane (LEM), lionel mamane lu -+ * -+ * Config example: -+ * -+ * Trust proxy 10.0.0.232 and 10.0.0.232 -+ * extforward.forwarder = ( "10.0.0.232" => "trust", -+ * "10.0.0.233" => "trust" ) -+ * -+ * Trust all proxies (NOT RECOMMENDED!) -+ * extforward.forwarder = ( "all" => "trust") -+ * -+ * Note that "all" has precedence over specific entries, -+ * so "all except" setups will not work. -+ * -+ * Note: The effect of this module is variable on $HTTP["remotip"] directives and -+ * other module's remote ip dependent actions. -+ * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. -+ * Things done in between these two moments will match on the real client's IP. -+ * The moment things are done by a module depends on in which hook it does things and within the same hook -+ * on whether they are before/after us in the module loading order -+ * (order in the server.modules directive in the config file). -+ * -+ * Tested behaviours: -+ * -+ * mod_access: Will match on the real client. -+ * -+ * mod_accesslog: -+ * In order to see the "real" ip address in access log , -+ * you'll have to load mod_extforward after mod_accesslog. -+ * like this: -+ * -+ * server.modules = ( -+ * ..... -+ * mod_accesslog, -+ * mod_extforward -+ * ) -+ * -+ * Known issues: -+ * seems causing segfault with mod_ssl and $HTTP{"socket"} directives -+ * LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL. -+ * -+ * ChangeLog: -+ * 2005.12.19 Initial Version -+ * 2005.12.19 fixed conflict with conditional directives -+ * 2006.05.26 LEM: IPv6 support -+ * 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive. -+ * 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI -+ * In this manner, we run before mod_access and $HTTP["remoteip"] directives work! -+ * 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change. -+ */ -+ -+ -+/* plugin config for all request/connections */ -+ -+typedef struct { -+ array *forwarder; -+} plugin_config; -+ -+typedef struct { -+ PLUGIN_DATA; -+ -+ plugin_config **config_storage; -+ -+ plugin_config conf; -+} plugin_data; -+ -+ -+/* context , used for restore remote ip */ -+ -+typedef struct { -+ sock_addr saved_remote_addr; -+ buffer *saved_remote_addr_buf; -+} handler_ctx; -+ -+ -+static handler_ctx * handler_ctx_init(sock_addr oldaddr, buffer *oldaddr_buf) { -+ handler_ctx * hctx; -+ hctx = calloc(1, sizeof(*hctx)); -+ hctx->saved_remote_addr = oldaddr; -+ hctx->saved_remote_addr_buf = oldaddr_buf; -+ return hctx; -+} -+ -+static void handler_ctx_free(handler_ctx *hctx) { -+ free(hctx); -+} -+ -+/* init the plugin data */ -+INIT_FUNC(mod_extforward_init) { -+ plugin_data *p; -+ p = calloc(1, sizeof(*p)); -+ return p; -+} -+ -+/* destroy the plugin data */ -+FREE_FUNC(mod_extforward_free) { -+ plugin_data *p = p_d; -+ -+ UNUSED(srv); -+ -+ if (!p) return HANDLER_GO_ON; -+ -+ if (p->config_storage) { -+ size_t i; -+ -+ for (i = 0; i < srv->config_context->used; i++) { -+ plugin_config *s = p->config_storage[i]; -+ -+ if (!s) continue; -+ -+ array_free(s->forwarder); -+ -+ free(s); -+ } -+ free(p->config_storage); -+ } -+ -+ -+ free(p); -+ -+ return HANDLER_GO_ON; -+} -+ -+/* handle plugin config and check values */ -+ -+SETDEFAULTS_FUNC(mod_extforward_set_defaults) { -+ plugin_data *p = p_d; -+ size_t i = 0; -+ -+ config_values_t cv[] = { -+ { "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ -+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } -+ }; -+ -+ if (!p) return HANDLER_ERROR; -+ -+ p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *)); -+ -+ for (i = 0; i < srv->config_context->used; i++) { -+ plugin_config *s; -+ -+ s = calloc(1, sizeof(plugin_config)); -+ s->forwarder = array_init(); -+ -+ cv[0].destination = s->forwarder; -+ -+ p->config_storage[i] = s; -+ -+ if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) { -+ return HANDLER_ERROR; -+ } -+ } -+ -+ return HANDLER_GO_ON; -+} -+ -+#define PATCH(x) \ -+ p->conf.x = s->x; -+static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) { -+ size_t i, j; -+ plugin_config *s = p->config_storage[0]; -+ -+ PATCH(forwarder); -+ -+ /* LEM: The purpose of this seems to match extforward configuration -+ stanzas that are not in the global context, but in some sub-context. -+ I fear this will break contexts of the form HTTP['remote'] = . -+ (in the form that they do not work with the real remote, but matching on -+ the proxy instead). -+ -+ I'm not sure this this is all thread-safe. Is the p we are passed different -+ for each connection or is it global? -+ -+ mod_fastcgi does the same, so it must be safe. -+ */ -+ /* skip the first, the global context */ -+ for (i = 1; i < srv->config_context->used; i++) { -+ data_config *dc = (data_config *)srv->config_context->data[i]; -+ s = p->config_storage[i]; -+ -+ /* condition didn't match */ -+ if (!config_check_cond(srv, con, dc)) continue; -+ -+ /* merge config */ -+ for (j = 0; j < dc->value->used; j++) { -+ data_unset *du = dc->value->data[j]; -+ -+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) { -+ PATCH(forwarder); -+ } +--- src/connections.c (.../tags/lighttpd-1.4.29) ++++ src/connections.c (.../branches/lighttpd-1.4.x) +@@ -223,6 +223,12 @@ + + len = SSL_read(con->ssl, b->ptr + read_offset, toread); + ++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { ++ connection_set_state(srv, con, CON_STATE_ERROR); ++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); ++ return -1; + } -+ } + -+ return 0; -+} -+#undef PATCH -+ -+ -+static void put_string_into_array_len(array *ary, const char *str, int len) -+{ -+ data_string *tempdata; -+ if (len == 0) -+ return; -+ tempdata = data_string_init(); -+ buffer_copy_string_len(tempdata->value,str,len); -+ array_insert_unique(ary,(data_unset *)tempdata); -+} -+/* -+ extract a forward array from the environment -+*/ -+static array *extract_forward_array(buffer *pbuffer) -+{ -+ array *result = array_init(); -+ if (pbuffer->used > 0) { -+ char *base, *curr; -+ /* state variable, 0 means not in string, 1 means in string */ -+ int in_str = 0; -+ for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) -+ { -+ if (in_str) { -+ if ( (*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' ) { -+ /* found an separator , insert value into result array */ -+ put_string_into_array_len(result, base, curr-base); -+ /* change state to not in string */ -+ in_str = 0; -+ } -+ } else { -+ if (*curr >= '0' && *curr <= '9') -+ { -+ /* found leading char of an IP address, move base pointer and change state */ -+ base = curr; -+ in_str = 1; -+ } + if (len > 0) { + if (b->used > 0) b->used--; + b->used += len; +@@ -445,6 +451,7 @@ + default: + switch(con->http_status) { + case 400: /* bad request */ ++ case 401: /* authorization required */ + case 414: /* overload request header */ + case 505: /* unknown protocol */ + case 207: /* this was webdav */ +@@ -617,8 +624,9 @@ + } + + static int connection_handle_write(server *srv, connection *con) { +- switch(network_write_chunkqueue(srv, con, con->write_queue)) { ++ switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { + case 0: ++ con->write_request_ts = srv->cur_ts; + if (con->file_finished) { + connection_set_state(srv, con, CON_STATE_RESPONSE_END); + joblist_append(srv, con); +@@ -635,6 +643,7 @@ + joblist_append(srv, con); + break; + case 1: ++ con->write_request_ts = srv->cur_ts; + con->is_writable = 0; + + /* not finished yet -> WRITE */ +@@ -1251,8 +1260,6 @@ + log_error_write(srv, __FILE__, __LINE__, "ds", + con->fd, + "handle write failed."); +- } else if (con->state == CON_STATE_WRITE) { +- con->write_request_ts = srv->cur_ts; + } + } + +@@ -1352,6 +1359,7 @@ + return NULL; + } + ++ con->renegotiations = 0; + #ifndef OPENSSL_NO_TLSEXT + SSL_set_app_data(con->ssl, con); + #endif +@@ -1667,8 +1675,6 @@ + con->fd, + "handle write failed."); + connection_set_state(srv, con, CON_STATE_ERROR); +- } else if (con->state == CON_STATE_WRITE) { +- con->write_request_ts = srv->cur_ts; + } + } + +Index: src/mod_staticfile.c +=================================================================== +--- src/mod_staticfile.c (.../tags/lighttpd-1.4.29) ++++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x) +@@ -26,6 +26,7 @@ + typedef struct { + array *exclude_ext; + unsigned short etags_used; ++ unsigned short disable_pathinfo; + } plugin_config; + + typedef struct { +@@ -84,6 +85,7 @@ + config_values_t cv[] = { + { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ + { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ ++ { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ + { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + +@@ -97,9 +99,11 @@ + s = calloc(1, sizeof(plugin_config)); + s->exclude_ext = array_init(); + s->etags_used = 1; ++ s->disable_pathinfo = 0; + + cv[0].destination = s->exclude_ext; + cv[1].destination = &(s->etags_used); ++ cv[2].destination = &(s->disable_pathinfo); + + p->config_storage[i] = s; + +@@ -119,6 +123,7 @@ + + PATCH(exclude_ext); + PATCH(etags_used); ++ PATCH(disable_pathinfo); + + /* skip the first, the global context */ + for (i = 1; i < srv->config_context->used; i++) { +@@ -136,7 +141,9 @@ + PATCH(exclude_ext); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { + PATCH(etags_used); +- } ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { ++ PATCH(disable_pathinfo); + } + } + } + +@@ -350,7 +357,6 @@ + URIHANDLER_FUNC(mod_staticfile_subrequest) { + plugin_data *p = p_d; + size_t k; +- int s_len; + stat_cache_entry *sce = NULL; + buffer *mtime = NULL; + data_string *ds; +@@ -376,7 +382,12 @@ + + mod_staticfile_patch_connection(srv, con, p); + +- s_len = con->uri.path->used - 1; ++ if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { ++ if (con->conf.log_request_handling) { ++ log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); + } -+ /* if breaking out while in str, we got to the end of string, so add it */ -+ if (in_str) -+ { -+ put_string_into_array_len(result, base, curr-base); -+ } -+ } -+ return result; -+} -+ -+#define IP_TRUSTED 1 -+#define IP_UNTRUSTED 0 -+/* -+ check whether ip is trusted, return 1 for trusted , 0 for untrusted -+*/ -+static int is_proxy_trusted(const char *ipstr, plugin_data *p) -+{ -+ data_string* allds = (data_string *) array_get_element(p->conf.forwarder,"all"); -+ if (allds) { -+ if (strcasecmp(allds->value->ptr,"trust") == 0) -+ return IP_TRUSTED; -+ else -+ return IP_UNTRUSTED; ++ return HANDLER_GO_ON; + } -+ return (data_string *)array_get_element(p->conf.forwarder,ipstr) ? IP_TRUSTED : IP_UNTRUSTED ; -+} -+ -+struct addrinfo *ipstr_to_sockaddr(const char *host) -+{ -+ struct addrinfo hints, *res0; -+ int result; -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; -+ -+ result = getaddrinfo(host, NULL, &hints, &res0); -+ if ( result != 0 ) -+ { -+ fprintf(stderr,"could not resolve hostname %s because %s\n", host,gai_strerror(result)); -+ if (result == EAI_SYSTEM) -+ perror("The system error is "); -+ return NULL; -+ } -+ else -+ if (res0==0) -+ fprintf(stderr, "Problem in resolving hostname %s: succeeded, but no information returned\n", host); -+ -+ return res0; -+} -+ -+ -+static void clean_cond_cache(server *srv, connection *con) -+{ -+ size_t i; -+ -+ for (i = 0; i < srv->config_context->used; i++) { -+ data_config *dc = (data_config *)srv->config_context->data[i]; -+ -+ if (dc->comp == COMP_HTTP_REMOTEIP) -+ { -+ con->cond_cache[i].result = COND_RESULT_UNSET; -+ con->cond_cache[i].patterncount = 0; -+ } + + /* ignore certain extensions */ + for (k = 0; k < p->conf.exclude_ext->used; k++) { +Index: src/network.c +=================================================================== +--- src/network.c (.../tags/lighttpd-1.4.29) ++++ src/network.c (.../branches/lighttpd-1.4.x) +@@ -27,6 +27,19 @@ + # include + #endif + ++#ifdef USE_OPENSSL ++static void ssl_info_callback(const SSL *ssl, int where, int ret) { ++ UNUSED(ret); ++ ++ if (0 != (where & SSL_CB_HANDSHAKE_START)) { ++ connection *con = SSL_get_app_data(ssl); ++ ++con->renegotiations; ++ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { ++ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } +} -+ -+URIHANDLER_FUNC(mod_extforward_uri_handler) { -+ plugin_data *p = p_d; -+ data_string *forwarded = NULL; -+#ifdef HAVE_IPV6 -+ char b2[INET6_ADDRSTRLEN + 1]; +#endif -+ const char *s; -+ UNUSED(srv); -+ mod_extforward_patch_connection(srv, con, p); -+ -+/* log_error_write(srv, __FILE__, __LINE__,"s","mod_extforward_uri_handler called\n"); */ + -+ /* if the remote ip itself is not trusted , then do nothing */ -+#ifdef HAVE_IPV6 -+ s = inet_ntop(con->dst_addr.plain.sa_family, -+ con->dst_addr.plain.sa_family == AF_INET6 ? -+ &(con->dst_addr.ipv6.sin6_addr) : -+ &(con->dst_addr.ipv4.sin_addr), -+ b2, -+ (sizeof b2) - 1); -+#else -+ s = inet_ntoa(con->dst_addr.ipv4.sin_addr); + static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { + server_socket *srv_socket = (server_socket *)context; + connection *con; +@@ -480,9 +493,11 @@ + network_backend_t backend; + + #if OPENSSL_VERSION_NUMBER >= 0x0090800fL ++#ifndef OPENSSL_NO_ECDH + EC_KEY *ecdh; + int nid; + #endif +#endif -+ if (IP_UNTRUSTED == is_proxy_trusted (s, p) ) -+ return HANDLER_GO_ON; -+ -+ /* log_error_write(srv, __FILE__, __LINE__,"s","remote address is trusted proxy, go on\n");*/ -+ if (con->request.headers && -+ ((forwarded = (data_string *) array_get_element(con->request.headers,"X-Forwarded-For")) || -+ (forwarded = (data_string *) array_get_element(con->request.headers, "Forwarded-For")))) -+ { -+ /* log_error_write(srv, __FILE__, __LINE__,"s","found forwarded header\n");*/ -+ /* found forwarded for header */ -+ int i; -+ array *forward_array = extract_forward_array(forwarded->value); -+ char *real_remote_addr = NULL; -+#ifdef HAVE_IPV6 -+ struct addrinfo *addrlist = NULL; + + #ifdef USE_OPENSSL + DH *dh; +@@ -553,6 +568,11 @@ + /* load SSL certificates */ + for (i = 0; i < srv->config_context->used; i++) { + specific_config *s = srv->config_storage[i]; ++#ifndef SSL_OP_NO_COMPRESSION ++# define SSL_OP_NO_COMPRESSION 0 +#endif -+ /* Testing shows that multiple headers and multiple values in one header -+ come in _reverse_ order. So the first one we get is the last one in the request. */ -+ for (i = forward_array->used - 1; i >= 0; i--) -+ { -+ data_string *ds = (data_string *) forward_array->data[i]; -+ if (ds) { -+/* log_error_write(srv, __FILE__, __LINE__,"ss","forward",ds->value->ptr); */ -+ real_remote_addr = ds->value->ptr; -+ break; -+ /* LEM: What the hell is this about? -+ We test whether the forwarded for IP is trusted? -+ This looks like an ugly hack to handle multiple Forwarded-For's -+ and avoid those set to our proxies, or something like that. -+ My testing shows that reverse proxies add a new X-Forwarded-For header, -+ and we should thus take the last one, which is the first one we see. -+ -+ The net result of the old code is that we use the first untrusted IP, -+ or if all are trusted, the last trusted IP. -+ That's crazy. So I've disabled this. -+ */ -+ /* check whether it is trusted */ -+/* if (IP_UNTRUSTED == is_proxy_trusted(ds->value->ptr,p) ) */ -+/* break; */ -+/* log_error_write(srv, __FILE__, __LINE__,"ss",ds->value->ptr," is trusted."); */ ++ long ssloptions = ++ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; + + if (buffer_is_empty(s->ssl_pemfile)) continue; + +@@ -586,6 +606,9 @@ + return -1; + } + ++ SSL_CTX_set_options(s->ssl_ctx, ssloptions); ++ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); ++ + if (!s->ssl_use_sslv2) { + /* disable SSLv2 */ + if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { +@@ -611,6 +634,10 @@ + ERR_error_string(ERR_get_error(), NULL)); + return -1; + } + ++ if (s->ssl_honor_cipher_order) { ++ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } -+ else { -+ /* bug ? bailing out here */ -+ break; -+ } -+ } -+ if (real_remote_addr != NULL) /* parsed */ -+ { -+ sock_addr s; -+ struct addrinfo *addrs_left; -+/* log_error_write(srv, __FILE__, __LINE__,"ss","use forward",real_remote_addr); */ -+#ifdef HAVE_IPV6 -+ addrlist = ipstr_to_sockaddr(real_remote_addr); -+ s.plain.sa_family = AF_UNSPEC; -+ for (addrs_left = addrlist; addrs_left != NULL; -+ addrs_left = addrs_left -> ai_next) -+ { -+ s.plain.sa_family = addrs_left->ai_family; -+ if ( s.plain.sa_family == AF_INET ) -+ { -+ s.ipv4.sin_addr = ((struct sockaddr_in*)addrs_left->ai_addr)->sin_addr; -+ break; -+ } -+ else if ( s.plain.sa_family == AF_INET6 ) -+ { -+ s.ipv6.sin6_addr = ((struct sockaddr_in6*)addrs_left->ai_addr)->sin6_addr; -+ break; -+ } -+ } -+#else -+ s.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr); -+ s.plain.sa_family = (s.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET; -+#endif -+ if (s.plain.sa_family != AF_UNSPEC) -+ { -+ /* we found the remote address, modify current connection and save the old address */ -+ if (con->plugin_ctx[p->id]) { -+ log_error_write(srv, __FILE__, __LINE__,"patching an already patched connection!"); -+ handler_ctx_free(con->plugin_ctx[p->id]); -+ con->plugin_ctx[p->id] = NULL; -+ } -+ /* save old address */ -+ con->plugin_ctx[p->id] = handler_ctx_init(con->dst_addr, con->dst_addr_buf); -+ /* patch connection address */ -+ con->dst_addr = s; -+ con->dst_addr_buf = buffer_init(); -+ buffer_copy_string(con->dst_addr_buf, real_remote_addr); -+/* log_error_write(srv, __FILE__, __LINE__,"ss","Set dst_addr_buf to ", real_remote_addr); */ -+ /* Now, clean the conf_cond cache, because we may have changed the results of tests */ -+ clean_cond_cache(srv, con); -+ } -+#ifdef HAVE_IPV6 -+ if (addrlist != NULL ) freeaddrinfo(addrlist); -+#endif + } + + /* Support for Diffie-Hellman key exchange */ +@@ -847,7 +874,7 @@ + return 0; + } + +-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { ++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { + int ret = -1; + off_t written = 0; + #ifdef TCP_CORK +@@ -855,16 +882,34 @@ + #endif + server_socket *srv_socket = con->srv_socket; + +- if (con->conf.global_kbytes_per_second && +- *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) { +- /* we reached the global traffic limit */ ++ if (con->conf.global_kbytes_per_second) { ++ off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); ++ if (limit <= 0) { ++ /* we reached the global traffic limit */ + +- con->traffic_limit_reached = 1; +- joblist_append(srv, con); ++ con->traffic_limit_reached = 1; ++ joblist_append(srv, con); + +- return 1; ++ return 1; ++ } else { ++ if (max_bytes > limit) max_bytes = limit; + } -+ array_free(forward_array); -+ } -+ -+ /* not found */ -+ return HANDLER_GO_ON; -+} -+ -+CONNECTION_FUNC(mod_extforward_restore) { -+ plugin_data *p = p_d; -+ UNUSED(srv); + } + ++ if (con->conf.kbytes_per_second) { ++ off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; ++ if (limit <= 0) { ++ /* we reached the traffic limit */ + -+ /* LEM: This seems completely unuseful, as we are not using -+ p->conf in this function. Furthermore, it brings a -+ segfault if one of the conditional configuration -+ blocks is "SERVER['socket'] == foo", because the -+ socket is not known yet in the srv/con structure. -+ */ -+ /* mod_extforward_patch_connection(srv, con, p); */ ++ con->traffic_limit_reached = 1; ++ joblist_append(srv, con); + -+ /* restore this connection's remote ip */ -+ if (con->plugin_ctx[p->id]) { -+ handler_ctx *hctx = con->plugin_ctx[p->id]; -+ con->dst_addr = hctx->saved_remote_addr; -+ buffer_free(con->dst_addr_buf); -+ con->dst_addr_buf = hctx->saved_remote_addr_buf; -+/* log_error_write(srv, __FILE__, __LINE__,"s","LEM: Reset dst_addr_buf"); */ -+ handler_ctx_free(hctx); -+ con->plugin_ctx[p->id] = NULL; -+ /* Now, clean the conf_cond cache, because we may have changed the results of tests */ -+ clean_cond_cache(srv, con); ++ return 1; ++ } else { ++ if (max_bytes > limit) max_bytes = limit; ++ } + } -+ return HANDLER_GO_ON; -+} -+ -+ -+/* this function is called at dlopen() time and inits the callbacks */ + -+int mod_extforward_plugin_init(plugin *p) { -+ p->version = LIGHTTPD_VERSION_ID; -+ p->name = buffer_init_string("extforward"); -+ -+ p->init = mod_extforward_init; -+ p->handle_uri_raw = mod_extforward_uri_handler; -+ p->handle_request_done = mod_extforward_restore; -+ p->connection_reset = mod_extforward_restore; -+ p->set_defaults = mod_extforward_set_defaults; -+ p->cleanup = mod_extforward_free; -+ -+ p->data = NULL; -+ -+ return 0; -+} -+ - -Property changes on: src/mod_extforward.c -___________________________________________________________________ -Name: svn:eol-style - + native - + written = cq->bytes_out; + + #ifdef TCP_CORK +@@ -879,10 +924,10 @@ + + if (srv_socket->is_ssl) { + #ifdef USE_OPENSSL +- ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq); ++ ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); + #endif + } else { +- ret = srv->network_backend_write(srv, con, con->fd, cq); ++ ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); + } + + if (ret >= 0) { +@@ -903,12 +948,5 @@ + + *(con->conf.global_bytes_per_second_cnt_ptr) += written; + +- if (con->conf.kbytes_per_second && +- (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) { +- /* we reached the traffic limit */ +- +- con->traffic_limit_reached = 1; +- joblist_append(srv, con); +- } + return ret; + } +Index: src/network.h +=================================================================== +--- src/network.h (.../tags/lighttpd-1.4.29) ++++ src/network.h (.../branches/lighttpd-1.4.x) +@@ -3,7 +3,7 @@ + + #include "server.h" + +-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c); ++int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes); + + int network_init(server *srv); + int network_close(server *srv); +Index: src/configfile.c +=================================================================== +--- src/configfile.c (.../tags/lighttpd-1.4.29) ++++ src/configfile.c (.../branches/lighttpd-1.4.x) +@@ -105,6 +105,8 @@ + { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ + { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ + { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ ++ { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ ++ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ + + { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, + { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, +@@ -176,6 +178,7 @@ + s->max_write_idle = 360; + s->use_xattr = 0; + s->is_ssl = 0; ++ s->ssl_honor_cipher_order = 1; + s->ssl_use_sslv2 = 0; + s->ssl_use_sslv3 = 1; + s->use_ipv6 = 0; +@@ -199,6 +202,7 @@ + s->ssl_verifyclient_username = buffer_init(); + s->ssl_verifyclient_depth = 9; + s->ssl_verifyclient_export_cert = 0; ++ s->ssl_disable_client_renegotiation = 1; + + cv[2].destination = s->errorfile_prefix; + +@@ -245,6 +249,8 @@ + cv[62].destination = &(s->ssl_use_sslv3); + cv[63].destination = s->ssl_dh_file; + cv[64].destination = s->ssl_ec_curve; ++ cv[66].destination = &(s->ssl_honor_cipher_order); ++ + cv[49].destination = &(s->etag_use_inode); + cv[50].destination = &(s->etag_use_mtime); + cv[51].destination = &(s->etag_use_size); +@@ -255,6 +261,7 @@ + cv[58].destination = &(s->ssl_verifyclient_depth); + cv[59].destination = s->ssl_verifyclient_username; + cv[60].destination = &(s->ssl_verifyclient_export_cert); ++ cv[65].destination = &(s->ssl_disable_client_renegotiation); + + srv->config_storage[i] = s; + +@@ -335,6 +342,7 @@ + PATCH(ssl_cipher_list); + PATCH(ssl_dh_file); + PATCH(ssl_ec_curve); ++ PATCH(ssl_honor_cipher_order); + PATCH(ssl_use_sslv2); + PATCH(ssl_use_sslv3); + PATCH(etag_use_inode); +@@ -346,6 +354,7 @@ + PATCH(ssl_verifyclient_depth); + PATCH(ssl_verifyclient_username); + PATCH(ssl_verifyclient_export_cert); ++ PATCH(ssl_disable_client_renegotiation); + + return 0; + } +@@ -400,6 +409,8 @@ + #endif + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { + PATCH(ssl_ca_file); ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { ++ PATCH(ssl_honor_cipher_order); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { + PATCH(ssl_use_sslv2); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { +@@ -454,6 +465,8 @@ + PATCH(ssl_verifyclient_username); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { + PATCH(ssl_verifyclient_export_cert); ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { ++ PATCH(ssl_disable_client_renegotiation); + } + } + } +Index: src/mod_scgi.c +=================================================================== +--- src/mod_scgi.c (.../tags/lighttpd-1.4.29) ++++ src/mod_scgi.c (.../branches/lighttpd-1.4.x) +@@ -2296,7 +2296,7 @@ + + /* fall through */ + case FCGI_STATE_WRITE: +- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); ++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); + + chunkqueue_remove_finished_chunks(hctx->wb); + +Index: src/request.c +=================================================================== +--- src/request.c (.../tags/lighttpd-1.4.29) ++++ src/request.c (.../branches/lighttpd-1.4.x) +@@ -49,7 +49,7 @@ + if (++colon_cnt > 7) { + return -1; + } +- } else if (!light_isxdigit(*c)) { ++ } else if (!light_isxdigit(*c) && '.' != *c) { + return -1; + } + } +Index: src/network_backends.h +=================================================================== +--- src/network_backends.h (.../tags/lighttpd-1.4.29) ++++ src/network_backends.h (.../branches/lighttpd-1.4.x) +@@ -47,18 +47,18 @@ + #include "base.h" + + /* return values: +- * >= 0 : chunks completed ++ * >= 0 : no error + * -1 : error (on our side) + * -2 : remote close + */ + +-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq); +-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq); +-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq); +-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq); +-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq); ++int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); ++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); ++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); ++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); ++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); + #ifdef USE_OPENSSL +-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq); ++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); + #endif + + #endif +Index: src/SConscript +=================================================================== +--- src/SConscript (.../tags/lighttpd-1.4.29) ++++ src/SConscript (.../branches/lighttpd-1.4.x) +@@ -12,7 +12,8 @@ + data_integer.c md5.c data_fastcgi.c \ + fdevent_select.c fdevent_libev.c \ + fdevent_poll.c fdevent_linux_sysepoll.c \ +- fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ ++ fdevent_solaris_devpoll.c fdevent_solaris_port.c \ ++ fdevent_freebsd_kqueue.c \ + data_config.c bitset.c \ + inet_ntop_cache.c crc32.c \ + connections-glue.c \ +@@ -62,7 +63,7 @@ + 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, + 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, + 'mod_auth' : { +- 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], ++ 'src' : [ 'mod_auth.c', 'http_auth.c' ], + 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, + 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, + 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, +Index: src/mod_cml_funcs.c +=================================================================== +--- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29) ++++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x) +@@ -17,18 +17,8 @@ + #include + #include + +-#ifdef USE_OPENSSL +-# include +-#else +-# include "md5.h" ++#include "md5.h" + +-typedef li_MD5_CTX MD5_CTX; +-#define MD5_Init li_MD5_Init +-#define MD5_Update li_MD5_Update +-#define MD5_Final li_MD5_Final +- +-#endif +- + #define HASHLEN 16 + typedef unsigned char HASH[HASHLEN]; + #define HASHHEXLEN 32 +@@ -43,7 +33,7 @@ + #ifdef HAVE_LUA_H + + int f_crypto_md5(lua_State *L) { +- MD5_CTX Md5Ctx; ++ li_MD5_CTX Md5Ctx; + HASH HA1; + buffer b; + char hex[33]; +@@ -63,9 +53,9 @@ + lua_error(L); + } + +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); +- MD5_Final(HA1, &Md5Ctx); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); ++ li_MD5_Final(HA1, &Md5Ctx); + + buffer_copy_string_hex(&b, (char *)HA1, 16); + +Index: src/mod_userdir.c +=================================================================== +--- src/mod_userdir.c (.../tags/lighttpd-1.4.29) ++++ src/mod_userdir.c (.../branches/lighttpd-1.4.x) +@@ -166,7 +166,6 @@ + + URIHANDLER_FUNC(mod_userdir_docroot_handler) { + plugin_data *p = p_d; +- int uri_len; + size_t k; + char *rel_url; + #ifdef HAVE_PWD_H +@@ -182,8 +181,6 @@ + */ + if (p->conf.path->used == 0) return HANDLER_GO_ON; + +- uri_len = con->uri.path->used - 1; +- + /* /~user/foo.html -> /home/user/public_html/foo.html */ + + if (con->uri.path->ptr[0] != '/' || +Index: src/mod_proxy.c +=================================================================== +--- src/mod_proxy.c (.../tags/lighttpd-1.4.29) ++++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) +@@ -825,7 +825,7 @@ + + /* fall through */ + case PROXY_STATE_WRITE:; +- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); ++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); + + chunkqueue_remove_finished_chunks(hctx->wb); + Index: src/Makefile.am =================================================================== ---- src/Makefile.am (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/Makefile.am (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -199,6 +199,11 @@ - mod_fastcgi_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined - mod_fastcgi_la_LIBADD = $(common_libadd) - -+lib_LTLIBRARIES += mod_extforward.la -+mod_extforward_la_SOURCES = mod_extforward.c -+mod_extforward_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined -+mod_extforward_la_LIBADD = $(common_libadd) -+ - lib_LTLIBRARIES += mod_access.la - mod_access_la_SOURCES = mod_access.c - mod_access_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined +--- src/Makefile.am (.../tags/lighttpd-1.4.29) ++++ src/Makefile.am (.../branches/lighttpd-1.4.x) +@@ -241,7 +241,7 @@ + mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) + + lib_LTLIBRARIES += mod_auth.la +-mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c ++mod_auth_la_SOURCES = mod_auth.c http_auth.c + mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined + mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) + +@@ -268,7 +268,7 @@ + + hdr = server.h buffer.h network.h log.h keyvalue.h \ + response.h request.h fastcgi.h chunk.h \ +- settings.h http_chunk.h http_auth_digest.h \ ++ settings.h http_chunk.h \ + md5.h http_auth.h stream.h \ + fdevent.h connections.h base.h stat_cache.h \ + plugin.h mod_auth.h \ Index: src/network_writev.c =================================================================== ---- src/network_writev.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/network_writev.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -55,7 +55,7 @@ - const size_t max_chunks = MAX_IOVEC; - #elif defined(UIO_MAXIOV) /* Linux x86 (glibc-2.2.5-233) */ - const size_t max_chunks = UIO_MAXIOV; --#elif (defined(__FreeBSD__) && __FreeBSD_version < 500000) /* FreeBSD 4.x */ -+#elif (defined(__FreeBSD__) && __FreeBSD_version < 500000) || defined(__DragonFly__) /* FreeBSD 4.x */ - const size_t max_chunks = 1024; /* UIO_MAXIOV value from sys/uio.h */ - #else +--- src/network_writev.c (.../tags/lighttpd-1.4.29) ++++ src/network_writev.c (.../branches/lighttpd-1.4.x) +@@ -30,17 +30,16 @@ + #define LOCAL_BUFFERING 1 + #endif + +-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) { ++int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { + chunk *c; +- size_t chunks_written = 0; + +- for(c = cq->first; c; c = c->next) { ++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { + int chunk_finished = 0; + + switch(c->type) { + case MEM_CHUNK: { + char * offset; +- size_t toSend; ++ off_t toSend; + ssize_t r; + + size_t num_chunks, i; +@@ -65,12 +64,10 @@ #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" -Index: src/mod_expire.c -=================================================================== ---- src/mod_expire.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/mod_expire.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -85,7 +85,7 @@ - /* - * parse - * -- * '(access|modification) [plus] { }*' -+ * '(access|now|modification) [plus] { }*' - * - * e.g. 'access 1 years' - */ -@@ -101,6 +101,9 @@ - if (0 == strncmp(ts, "access ", 7)) { - type = 0; - ts += 7; -+ } else if (0 == strncmp(ts, "now ", 4)) { -+ type = 0; -+ ts += 4; - } else if (0 == strncmp(ts, "modification ", 13)) { - type = 1; - ts += 13; -@@ -116,7 +119,7 @@ - ts += 5; + #endif + +- /* we can't send more then SSIZE_MAX bytes in one chunk */ +- + /* build writev list + * + * 1. limit: num_chunks < max_chunks +- * 2. limit: num_bytes < SSIZE_MAX ++ * 2. limit: num_bytes < max_bytes + */ + for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next); + +@@ -87,9 +84,9 @@ + chunks[i].iov_base = offset; + + /* protect the return value of writev() */ +- if (toSend > SSIZE_MAX || +- num_bytes + toSend > SSIZE_MAX) { +- chunks[i].iov_len = SSIZE_MAX - num_bytes; ++ if (toSend > max_bytes || ++ (off_t) num_bytes + toSend > max_bytes) { ++ chunks[i].iov_len = max_bytes - num_bytes; + + num_chunks = i + 1; + break; +@@ -121,6 +118,7 @@ + } + + cq->bytes_out += r; ++ max_bytes -= r; + + /* check which chunks have been written */ + +@@ -132,11 +130,10 @@ + + if (chunk_finished) { + /* skip the chunks from further touches */ +- chunks_written++; + c = c->next; + } else { + /* chunks_written + c = c->next is done in the for()*/ +- chunk_finished++; ++ chunk_finished = 1; + } + } else { + /* partially written */ +@@ -284,6 +281,8 @@ + assert(toSend < 0); + } + ++ if (toSend > max_bytes) toSend = max_bytes; ++ + #ifdef LOCAL_BUFFERING + start = c->mem->ptr; + #else +@@ -309,6 +308,7 @@ + + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; + + if (c->offset == c->file.length) { + chunk_finished = 1; +@@ -334,11 +334,9 @@ + + break; + } +- +- chunks_written++; } -- /* the rest is just (years|months|days|hours|minutes|seconds) */ -+ /* the rest is just (years|months|weeks|days|hours|minutes|seconds) */ - while (1) { - char *space, *err; - int num; -@@ -148,6 +151,9 @@ - } else if (slen == 6 && - 0 == strncmp(ts, "months", slen)) { - num *= 60 * 60 * 24 * 30; -+ } else if (slen == 5 && -+ 0 == strncmp(ts, "weeks", slen)) { -+ num *= 60 * 60 * 24 * 7; - } else if (slen == 4 && - 0 == strncmp(ts, "days", slen)) { - num *= 60 * 60 * 24; -@@ -174,6 +180,8 @@ - num *= 60 * 60 * 24 * 30 * 12; - } else if (0 == strcmp(ts, "months")) { - num *= 60 * 60 * 24 * 30; -+ } else if (0 == strcmp(ts, "weeks")) { -+ num *= 60 * 60 * 24 * 7; - } else if (0 == strcmp(ts, "days")) { - num *= 60 * 60 * 24; - } else if (0 == strcmp(ts, "hours")) { +- return chunks_written; ++ return 0; + } + + #endif Index: src/network_freebsd_sendfile.c =================================================================== ---- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -25,7 +25,7 @@ +--- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29) ++++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) +@@ -31,17 +31,16 @@ + # endif + #endif +-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { ++int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { + chunk *c; +- size_t chunks_written = 0; - #ifndef UIO_MAXIOV --# ifdef __FreeBSD__ -+# if defined(__FreeBSD__) || defined(__DragonFly__) - /* FreeBSD 4.7, 4.9 defined it in sys/uio.h only if _KERNEL is specified */ - # define UIO_MAXIOV 1024 - # endif -Index: src/http_auth.c -=================================================================== ---- src/http_auth.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/http_auth.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -733,8 +733,9 @@ - } - } +- for(c = cq->first; c; c = c->next, chunks_written++) { ++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { + int chunk_finished = 0; -+ if (p->conf.auth_ldap_allow_empty_pw != 1 && pw[0] == '\0') -+ return -1; + switch(c->type) { + case MEM_CHUNK: { + char * offset; +- size_t toSend; ++ off_t toSend; + ssize_t r; + + size_t num_chunks, i; +@@ -49,12 +48,10 @@ + chunk *tc; + size_t num_bytes = 0; +- /* we can't send more then SSIZE_MAX bytes in one chunk */ - - /* build filter */ - buffer_copy_string_buffer(p->ldap_filter, p->conf.ldap_filter_pre); - buffer_append_string_buffer(p->ldap_filter, username); -Index: src/http_auth.h -=================================================================== ---- src/http_auth.h (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/http_auth.h (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -36,6 +36,7 @@ - buffer *auth_ldap_filter; - buffer *auth_ldap_cafile; - unsigned short auth_ldap_starttls; -+ unsigned short auth_ldap_allow_empty_pw; + /* build writev list + * + * 1. limit: num_chunks < UIO_MAXIOV +- * 2. limit: num_bytes < SSIZE_MAX ++ * 2. limit: num_bytes < max_bytes + */ + for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next); - unsigned short auth_debug; +@@ -69,9 +66,9 @@ + chunks[i].iov_base = offset; -Index: src/mod_auth.c -=================================================================== ---- src/mod_auth.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/mod_auth.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -113,6 +113,7 @@ - PATCH(auth_ldap_filter); - PATCH(auth_ldap_cafile); - PATCH(auth_ldap_starttls); -+ PATCH(auth_ldap_allow_empty_pw); - #ifdef USE_LDAP - PATCH(ldap); - PATCH(ldap_filter_pre); -@@ -160,6 +161,8 @@ - PATCH(auth_ldap_cafile); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) { - PATCH(auth_ldap_starttls); -+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) { -+ PATCH(auth_ldap_allow_empty_pw); + /* protect the return value of writev() */ +- if (toSend > SSIZE_MAX || +- num_bytes + toSend > SSIZE_MAX) { +- chunks[i].iov_len = SSIZE_MAX - num_bytes; ++ if (toSend > max_bytes || ++ (off_t) num_bytes + toSend > max_bytes) { ++ chunks[i].iov_len = max_bytes - num_bytes; + + num_chunks = i + 1; + break; +@@ -105,6 +102,7 @@ + + /* check which chunks have been written */ + cq->bytes_out += r; ++ max_bytes -= r; + + for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { + if (r >= (ssize_t)chunks[i].iov_len) { +@@ -114,11 +112,10 @@ + + if (chunk_finished) { + /* skip the chunks from further touches */ +- chunks_written++; + c = c->next; + } else { + /* chunks_written + c = c->next is done in the for()*/ +- chunk_finished++; ++ chunk_finished = 1; + } + } else { + /* partially written */ +@@ -134,7 +131,7 @@ + } + case FILE_CHUNK: { + off_t offset, r; +- size_t toSend; ++ off_t toSend; + stat_cache_entry *sce = NULL; + + if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { +@@ -144,9 +141,8 @@ } + + offset = c->file.start + c->offset; +- /* limit the toSend to 2^31-1 bytes in a chunk */ +- toSend = c->file.length - c->offset > ((1 << 30) - 1) ? +- ((1 << 30) - 1) : c->file.length - c->offset; ++ toSend = c->file.length - c->offset; ++ if (toSend > max_bytes) toSend = max_bytes; + + if (-1 == c->file.fd) { + if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) { +@@ -197,6 +193,7 @@ + + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; + + if (c->offset == c->file.length) { + chunk_finished = 1; +@@ -218,7 +215,7 @@ } } -@@ -312,6 +315,7 @@ - { "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, - { "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, - { "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 10 */ -+ { "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, - { "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, - { "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, - { "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 13 */ -@@ -359,11 +363,12 @@ - cv[6].destination = s->auth_ldap_filter; - cv[7].destination = s->auth_ldap_cafile; - cv[8].destination = &(s->auth_ldap_starttls); -- cv[9].destination = s->auth_ldap_binddn; -- cv[10].destination = s->auth_ldap_bindpw; -- cv[11].destination = s->auth_htdigest_userfile; -- cv[12].destination = s->auth_htpasswd_userfile; -- cv[13].destination = &(s->auth_debug); -+ cv[9].destination = s->auth_ldap_binddn; -+ cv[10].destination = s->auth_ldap_bindpw; -+ cv[11].destination = &(s->auth_ldap_allow_empty_pw); -+ cv[12].destination = s->auth_htdigest_userfile; -+ cv[13].destination = s->auth_htpasswd_userfile; -+ cv[14].destination = &(s->auth_debug); - p->config_storage[i] = s; - ca = ((data_config *)srv->config_context->data[i])->value; -Index: src/mod_fastcgi.c +- return chunks_written; ++ return 0; + } + + #endif +Index: src/network_openssl.c =================================================================== ---- src/mod_fastcgi.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -275,6 +275,7 @@ - buffer *key; /* like .php */ - - int note_is_sent; -+ int last_used_ndx; - - fcgi_extension_host **hosts; - -@@ -563,6 +564,7 @@ - fe = calloc(1, sizeof(*fe)); - assert(fe); - fe->key = buffer_init(); -+ fe->last_used_ndx = -1; - buffer_copy_string_buffer(fe->key, key); - - /* */ -@@ -2365,6 +2367,7 @@ - * check how much we have to read - */ - if (ioctl(hctx->fd, FIONREAD, &toread)) { -+ if (errno == EAGAIN) return 0; - log_error_write(srv, __FILE__, __LINE__, "sd", - "unexpected end-of-file (perhaps the fastcgi process died):", - fcgi_fd); -@@ -2375,12 +2378,23 @@ - - if (toread > 0) { - buffer *b; -+ chunk *cq_first = hctx->rb->first; -+ chunk *cq_last = hctx->rb->last; - - b = chunkqueue_get_append_buffer(hctx->rb); - buffer_prepare_copy(b, toread + 1); - - /* append to read-buffer */ - if (-1 == (r = read(hctx->fd, b->ptr, toread))) { -+ if (errno == EAGAIN) { -+ /* roll back the last chunk allocation, -+ and continue on next iteration */ -+ buffer_free(hctx->rb->last->mem); -+ free(hctx->rb->last); -+ hctx->rb->first = cq_first; -+ hctx->rb->last = cq_last; -+ return 0; +--- src/network_openssl.c (.../tags/lighttpd-1.4.29) ++++ src/network_openssl.c (.../branches/lighttpd-1.4.x) +@@ -27,10 +27,9 @@ + # include + # include + +-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { ++int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { + int ssl_r; + chunk *c; +- size_t chunks_written = 0; + + /* this is a 64k sendbuffer + * +@@ -59,13 +58,13 @@ + SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); + } + +- for(c = cq->first; c; c = c->next) { ++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { + int chunk_finished = 0; + + switch(c->type) { + case MEM_CHUNK: { + char * offset; +- size_t toSend; ++ off_t toSend; + ssize_t r; + + if (c->mem->used == 0 || c->mem->used == 1) { +@@ -75,6 +74,7 @@ + + offset = c->mem->ptr + c->offset; + toSend = c->mem->used - 1 - c->offset; ++ if (toSend > max_bytes) toSend = max_bytes; + + /** + * SSL_write man-page +@@ -87,7 +87,14 @@ + */ + + ERR_clear_error(); +- if ((r = SSL_write(ssl, offset, toSend)) <= 0) { ++ r = SSL_write(ssl, offset, toSend); ++ ++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { ++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); ++ return -1; + } - log_error_write(srv, __FILE__, __LINE__, "sds", - "unexpected end-of-file (perhaps the fastcgi process died):", - fcgi_fd, strerror(errno)); -@@ -2393,6 +2407,7 @@ - b->used = r + 1; /* one extra for the fake \0 */ - b->ptr[b->used - 1] = '\0'; - } else { -+ if (errno == EAGAIN) return 0; - log_error_write(srv, __FILE__, __LINE__, "ssdsb", - "unexpected end-of-file (perhaps the fastcgi process died):", - "pid:", proc->pid, -@@ -2499,6 +2514,8 @@ ++ ++ if (r <= 0) { + unsigned long err; + + switch ((ssl_r = SSL_get_error(ssl, r))) { +@@ -139,6 +146,7 @@ + } else { + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; } - break; - case FCGI_STDERR: -+ if (packet.len == 0) break; + + if (c->offset == (off_t)c->mem->used - 1) { +@@ -168,6 +176,7 @@ + do { + off_t offset = c->file.start + c->offset; + off_t toSend = c->file.length - c->offset; ++ if (toSend > max_bytes) toSend = max_bytes; + + if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; + +@@ -190,7 +199,14 @@ + close(ifd); + + ERR_clear_error(); +- if ((r = SSL_write(ssl, s, toSend)) <= 0) { ++ r = SSL_write(ssl, s, toSend); + - log_error_write(srv, __FILE__, __LINE__, "sb", - "FastCGI-stderr:", packet.b); - -@@ -2979,17 +2996,23 @@ - size_t k; - int ndx, used = -1; - -- /* get best server */ -- for (k = 0, ndx = -1; k < hctx->ext->used; k++) { -- host = hctx->ext->hosts[k]; -+ /* check if the next server has no load. */ -+ ndx = hctx->ext->last_used_ndx + 1; -+ if(ndx >= hctx->ext->used || ndx < 0) ndx = 0; -+ host = hctx->ext->hosts[ndx]; -+ if (host->load > 0) { -+ /* get backend with the least load. */ -+ for (k = 0, ndx = -1; k < hctx->ext->used; k++) { -+ host = hctx->ext->hosts[k]; - -- /* we should have at least one proc that can do something */ -- if (host->active_procs == 0) continue; -+ /* we should have at least one proc that can do something */ -+ if (host->active_procs == 0) continue; - -- if (used == -1 || host->load < used) { -- used = host->load; -+ if (used == -1 || host->load < used) { -+ used = host->load; - -- ndx = k; -+ ndx = k; ++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { ++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); ++ return -1; + } - } ++ ++ if (r <= 0) { + unsigned long err; + + switch ((ssl_r = SSL_get_error(ssl, r))) { +@@ -243,12 +259,13 @@ + } else { + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; + } + + if (c->offset == c->file.length) { + chunk_finished = 1; + } +- } while(!chunk_finished && !write_wait); ++ } while (!chunk_finished && !write_wait && max_bytes > 0); + + break; } +@@ -263,11 +280,9 @@ -@@ -3005,6 +3028,7 @@ - return HANDLER_FINISHED; + break; } +- +- chunks_written++; + } -+ hctx->ext->last_used_ndx = ndx; - host = hctx->ext->hosts[ndx]; +- return chunks_written; ++ return 0; + } + #endif - /* -Index: src/server.c +Index: src/http_auth.c =================================================================== ---- src/server.c (.../tags/lighttpd-1.4.13) (revision 1706) -+++ src/server.c (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -163,6 +163,7 @@ - #undef CLEAN - - for (i = 0; i < FILE_CACHE_MAX; i++) { -+ srv->mtime_cache[i].mtime = (time_t)-1; - srv->mtime_cache[i].str = buffer_init(); - } +--- src/http_auth.c (.../tags/lighttpd-1.4.29) ++++ src/http_auth.c (.../branches/lighttpd-1.4.x) +@@ -1,7 +1,6 @@ + #include "server.h" + #include "log.h" + #include "http_auth.h" +-#include "http_auth_digest.h" + #include "inet_ntop_cache.h" + #include "stream.h" + +@@ -28,18 +27,23 @@ + #include + #include + +-#ifdef USE_OPENSSL +-# include +-#else +-# include "md5.h" ++#include "md5.h" + +-typedef li_MD5_CTX MD5_CTX; +-#define MD5_Init li_MD5_Init +-#define MD5_Update li_MD5_Update +-#define MD5_Final li_MD5_Final ++#define HASHLEN 16 ++#define HASHHEXLEN 32 ++typedef unsigned char HASH[HASHLEN]; ++typedef char HASHHEX[HASHHEXLEN+1]; -@@ -1231,6 +1232,19 @@ - srv_socket->fd = -1; +-#endif ++static void CvtHex(const HASH Bin, char Hex[33]) { ++ unsigned short i; - /* network_close() will cleanup after us */ ++ for (i = 0; i < 16; i++) { ++ Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); ++ Hex[i*2+1] = int2hex(Bin[i] & 0xf); ++ } ++ Hex[32] = '\0'; ++} + -+ if (srv->srvconf.pid_file->used && -+ srv->srvconf.changeroot->used == 0) { -+ if (0 != unlink(srv->srvconf.pid_file->ptr)) { -+ if (errno != EACCES && errno != EPERM) { -+ log_error_write(srv, __FILE__, __LINE__, "sbds", -+ "unlink failed for:", -+ srv->srvconf.pid_file, -+ errno, -+ strerror(errno)); -+ } -+ } -+ } + /** + * the $apr1$ handling is taken from apache 1.3.x + */ +@@ -95,7 +99,7 @@ + ch = in[0]; + /* run through the whole string, converting as we go */ + for (i = 0; i < in_len; i++) { +- ch = in[i]; ++ ch = (unsigned char) in[i]; + + if (ch == '\0') break; + +@@ -435,7 +439,7 @@ + + static void to64(char *s, unsigned long v, int n) + { +- static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ ++ static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + + while (--n >= 0) { +@@ -455,7 +459,7 @@ + const char *sp, *ep; + unsigned char final[APR_MD5_DIGESTSIZE]; + ssize_t sl, pl, i; +- MD5_CTX ctx, ctx1; ++ li_MD5_CTX ctx, ctx1; + unsigned long l; + + /* +@@ -487,33 +491,33 @@ + /* + * 'Time to make the doughnuts..' + */ +- MD5_Init(&ctx); ++ li_MD5_Init(&ctx); + + /* + * The password first, since that is what is most unknown + */ +- MD5_Update(&ctx, pw, strlen(pw)); ++ li_MD5_Update(&ctx, pw, strlen(pw)); + + /* + * Then our magic string + */ +- MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); ++ li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); + + /* + * Then the raw salt + */ +- MD5_Update(&ctx, sp, sl); ++ li_MD5_Update(&ctx, sp, sl); + + /* + * Then just as many characters of the MD5(pw, salt, pw) + */ +- MD5_Init(&ctx1); +- MD5_Update(&ctx1, pw, strlen(pw)); +- MD5_Update(&ctx1, sp, sl); +- MD5_Update(&ctx1, pw, strlen(pw)); +- MD5_Final(final, &ctx1); ++ li_MD5_Init(&ctx1); ++ li_MD5_Update(&ctx1, pw, strlen(pw)); ++ li_MD5_Update(&ctx1, sp, sl); ++ li_MD5_Update(&ctx1, pw, strlen(pw)); ++ li_MD5_Final(final, &ctx1); + for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { +- MD5_Update(&ctx, final, ++ li_MD5_Update(&ctx, final, + (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl); + } + +@@ -527,10 +531,10 @@ + */ + for (i = strlen(pw); i != 0; i >>= 1) { + if (i & 1) { +- MD5_Update(&ctx, final, 1); ++ li_MD5_Update(&ctx, final, 1); + } + else { +- MD5_Update(&ctx, pw, 1); ++ li_MD5_Update(&ctx, pw, 1); + } + } + +@@ -542,7 +546,7 @@ + strncat(passwd, sp, sl); + strcat(passwd, "$"); + +- MD5_Final(final, &ctx); ++ li_MD5_Final(final, &ctx); + + /* + * And now, just to make sure things don't run too fast.. +@@ -550,28 +554,28 @@ + * need 30 seconds to build a 1000 entry dictionary... + */ + for (i = 0; i < 1000; i++) { +- MD5_Init(&ctx1); ++ li_MD5_Init(&ctx1); + if (i & 1) { +- MD5_Update(&ctx1, pw, strlen(pw)); ++ li_MD5_Update(&ctx1, pw, strlen(pw)); + } + else { +- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); ++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + } + if (i % 3) { +- MD5_Update(&ctx1, sp, sl); ++ li_MD5_Update(&ctx1, sp, sl); + } + + if (i % 7) { +- MD5_Update(&ctx1, pw, strlen(pw)); ++ li_MD5_Update(&ctx1, pw, strlen(pw)); + } + + if (i & 1) { +- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); ++ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + } + else { +- MD5_Update(&ctx1, pw, strlen(pw)); ++ li_MD5_Update(&ctx1, pw, strlen(pw)); + } +- MD5_Final(final,&ctx1); ++ li_MD5_Final(final,&ctx1); + } + + p = passwd + strlen(passwd); +@@ -614,17 +618,17 @@ + * user:realm:md5(user:realm:password) + */ + +- MD5_CTX Md5Ctx; ++ li_MD5_CTX Md5Ctx; + HASH HA1; + char a1[256]; + +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); +- MD5_Final(HA1, &Md5Ctx); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); ++ li_MD5_Final(HA1, &Md5Ctx); + + CvtHex(HA1, a1); + +@@ -930,7 +934,7 @@ + int i; + buffer *password, *b, *username_buf, *realm_buf; + +- MD5_CTX Md5Ctx; ++ li_MD5_CTX Md5Ctx; + HASH HA1; + HASH HA2; + HASH RespHash; +@@ -1067,13 +1071,13 @@ + + if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { + /* generate password from plain-text */ +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); +- MD5_Final(HA1, &Md5Ctx); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); ++ li_MD5_Final(HA1, &Md5Ctx); + } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { + /* HA1 */ + /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ +@@ -1090,45 +1094,45 @@ + + if (algorithm && + strcasecmp(algorithm, "md5-sess") == 0) { +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); +- MD5_Final(HA1, &Md5Ctx); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); ++ li_MD5_Final(HA1, &Md5Ctx); + } + + CvtHex(HA1, a1); + + /* calculate H(A2) */ +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); + if (qop && strcasecmp(qop, "auth-int") == 0) { +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); + } +- MD5_Final(HA2, &Md5Ctx); ++ li_MD5_Final(HA2, &Md5Ctx); + CvtHex(HA2, HA2Hex); + + /* calculate response */ +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + if (qop && *qop) { +- MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); +- MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); +- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + }; +- MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); +- MD5_Final(RespHash, &Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); ++ li_MD5_Final(RespHash, &Md5Ctx); + CvtHex(RespHash, a2); + + if (0 != strcmp(a2, respons)) { +@@ -1171,24 +1175,24 @@ + + int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { + HASH h; +- MD5_CTX Md5Ctx; ++ li_MD5_CTX Md5Ctx; + char hh[32]; + + UNUSED(p); + + /* generate shared-secret */ +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); +- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + + /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ + LI_ltostr(hh, srv->cur_ts); +- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); +- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + LI_ltostr(hh, rand()); +- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + +- MD5_Final(h, &Md5Ctx); ++ li_MD5_Final(h, &Md5Ctx); + + CvtHex(h, out); + +Index: src/mod_usertrack.c +=================================================================== +--- src/mod_usertrack.c (.../tags/lighttpd-1.4.29) ++++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x) +@@ -8,18 +8,8 @@ + #include + #include + +-#ifdef USE_OPENSSL +-# include +-#else +-# include "md5.h" ++#include "md5.h" + +-typedef li_MD5_CTX MD5_CTX; +-#define MD5_Init li_MD5_Init +-#define MD5_Update li_MD5_Update +-#define MD5_Final li_MD5_Final +- +-#endif +- + /* plugin config for all request/connections */ + + typedef struct { +@@ -182,7 +172,7 @@ + plugin_data *p = p_d; + data_string *ds; + unsigned char h[16]; +- MD5_CTX Md5Ctx; ++ li_MD5_CTX Md5Ctx; + char hh[32]; + + if (con->uri.path->used == 0) return HANDLER_GO_ON; +@@ -228,18 +218,18 @@ + /* taken from mod_auth.c */ + + /* generate shared-secret */ +- MD5_Init(&Md5Ctx); +- MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); +- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); ++ li_MD5_Init(&Md5Ctx); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + + /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ + LI_ltostr(hh, srv->cur_ts); +- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); +- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + LI_ltostr(hh, rand()); +- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + +- MD5_Final(h, &Md5Ctx); ++ li_MD5_Final(h, &Md5Ctx); + + buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX); + buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/")); +Index: src/mod_status.c +=================================================================== +--- src/mod_status.c (.../tags/lighttpd-1.4.29) ++++ src/mod_status.c (.../branches/lighttpd-1.4.x) +@@ -487,7 +487,7 @@ + + buffer_append_string_len(b, CONST_STR_LEN("")); + +- if (con->request.content_length) { ++ if (c->request.content_length) { + buffer_append_long(b, c->request_content_queue->bytes_in); + buffer_append_string_len(b, CONST_STR_LEN("/")); + buffer_append_long(b, c->request.content_length); +Index: src/settings.h +=================================================================== +--- src/settings.h (.../tags/lighttpd-1.4.29) ++++ src/settings.h (.../branches/lighttpd-1.4.x) +@@ -21,8 +21,11 @@ + * 64kB (no real reason, just a guess) + */ + #define BUFFER_MAX_REUSE_SIZE (4 * 1024) +-#define MAX_READ_LIMIT (4*1024*1024) + ++/* both should be way smaller than SSIZE_MAX :) */ ++#define MAX_READ_LIMIT (256*1024) ++#define MAX_WRITE_LIMIT (256*1024) ++ + /** + * max size of the HTTP request header + * +Index: src/mod_cml_lua.c +=================================================================== +--- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29) ++++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x) +@@ -11,18 +11,6 @@ + #include + #include + +-#ifdef USE_OPENSSL +-# include +-#else +-# include "md5.h" +- +-typedef li_MD5_CTX MD5_CTX; +-#define MD5_Init li_MD5_Init +-#define MD5_Update li_MD5_Update +-#define MD5_Final li_MD5_Final +- +-#endif +- + #define HASHLEN 16 + typedef unsigned char HASH[HASHLEN]; + #define HASHHEXLEN 32 +Index: src/mod_fastcgi.c +=================================================================== +--- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29) ++++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) +@@ -3075,7 +3075,7 @@ + fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); + /* fall through */ + case FCGI_STATE_WRITE: +- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); ++ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); + + chunkqueue_remove_finished_chunks(hctx->wb); + +@@ -3132,7 +3132,6 @@ + plugin_data *p = p_d; + + handler_ctx *hctx = con->plugin_ctx[p->id]; +- fcgi_proc *proc; + fcgi_extension_host *host; + + if (NULL == hctx) return HANDLER_GO_ON; +@@ -3201,7 +3200,6 @@ + /* ok, create the request */ + switch(fcgi_write_request(srv, hctx)) { + case HANDLER_ERROR: +- proc = hctx->proc; + host = hctx->host; + + if (hctx->state == FCGI_STATE_INIT || +Index: src/network_solaris_sendfilev.c +=================================================================== +--- src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29) ++++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x) +@@ -38,17 +38,16 @@ + */ + + +-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) { ++int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { + chunk *c; +- size_t chunks_written = 0; + +- for(c = cq->first; c; c = c->next, chunks_written++) { ++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { + int chunk_finished = 0; + + switch(c->type) { + case MEM_CHUNK: { + char * offset; +- size_t toSend; ++ off_t toSend; + ssize_t r; + + size_t num_chunks, i; +@@ -77,9 +76,9 @@ + chunks[i].iov_base = offset; + + /* protect the return value of writev() */ +- if (toSend > SSIZE_MAX || +- num_bytes + toSend > SSIZE_MAX) { +- chunks[i].iov_len = SSIZE_MAX - num_bytes; ++ if (toSend > max_bytes || ++ (off_t) num_bytes + toSend > max_bytes) { ++ chunks[i].iov_len = max_bytes - num_bytes; + + num_chunks = i + 1; + break; +@@ -119,11 +118,10 @@ + + if (chunk_finished) { + /* skip the chunks from further touches */ +- chunks_written++; + c = c->next; + } else { + /* chunks_written + c = c->next is done in the for()*/ +- chunk_finished++; ++ chunk_finished = 1; } - } + } else { + /* partially written */ +@@ -139,8 +137,8 @@ + } + case FILE_CHUNK: { + ssize_t r; +- off_t offset; +- size_t toSend, written; ++ off_t offset, toSend; ++ size_t written; + sendfilevec_t fvec; + stat_cache_entry *sce = NULL; + int ifd; +@@ -153,6 +151,7 @@ + + offset = c->file.start + c->offset; + toSend = c->file.length - c->offset; ++ if (toSend > max_bytes) toSend = max_bytes; -@@ -1335,7 +1349,8 @@ + if (offset > sce->st.st_size) { + log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); +@@ -186,6 +185,7 @@ + close(ifd); + c->offset += written; + cq->bytes_out += written; ++ max_bytes -= written; + + if (c->offset == c->file.length) { + chunk_finished = 1; +@@ -207,7 +207,7 @@ + } } - if (srv->srvconf.pid_file->used && -- srv->srvconf.changeroot->used == 0) { -+ srv->srvconf.changeroot->used == 0 && -+ 0 == graceful_shutdown) { - if (0 != unlink(srv->srvconf.pid_file->ptr)) { - if (errno != EACCES && errno != EPERM) { - log_error_write(srv, __FILE__, __LINE__, "sbds", -Index: doc/extforward.txt +- return chunks_written; ++ return 0; + } + + #endif +Index: src/CMakeLists.txt =================================================================== ---- doc/extforward.txt (.../tags/lighttpd-1.4.13) (revision 0) -+++ doc/extforward.txt (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -0,0 +1,96 @@ -+============== -+mod_extforward -+============== -+ -+.. contents:: -+ -+Overview -+======== -+ -+Comman Kang sent me: :: -+ -+ Hello jan. -+ -+ I've made something rough but similar to mod_extract_forwarded for -+ Apache. This module will extract the client's "real" ip from -+ X-Forwarded-For header which is added by squid or other proxies. It might be -+ useful for servers behind reverse proxy servers. -+ -+ However, this module is causing segfault with mod_ssl or -+ $HTTP{''socket"} directive, crashing in config_check_cond while patching -+ connection , I do not understand architecture of the lighttpd well, does it -+ need to call patch_connection in either handle_request_done and -+ connection_reset ? -+ -+Lionel Elie Mamane improved the patch: :: -+ -+ I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've -+ extended it. Here is the result. -+ -+ Major changes: -+ -+ - IPv6 support -+ -+ - Fixed at least one segfault with SERVER['socket'] -+ -+ - Arrange things so that a url.access-deny under scope of a -+ HTTP['remoteip'] condition works well :) -+ -+ I've commented the code in some places, mostly where I wasn't sure -+ what was going on, or I didn't see what the original author meant to -+ do. -+ -+Options -+======= -+ -+extforward.forwarder -+ Sets trust level of proxy IP's. -+ -+ Default: empty -+ -+ Example: :: -+ -+ extforward.forwarder = ("10.0.0.232" => "trust") -+ -+ will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header. -+ -+Note -+======= -+ -+The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions. -+Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. -+Things done in between these two moments will match on the real client's IP. -+The moment things are done by a module depends on in which hook it does things and within the same hook -+on whether they are before/after us in the module loading order -+(order in the server.modules directive in the config file). -+ -+Tested behaviours: -+ -+ mod_access: Will match on the real client. -+ -+ mod_accesslog: -+ In order to see the "real" ip address in access log , -+ you'll have to load mod_extforward after mod_accesslog. -+ like this: :: -+ -+ server.modules = ( -+ ..... -+ mod_accesslog, -+ mod_extforward -+ ) -+ -+Samples -+======= -+ -+Trust proxy 10.0.0.232 and 10.0.0.232 :: -+ -+ extforward.forwarder = ( -+ "10.0.0.232" => "trust", -+ "10.0.0.233" => "trust", -+ ) -+ -+Trust all proxies (NOT RECOMMENDED!) :: -+ -+ extforward.forwarder = ( "all" => "trust") -+ -+Note that "all" has precedence over specific entries, so "all except" setups will not work. -Index: doc/Makefile.am +Index: src/mod_dirlisting.c +=================================================================== +--- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29) ++++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x) +@@ -657,7 +657,8 @@ + i = dir->used - 1; + + #ifdef HAVE_PATHCONF +- if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { ++ if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { ++ /* some broken fs (fuse) return 0 instead of -1 */ + #ifdef NAME_MAX + name_max = NAME_MAX; + #else +Index: src/network_linux_sendfile.c +=================================================================== +--- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29) ++++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x) +@@ -27,17 +27,16 @@ + /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */ + #undef HAVE_POSIX_FADVISE + +-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { ++int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { + chunk *c; +- size_t chunks_written = 0; + +- for(c = cq->first; c; c = c->next, chunks_written++) { ++ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { + int chunk_finished = 0; + + switch(c->type) { + case MEM_CHUNK: { + char * offset; +- size_t toSend; ++ off_t toSend; + ssize_t r; + + size_t num_chunks, i; +@@ -45,12 +44,10 @@ + chunk *tc; + size_t num_bytes = 0; + +- /* we can't send more then SSIZE_MAX bytes in one chunk */ +- + /* build writev list + * + * 1. limit: num_chunks < UIO_MAXIOV +- * 2. limit: num_bytes < SSIZE_MAX ++ * 2. limit: num_bytes < max_bytes + */ + for (num_chunks = 0, tc = c; + tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; +@@ -67,9 +64,9 @@ + chunks[i].iov_base = offset; + + /* protect the return value of writev() */ +- if (toSend > SSIZE_MAX || +- num_bytes + toSend > SSIZE_MAX) { +- chunks[i].iov_len = SSIZE_MAX - num_bytes; ++ if (toSend > max_bytes || ++ (off_t) num_bytes + toSend > max_bytes) { ++ chunks[i].iov_len = max_bytes - num_bytes; + + num_chunks = i + 1; + break; +@@ -100,6 +97,7 @@ + + /* check which chunks have been written */ + cq->bytes_out += r; ++ max_bytes -= r; + + for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { + if (r >= (ssize_t)chunks[i].iov_len) { +@@ -109,11 +107,10 @@ + + if (chunk_finished) { + /* skip the chunks from further touches */ +- chunks_written++; + c = c->next; + } else { + /* chunks_written + c = c->next is done in the for()*/ +- chunk_finished++; ++ chunk_finished = 1; + } + } else { + /* partially written */ +@@ -130,13 +127,12 @@ + case FILE_CHUNK: { + ssize_t r; + off_t offset; +- size_t toSend; ++ off_t toSend; + stat_cache_entry *sce = NULL; + + offset = c->file.start + c->offset; +- /* limit the toSend to 2^31-1 bytes in a chunk */ +- toSend = c->file.length - c->offset > ((1 << 30) - 1) ? +- ((1 << 30) - 1) : c->file.length - c->offset; ++ toSend = c->file.length - c->offset; ++ if (toSend > max_bytes) toSend = max_bytes; + + /* open file if not already opened */ + if (-1 == c->file.fd) { +@@ -215,6 +211,7 @@ + + c->offset += r; + cq->bytes_out += r; ++ max_bytes -= r; + + if (c->offset == c->file.length) { + chunk_finished = 1; +@@ -243,7 +240,7 @@ + } + } + +- return chunks_written; ++ return 0; + } + + #endif +Index: tests/mod-auth.t +=================================================================== +--- tests/mod-auth.t (.../tags/lighttpd-1.4.29) ++++ tests/mod-auth.t (.../branches/lighttpd-1.4.x) +@@ -8,7 +8,7 @@ + + use strict; + use IO::Socket; +-use Test::More tests => 14; ++use Test::More tests => 15; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -25,6 +25,14 @@ + + $t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; ++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); ++ ++$t->{REQUEST} = ( < 44; ++use Test::More tests => 46; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -413,5 +413,21 @@ + $t->{SLOWREQUEST} = 1; + ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)'); + ++print "\nPathinfo for static files\n"; ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ]; ++ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default'); ++ ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; ++ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); ++ + ok($tf->stop_proc == 0, "Stopping lighttpd"); + +Index: tests/wrapper.sh +=================================================================== +--- tests/wrapper.sh (.../tags/lighttpd-1.4.29) ++++ tests/wrapper.sh (.../branches/lighttpd-1.4.x) +@@ -6,4 +6,4 @@ + top_builddir=$2 + export SHELL srcdir top_builddir + +-$3 ++exec $3 +Index: tests/lighttpd.conf +=================================================================== +--- tests/lighttpd.conf (.../tags/lighttpd-1.4.29) ++++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x) +@@ -149,6 +149,7 @@ + $HTTP["host"] == "zzz.example.org" { + server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" + server.name = "zzz.example.org" ++ static-file.disable-pathinfo = "enable" + } + + $HTTP["host"] == "symlink.example.org" { +Index: configure.ac +=================================================================== +Index: doc/config/lighttpd.conf +=================================================================== +--- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29) ++++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x) +@@ -394,6 +394,25 @@ + ## $SERVER["socket"] == "10.0.0.1:443" { + ## ssl.engine = "enable" + ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" ++## # ++## # Mitigate BEAST attack: ++## # ++## # A stricter base cipher suite. For details see: ++## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html ++## # ++## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" ++## # ++## # Make the server prefer the order of the server side cipher suite instead of the client suite. ++## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). ++## # This option is enabled by default, but only used if ssl.ciphers is set. ++## # ++## # ssl.honor-cipher-order = "enable" ++## # ++## # Mitigate CVE-2009-3555 by disabling client triggered renegotation ++## # This is enabled by default. ++## # ++## # ssl.disable-client-renegotiation = "enable" ++## # + ## server.name = "www.example.com" + ## + ## server.document-root = "/srv/www/vhosts/example.com/www/" +Index: SConstruct =================================================================== ---- doc/Makefile.am (.../tags/lighttpd-1.4.13) (revision 1706) -+++ doc/Makefile.am (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -6,6 +6,7 @@ - cgi.txt \ - compress.txt \ - configuration.txt \ -+extforward.txt \ - fastcgi-state.txt \ - fastcgi.txt \ - features.txt \ -@@ -43,6 +44,7 @@ - cgi.html \ - compress.html \ - configuration.html \ -+ extforward.html \ - fastcgi-state.html \ - fastcgi.html \ - features.html \ Index: NEWS =================================================================== ---- NEWS (.../tags/lighttpd-1.4.13) (revision 1706) -+++ NEWS (.../branches/lighttpd-1.4.x) (revision 1706) -@@ -3,6 +3,9 @@ +--- NEWS (.../tags/lighttpd-1.4.29) ++++ NEWS (.../branches/lighttpd-1.4.x) +@@ -3,7 +3,20 @@ NEWS ==== -+- 1.4.14 - ??? -+ * added mod_extforward module [1665] -+ - - 1.4.13 - 2006-10-09 - - * added initgroups in spawn-fcgi (#871) - -Property changes on: . -___________________________________________________________________ -Name: svk:merge - + a98e19e4-a712-0410-8832-6551a15ffc53:/local/branches/lighttpd-1.4.x:1557 - +-- 1.4.29 - ++- 1.4.30 - ++ * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) ++ * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. ++ * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled ++ * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file ++ * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) ++ * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) ++ * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) ++ * [ssl] count renegotiations to prevent client renegotiations ++ * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) ++ * [core] accept dots in ipv6 addresses in host header (fixes #2359) ++ * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) ++ ++- 1.4.29 - 2011-07-03 + * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) + * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) + * mod_cgi: make read buffer as big as incoming data block +Index: CMakeLists.txt +===================================================================