author | Glenn Strauss <gstrauss@gluelogic.com> | 2022-11-23 10:45:05 -0500 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2022-11-30 19:04:38 -0500 |
commit | fcf0dc3e336a5d62c58036cdb8fc9f4c099b178e (patch) | |
tree | a94e7c0cf42cbdbf8308c559e104f7e44f279c8e /tests | |
parent | 326ace4ffd93582b86effee23c1014477c495eaf (diff) | |
download | lighttpd-git-fcf0dc3e336a5d62c58036cdb8fc9f4c099b178e.tar.gz |
[multiple] remove deprecated modules
remove deprecated modules:
mod_evasive
mod_secdownload
mod_uploadprogress
mod_usertrack
These scheduled lighttpd behavior changes have been announced over
the past year:
* Continue gradual deprecation of "mini-application" lighttpd modules
for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
* Deprecated: mod_evasive has been removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
* Deprecated: mod_secdownload has been removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available
* Deprecated: mod_uploadprogress has been removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
* Deprecated: mod_usertrack has been removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/lighttpd.conf | 27 | ||||
-rwxr-xr-x | tests/request.t | 192 |
2 files changed, 1 insertions, 218 deletions
diff --git a/tests/lighttpd.conf b/tests/lighttpd.conf
index 7b224173..b752ecc4 100644
--- a/tests/lighttpd.conf
+++ b/tests/lighttpd.conf
@@ -28,7 +28,6 @@ server.modules = (
 "mod_simple_vhost",
 "mod_cgi",
 "mod_status",
- "mod_secdownload",
 "mod_deflate",
 "mod_accesslog",
 )
@@ -251,29 +250,3 @@ $HTTP["host"] =~ "^auth-" {
 status.status-url = "/server-status"
 status.config-url = "/server-config"
 }
-
-$HTTP["host"] == "vvv.example.org" {
- server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
- secdownload.secret = "verysecret"
- secdownload.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
- secdownload.uri-prefix = "/sec/"
- secdownload.timeout = 120
- secdownload.algorithm = "md5"
-}
-$HTTP["host"] == "vvv-sha1.example.org" {
- server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
- secdownload.secret = "verysecret"
- secdownload.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
- secdownload.uri-prefix = "/sec/"
- secdownload.timeout = 120
- secdownload.algorithm = "hmac-sha1"
-}
-$HTTP["host"] == "vvv-sha256.example.org" {
- server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
- secdownload.secret = "verysecret"
- secdownload.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
- secdownload.uri-prefix = "/sec/"
- secdownload.timeout = 120
- secdownload.algorithm = "hmac-sha256"
- secdownload.hash-querystr = "enable"
-}
diff --git a/tests/request.t b/tests/request.t
index b25f4f96..3fdb1ab6 100755
--- a/tests/request.t
+++ b/tests/request.t
@@ -8,7 +8,7 @@ BEGIN {
 use strict;
 use IO::Socket;
-use Test::More tests => 178;
+use Test::More tests => 164;
 use LightyTest;
 my $tf = LightyTest->new();
@@ -1592,196 +1592,6 @@ ok($tf_proxy->stop_proc == 0, "Stopping lighttpd proxy");
 } while (0);
-## mod_secdownload
-
-use Digest::MD5 qw(md5_hex);
-use Digest::SHA qw(hmac_sha1 hmac_sha256);
-use MIME::Base64 qw(encode_base64url);
-
-my $secret = "verysecret";
-my ($f, $thex, $m);
-
-$t->{REQUEST} = ( <<EOF
-GET /index.html HTTP/1.0
-Host: www.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-
-ok($tf->handle_http($t) == 0, 'skipping secdownload - direct access');
-
-## MD5
-$f = "/index.html";
-$thex = sprintf("%08x", time);
-$m = md5_hex($secret.$f.$thex);
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload (md5)');
-
-$thex = sprintf("%08x", time - 1800);
-$m = md5_hex($secret.$f.$thex);
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (md5)');
-
-$t->{REQUEST} = ( <<EOF
-GET /sec$f HTTP/1.0
-Host: vvv.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - direct access (md5)');
-
-$f = "/noexists";
-$thex = sprintf("%08x", time);
-$m = md5_hex($secret.$f.$thex);
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - timeout (md5)');
-
-
-if (!$tf->has_crypto()) {
-
- for (1..4) { ok(1, "secdownload (hmac-sha1) (skipped) - (missing SSL support)"); }
- for (1..5) { ok(1, "secdownload (hmac-sha256) (skipped) - (missing SSL support)"); }
-
-}
-else {
-
-## HMAC-SHA1
-$f = "/index.html";
-$thex = sprintf("%08x", time);
-$m = encode_base64url(hmac_sha1("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha1.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha1)');
-
-$thex = sprintf("%08x", time - 1800);
-$m = encode_base64url(hmac_sha1("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha1.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha1)');
-
-$t->{REQUEST} = ( <<EOF
-GET /sec$f HTTP/1.0
-Host: vvv-sha1.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha1)');
-
-
-$f = "/noexists";
-$thex = sprintf("%08x", time);
-$m = encode_base64url(hmac_sha1("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha1.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha1)');
-
-## HMAC-SHA256
-$f = "/index.html";
-$thex = sprintf("%08x", time);
-$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha256.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha256)');
-
-## HMAC-SHA256
-$f = "/index.html?qs=1";
-$thex = sprintf("%08x", time);
-$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha256.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha256) with hash-querystr');
-
-$thex = sprintf("%08x", time - 1800);
-$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha256.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha256)');
-
-$t->{REQUEST} = ( <<EOF
-GET /sec$f HTTP/1.0
-Host: vvv-sha256.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha256)');
-
-
-$f = "/noexists";
-$thex = sprintf("%08x", time);
-$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
-
-$t->{REQUEST} = ( <<EOF
-GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv-sha256.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-
-ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha256)');
-
-} # SKIP if lighttpd built without crypto algorithms (e.g. without openssl)
-
-
 ## mod_setenv
 $t->{REQUEST} = ( <<EOF |