| Commit message | Author | Age | Files | Lines |

"nonce_secret" option to validate nonce was generated by the server
Marginally hardens HTTP Digest Auth. Necessary piece, but not
sufficient, to restrict re-use of nonce (mitigations for replay
or limiting nonce count reuse via nc=... are not implemented)
x-ref:
"Digest auth nonces are not validated"
https://redmine.lighttpd.net/issues/2976
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)
NB: request read and write chunkqueues currently point to connection
chunkqueues; per-request and per-connection chunkqueues are
not distinct from one another
con->read_queue == r->read_queue
con->write_queue == r->write_queue
NB: in the future, a separate connection config may be needed for
connection-level module hooks. Similarly, might need to have
per-request chunkqueues separate from per-connection chunkqueues.
Should probably also have a request_reset() which is distinct from
connection_reset().
when patching config
store pointer to module in handler_module instead of con->mode id
replace srv->cur_ts
use global rather than passing around (server *) just for that
li_itostrn() and li_utostrn() return string length
(rather than requiring subsequent strlen() to find length)
(explicit (server *) not passed; available in con->srv)
convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
also, keep ptr to const buffer *realm rather than copy
(simpler for modules; less boilerplate to cut-n-paste)
put void *data (always used) as first member of struct plugin
add int nconfig member to PLUGIN_DATA
calloc() inits p->data to NULL
optimize for common case where condition has been evaluated for
the request and a cached result exists
(also: begin isolating data_config)
(instead of value being (array *))
(The few places where value is modified in-place were not made const)
(instead of value being (buffer *))
handle buffer key as part of DATA_UNSET in *_patch_connection()
(instead of key being (buffer *))
(instead of key being (buffer *))
array_get_element_klen() is now intended for read-only access
array_get_data_unset() is used by config processing for r/w access
array_get_buf_ptr() is used for r/w access to ds->value (string buffer)
mitigation slows down brute force password attacks
x-ref:
"Possible feature: authentication brute force hardening"
https://redmine.lighttpd.net/boards/3/topics/8885
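
The commit does not say how the slowdown is implemented. The following is an added example of one common shape of such a mitigation (a per-client failure counter with exponential backoff before the next attempt is even evaluated), written for this page and not taken from lighttpd. AuthThrottle, attempt_login, the 429 status and the injectable clock are assumptions of the example.

```python
import time


class AuthThrottle:
    """Per-client failed-login tracker (hypothetical; not lighttpd's mechanism).
    After `free_failures` misses, each further miss doubles the wait a client
    must sit out before another attempt is checked, capped at `max_delay`."""

    def __init__(self, free_failures=3, base_delay=1.0, max_delay=60.0,
                 window=600.0, clock=time.monotonic):
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window          # forget failures older than this
        self.clock = clock            # injectable so the behaviour can be tested deterministically
        self._failures = {}           # client -> (count, time of last failure)

    def _current(self, client):
        count, last = self._failures.get(client, (0, 0.0))
        if count and self.clock() - last > self.window:
            self._failures.pop(client, None)      # stale history: start over
            return 0, 0.0
        return count, last

    def retry_after(self, client):
        """Seconds the client must still wait; 0.0 when an attempt may be checked now."""
        count, last = self._current(client)
        excess = count - self.free_failures
        if excess < 0:
            return 0.0
        wait = min(self.base_delay * 2 ** excess, self.max_delay)
        return max(0.0, last + wait - self.clock())

    def record(self, client, success):
        """A success clears the client's history; a failure extends it."""
        if success:
            self._failures.pop(client, None)
        else:
            count, _ = self._current(client)
            self._failures[client] = (count + 1, self.clock())


def attempt_login(throttle, client, username, password, verify):
    """Returns (status, retry_after). While a backoff is pending the credentials
    are not even examined (429); otherwise 200/401 from verify()."""
    wait = throttle.retry_after(client)
    if wait > 0:
        return 429, wait
    ok = verify(username, password)
    throttle.record(client, ok)
    return (200 if ok else 401), throttle.retry_after(client)
```

Keying on the client address alone is a trade-off: it slows a single-source brute force but is blind to attacks spread across many sources, and it lets an attacker lock out a shared NAT address, so a deployment would usually combine it with a per-account counter.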
use constant time comparison when comparing digests
(mitigation for brute-force timing attacks against digests
generated using the same nonce)
x-ref:
"Digest auth nonces are not validated"
https://redmine.lighttpd.net/issues/2976
"safe_memcmp new function proposal"
https://redmine.lighttpd.net/issues/2975
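
The leak this commit closes, as an added illustration written for this page (not lighttpd's safe_memcmp or any code from the project). An early-exit comparison stops at the first differing byte, so an attacker who keeps the nonce fixed (the server's expected digest is then fixed too) and varies only the response= value can read off how many leading hex digits are already correct. The bytes-examined count returned next to the boolean stands in for the attacker's timing measurement; the digest value used in the test is a constructed sample.

```python
import hmac


def naive_eq(expected, candidate):
    """Early-exit comparison, as memcmp()/strcmp() typically behave.
    Returns (equal, bytes_examined); the count stands in for wall-clock time."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for x, y in zip(expected, candidate):
        examined += 1
        if x != y:
            return False, examined        # leaks how many leading bytes matched
    return True, examined


def constant_time_eq(expected, candidate):
    """Length-checked, branch-free comparison: the loop never exits early, so the
    work done does not depend on where (or whether) the strings differ."""
    if len(expected) != len(candidate):
        return False, 0
    acc = 0
    for x, y in zip(expected, candidate):
        acc |= ord(x) ^ ord(y)            # accumulate differences without branching
    return acc == 0, len(expected)


def prefix_learned(compare, expected, candidate):
    """What one timing measurement tells the attacker: with naive_eq, bytes
    examined minus one equals the number of leading hex digits already right;
    with constant_time_eq every wrong guess costs the same, so the value is
    constant and useless."""
    equal, examined = compare(expected, candidate)
    return examined if equal else examined - 1


def verify_response(expected_hex, candidate_hex):
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected_hex.encode(), candidate_hex.encode())
```

Length is still compared up front in both versions; revealing that two digests differ in length is harmless because the digest length is fixed by the algorithm and public anyway.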
send Authentication-Info nextnonce when nonce is approaching expiration
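
One way a server can tell its own nonces from forged ones and hand the client a replacement before the current one expires, as an added example covering this commit and the "nonce_secret" commit above. This is not lighttpd's nonce format or code: the <timestamp>:<random>:<HMAC> layout, NONCE_SECRET, NONCE_TTL and RENEW_BEFORE are assumptions of the example. The HMAC under a server-side secret is what lets the server reject a nonce it never issued; as the earlier commit notes, that alone does not stop re-use of a genuine nonce within its lifetime (no nc= tracking is done here either).

```python
import hashlib
import hmac
import secrets

NONCE_SECRET = b"change-me-server-side-secret"   # assumption: plays the role of nonce_secret
NONCE_TTL = 600                                   # assumption: seconds a nonce stays valid
RENEW_BEFORE = 60                                 # assumption: offer nextnonce this close to expiry


def mint_nonce(now, secret=NONCE_SECRET):
    """nonce = <8 hex digit issue time>:<random>:<HMAC over both>.
    The timestamp is zero-padded so the layout stays fixed width even for
    small values that would otherwise print as fewer than 8 hex digits."""
    ts = f"{int(now):08x}"
    rnd = secrets.token_hex(8)
    tag = hmac.new(secret, f"{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{rnd}:{tag}"


def check_nonce(nonce, now, secret=NONCE_SECRET):
    """Returns (status, nextnonce); status is 'ok', 'stale' or 'invalid'.
    nextnonce is set whenever the client should receive a fresh nonce: with a
    401 and stale=true for 'stale', or in Authentication-Info for an 'ok'
    that is close to expiry."""
    parts = nonce.split(":")
    if len(parts) != 3 or len(parts[0]) != 8:
        return "invalid", None
    ts, rnd, tag = parts
    expected = hmac.new(secret, f"{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "invalid", None            # not minted by this server, or tampered with
    try:
        issued = int(ts, 16)
    except ValueError:
        return "invalid", None
    age = now - issued
    if age < 0 or age > NONCE_TTL:
        return "stale", mint_nonce(now, secret)
    if age > NONCE_TTL - RENEW_BEFORE:
        return "ok", mint_nonce(now, secret)
    return "ok", None


def authentication_info(nextnonce):
    """Value of the Authentication-Info header field carrying the replacement nonce."""
    return f'nextnonce="{nextnonce}"'
```

Checking the HMAC before looking at the timestamp means a forged or tampered nonce is rejected without the server ever computing a digest for it, and a client that honours nextnonce never sees a stale=true round trip.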
lighttpd requires a strict match between the request URI and the uri=
auth-param provided in the Authenticate header. lighttpd does not
attempt to determine if different URIs are semantically equivalent.
This commit removes a condition which permitted an Authenticate header
with a uri= containing a query-string to be used with the request-uri
which did not contain any query-string. The condition was likely added
in the original implementation which operated on lighttpd request.uri
instead of the correct request.orig_uri (original URI sent to lighttpd).
HTTP Digest Access Authentication
https://www.rfc-editor.org/rfc/rfc7616.txt
3.4.6. Various Considerations
The authenticating server MUST assure that the resource designated by
the "uri" parameter is the same as the resource specified in the
Request-Line; if they are not, the server SHOULD return a 400 Bad
Request error. (Since this may be a symptom of an attack, server
implementers may want to consider logging such errors.) The purpose
of duplicating information from the request URL in this field is to
deal with the possibility that an intermediate proxy may alter the
client's Request-Line. This altered (but presumably semantically
equivalent) request would not result in the same digest as that
calculated by the client.
x-ref:
"HTTP Digest Access Authentication"
https://www.rfc-editor.org/rfc/rfc7616.txt
"HTTP digest authentication not compatible with some clients"
https://redmine.lighttpd.net/issues/2974
https://www.rfc-editor.org/rfc/rfc7616.txt
3.3. The WWW-Authenticate Response Header Field
...
For historical reasons, a sender MUST only generate the quoted string
syntax values for the following parameters: realm, domain, nonce,
opaque, and qop.
For historical reasons, a sender MUST NOT generate the quoted string
syntax values for the following parameters: stale and algorithm.
specialized buffer_eq_icase_ssn func replaces strncasecmp()
in cases where string lengths are not known to be at least
as large as the len being compared case-insensitively.
(Separate commit in case any future changes modify the
implementation to be unsafe for shorter strings, where
strncasecmp() would stop at '\0' in either string)
github: closes #99
x-ref:
"cleaner calloc use in SETDEFAULTS_FUNC"
https://github.com/lighttpd/lighttpd1.4/pull/99
(also support Digest algorithm=SHA-512-256 if library support present)
enable additional algorithms by configuring lighttpd.conf auth.require
with new optional keyword "algorithm" => "MD5|SHA-256"
default algorithm remains MD5 if "algorithm" not specified
Tested with: curl --digest -u "user:pass" ... (which supports SHA-256)
x-ref:
"HTTP Digest Access Authentication"
https://tools.ietf.org/html/rfc7616
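
An added example, written for this page and not lighttpd's code, that ties together three of the commits above: the strict uri= versus request-target check from RFC 7616 3.4.6 (the uri= commit), the quoting rules for WWW-Authenticate parameters from RFC 7616 3.3, and response computation with a selectable algorithm (MD5 by default, SHA-256 when the client offers it) for qop=auth. USERS, ALGORITHMS, the parameter order in the challenge and the 400/401 choices are assumptions of the example; nonce validity and nc= are deliberately not checked here.

```python
import hashlib
import hmac
import re

USERS = {("user", "example"): "pass"}                          # constructed credential store
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}   # the "configured" algorithms

_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def www_authenticate(realm, nonce, opaque, algorithm="MD5", stale=False):
    """401 challenge. RFC 7616 3.3: realm, domain, nonce, opaque and qop use the
    quoted-string form; stale and algorithm must not be quoted."""
    params = [f'realm="{realm}"', 'qop="auth"', f'nonce="{nonce}"',
              f'opaque="{opaque}"', f"algorithm={algorithm}"]
    if stale:
        params.append("stale=true")
    return "Digest " + ", ".join(params)


def parse_authorization(header):
    """Digest auth-params as a dict, or None if the scheme is not Digest."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for m in _PARAM.finditer(rest):
        key, quoted, token = m.groups()
        params[key] = quoted if quoted is not None else token
    return params


def _h(algorithm, *fields):
    return ALGORITHMS[algorithm](":".join(fields).encode()).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 7616 3.4.1 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    a1 = _h(algorithm, username, realm, password)
    a2 = _h(algorithm, method, uri)
    return _h(algorithm, a1, nonce, nc, cnonce, "auth", a2)


def build_authorization(algorithm, username, realm, password, method, uri,
                        nonce, cnonce, nc="00000001"):
    """Client side: the Authorization header a compliant client sends."""
    response = digest_response(algorithm, username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}", algorithm={algorithm}')


def check_request(method, request_target, authorization):
    """Server side. Returns the HTTP status to send: 200, 401 or 400."""
    p = parse_authorization(authorization)
    if p is None:
        return 401
    required = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if any(k not in p for k in required) or p["qop"] != "auth":
        return 400
    # RFC 7616 3.4.6: uri= must name the resource from the request line. Compare
    # byte for byte against the request-target as received, query string included:
    # "/protected/" and "/protected/?x=1" are different resources here.
    if p["uri"] != request_target:
        return 400
    algorithm = p.get("algorithm", "MD5")          # MD5 remains the default
    if algorithm not in ALGORITHMS:
        return 400                                 # not among the configured algorithms
    password = USERS.get((p["username"], p["realm"]))
    if password is None:
        return 401
    expected = digest_response(algorithm, p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return 200 if hmac.compare_digest(expected.encode(), p["response"].encode()) else 401
```

Because the method and uri= are hashed into A2, a valid Authorization header for GET /protected/ verifies for nothing else, which is exactly why the server must hold the client to the request-target it actually received rather than to a normalised or rewritten form of it.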
pass (http_auth_require_t *) to mod_auth_send_401_unauthorized_digest()
for configured digest algorithms for 401 Unauthorized
x-ref:
"PVS-Studio Analysis Results"
https://redmine.lighttpd.net/boards/3/topics/8459
http://www.fly-server.ru/pvs-studio/lighttpd/
prefer buffer_append_string_len() when string len is known
(instead of buffer_append_string() which will recalculate strlen)
save 40 bytes (64-bit), or 16 bytes (32-bit) per data_* element
at the cost of going through indirect function pointer to execute
methods. At runtime, the reset() method is most used among them.
x-ref:
"Lighttpd responds with 400 not 401"
https://redmine.lighttpd.net/issues/2906
http_header.[ch]
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
On systems with time prior to Jul 4 1978 21:24:15,
the hex string of the timestamp is fewer than 8 chars.
(thx daveoman)