path: root/src/mod_extforward.c
Commit log; each entry lists the commit message, then (author, date, files changed, lines -removed/+added), followed by the commit body where one exists.
* [build] _WIN32 __declspec(dllexport) *_plugin_init (Glenn Strauss, 2023-05-03, 1 file, -0/+1)
  _WIN32 __declspec(dllexport) on mod_*_plugin_init()
* [core] _WIN32 check WSAGetLastError() w/ sockets (Glenn Strauss, 2023-05-03, 1 file, -1/+10)
  check WSAGetLastError() after socket operations return non-zero
  Notably, MS winsock2 returns WSAEWOULDBLOCK instead of WSAEINPROGRESS for connect() if socket is configured nonblocking
* [mod_extforward] recognize unix domain sockets (fixes #3198) (Glenn Strauss, 2023-04-06, 1 file, -0/+1)
  recognize unix domain sockets starting with '/' in extforward.forwarder before attempting to parse netmask after last '/' in string
  x-ref:
    "Add support for unix domain sockets in extforward.forwarder"
    https://redmine.lighttpd.net/issues/3198
* [mod_extforward] typo in comment (Glenn Strauss, 2023-04-04, 1 file, -1/+1)
* [mod_extforward] manage remote addr per request (fixes #3192) (Glenn Strauss, 2023-02-28, 1 file, -98/+81)
  manage remote addr per request for HTTP/2 requests, rather than remote addr per connection. Modern load balancers often provide options to reuse connections for *different* clients, and therefore mod_extforward might change the remote addr per request.
  x-ref:
    "RFE: mod_extforward and multiplexed requests via HTTP/2"
    https://redmine.lighttpd.net/issues/3192
    "Evaluation of remote_addr for mod_maxminddb for multiplexed connections"
    https://redmine.lighttpd.net/issues/3191
* [multiple] codespell: correct spelling in comments (Glenn Strauss, 2023-01-07, 1 file, -1/+1)
* [multiple] employ ck_calloc, ck_malloc shared code (Glenn Strauss, 2022-12-10, 1 file, -9/+4)
  employ ck_calloc(), ck_malloc() shared code to slightly reduce code size (centralize the ck_assert() to check that memory allocation succeeded)
* [multiple] mark mod_*_plugin_init() funcs cold (Glenn Strauss, 2022-12-07, 1 file, -0/+1)
* [mod_extforward] unix domain socket pedantic chks (Glenn Strauss, 2022-05-07, 1 file, -3/+5)
  unix domain socket pedantic checks when received via HAProxy PROXY protocol (and should already be enabled only from trusted upstreams)
  UNIX_PATH_MAX might be different sizes in some OS, and might not be defined. It is 108 on Linux, but might be 104 on BSD, MacOS, so be a bit more pedantic about checking structure sizes and assigning the path to the sock_addr.
* [mod_extforward] support addtl IPv6 syntax w/ "[]" (Glenn Strauss, 2022-03-30, 1 file, -1/+8)
  support addtl IPv6 syntax w/ "[...]" in extforward.forwarder when used with CIDR masks (n.b. only support "[]" with CIDR masks)
* [mod_extforward] adjust trust check for HTTP/2 (Glenn Strauss, 2022-03-08, 1 file, -5/+11)
  adjust trust check for HTTP/2 streams, as trust is cached at the connection level, but headers and scheme may need to be overwritten per-request
* [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) (povcfe, 2022-01-08, 1 file, -1/+1)
  (thx povcfe)
  (edited: gstrauss)

  There is a potential remote denial of service in lighttpd mod_extforward under specific, non-default and uncommon 32-bit lighttpd mod_extforward configurations.

  Under specific, non-default and uncommon lighttpd mod_extforward configurations, a remote attacker can trigger a 4-byte out-of-bounds write of value '-1' to the stack. This is not believed to be exploitable in any way beyond triggering a crash of the lighttpd server on systems where the lighttpd server has been built 32-bit and with compiler flags which enable a stack canary -- gcc/clang -fstack-protector-strong or -fstack-protector-all, but bug not visible with only -fstack-protector.

  With standard lighttpd builds using -O2 optimization on 64-bit x86_64, this bug has not been observed to cause adverse behavior, even with gcc/clang -fstack-protector-strong.

  For the bug to be reachable, the user must be using a non-default lighttpd configuration which enables mod_extforward and configures mod_extforward to accept and parse the "Forwarded" header from a trusted proxy. At this time, support for RFC7239 Forwarded is not common in CDN providers or popular web server reverse proxies. It bears repeating that for the user to desire to configure lighttpd mod_extforward to accept "Forwarded", the user must also be using a trusted proxy (in front of lighttpd) which understands and actively modifies the "Forwarded" header sent to lighttpd.

  lighttpd natively supports RFC7239 "Forwarded"
  hiawatha natively supports RFC7239 "Forwarded"
  nginx can be manually configured to add a "Forwarded" header
    https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

  A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) in front of another 32-bit lighttpd will detect and reject a malicious "Forwarded" request header, thereby thwarting an attempt to trigger this bug in an upstream 32-bit lighttpd.

  The following servers currently do not natively support RFC7239 Forwarded:
    nginx
    apache2
    caddy
    node.js
    haproxy
    squid
    varnish-cache
    litespeed

  Given the general dearth of support for RFC7239 Forwarded in popular CDNs and web server reverse proxies, and given the prerequisites in lighttpd mod_extforward needed to reach this bug, the number of lighttpd servers vulnerable to this bug is estimated to be vanishingly small. Large systems using reverse proxies are likely running 64-bit lighttpd, which is not known to be adversely affected by this bug.

  In the future, it is desirable for more servers to implement RFC7239 Forwarded. lighttpd developers would like to thank povcfe for reporting this bug so that it can be fixed before more CDNs and web servers implement RFC7239 Forwarded.

  x-ref:
    "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
    https://redmine.lighttpd.net/issues/3134
    (not yet written or published) CVE-2022-22707
* [mod_extforward] support longer PROXY v2 TLV vec (Glenn Strauss, 2022-01-01, 1 file, -0/+1)
  support longer HAProxy PROXY protocol v2 TLV vector (allow up to 2k total for header + TLVs, saved on stack, and expecting <= MTU size (typically 1536 bytes))
* [mod_extforward] keep remote IP thru request reset (Glenn Strauss, 2021-10-12, 1 file, -17/+1)
  preserve remote IP until request reset (historical IP restore in request_done hook was obsoleted by commit fea5bdc8 in which request plugin context was split from connection plugin context, and by much older commits which ensured that request_reset hook was always run)
  x-ref:
    "Remote address behind reverse proxy not logged"
    https://redmine.lighttpd.net/boards/2/topics/10041
* [mod_extforward] HAProxy PROXY env PP2_UNIQUE_ID (Glenn Strauss, 2021-09-08, 1 file, -21/+30)
  propagate PP2_TYPE_UNIQUE_ID into request env as PP2_UNIQUE_ID
* [core] quiet compiler warnings (Glenn Strauss, 2021-09-04, 1 file, -1/+1)
  cast away signedness warning in request_check_hostname()
  mod_gnutls https_add_ssl_client_entries crts allocated if crt_size != 0 (which is already checked earlier in routine)
  report from FaceBook Infer static analysis tool (https://fbinfer.com/)
  - quiet dead store warnings
  - check return != NULL from allocation funcs
* [multiple] inline struct in con->dst_addr_buf (Glenn Strauss, 2021-08-27, 1 file, -13/+14)
  (mod_extforward recently changed to use buffer_move() to save addr instead of swapping pointers)
* [mod_extforward] inline some more data structures (Glenn Strauss, 2021-08-27, 1 file, -59/+34)
* [multiple] buffer_copy_string_len_lc() (Glenn Strauss, 2021-08-27, 1 file, -3/+2)
  convenience wrapper combining buffer_copy_string_len() buffer_to_lower() and making a single pass over string
* [core] lowercase r->http_host, r->uri.authority (Glenn Strauss, 2021-08-27, 1 file, -0/+1)
  always lowercase r->http_host, r->uri.authority for consistency
* [multiple] reduce redundant NULL buffer checks (Glenn Strauss, 2021-08-27, 1 file, -23/+22)
  This commit is a large set of code changes and results in removal of hundreds, perhaps thousands, of CPU instructions, a portion of which are on hot code paths.

  Most (buffer *) used by lighttpd are not NULL, especially since buffers were inlined into numerous larger structs such as request_st and chunk. In the small number of instances where that is not the case, a NULL check is often performed earlier in a function where that buffer is later used with a buffer_* func. In the handful of cases that remained, a NULL check was added, e.g. with r->http_host and r->conf.server_tag.

  - check for empty strings at config time and set value to NULL if blank string will be ignored at runtime; at runtime, simple pointer check for NULL can be used to check for a value that has been set and is not blank ("")
  - use buffer_is_blank() instead of buffer_string_is_empty(), and use buffer_is_unset() instead of buffer_is_empty(), where buffer is known not to be NULL so that NULL check can be skipped
  - use buffer_clen() instead of buffer_string_length() when buffer is known not to be NULL (to avoid NULL check at runtime)
  - use buffer_truncate() instead of buffer_string_set_length() to truncate string, and use buffer_extend() to extend

  Examples where buffer known not to be NULL:
  - cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL (though we might set it to NULL if buffer_is_blank(cpv->v.b))
  - address of buffer is arg (&foo) (compiler optimizer detects this in most, but not all, cases)
  - buffer is checked for NULL earlier in func
  - buffer is accessed in same scope without a NULL check (e.g. b->ptr)

  internal behavior change: callers must not pass a NULL buffer to some funcs.
  - buffer_init_buffer() requires non-null args
  - buffer_copy_buffer() requires non-null args
  - buffer_append_string_buffer() requires non-null args
  - buffer_string_space() requires non-null arg
* [core] adjust r->http_host ptr caching (Glenn Strauss, 2021-05-10, 1 file, -5/+10)
  faster to use http_header_request_set_ptr() and buffer_copy_string_len() than to use http_header_request_set() and http_header_request_get()
  check r->http_host for NULL instead of relying on buffer_copy_* to do so
* [mod_extforward] shared mod_extforward_bad_request (Glenn Strauss, 2021-05-06, 1 file, -28/+16)
* [multiple] http_header APIs to reduce str copies (Glenn Strauss, 2021-03-26, 1 file, -3/+3)
* [multiple] add attrs from gcc -Wsuggest-attribute= (Glenn Strauss, 2021-03-26, 1 file, -0/+3)
* [multiple] replace buffer_is_equal_caseless_string (Glenn Strauss, 2021-01-07, 1 file, -1/+1)
  buffer_is_equal_caseless_string() -> buffer_eq_icase_slen()
* [multiple] use HTTP_HEADER_* enum before strcmp (Glenn Strauss, 2021-01-07, 1 file, -1/+1)
  When known, use HTTP_HEADER_* enum before string comparisons
* [mod_extforward] fix extforward.headers defaults (fixes #3051) (Glenn Strauss, 2021-01-07, 1 file, -0/+4)
  (thx glen)
  Regression in lighttpd 1.4.56 - 1.4.58 when extforward.headers is not set in lighttpd.conf.
  Workaround: extforward.headers = ("X-Forwarded-For") (or appropriate value depending on header sent by upstream proxy)
  x-ref:
    "mod_extforward regression 1.4.56"
    https://redmine.lighttpd.net/issues/3051
* [mod_extforward] config warning for module order (Glenn Strauss, 2021-01-06, 1 file, -0/+1)
  expand config warning for module load order to include other TLS modules
* [multiple] replace fall through comment with attr (Glenn Strauss, 2020-12-16, 1 file, -1/+1)
  replace /* fall through */ comment with __attribute_fallthrough__ macro
  Note: not adding attribute to code with external origins:
    xxhash.h (algo_xxhash.h)
    ls-hpack/lshpack.c
  so to avoid warnings, may need to compile with -Wno-implicit-fallthrough
* [multiple] more forgiving config str to boolean (fixes #3036) (Glenn Strauss, 2020-11-16, 1 file, -18/+5)
  more consistent use of shared code config_plugin_value_tobool()
  (thx tow-conf)
  x-ref:
    "The on/off keywords in boolean configuration options is inconsistent, which might be misleading and error-prone."
    https://redmine.lighttpd.net/issues/3036
* [multiple] use light_btst() for hdr existence chk (Glenn Strauss, 2020-10-11, 1 file, -1/+1)
* [multiple] use sock_addr_get_family in more places (Glenn Strauss, 2020-10-11, 1 file, -2/+2)
* [core] extend (data_string *) to store header id (Glenn Strauss, 2020-10-11, 1 file, -2/+12)
  (optional addition to (data_string *), used by http_header.[ch])
  extend (data_string *) instead of creating another data_* TYPE_* (new data type would probably have (data_string *) as base class) (might revisit choice in the future)

  HTTP_HEADER_UNSPECIFIED has been removed. It was used in select locations as an optimization to avoid looking up enum header_header_e before checking the array, but the ordering in the array now relies on having the id. Having the id allows for a quick check if a common header is present or not in the htags bitmask, before checking the array, and allows for integer comparison in the log(n) search of the array, instead of strncasecmp().

  With HTTP_HEADER_UNSPECIFIED removed, add optimization to set bit in htags for HTTP_HEADER_OTHER when an "other" header is added, but do not clear the bit, as there might be addtl "other" headers
* [mod_extforward] preserve changed addr for h2 con (Glenn Strauss, 2020-10-03, 1 file, -9/+20)
  Preserve changed addr for lifetime of h2 connection; upstream proxy should not reuse same h2 connection for requests from different clients
* [mod_extforward] skip after HANDLER_COMEBACK (Glenn Strauss, 2020-08-13, 1 file, -2/+20)
  do not re-run mod_extforward uri handler after HANDLER_COMEBACK
  add some additional comments
* [mod_extforward] save proto per connection (Glenn Strauss, 2020-08-13, 1 file, -3/+3)
  Even though request headers are per-request, update the proto on the connection level for trusted (proxy) clients. Note: the proxy must use each connection only for a single connection from a single client (typically true in practice), and not for multiple clients.

  proto was previously saved on connection level for mod_extforward with HAProxy PROXY protocol, but did not occur with X-Forwarded-Proto or the Forwarded request header with proto=...

  Before this change, modules which returned HANDLER_COMEBACK could lose HTTPS=on if the resulting request was for a backend such as mod_fastcgi. This was reported in mod_rewrite, but could also affect mod_magnet if MAGNET_RESTART_REQUEST, or mod_cgi with cgi.local-redir = "enable"

  x-ref:
    "FastCGI behavior different when using rewrite?"
    https://redmine.lighttpd.net/boards/2/topics/9293
* [mod_extforward] attempt to quiet Coverity warning (Glenn Strauss, 2020-08-02, 1 file, -0/+2)
* [multiple] rename connection_reset hook to request (Glenn Strauss, 2020-08-02, 1 file, -1/+1)
  rename connection_reset to handle_request_reset
* [multiple] con hooks store ctx in con->plugin_ctx (Glenn Strauss, 2020-08-02, 1 file, -15/+13)
  modules with connection level hooks now store ctx in con->plugin_ctx
* quiet clang analyzer scan-build warnings (Glenn Strauss, 2020-07-08, 1 file, -1/+2)
  (expansion of buffer_string_length() inline function and CONST_BUF_LEN() macro, which always check for NULL, appears to cause the analyzer to believe that a pointer might be NULL in cases where it otherwise can not be NULL)
  x-ref:
    http://clang-analyzer.llvm.org/faq.html
* [mod_nss] NSS option for TLS (fixes #1218) (Glenn Strauss, 2020-07-08, 1 file, -0/+1)
  (experimental)
  WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED
  mod_nss supports most ssl.* config options supported by mod_openssl
  x-ref:
    "alternate ssl backend"
    https://redmine.lighttpd.net/issues/1218
* [mod_extforward] config warning for module order (Glenn Strauss, 2020-07-08, 1 file, -3/+6)
  expand config warning for module load order to include other TLS modules
* [multiple] add summaries to top of some modules (Glenn Strauss, 2020-07-08, 1 file, -0/+6)
* [core] stricter parse of numerical digits (Glenn Strauss, 2020-07-08, 1 file, -7/+20)
  stricter parse of numerical digits for http status code, port num, and a few other places. (stricter parse than that of strtol())
  content ranges are still parsed more loosely at points of use
* [multiple] correct misspellings in comments (Glenn Strauss, 2020-07-08, 1 file, -1/+1)
  x-ref:
    "Script for fixing spelling errors with codespell"
    https://redmine.lighttpd.net/boards/3/topics/8947
* [multiple] split con, request (very large change) (Glenn Strauss, 2020-07-08, 1 file, -104/+115)
  NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

  NB: request read and write chunkqueues currently point to connection chunkqueues; per-request and per-connection chunkqueues are not distinct from one another
    con->read_queue == r->read_queue
    con->write_queue == r->write_queue

  NB: in the future, a separate connection config may be needed for connection-level module hooks. Similarly, might need to have per-request chunkqueues separate from per-connection chunkqueues. Should probably also have a request_reset() which is distinct from connection_reset().
* [core] store subrequest_handler instead of mode (Glenn Strauss, 2020-07-08, 1 file, -7/+7)
  store pointer to module in handler_module instead of con->mode id
* [core] move plugin_ctx into (request_st *) (Glenn Strauss, 2020-07-08, 1 file, -10/+10)
  NB: in the future, a separate plugin_ctx may be needed for connection-level plugins to keep state across multiple requests
* [multiple] con->proto_default_port (Glenn Strauss, 2020-07-08, 1 file, -3/+5)