path: root/src/t/test_burl.c
Commit message | Author | Age | Files | Lines
* [core] "url-invalid-utf8-reject" normalization opt | Glenn Strauss | 2022-05-24 | 1 | -1/+8
    server.http-parseopts "url-invalid-utf8-reject" url normalization option
    default: "url-invalid-utf8-reject" => "enable"
* [tests] combine tests into test_common.c | Glenn Strauss | 2021-11-17 | 1 | -3/+4
    combine common components tests into test_common.c
    combine into a single executable to reduce compilation/link redundancy
* quiet clang analyzer scan-build warnings | Glenn Strauss | 2020-07-08 | 1 | -0/+1
    (expansion of buffer_string_length() inline function and CONST_BUF_LEN() macro, which always check for NULL, appears to cause the analyzer to believe that a pointer might be NULL in cases where it otherwise can not be NULL)
    x-ref: http://clang-analyzer.llvm.org/faq.html
* [tests] use buffer_eq_slen() for str comparison | Glenn Strauss | 2020-07-08 | 1 | -1/+1
    (substitute buffer_eq_slen() for buffer_is_equal_string())
* [core] preserve %2b and %2B in query string (fixes #2999) | Glenn Strauss | 2020-01-26 | 1 | -0/+2
    normalize %2b or %2B in query string to %2B (uppercase hex), and not to '+' (thx int-e)
    x-ref: "url-normalize-required expands %2B in query strings" https://redmine.lighttpd.net/issues/2999
* [core] remove repeated slashes in http-parseopts | Glenn Strauss | 2019-04-15 | 1 | -0/+4
    remove repeated slashes in server.http-parseopts with url-path-dotseg-remove, including leading "//" (prior to this patch, leading "//" was skipped)
* [core] fix abort in http-parseopts (fixes #2945) | Glenn Strauss | 2019-04-10 | 1 | -0/+2
    fix abort in server.http-parseopts with url-path-2f-decode enabled (thx stze)
    x-ref: "Security - SIGABRT during GET request handling with url-path-2f-decode enabled" https://redmine.lighttpd.net/issues/2945
* [core] reject decoded url-path without leading '/' | Glenn Strauss | 2018-11-25 | 1 | -0/+1
    buffer_simplify_path() no longer prepends '/' if '/' is missing. Callers must check for leading '/' depending on use, such as in concatenation with other paths, or direct use accessing the filesystem.

    Note: lighttpd 1.4.50 provides the server.http-parseopts directive. Recommended settings unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )

    x-ref: https://digi.ninja/blog/lighttpd_rewrite_bypass.php

    As noted in the link above, mod_access should be preferred instead of mod_rewrite for access controls to URLs.
* [core] server.http-parseopts URL normalization opt (fixes #1720) | Glenn Strauss | 2018-08-12 | 1 | -0/+142
    server.http-parseopts = ( ... ) URL normalization options

    Note: *not applied* to CONNECT method

    Note: In a future release, URL normalization likely enabled by default (normalize URL, reject control chars, remove . and .. path segments)

    To prepare for this change, lighttpd.conf configurations should explicitly select desired behavior by enabling or disabling:

      server.http-parseopts = ( "url-normalize" => "enable", ... )
      server.http-parseopts = ( "url-normalize" => "disable" )

    x-ref: "lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data." https://www.cvedetails.com/cve/CVE-2008-4359/
    "Rewrite/redirect rules and URL encoding" https://redmine.lighttpd.net/issues/1720