From fcf0dc3e336a5d62c58036cdb8fc9f4c099b178e Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Wed, 23 Nov 2022 10:45:05 -0500 Subject: [multiple] remove deprecated modules remove deprecated modules: mod_evasive mod_secdownload mod_uploadprogress mod_usertrack These scheduled lighttpd behavior changes have been announced over the past year: * Continue gradual deprecation of "mini-application" lighttpd modules for which mod_magnet lua implementations are better and more flexible. Please post on lighttpd forums to share feedback if you use these modules. Forums: https://redmine.lighttpd.net/projects/lighttpd/boards * Deprecated: mod_evasive has been removed. mod_evasive can be replaced by mod_magnet and a few lines of lua: Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security * Deprecated: mod_secdownload has been removed. mod_secdownload can be replaced by mod_magnet and a few lines of lua: Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available * Deprecated: mod_uploadprogress has been removed. mod_uploadprogress can be replaced by mod_magnet and a few lines of lua: Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress * Deprecated: mod_usertrack has been removed. mod_usertrack can be replaced by mod_magnet and a few lines of lua: Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack mod_usertrack historically uses insecure MD5.
---
 tests/request.t | 192 +------------------------------------------------------- 1 file changed, 1 insertion(+), 191 deletions(-) (limited to 'tests/request.t')
diff --git a/tests/request.t b/tests/request.t
index b25f4f96..3fdb1ab6 100755
--- a/tests/request.t
+++ b/tests/request.t
@@ -8,7 +8,7 @@ BEGIN {
 use strict;
 use IO::Socket;
-use Test::More tests => 178;
+use Test::More tests => 164;
 use LightyTest;
 my $tf = LightyTest->new();
@@ -1592,196 +1592,6 @@ ok($tf_proxy->stop_proc == 0, "Stopping lighttpd proxy"); } while (0); -## mod_secdownload - -use Digest::MD5 qw(md5_hex); -use Digest::SHA qw(hmac_sha1 hmac_sha256); -use MIME::Base64 qw(encode_base64url); - -my $secret = "verysecret"; -my ($f, $thex, $m); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; - -ok($tf->handle_http($t) == 0, 'skipping secdownload - direct access'); - -## MD5 -$f = "/index.html"; -$thex = sprintf("%08x", time); -$m = md5_hex($secret.$f.$thex); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload (md5)'); - -$thex = sprintf("%08x", time - 1800); -$m = md5_hex($secret.$f.$thex); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (md5)'); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - direct access (md5)'); - -$f = "/noexists"; -$thex = sprintf("%08x", time); -$m = md5_hex($secret.$f.$thex); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - timeout (md5)'); - - -if (!$tf->has_crypto()) { - - for (1..4) { ok(1, "secdownload (hmac-sha1) (skipped) - (missing SSL support)"); } - for (1..5) { ok(1, "secdownload (hmac-sha256) (skipped) - (missing SSL support)"); } - -} -else { - -## HMAC-SHA1 -$f = "/index.html"; -$thex = sprintf("%08x", time); -$m = encode_base64url(hmac_sha1("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha1)'); - -$thex = sprintf("%08x", time - 1800); -$m = encode_base64url(hmac_sha1("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 
'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha1)'); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha1)'); - - -$f = "/noexists"; -$thex = sprintf("%08x", time); -$m = encode_base64url(hmac_sha1("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha1)'); - -## HMAC-SHA256 -$f = "/index.html"; -$thex = sprintf("%08x", time); -$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha256)'); - -## HMAC-SHA256 -$f = "/index.html?qs=1"; -$thex = sprintf("%08x", time); -$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha256) with hash-querystr'); - -$thex = sprintf("%08x", time - 1800); -$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha256)'); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha256)'); - - -$f = "/noexists"; -$thex = sprintf("%08x", time); -$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); - -$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; - -ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha256)'); - -} # SKIP if lighttpd built without crypto algorithms (e.g. 
without openssl) - - ## mod_setenv $t->{REQUEST} = ( <