Age | Commit message | Author |
|
Fix by Rivo Nurges, fixes a problem with Atlassian JIRA
OK benno@
|
|
Make sure that the beginning of a new request starts with an
alphabetic character. This is a quick way to detect non-ASCII
requests (eg. TLS on port 80). The full validation of the request
method is done once the input line is read.
Make sure that non-terminated lines do not exceed the
SERVER_MAXHEADERLENGTH which is 8k. As the current read watermark is
set to 64k, this means that the limit check is triggered after max.
64k of input, depending on the TCP read buffer.
OK benno@ jsing@
|
|
Tested & OK jung@
|
|
The previous implementation loaded all the output into a single output
buffer and used its size to determine the Content-Length of the body.
The new implementation calculates the body length first and writes the
individual ranges in an async way using the bufferevent mechanism.
This prevents httpd from using too much memory and applies the
watermark and throttling mechanisms to range requests.
Problem reported by Pierre Kim (pierre.kim.sec at gmail.com)
OK benno@ sunil@
|
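The range-request rework above sizes the multipart body up front and then streams the parts. The following is an added illustration, not httpd(8)'s implementation: the part-header layout, the boundary string and the Content-Type are assumptions, and the caller buffer stands in for bufferevent writes. The point it demonstrates is that the same formatter sizes the body and later emits it, so Content-Length can be sent before any range data is written and the ranges never have to be concatenated into one large output buffer.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not httpd(8) code; layout and names are assumptions. */
struct byterange {
	off_t start, end;	/* inclusive, assumed already validated */
};

/* Header block in front of one part; snprintf-style return, so
 * (NULL, 0) yields the size without writing anything. */
static int
format_part_header(char *dst, size_t dstsz, const char *boundary,
    const char *ctype, const struct byterange *r, off_t filesize)
{
	return snprintf(dst, dstsz,
	    "\r\n--%s\r\nContent-Type: %s\r\n"
	    "Content-Range: bytes %lld-%lld/%lld\r\n\r\n",
	    boundary, ctype, (long long)r->start, (long long)r->end,
	    (long long)filesize);
}

static int
format_closing(char *dst, size_t dstsz, const char *boundary)
{
	return snprintf(dst, dstsz, "\r\n--%s--\r\n", boundary);
}

/* Content-Length of the whole body, computed before any part is written. */
off_t
multipart_body_length(const char *boundary, const char *ctype,
    const struct byterange *ranges, size_t nranges, off_t filesize)
{
	off_t total = 0;
	size_t i;

	for (i = 0; i < nranges; i++) {
		total += format_part_header(NULL, 0, boundary, ctype,
		    &ranges[i], filesize);
		total += ranges[i].end - ranges[i].start + 1;
	}
	total += format_closing(NULL, 0, boundary);
	return total;
}

/* Emit the body piece by piece into dst (stand-in for async writes).
 * Returns bytes written, which must equal multipart_body_length();
 * 0 means dst was too small. */
size_t
multipart_body_write(char *dst, size_t dstsz, const char *boundary,
    const char *ctype, const unsigned char *file, off_t filesize,
    const struct byterange *ranges, size_t nranges)
{
	size_t out = 0, i, len;
	int n;

	for (i = 0; i < nranges; i++) {
		n = format_part_header(dst + out, dstsz - out, boundary, ctype,
		    &ranges[i], filesize);
		if (n < 0 || (size_t)n >= dstsz - out)
			return 0;
		out += (size_t)n;
		len = (size_t)(ranges[i].end - ranges[i].start + 1);
		if (len > dstsz - out)
			return 0;
		memcpy(dst + out, file + ranges[i].start, len);
		out += len;
	}
	n = format_closing(dst + out, dstsz - out, boundary);
	if (n < 0 || (size_t)n >= dstsz - out)
		return 0;
	return out + (size_t)n;
}

/* Sample run over a constructed 20-byte file with two ranges. */
const char *
demo_multipart(void)
{
	static char body[512];
	static const unsigned char file[] = "0123456789abcdefghij";
	static const struct byterange ranges[] = { { 0, 4 }, { 10, 14 } };
	size_t n = multipart_body_write(body, sizeof body, "XYZ", "text/plain",
	    file, 20, ranges, 2);

	body[n] = '\0';
	return body;
}
```

Because `multipart_body_length()` and `multipart_body_write()` share `format_part_header()` and `format_closing()`, the announced Content-Length cannot drift from the bytes actually sent, which is what makes it safe to send the header first and write the parts later under the normal watermark and throttling logic.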
|
Introduce a new variable clt_headersdone in the async HTTP parser.
OK sunil@ benno@
|
|
ok reyk@
|
|
specification does not define any use for such a payload, future
extensions to HTTP might use the OPTIONS body to make more detailed
queries about the target resource." The future has arrived.
Found and tested by Michael Lechtermann
OK benno@
|
|
requests lacking "HTTP/<version>".
This makes it more obvious that httpd(8) does not attempt to support
HTTP v0.9 (circa 1991), when "GET <url>\r\n" was valid.
ok millert@ florian@
|
|
from Hiltjo Posthuma
"do." deraadt
|
|
Pointed out and diff by dhill, thanks!
Tweaks and same change for error documents by me.
|
|
|
|
to distinguish between http and https requests.
OK florian@ reyk@ a while ago
|
|
|
|
From Jan Schreiber
|
|
Ok gilles@, reyk@
|
|
From Michael McConville
|
|
srv_conf->auth in serverconfig_free() because it was not allocated in
config_getserver() but assigned as a reference by id from a global
list that is maintained independently. This fixes a potential
double-free. This fix also makes srv_conf->auth "const" to emphasize
that the read-only auth pointer was not allocated here.
OK jsing@
|
|
handling the HTTP methods in server_http.c which resulted in a 405
method not allowed error when trying to use it.
Fix by jaminh on github
|
|
of u_intN_t) and replace u_int with unsigned int. Mixing both
variants is a bad style and most contributors seem to prefer this
style; it also helps us to get used to it, portability, and
standardization.
Theoretically no binary change, except one in practice: httpd.o has a
different checksum because gcc with -O2 pads/optimizes "struct
privsep" differently when using "unsigned int" instead "u_int" for the
affected members. "u_int" is just a typedef of "unsigned int", -O0
doesn't build the difference and clang with -O2 doesn't do it either -
it is just another curiosity from gcc-land.
OK semarie@
|
|
Strict-Transport-Security headers. Add __format__ attribute to
kv_set() and kv_setkey() to make it easier to spot such problems.
Found by and fix from Donovan Watteau <tsoomi -AT- gmail -DOT- com>,
thanks for your help.
ok deraadt@
|
|
we need more care to find a proper fix for the fastcgi headers.
acknowledged by deraadt@
|
|
parse it. Otherwise http headers can leak into the body.
Pointed out by Jean-Philippe Ouellet on bugs@ Thanks!
OK reyk, commit ASAP deraadt@
|
|
The diff corrects this problem by using VIS_DQ.
ok reyk@ florian@
|
|
OK florian@
|
|
eg. default type text/html.
OK florian@
|
|
Input & OK reyk
|
|
|
|
OK benno@
|
|
This makes the output more readable and matches Apache's log encoding.
OK sthen@ brynet@
|
|
default and only setting it to 0 on success, we don't have to set it
in each error case. While here, also remove two superfluous NULL
checks (as pointed out by semarie).
OK semarie@
|
|
an attacker to push arbitrary characters into logs (newline for forging entries,
or control escapes interpreted by a terminal emulator).
OK reyk@
|
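The commits above (control characters in log entries, and the switch to an Apache-style log encoding) describe the same control: escape the client-supplied request before it reaches the log. The following is an added example and not httpd(8)'s vis(3)-based code; the exact output format is an assumption modelled on Apache's encoding. Printable ASCII passes through, backslash and double quote are escaped, CR, LF and TAB get C escapes, and every other byte (controls, DEL, anything at or above 0x80) becomes `\xNN`, so a client can neither terminate an entry early with a newline nor plant an ESC sequence that a terminal executes when someone tails the log.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not httpd(8) code; output format is an assumption.
 * Returns the bytes needed (snprintf-style) so truncation is detectable. */
size_t
log_escape(char *dst, size_t dstsz, const unsigned char *src, size_t srclen)
{
	size_t out = 0, written = 0, i;
	char tmp[8];

	for (i = 0; i < srclen; i++) {
		unsigned char c = src[i];
		size_t n;

		switch (c) {
		case '\\': memcpy(tmp, "\\\\", 2); n = 2; break;
		case '"':  memcpy(tmp, "\\\"", 2); n = 2; break;
		case '\n': memcpy(tmp, "\\n", 2);  n = 2; break;
		case '\r': memcpy(tmp, "\\r", 2);  n = 2; break;
		case '\t': memcpy(tmp, "\\t", 2);  n = 2; break;
		default:
			if (c < 0x20 || c >= 0x7f) {
				/* ESC (0x1b), NUL, DEL, non-ASCII: hex-escape */
				snprintf(tmp, sizeof tmp, "\\x%02x", c);
				n = 4;
			} else {
				tmp[0] = (char)c;
				n = 1;
			}
		}
		/* Copy an escape only if it fits whole; never emit a partial one. */
		if (dstsz > 0 && out + n < dstsz) {
			memcpy(dst + out, tmp, n);
			written = out + n;
		}
		out += n;
	}
	if (dstsz > 0)
		dst[written] = '\0';
	return out;
}

/* The quoted request field of a log line, from a NUL-terminated sample
 * (static buffer, for illustration only). */
const char *
log_request_field(const char *request)
{
	static char buf[256];
	char esc[200];

	log_escape(esc, sizeof esc, (const unsigned char *)request,
	    strlen(request));
	snprintf(buf, sizeof buf, "\"%s\"", esc);
	return buf;
}
```

A request line carrying an ANSI colour sequence and a trailing newline, for instance, comes out as `"GET /\x1b[31m HTTP/1.0\n"`, one line of plain ASCII that a log parser can split on the real newline again.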
|
ok reyk@
|
|
With important help on the pattern matcher from semarie@
OK semarie@
|
|
$REMOTE_USER before using them in the Location.
From Sebastien Marie (semarie)
|
|
elements from the user input and not the constants from the
configuration. This makes it possible to specify chars like '?' in
the uri.
OK Sebastien Marie
|
|
constructing the Content-Length header field. Should fix some, but probably
not all, problems with serving files bigger than 2G on 32-bit architectures.
ok reyk@, florian@
|
|
From Sunil Nimmagadda <sunil At nimmagadda DOT net>
OK benno@
|
|
newlines which could lead to http response splitting/smuggling
if a badly behaved proxy is in front of httpd.
Switch from evbuffer_readline() to evbuffer_readln() with
EVBUFFER_EOL_CRLF_STRICT to avoid this.
ok florian@
|
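Three of the commits on this page tighten how the request line is read: the first byte must be alphabetic and an unterminated line may not grow past SERVER_MAXHEADERLENGTH (8k); a request without "HTTP/<version>" (HTTP/0.9 style) is rejected; and only a strict CRLF ends a line, so a proxy that forwards a bare LF cannot split one request into two. The following is an added example that folds those checks into one function. It is not httpd(8)'s code: the 8k limit mirrors the commit, but the names, return codes and the way the checks are ordered are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not httpd(8) code.  8k follows SERVER_MAXHEADERLENGTH;
 * everything else here is an assumption. */
#define MAX_HEADER_LENGTH 8192

enum reqline_status {
	REQLINE_OK = 0,
	REQLINE_NEED_MORE,	/* no CRLF yet, and still under the limit */
	REQLINE_NOT_HTTP,	/* first byte not alphabetic (e.g. a TLS record) */
	REQLINE_TOO_LONG,	/* unterminated or oversized line */
	REQLINE_BAD_EOL,	/* bare CR or LF inside the line */
	REQLINE_NO_VERSION	/* "GET /" without "HTTP/<version>" (HTTP/0.9) */
};

/*
 * Look at the start of the client's input and locate the request line.
 * Only "\r\n" terminates it (what EVBUFFER_EOL_CRLF_STRICT gives you),
 * so a bare "\n" never ends a line.  On REQLINE_OK, *linelen (if
 * non-NULL) receives the line length without the CRLF.
 */
enum reqline_status
check_request_line(const unsigned char *buf, size_t len, size_t *linelen)
{
	const unsigned char *eol = NULL, *sp, *sp2;
	size_t i, n, rest;

	if (len == 0)
		return REQLINE_NEED_MORE;

	/* Cheap non-HTTP detection: a method is an alphabetic token, a TLS
	 * ClientHello begins with 0x16.  Full method validation comes later. */
	if (!isalpha(buf[0]))
		return REQLINE_NOT_HTTP;

	for (i = 0; i + 1 < len; i++) {
		if (buf[i] == '\r' && buf[i + 1] == '\n') {
			eol = buf + i;
			break;
		}
	}
	/* Never buffer an unbounded amount while waiting for a terminator. */
	if (eol == NULL)
		return len > MAX_HEADER_LENGTH ? REQLINE_TOO_LONG : REQLINE_NEED_MORE;

	n = (size_t)(eol - buf);
	if (n > MAX_HEADER_LENGTH)
		return REQLINE_TOO_LONG;
	if (memchr(buf, '\n', n) != NULL || memchr(buf, '\r', n) != NULL)
		return REQLINE_BAD_EOL;

	/* Require "<method> <target> HTTP/<version>"; HTTP/0.9 is not served. */
	if ((sp = memchr(buf, ' ', n)) == NULL)
		return REQLINE_NO_VERSION;
	rest = n - (size_t)(sp + 1 - buf);
	if ((sp2 = memchr(sp + 1, ' ', rest)) == NULL)
		return REQLINE_NO_VERSION;
	rest = n - (size_t)(sp2 + 1 - buf);
	if (rest < 6 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
		return REQLINE_NO_VERSION;

	if (linelen != NULL)
		*linelen = n;
	return REQLINE_OK;
}

/* Convenience for NUL-terminated samples: the request-line length on
 * success, or the negated status otherwise. */
long
request_line_length(const char *raw)
{
	size_t n = 0;
	enum reqline_status st =
	    check_request_line((const unsigned char *)raw, strlen(raw), &n);

	return st == REQLINE_OK ? (long)n : -(long)st;
}

/* Status after n bytes of 'A' with no terminator, simulating a client
 * that keeps sending without ever finishing the line. */
enum reqline_status
check_unterminated(size_t n)
{
	unsigned char *p = malloc(n);
	enum reqline_status st;

	if (p == NULL)
		return REQLINE_TOO_LONG;
	memset(p, 'A', n);
	st = check_request_line(p, n, NULL);
	free(p);
	return st;
}
```

The bare-LF case is the one worth noting: "GET / HTTP/1.1\nHost: x\r\n" is one line up to the CRLF, and the embedded "\n" then fails the line, rather than being treated as the end of a first request with "Host: x" becoming the start of a second one.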
|
I fscked up the testing, sorry!
Found the hard way by jsg@
|
|
Pointed out by Regis Leroy (regis.leroy AT makina-corpus DOT com),
thanks!
Tweak and OK reyk@
|
|
block return 301 "http://www.example.com/$REQUEST_URI"
OK tedu@ florian@
|
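Two commits above concern the same rule for redirect targets such as `block return 301 "http://www.example.com/$REQUEST_URI"`: the values substituted for $REQUEST_URI and $REMOTE_USER are URL-encoded, while characters written literally in the configuration (a '?' for example) are left alone. The following is an added example of that expansion and not httpd(8)'s own macro code. Its encoding rule is an assumption: RFC 3986 unreserved characters and '/' pass through so a path stays a path; space, CR, LF, '?', '#', '&', '%' and non-ASCII bytes are %XX-encoded, so a crafted request cannot add a header line or a query string to the Location header.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not httpd(8) code; encoding rule and names are assumptions. */

/* Append n bytes, copying only what fits; *out always advances so the
 * caller learns the full size (snprintf-style). */
static void
emit(char *dst, size_t dstsz, size_t *out, const char *s, size_t n)
{
	if (dstsz > 0 && *out < dstsz - 1) {
		size_t room = dstsz - 1 - *out;
		memcpy(dst + *out, s, n < room ? n : room);
	}
	*out += n;
}

/* Percent-encode everything except unreserved characters and '/'. */
static void
emit_url_encoded(char *dst, size_t dstsz, size_t *out, const char *src)
{
	char tmp[4];

	for (; *src != '\0'; src++) {
		unsigned char c = (unsigned char)*src;

		if (isalnum(c) || strchr("-._~/", c) != NULL) {
			tmp[0] = (char)c;
			emit(dst, dstsz, out, tmp, 1);
		} else {
			snprintf(tmp, sizeof tmp, "%%%02X", c);
			emit(dst, dstsz, out, tmp, 3);
		}
	}
}

/*
 * Expand $REQUEST_URI and $REMOTE_USER in a configured target.  Only the
 * substituted values are encoded; template characters are copied as-is.
 * Returns the bytes needed; dst is NUL-terminated whenever dstsz > 0.
 * request_uri and remote_user must be non-NULL (pass "" when unset).
 */
size_t
expand_location(char *dst, size_t dstsz, const char *tmpl,
    const char *request_uri, const char *remote_user)
{
	size_t out = 0;

	while (*tmpl != '\0') {
		if (strncmp(tmpl, "$REQUEST_URI", 12) == 0) {
			emit_url_encoded(dst, dstsz, &out, request_uri);
			tmpl += 12;
		} else if (strncmp(tmpl, "$REMOTE_USER", 12) == 0) {
			emit_url_encoded(dst, dstsz, &out, remote_user);
			tmpl += 12;
		} else {
			emit(dst, dstsz, &out, tmpl, 1);	/* configured literal */
			tmpl++;
		}
	}
	if (dstsz > 0)
		dst[out < dstsz - 1 ? out : dstsz - 1] = '\0';
	return out;
}

/* Static-buffer wrapper, for illustration only. */
const char *
location_for(const char *tmpl, const char *request_uri, const char *remote_user)
{
	static char buf[1024];

	expand_location(buf, sizeof buf, tmpl, request_uri, remote_user);
	return buf;
}
```

With the template "http://www.example.com$REQUEST_URI?from=$REMOTE_USER" and a request target of "/a b\r\nSet-Cookie: x", the CRLF and colon end up as %0D%0A and %3A inside the path, while the '?' that the administrator wrote into the configuration is still a real query separator.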
|
|
|
|
|
OK florian@
|
|
Reported and tested by Markus Bergkvist
OK florian@
|
|
|
|
needed by its ancestor. jsg@, include-what-you-use, and some manual
review helped to cleanup the headers (take iwyu with a grain of salt).
Based on common practice, httpd.h now also includes the necessary
headers for itself.
OK florian@
|
|
Pointed out by, tweak & OK reyk@
|
|
OK reyk@
|
|
OK florian@
|