Age | Commit message | Author |
|
ok florian
|
|
ok claudio
|
|
Patch from Ben Fuller <ben -AT- bvnf -DOT- space>,
helped along by florian@
ok florian@ and some mumblings from claudio who does not want okays in httpd.
|
|
|
|
They both are only used as struct http_descriptor.
OK tb@
|
|
file and other cases. Especially when the session uses keep-alive it is
important to set TOREAD_HTTP_HEADER so that the state machine knows what's
next.
OK op@
|
|
namelist and its entries are not freed if escape_html fails or if we
fail in the inner loop. Move scandir later so it's closer to the for
loop and handle escape_html and url_encode failures.
With lots of help from tb, thanks!
ok tb@
|
|
tweak/ok tb@
|
|
OK op@
|
|
body so server_fcgi_error shouldn't print the end marker.
OK claudio@
|
|
disconnection from the fastcgi application via server_file_error which
assumes that the reply was completely done. However, if the fastcgi
reply wasn't complete (e.g. because slowcgi hit the timeout) the HTTP
clients are left "hanging" and waiting for a reply until they give up.
This adds a server_fcgi_error callback to handle the "no headers" and
"incomplete data" cases and properly close the reply before falling back
to server_file_error.
OK claudio@
|
|
|
|
sure it is a regular file. Use the timestamp of the non-gzip file as
the last-modified timestamp, as proposed by claudio.
ok claudio bluhm millert
|
|
open() which means the stat could refer to the wrong file. Mostly this
relates to st_size use. This bug could mean that httpd sends new files
truncated to the old length, saying "I am sure you have the correct file now"?
Could have other bad effects.
ok tb millert bluhm
|
|
Combine strlcpy + strlcat into a single snprintf and remove a few
unnecessary parentheses.
ok deraadt millert
|
|
John (j AT bitminer.ca) pointed out that we didn't correctly
initialize struct kv and might use slower KV_FLAG_GLOBBING path in
kv_find depending on stack garbage. Instead of fixing the
initialization just delete kv_flags from struct kv.
OK claudio, tb
|
|
files with content-encoding gzip.
from prx at si3t dot ch; OK tracey@
|
|
ok gnezdo@ miod@ jmc@
|
|
other. Since this generates a full mesh, the amount of file descriptors
needed grows quadratically with the amount of configured prefork
processes.
Might fix an out of file descriptor bug that beck is seeing.
OK benno
|
|
string to it since the code assumes it can call free on it.
Fixes crashes noticed by tobhe@ and florian@
OK otto@ tobhe@
|
|
must be "HTTP" "/" DIGIT "." DIGIT), and answer 505 version not
supported when the number is outside of what we support, and 400 bad
request when the version format is wrong.
from Ross L Richardson, thanks!
ok claudio@
|
|
https://github.com/mpfr/httpd-plus.
Improvements from & (earlier version) reads fine to tracey@;
improvements & OK this version benno@, florian@. Thanks.
|
|
fcgi. Required by RFC 7231 and RFC 3875 section 4.3.2.
* If the client sends an empty body without a Content-Length:
do not add the Content-Length if it's a HEAD request.
If it's a HEAD request, the Content-Length should show the size of the
equivalent GET request, but we don't know how much that will be so
don't lie.
found by and fix suggested by Ross L Richardson, Thanks!
Additionally:
* when the fcgi supplies a Content-Length header, do not remove it and
set Transfer-Encoding: chunked. Instead, leave the Content-Length
header in place, as obviously the fcgi knows how much data will come.
ok claudio@
|
|
ok claudio@
|
|
than HTTP/1.9. Downgrade version >= HTTP/1.2++ to 1.1.
Found by "J. K." (openbsd DOT list AT krottmayer DOT com)
ok claudio@
|
|
Request instead of 500 Internal Server Error.
ok claudio@
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of
it being needed.
Feedback tb
OK Tests mestre
|
|
name as is done elsewhere on this page.
pointed out by jmc
|
|
|
|
|
|
Only set Content-Length when we know the body is empty and we disable
chunked encoding. Otherwise we break the nextcloud app again :/
Pointed out by Matthias Pressfreund, thanks!
|
|
because we are going to send an empty body we have to provide
"Content-Length: 0" otherwise some browsers (Firefox, Safari) just
hang until httpd(8) closes the connection.
Problem reported by Matthias Pressfreund, debugged with weerd@ who
pointed out that the problem is browser dependent.
OK tracey
|
|
upstream.
Found the hard way by Chris Narkiewicz who tracked failing uploads in
the nextcloud mobile app down to httpd(8) trying to chunk encode a
"204 No Content" response.
Testing by Steve Williams
Testing & OK stsp
|
|
at this point.
|
|
This adds support for front-ending httpd(8) with a TLS-terminating
gateway like relayd(8) that forwards unencrypted http traffic.
Previously httpd(8) would use a full URL in the Location header in 301
redirects when a user-agent requests a directory but without the
trailing '/'. If the user-agent originally connected with https, this
caused the redirected url to be http.
This change conforms to RFC7231 section 7.1.2.
Reported by Vincent Lee.
OK claudio@
|
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
|
mix 'listen * port 80' and 'listen * tls port 443' in one server block.
Also the last argument of server_tls_cmp - match_keypair - is always 0
so remove this code.
OK florian@ tb@ some long time ago
|
|
original issue and text from laurence tratt, with updates from raf czlonka
|
|
Use st_blksize to set high water mark; florian@
|
|
to privsep_procid.
ok mortimer
|
|
ok tb@
|
|
A server configuration yields multiple struct server_config in the
env->sc_servers queue: an actual server ("parent") and one for each
location directive in httpd.conf. In parent_configure(), the parents
are configured first, then the corresponding locations.
parse.y r1.118 kills the parent if an error is encountered on loading
the TLS keypairs but leaves the locations in the sc_servers queue.
When running the default config without TLS keys already in place, this
then leads to the self-explanatory "invalid location" error message. Its
intention is to indicate the unexpected situation that config_setserver()
encounters a location without an associated server.
Fix this by not only destroying the parent but also removing all of its
locations.
ok jsing
|
|
|
|
be in the right spot once tls_close() is handled by libevent.
suggested by jsing
|
|
In order to end a TLS connection regularly, an implementation MUST send a
close_notify alert. libtls does this in tls_close() via SSL_shutdown(),
so the socket had better still be open.
The incorrect order in server_close() caused a leak on each tls connection
due to a bug in libssl (fixed in tls_record_layer.c r1.56).
As pointed out by claudio, tls_close() should really be handled from the
main event loop. This will be addressed in a later commit.
ok claudio florian jsing
|
|
While there, use the length calculated by vasprintf() instead of using
strlen needlessly.
ok claudio florian
|
|
ok florian
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
from Edgar Pettijohn
ok kn
|