Source-Changes-HG archive
[src/netbsd-7-1]: src/libexec/httpd Pull up the following revisions (via patc...
details: https://anonhg.NetBSD.org/src/rev/cf6f588fea02
branches: netbsd-7-1
changeset: 452024:cf6f588fea02
user: martin <martin%NetBSD.org@localhost>
date: Sat Jun 15 15:56:21 2019 +0000
description:
Pull up the following revisions (via patch) requested by mrg in ticket #1699:
libexec/httpd/CHANGES 1.31-1.40
libexec/httpd/Makefile 1.28
libexec/httpd/auth-bozo.c 1.23-1.24
libexec/httpd/bozohttpd.8 1.75-1.79
libexec/httpd/bozohttpd.c 1.100-1.113
libexec/httpd/bozohttpd.h 1.58-1.60
libexec/httpd/cgi-bozo.c 1.46-1.48
libexec/httpd/daemon-bozo.c 1.20-1.21
libexec/httpd/dir-index-bozo.c 1.29-1.32
libexec/httpd/ssl-bozo.c 1.26
libexec/httpd/testsuite/Makefile 1.12-1.13
libexec/httpd/testsuite/t11.out 1.2
libexec/httpd/testsuite/test-bigfile 1.6
libexec/httpd/testsuite/test-simple 1.6
Don't display special files in the directory index. They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai%yahoo.com@localhost>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uninit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
being added to the prior total.)
however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s). If SSL_accept() doesn't
work within this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that times out.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overrunning
the array) later.
diffstat:
libexec/httpd/CHANGES | 24 +++++-
libexec/httpd/Makefile | 5 +-
libexec/httpd/auth-bozo.c | 6 +-
libexec/httpd/bozohttpd.8 | 47 +++++-----
libexec/httpd/bozohttpd.c | 150 +++++++++++++++++++---------------
libexec/httpd/bozohttpd.h | 22 ++++-
libexec/httpd/cgi-bozo.c | 17 ++-
libexec/httpd/daemon-bozo.c | 8 +-
libexec/httpd/dir-index-bozo.c | 103 ++++++++++--------------
libexec/httpd/ssl-bozo.c | 14 ++-
libexec/httpd/testsuite/Makefile | 8 +-
libexec/httpd/testsuite/t11.out | 10 ++
libexec/httpd/testsuite/test-bigfile | 3 +-
libexec/httpd/testsuite/test-simple | 5 +-
14 files changed, 242 insertions(+), 180 deletions(-)
diffs (truncated from 1113 to 300 lines):
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/CHANGES
--- a/libexec/httpd/CHANGES Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/CHANGES Sat Jun 15 15:56:21 2019 +0000
@@ -1,4 +1,24 @@
-$NetBSD: CHANGES,v 1.19.2.5.2.2 2018/11/28 19:56:09 martin Exp $
+$NetBSD: CHANGES,v 1.19.2.5.2.3 2019/06/15 15:56:21 martin Exp $
+
+changes in bozohttpd 20190228:
+ o extend timeout facility to ssl and stop servers hanging forever
+ if the client never sends anything. reported by Steffen in netbsd
+ PR#50655.
+ o don't display special files in the directory index. they aren't
+ served, but links to them are generated.
+ o fix CGI '+' parameter handling, some error checking, and a double
+ free. from rajeev_v_pillai%yahoo.com@localhost
+ o more directory indexing clean up. from rajeev_v_pillai%yahoo.com@localhost
+
+changes in bozohttpd 20181215:
+ o fix .htpasswd bypass for authenticated users. reported by JP,
+ from leot%netbsd.org@localhost
+ o avoid possible null dereference when receiving a big request that
+ timeout. reported by maya%netbsd.org@localhost, from leot%netbsd.org@localhost
+ o fix handling of -T option, from leot%netbsd.org@localhost
+ o cleanups and portability improvements, from maya%netbsd.org@localhost
+ o change directory indexing to use html tables, from
+ rajeev_v_pillai%yahoo.com@localhost
changes in bozohttpd 20181125:
o fixes for option parsing introduced in bozohttpd 20181123
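Review bot: neither the 20190228 nor the 20181215 block has an entry for the cgihandler fix that the commit description calls out as avoiding an assertion failure and an array overrun when counting CGI environment headers. Since that is a memory-safety fix, it deserves its own line here next to the ".htpasswd bypass" and "double free" entries, so that anyone reading CHANGES to decide whether to update sees it.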
@@ -293,7 +313,7 @@
- add many new content-types, now support most common ones
changes in bozohttpd 5.06 (20000825):
- - add IPv6 suppor from itojun%iijlab.net@localhost
+ - add IPv6 support from itojun%iijlab.net@localhost
- man page fixes from jlam%netbsd.org@localhost
changes in bozohttpd 5.05 (20000815):
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/Makefile
--- a/libexec/httpd/Makefile Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/Makefile Sat Jun 15 15:56:21 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.22.2.2.4.1 2018/11/24 17:23:20 martin Exp $
+# $NetBSD: Makefile,v 1.22.2.2.4.2 2019/06/15 15:56:21 martin Exp $
#
# $eterna: Makefile,v 1.30 2010/07/11 00:34:27 mrg Exp $
#
@@ -77,6 +77,9 @@
CLEANFILES+= bozohttpd.8.html bozohttpd.8.txt
+check:
+ cd ${.CURDIR}/testsuite && ${MAKE} check
+
# Create a distfile: uses /tmp
BASE=bozohttpd-${BOZOVER}
TAR=${BASE}.tar
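Review bot: the new `check:` target is not declared phony in the visible lines, so a file or directory named `check` in libexec/httpd would make it appear up to date and the test suite would silently not run. Adding `.PHONY: check` next to the target avoids that.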
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/auth-bozo.c
--- a/libexec/httpd/auth-bozo.c Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/auth-bozo.c Sat Jun 15 15:56:21 2019 +0000
@@ -1,9 +1,9 @@
-/* $NetBSD: auth-bozo.c,v 1.13.2.2.4.1 2018/11/24 17:23:20 martin Exp $ */
+/* $NetBSD: auth-bozo.c,v 1.13.2.2.4.2 2019/06/15 15:56:21 martin Exp $ */
/* $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */
/*
- * Copyright (c) 1997-2018 Matthew R. Green
+ * Copyright (c) 1997-2019 Matthew R. Green
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -64,7 +64,7 @@
strcpy(dir, ".");
else {
*basename++ = '\0';
- if (bozo_check_special_files(request, basename))
+ if (bozo_check_special_files(request, basename, true))
return 1;
}
request->hr_authrealm = bozostrdup(httpd, request, dir);
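Review bot: the bare `true` passed as the new third argument to bozo_check_special_files() does not say what it turns on, and the prototype change lives in bozohttpd.h, which falls outside the visible part of this truncated diff. Because this call sits in the authentication path, a short comment at the call site (or a named constant instead of the literal) stating what the flag selects would make it possible to review this hunk without opening the header.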
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8 Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/bozohttpd.8 Sat Jun 15 15:56:21 2019 +0000
@@ -1,8 +1,8 @@
-.\" $NetBSD: bozohttpd.8,v 1.46.4.8.2.1 2018/11/24 17:23:20 martin Exp $
+.\" $NetBSD: bozohttpd.8,v 1.46.4.8.2.2 2019/06/15 15:56:21 martin Exp $
.\"
.\" $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
.\"
-.\" Copyright (c) 1997-2018 Matthew R. Green
+.\" Copyright (c) 1997-2019 Matthew R. Green
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd November 19, 2018
+.Dd February 27, 2019
.Dt BOZOHTTPD 8
.Os
.Sh NAME
@@ -245,11 +245,13 @@
The valid values of
.Ar type
are
+.Dq ssl timeout ,
.Dq initial timeout ,
.Dq header timeout ,
and
.Dq request timeout .
-The default values are 30 seconds, 10 seconds and 600 seconds, respectively.
+The default values are 30 seconds, 30 seconds, 10 seconds and 600 seconds,
+respectively.
.It Fl t Ar chrootdir
Makes
.Nm
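Review bot: with four timeout types, the sentence "The default values are 30 seconds, 30 seconds, 10 seconds and 600 seconds, respectively" makes the reader count positions to match a value to its name, and two of the values are identical. Consider listing each type with its default (for example as a `.Bl` list) so that "ssl timeout" is unambiguously tied to its 30 seconds and a later reordering cannot silently misdocument a timeout.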
@@ -477,9 +479,7 @@
.Pa .bzdirect
file is found (contents are irrelevant)
.Nm
-will allow direct access even with the
-.Fl r
-option.
+will allow direct access.
If a
.Pa .bzredirect
symbolic link is found,
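Review bot: after dropping "even with the -r option", the sentence ends at "will allow direct access" and no longer says which restriction a `.bzdirect` file overrides. Since this file relaxes an access control, the text should name the option or options whose check it bypasses rather than leaving that implicit.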
@@ -599,7 +599,7 @@
and regular code audits.
This manual documents
.Nm
-version 20181123.
+version 20190116.
.Sh AUTHORS
.An -nosplit
.Nm
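Review bot: the manual now states "version 20190116", but the same changeset sets SERVER_SOFTWARE to "bozohttpd/20190228" in bozohttpd.c and adds a "changes in bozohttpd 20190228" block to CHANGES. The documented version should match the version string the server reports, otherwise admins checking a host against the man page will misjudge which fixes it carries.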
@@ -610,14 +610,14 @@
The large list of contributors includes:
.Bl -dash
.It
+.An Christoph Badura
+.Aq Mt bad%bsd.de@localhost
+provided Range: header support
+.It
.An Marc Balmer
.Aq Mt mbalmer%NetBSD.org@localhost
added Lua support for dynamic content creation
.It
-.An Christoph Badura
-.Aq Mt bad%bsd.de@localhost
-provided Range: header support
-.It
.An Sean Boudreau
.Aq Mt seanb%NetBSD.org@localhost
provided a security fix for virtual hosting
@@ -634,7 +634,7 @@
.Aq Mt agc%NetBSD.org@localhost
cleaned up many internal interfaces, made
.Nm
-linkable as a library and provided the Lua binding.
+linkable as a library and provided the Lua binding
.It
.An DEGROOTE Arnaud
.Aq Mt degroote%NetBSD.org@localhost
@@ -644,14 +644,14 @@
.Aq Mt ad%NetBSD.org@localhost
provided directory indexing support
.It
+.An Roland Dowdeswell
+.Aq Mt elric%NetBSD.org@localhost
+added support for serving gzipped files and better SSL handling
+.It
.An Per Ekman
.Aq Mt pek%pdc.kth.se@localhost
provided a fix for a minor (non-security) buffer overflow condition
.It
-.An Roland Dowdeswell
-.Aq Mt elric%NetBSD.org@localhost
-added support for serving gzipped files and better SSL handling
-.It
.An Jun-ichiro itojun Hagino, KAME
.Aq Mt itojun%iijlab.net@localhost
provided initial IPv6 support
@@ -690,7 +690,7 @@
fixed memory leaks, various issues with userdir support,
information disclosure issues, added support for using CGI handlers
with directory indexing, found several security issues and provided
-various other fixes.
+various other fixes
.It
.An Arnaud Lacombe
.Aq Mt alc%NetBSD.org@localhost
@@ -708,7 +708,7 @@
.Aq Mt jmmv%NetBSD.org@localhost
Added the
.Fl P
-option (pidfile support) and provided some man page fixes.
+option (pidfile support) and provided some man page fixes
.It
.An Luke Mewburn
.Aq Mt lukem%NetBSD.org@localhost
@@ -717,7 +717,8 @@
.It
.An Rajeev V. Pillai
.Aq Mt rajeev_v_pillai%yahoo.com@localhost
-provided several fixes for virtual hosting
+provided several fixes for virtual hosting and directory indexing and
+fixes for CGI
.It
.An Jeremy C. Reed
.Aq Mt reed%NetBSD.org@localhost
@@ -739,11 +740,11 @@
.Aq Mt rumble%ephemeral.org@localhost
provided the
.Fl V
-option.
+option
.It
.An Thor Lancelot Simon
.Aq Mt tls%NetBSD.org@localhost
-enhanced cgi-bin support.
+enhanced cgi-bin support
.It
.An Joerg Sonnenberger
.Aq Mt joerg%NetBSD.org@localhost
@@ -760,7 +761,7 @@
.Aq Mt xs%kittenz.org@localhost
provided chroot and change-to-user support, and other various fixes
.It
-Coyote Point provided various CGI fixes.
+Coyote Point provided various CGI fixes
.El
.Pp
There are probably others I have forgotten (let me know if you care)
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/bozohttpd.c Sat Jun 15 15:56:21 2019 +0000
@@ -1,9 +1,9 @@
-/* $NetBSD: bozohttpd.c,v 1.56.2.8.2.2 2018/11/28 19:56:09 martin Exp $ */
+/* $NetBSD: bozohttpd.c,v 1.56.2.8.2.3 2019/06/15 15:56:21 martin Exp $ */
/* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */
/*
- * Copyright (c) 1997-2018 Matthew R. Green
+ * Copyright (c) 1997-2019 Matthew R. Green
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -109,7 +109,7 @@
#define INDEX_HTML "index.html"
#endif
#ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE "bozohttpd/20181125"
+#define SERVER_SOFTWARE "bozohttpd/20190228"
#endif
#ifndef PUBLIC_HTML
#define PUBLIC_HTML "public_html"
@@ -137,10 +137,9 @@
#include <netdb.h>
#include <pwd.h>
#include <grp.h>
-#include <signal.h>
#include <stdarg.h>
#include <stdlib.h>
-#include <stdbool.h>
+#include <strings.h>
#include <string.h>
#include <syslog.h>
#include <time.h>
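Review bot: this hunk removes `#include <signal.h>` and `#include <stdbool.h>`, yet a later hunk in this file still defines `volatile sig_atomic_t bozo_timeout_hit`, so the file now depends on bozohttpd.h pulling those headers in. The bozohttpd.h diff is not in the visible part of this truncated patch; please confirm the header includes both, and say so in the commit description, so the dependency is deliberate rather than accidental.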
@@ -148,6 +147,9 @@
#include "bozohttpd.h"
+#ifndef SSL_TIMEOUT
+#define SSL_TIMEOUT "30" /* wait for 30 seconds for ssl handshake */
+#endif
#ifndef INITIAL_TIMEOUT
#define INITIAL_TIMEOUT "30" /* wait for 30 seconds initially */
#endif
@@ -183,39 +185,27 @@
{ NULL, NULL },
};
-volatile sig_atomic_t timeout_hit;
+volatile sig_atomic_t bozo_timeout_hit;
/*
* check there's enough space in the prefs and names arrays.
*/
static int
-size_arrays(bozoprefs_t *bozoprefs, size_t needed)
+size_arrays(bozohttpd_t *httpd, bozoprefs_t *bozoprefs, size_t needed)
{
- char **temp;
+ size_t len = sizeof(char *) * needed;
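Review bot: in size_arrays(), `size_t len = sizeof(char *) * needed;` multiplies without any overflow check in the visible lines, and the rest of the function is cut off by the truncation. If `needed` can ever be driven by configuration or input, check it against `SIZE_MAX / sizeof(char *)` before multiplying or use an overflow-checking allocator. Given the description's note that bozoprefs->size was previously miscalculated when growing, a comment stating whether `needed` is the new total or an increment would also help.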