Source-Changes-HG archive


[src/netbsd-7-1]: src/libexec/httpd Pull up the following revisions (via patc...



details:   https://anonhg.NetBSD.org/src/rev/cf6f588fea02
branches:  netbsd-7-1
changeset: 452024:cf6f588fea02
user:      martin <martin%NetBSD.org@localhost>
date:      Sat Jun 15 15:56:21 2019 +0000

description:
Pull up the following revisions (via patch) requested by mrg in ticket #1699:

        libexec/httpd/CHANGES                   1.31-1.40
        libexec/httpd/Makefile                  1.28
        libexec/httpd/auth-bozo.c               1.23-1.24
        libexec/httpd/bozohttpd.8               1.75-1.79
        libexec/httpd/bozohttpd.c               1.100-1.113
        libexec/httpd/bozohttpd.h               1.58-1.60
        libexec/httpd/cgi-bozo.c                1.46-1.48
        libexec/httpd/daemon-bozo.c             1.20-1.21
        libexec/httpd/dir-index-bozo.c          1.29-1.32
        libexec/httpd/ssl-bozo.c                1.26
        libexec/httpd/testsuite/Makefile        1.12-1.13
        libexec/httpd/testsuite/t11.out         1.2
        libexec/httpd/testsuite/test-bigfile    1.6
        libexec/httpd/testsuite/test-simple     1.6

Don't display special files in the directory index.  They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai%yahoo.com@localhost>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uninit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
  being added to the prior total.)
  however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s).  If SSL_accept() doesn't
work within this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that times out.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overrunning
the array) later.

diffstat:

 libexec/httpd/CHANGES                |   24 +++++-
 libexec/httpd/Makefile               |    5 +-
 libexec/httpd/auth-bozo.c            |    6 +-
 libexec/httpd/bozohttpd.8            |   47 +++++-----
 libexec/httpd/bozohttpd.c            |  150 +++++++++++++++++++---------------
 libexec/httpd/bozohttpd.h            |   22 ++++-
 libexec/httpd/cgi-bozo.c             |   17 ++-
 libexec/httpd/daemon-bozo.c          |    8 +-
 libexec/httpd/dir-index-bozo.c       |  103 ++++++++++--------------
 libexec/httpd/ssl-bozo.c             |   14 ++-
 libexec/httpd/testsuite/Makefile     |    8 +-
 libexec/httpd/testsuite/t11.out      |   10 ++
 libexec/httpd/testsuite/test-bigfile |    3 +-
 libexec/httpd/testsuite/test-simple  |    5 +-
 14 files changed, 242 insertions(+), 180 deletions(-)

diffs (truncated from 1113 to 300 lines):

diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/CHANGES
--- a/libexec/httpd/CHANGES     Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/CHANGES     Sat Jun 15 15:56:21 2019 +0000
@@ -1,4 +1,24 @@
-$NetBSD: CHANGES,v 1.19.2.5.2.2 2018/11/28 19:56:09 martin Exp $
+$NetBSD: CHANGES,v 1.19.2.5.2.3 2019/06/15 15:56:21 martin Exp $
+
+changes in bozohttpd 20190228:
+       o  extend timeout facility to ssl and stop servers hanging forever
+          if the client never sends anything.  reported by Steffen in netbsd
+          PR#50655.
+       o  don't display special files in the directory index.  they aren't
+          served, but links to them are generated.
+       o  fix CGI '+' parameter handling, some error checking, and a double
+          free.  from rajeev_v_pillai%yahoo.com@localhost
+       o  more directory indexing clean up.  from rajeev_v_pillai%yahoo.com@localhost
+
+changes in bozohttpd 20181215:
+       o  fix .htpasswd bypass for authenticated users.  reported by JP,
+          from leot%netbsd.org@localhost
+       o  avoid possible null dereference when receiving a big request that
+          timeout.  reported by maya%netbsd.org@localhost, from leot%netbsd.org@localhost
+       o  fix handling of -T option, from leot%netbsd.org@localhost
+       o  cleanups and portability improvements, from maya%netbsd.org@localhost
+       o  change directory indexing to use html tables, from
+          rajeev_v_pillai%yahoo.com@localhost
 
 changes in bozohttpd 20181125:
        o  fixes for option parsing introduced in bozohttpd 20181123
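Review bot: minor wording in the 20181215 entry: "a big request that timeout" should read "a big request that times out". The 20190228 entry says the timeout facility is extended to ssl but does not name the new "ssl timeout" type accepted by -T or its 30-second default, both of which the bozohttpd.8 hunk in this same patch documents; a short mention here would help anyone reading CHANGES on its own.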
@@ -293,7 +313,7 @@
        - add many new content-types, now support most common ones
 
 changes in bozohttpd 5.06 (20000825):
-       - add IPv6 suppor from itojun%iijlab.net@localhost
+       - add IPv6 support from itojun%iijlab.net@localhost
        - man page fixes from jlam%netbsd.org@localhost
 
 changes in bozohttpd 5.05 (20000815):
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/Makefile
--- a/libexec/httpd/Makefile    Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/Makefile    Sat Jun 15 15:56:21 2019 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.22.2.2.4.1 2018/11/24 17:23:20 martin Exp $
+#      $NetBSD: Makefile,v 1.22.2.2.4.2 2019/06/15 15:56:21 martin Exp $
 #
 #      $eterna: Makefile,v 1.30 2010/07/11 00:34:27 mrg Exp $
 #
@@ -77,6 +77,9 @@
 
 CLEANFILES+=   bozohttpd.8.html bozohttpd.8.txt
 
+check:
+       cd ${.CURDIR}/testsuite && ${MAKE} check
+
 # Create a distfile: uses /tmp
 BASE=bozohttpd-${BOZOVER}
 TAR=${BASE}.tar
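Review bot: the new `check` target is not declared phony; if a file or directory named `check` ever appears in libexec/httpd, make will consider the target up to date and silently skip the testsuite. Add `.PHONY: check` alongside it (bmake honours .PHONY).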
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/auth-bozo.c
--- a/libexec/httpd/auth-bozo.c Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/auth-bozo.c Sat Jun 15 15:56:21 2019 +0000
@@ -1,9 +1,9 @@
-/*     $NetBSD: auth-bozo.c,v 1.13.2.2.4.1 2018/11/24 17:23:20 martin Exp $    */
+/*     $NetBSD: auth-bozo.c,v 1.13.2.2.4.2 2019/06/15 15:56:21 martin Exp $    */
 
 /*     $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $       */
 
 /*
- * Copyright (c) 1997-2018 Matthew R. Green
+ * Copyright (c) 1997-2019 Matthew R. Green
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -64,7 +64,7 @@
                strcpy(dir, ".");
        else {
                *basename++ = '\0';
-               if (bozo_check_special_files(request, basename))
+               if (bozo_check_special_files(request, basename, true))
                        return 1;
        }
        request->hr_authrealm = bozostrdup(httpd, request, dir);
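Review bot: the new third argument is a bare `true`, so its meaning is not visible at this call site, and the updated prototype of bozo_check_special_files() lives in the bozohttpd.h hunk, which is cut from this truncated diff; a short comment naming the parameter at the call site would help. Note also that `true` requires <stdbool.h>, which bozohttpd.c stops including in this same patch, so bozohttpd.h must now provide it.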
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8 Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/bozohttpd.8 Sat Jun 15 15:56:21 2019 +0000
@@ -1,8 +1,8 @@
-.\"    $NetBSD: bozohttpd.8,v 1.46.4.8.2.1 2018/11/24 17:23:20 martin Exp $
+.\"    $NetBSD: bozohttpd.8,v 1.46.4.8.2.2 2019/06/15 15:56:21 martin Exp $
 .\"
 .\"    $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
 .\"
-.\" Copyright (c) 1997-2018 Matthew R. Green
+.\" Copyright (c) 1997-2019 Matthew R. Green
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 19, 2018
+.Dd February 27, 2019
 .Dt BOZOHTTPD 8
 .Os
 .Sh NAME
@@ -245,11 +245,13 @@
 The valid values of
 .Ar type
 are
+.Dq ssl timeout ,
 .Dq initial timeout ,
 .Dq header timeout ,
 and
 .Dq request timeout .
-The default values are 30 seconds, 10 seconds and 600 seconds, respectively.
+The default values are 30 seconds, 30 seconds, 10 seconds and 600 seconds,
+respectively.
 .It Fl t Ar chrootdir
 Makes
 .Nm
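Review bot: the list of defaults now carries four values to match the four types, consistent with the SSL_TIMEOUT "30" define added in bozohttpd.c. What is missing is what happens when the ssl timeout expires; the commit message says SSL_accept() is abandoned and the ssl setup fails, and saying so here (and that the type only matters when SSL is enabled) would help operators tuning -T.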
@@ -477,9 +479,7 @@
 .Pa .bzdirect
 file is found (contents are irrelevant)
 .Nm
-will allow direct access even with the
-.Fl r
-option.
+will allow direct access.
 If a
 .Pa .bzredirect
 symbolic link is found,
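Review bot: dropping "even with the -r option" from the .bzdirect description changes documented behaviour, but no matching code change is visible in the truncated diff; confirm that the -r semantics really changed (or that the option was removed) so the manual does not diverge from what the server does.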
@@ -599,7 +599,7 @@
 and regular code audits.
 This manual documents
 .Nm
-version 20181123.
+version 20190116.
 .Sh AUTHORS
 .An -nosplit
 .Nm
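Review bot: the documented version is bumped to 20190116, while the same patch sets SERVER_SOFTWARE to "bozohttpd/20190228" in bozohttpd.c and adds a "changes in bozohttpd 20190228" section to CHANGES, and the .Dd date above is February 27, 2019. This should read 20190228 so the manual, the Server: header and CHANGES agree.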
@@ -610,14 +610,14 @@
 The large list of contributors includes:
 .Bl -dash
 .It
+.An Christoph Badura
+.Aq Mt bad%bsd.de@localhost
+provided Range: header support
+.It
 .An Marc Balmer
 .Aq Mt mbalmer%NetBSD.org@localhost
 added Lua support for dynamic content creation
 .It
-.An Christoph Badura
-.Aq Mt bad%bsd.de@localhost
-provided Range: header support
-.It
 .An Sean Boudreau
 .Aq Mt seanb%NetBSD.org@localhost
 provided a security fix for virtual hosting
@@ -634,7 +634,7 @@
 .Aq Mt agc%NetBSD.org@localhost
 cleaned up many internal interfaces, made
 .Nm
-linkable as a library and provided the Lua binding.
+linkable as a library and provided the Lua binding
 .It
 .An DEGROOTE Arnaud
 .Aq Mt degroote%NetBSD.org@localhost
@@ -644,14 +644,14 @@
 .Aq Mt ad%NetBSD.org@localhost
 provided directory indexing support
 .It
+.An Roland Dowdeswell
+.Aq Mt elric%NetBSD.org@localhost
+added support for serving gzipped files and better SSL handling
+.It
 .An Per Ekman
 .Aq Mt pek%pdc.kth.se@localhost
 provided a fix for a minor (non-security) buffer overflow condition
 .It
-.An Roland Dowdeswell
-.Aq Mt elric%NetBSD.org@localhost
-added support for serving gzipped files and better SSL handling
-.It
 .An Jun-ichiro itojun Hagino, KAME
 .Aq Mt itojun%iijlab.net@localhost
 provided initial IPv6 support
@@ -690,7 +690,7 @@
 fixed memory leaks, various issues with userdir support,
 information disclosure issues, added support for using CGI handlers
 with directory indexing, found several security issues and provided
-various other fixes.
+various other fixes
 .It
 .An Arnaud Lacombe
 .Aq Mt alc%NetBSD.org@localhost
@@ -708,7 +708,7 @@
 .Aq Mt jmmv%NetBSD.org@localhost
 Added the
 .Fl P
-option (pidfile support) and provided some man page fixes.
+option (pidfile support) and provided some man page fixes
 .It
 .An Luke Mewburn
 .Aq Mt lukem%NetBSD.org@localhost
@@ -717,7 +717,8 @@
 .It
 .An Rajeev V. Pillai
 .Aq Mt rajeev_v_pillai%yahoo.com@localhost
-provided several fixes for virtual hosting
+provided several fixes for virtual hosting and directory indexing and
+fixes for CGI
 .It
 .An Jeremy C. Reed
 .Aq Mt reed%NetBSD.org@localhost
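Review bot: "provided several fixes for virtual hosting and directory indexing and fixes for CGI" repeats "fixes"; suggest "provided several fixes for virtual hosting, directory indexing and CGI".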
@@ -739,11 +740,11 @@
 .Aq Mt rumble%ephemeral.org@localhost
 provided the
 .Fl V
-option.
+option
 .It
 .An Thor Lancelot Simon
 .Aq Mt tls%NetBSD.org@localhost
-enhanced cgi-bin support.
+enhanced cgi-bin support
 .It
 .An Joerg Sonnenberger
 .Aq Mt joerg%NetBSD.org@localhost
@@ -760,7 +761,7 @@
 .Aq Mt xs%kittenz.org@localhost
 provided chroot and change-to-user support, and other various fixes
 .It
-Coyote Point provided various CGI fixes.
+Coyote Point provided various CGI fixes
 .El
 .Pp
 There are probably others I have forgotten (let me know if you care)
diff -r ab9e5c64c394 -r cf6f588fea02 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Fri May 31 08:15:11 2019 +0000
+++ b/libexec/httpd/bozohttpd.c Sat Jun 15 15:56:21 2019 +0000
@@ -1,9 +1,9 @@
-/*     $NetBSD: bozohttpd.c,v 1.56.2.8.2.2 2018/11/28 19:56:09 martin Exp $    */
+/*     $NetBSD: bozohttpd.c,v 1.56.2.8.2.3 2019/06/15 15:56:21 martin Exp $    */
 
 /*     $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $      */
 
 /*
- * Copyright (c) 1997-2018 Matthew R. Green
+ * Copyright (c) 1997-2019 Matthew R. Green
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -109,7 +109,7 @@
 #define INDEX_HTML             "index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE                "bozohttpd/20181125"
+#define SERVER_SOFTWARE                "bozohttpd/20190228"
 #endif
 #ifndef PUBLIC_HTML
 #define PUBLIC_HTML            "public_html"
@@ -137,10 +137,9 @@
 #include <netdb.h>
 #include <pwd.h>
 #include <grp.h>
-#include <signal.h>
 #include <stdarg.h>
 #include <stdlib.h>
-#include <stdbool.h>
+#include <strings.h>
 #include <string.h>
 #include <syslog.h>
 #include <time.h>
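Review bot: <signal.h> and <stdbool.h> are removed here, yet `volatile sig_atomic_t bozo_timeout_hit` in the @@ -183,39 hunk below still needs <signal.h>, and the `true` passed in auth-bozo.c needs <stdbool.h>. Presumably both now arrive via bozohttpd.h, but that file's hunk is beyond the 300-line truncation, so it cannot be verified from this message; please confirm. Adding <strings.h> for strcasecmp is correct (per the commit message, for Linux builds), and <string.h> must stay for strcpy and friends.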
@@ -148,6 +147,9 @@
 
 #include "bozohttpd.h"
 
+#ifndef SSL_TIMEOUT
+#define        SSL_TIMEOUT             "30"    /* wait for 30 seconds for ssl handshake  */
+#endif
 #ifndef INITIAL_TIMEOUT
 #define        INITIAL_TIMEOUT         "30"    /* wait for 30 seconds initially */
 #endif
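Review bot: SSL_TIMEOUT follows the existing INITIAL_TIMEOUT convention (a string parsed later) and its value matches the 30-second default now documented in bozohttpd.8. Nit: the trailing comment has a double space before the closing */.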
@@ -183,39 +185,27 @@
        { NULL,               NULL },
 };
 
-volatile sig_atomic_t  timeout_hit;
+volatile sig_atomic_t  bozo_timeout_hit;
 
 /*
  * check there's enough space in the prefs and names arrays.
  */
 static int
-size_arrays(bozoprefs_t *bozoprefs, size_t needed)
+size_arrays(bozohttpd_t *httpd, bozoprefs_t *bozoprefs, size_t needed)
 {
-       char    **temp;
+       size_t  len = sizeof(char *) * needed;
 
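Review bot: renaming timeout_hit to bozo_timeout_hit implies it is now referenced outside bozohttpd.c (presumably from the SSL_accept() timeout handling), so the extern declaration and every other user must be updated; those hunks, and the rest of this one, lie beyond the 300-line truncation. The size_arrays() fix the commit message describes (new total was being added to the prior total) therefore cannot be reviewed from this message; when checking the full diff, make sure the new `len` (a byte count) is what is passed to the allocator while bozoprefs->size keeps the element count.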


