| Commit message | Author | Age | Files | Lines |
ok reyk@
|
specification does not define any use for such a payload, future
extensions to HTTP might use the OPTIONS body to make more detailed
queries about the target resource." The future has arrived.
Found and tested by Michael Lechtermann
OK benno@
|
requests lacking "HTTP/<version>".
This makes it more obvious that httpd(8) does not attempt to support
HTTP v0.9 (circa 1991), when "GET <url>\r\n" was valid.
ok millert@ florian@
|
from Hiltjo Posthuma
"do." deraadt
|
Pointed out and diff by dhill, thanks!
Tweaks and same change for error documents by me.
|
to distinguish between http and https requests.
OK florian@ reyk@ a while ago
|
From Jan Schreiber
|
Ok gilles@, reyk@
|
From Michael McConville
|
srv_conf->auth in serverconfig_free() because it was not allocated in
config_getserver() but assigned as a reference by id from a global
list that is maintained independently. This fixes a potential
double-free. This fix also makes srv_conf->auth "const" to emphasize
that the read-only auth pointer was not allocated here.
OK jsing@
|
handling the HTTP methods in server_http.c which resulted in a 405
method not allowed error when trying to use it.
Fix by jaminh on github
|
of u_intN_t) and replace u_int with unsigned int. Mixing both
variants is a bad style and most contributors seem to prefer this
style; it also helps us to get used to it, portability, and
standardization.
Theoretically no binary change, except one in practice: httpd.o has a
different checksum because gcc with -O2 pads/optimizes "struct
privsep" differently when using "unsigned int" instead of "u_int" for the
affected members. "u_int" is just a typedef of "unsigned int", -O0
doesn't build the difference and clang with -O2 doesn't do it either -
it is just another curiosity from gcc-land.
OK semarie@
|
Strict-Transport-Security headers. Add __format__ attribute to
kv_set() and kv_setkey() to make it easier to spot such problems.
Found by and fix from Donovan Watteau <tsoomi -AT- gmail -DOT- com>,
thanks for your help.
ok deraadt@
|
we need more care to find a proper fix for the fastcgi headers.
acknowledged by deraadt@
|
parse it. Otherwise http headers can leak into the body.
Pointed out by Jean-Philippe Ouellet on bugs@ Thanks!
OK reyk, commit ASAP deraadt@
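The header/body split that the commit above is about, as an added example that is not httpd(8) code. It assumes the usual CGI convention that a FastCGI application's response begins with header lines (optionally a "Status:" line) ending in LF or CRLF and that the block is closed by an empty line; the struct and function names are my own. The point it demonstrates is that nothing may be forwarded to the client as body until the end of the header block has actually been found.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result of splitting a CGI-style response: where the body starts and
 * which HTTP status the application asked for via "Status:". */
struct cgi_head {
	int	status;
	size_t	body_off;
};

/*
 * Scan buf[0..len) for the end of the header block.  Header lines end
 * with LF or CRLF (applications use both); the block ends at the first
 * empty line.  Returns 1 when the block is complete and fills *h, or 0
 * when more data is needed.  Only after this returns 1 may the bytes
 * from body_off onward be relayed as the response body; relaying
 * earlier copies header lines into the body.
 */
int
cgi_split_headers(const char *buf, size_t len, struct cgi_head *h)
{
	size_t i = 0, start, end;

	h->status = 200;
	h->body_off = 0;
	while (i < len) {
		start = i;
		while (i < len && buf[i] != '\n')
			i++;
		if (i == len)
			return 0;		/* current line not finished */
		end = i;			/* index of the '\n' */
		if (end > start && buf[end - 1] == '\r')
			end--;
		i++;				/* step past the '\n' */
		if (end == start) {		/* empty line: headers done */
			h->body_off = i;
			return 1;
		}
		if (end - start > 7 &&
		    strncasecmp(buf + start, "Status:", 7) == 0) {
			const char *q = buf + start + 7;
			int s = 0;

			while (q < buf + end && *q == ' ')
				q++;
			while (q < buf + end && isdigit((unsigned char)*q))
				s = s * 10 + (*q++ - '0');
			if (s >= 100 && s <= 599)
				h->status = s;
		}
	}
	return 0;
}

/* Convenience wrapper for NUL-terminated input. */
int
cgi_split_str(const char *s, struct cgi_head *h)
{
	return cgi_split_headers(s, strlen(s), h);
}

int
main(void)
{
	/* constructed sample of what a FastCGI application might return */
	const char *resp =
	    "Status: 302 Found\r\nLocation: /login\r\n\r\n<html>moved</html>";
	struct cgi_head h;

	if (cgi_split_str(resp, &h))
		printf("status %d, body: %s\n", h.status, resp + h.body_off);
	return 0;
}
```

A caller that buffers until `cgi_split_headers()` returns 1 can then emit its own status line and headers first and copy only `buf + body_off` onward.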
|
The diff corrects this problem by using VIS_DQ.
ok reyk@ florian@
|
OK florian@
|
eg. default type text/html.
OK florian@
|
Input & OK reyk
|
OK benno@
|
This makes the output more readable and matches Apache's log encoding.
OK sthen@ brynet@
|
default and only setting it to 0 on success, we don't have to set it
in each error case. While here, also remove two superfluous NULL
checks (as pointed out by semarie).
OK semarie@
|
an attacker to push arbitrary characters in logs (newline for forging entries,
or some control escaping interpreted by terminal emulator).
OK reyk@
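The log-forging problem described in the commit above (and the Apache-style encoding and VIS_DQ quoting mentioned in the neighbouring commits), as an added example that is not httpd(8) code. httpd uses vis(3) for this; the escaper below is a portable stand-in that I wrote for the example, with the same goal: a newline or terminal escape sequence in a request must never reach the log file as-is. Function names and the sample request line are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Escape a user-controlled string for an access log, Apache-style:
 * printable ASCII passes through, except that '"' and '\\' are
 * backslash-escaped; \n, \r and \t get their C escapes; every other
 * byte (controls, 0x7f, and anything >= 0x80) becomes \xHH.  Returns
 * the number of bytes the escaped form needs (excluding the NUL), like
 * snprintf, so a caller can detect truncation.
 */
size_t
log_escape(const char *src, char *dst, size_t dstsz)
{
	const unsigned char *p;
	const char *rep;
	char tmp[5];
	size_t o = 0, n, i;

	for (p = (const unsigned char *)src; *p != '\0'; p++) {
		switch (*p) {
		case '\n': rep = "\\n"; break;
		case '\r': rep = "\\r"; break;
		case '\t': rep = "\\t"; break;
		case '"':  rep = "\\\""; break;
		case '\\': rep = "\\\\"; break;
		default:
			if (*p >= 0x20 && *p < 0x7f) {
				tmp[0] = (char)*p;
				tmp[1] = '\0';
			} else
				snprintf(tmp, sizeof(tmp), "\\x%02x", *p);
			rep = tmp;
		}
		n = strlen(rep);
		for (i = 0; i < n; i++, o++)
			if (o + 1 < dstsz)
				dst[o] = rep[i];
	}
	if (dstsz > 0)
		dst[o < dstsz ? o : dstsz - 1] = '\0';
	return o;
}

/* How many log records a line-oriented consumer (grep, a SIEM) sees. */
size_t
count_lines(const char *s)
{
	size_t n = 1;

	for (; *s != '\0'; s++)
		if (*s == '\n')
			n++;
	return n;
}

int
main(void)
{
	/* constructed request target carrying a forged second log entry
	 * and a terminal escape sequence */
	const char *target =
	    "/index.html\n10.0.0.1 - - \"GET /admin\" 200 \x1b[2J";
	char safe[256];

	log_escape(target, safe, sizeof(safe));
	printf("raw:  %zu record(s)\nsafe: %zu record(s): %s\n",
	    count_lines(target), count_lines(safe), safe);
	return 0;
}
```

The escaped form is still one record, and the ESC byte is now the literal text `\x1b`, so a terminal showing the log does not execute it.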
|
ok reyk@
|
With important help on the pattern matcher from semarie@
OK semarie@
|
$REMOTE_USER before using them in the Location.
From Sebastien Marie (semarie)
|
elements from the user input and not the constants from the
configuration. This makes it possible to specify chars like '?' in
the uri.
OK Sebastien Marie
|
constructing the Content-Length header field. Should fix some, but probably
not all, problems with serving files bigger than 2G on 32-bit architectures.
ok reyk@, florian@
|
From Sunil Nimmagadda <sunil At nimmagadda DOT net>
OK benno@
|
newlines which could lead to http response splitting/smuggling
if a badly behaved proxy is in front of httpd.
Switch from evbuffer_readline() to evbuffer_readln() with
EVBUFFER_EOL_CRLF_STRICT to avoid this.
ok florian@
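A request-line reader that has the two properties discussed in the commits on this page: lines end only at CRLF, with a bare LF rejected instead of being treated as a line end (the EVBUFFER_EOL_CRLF_STRICT change above), and the line must carry "HTTP/<version>", so an HTTP/0.9 style "GET /\r\n" is refused (the earlier commit on this page). This is an added example, not httpd(8) code; the status codes, struct and function names are my own, and the sample requests are constructed.

```c
#include <stdio.h>
#include <string.h>

enum req_status {
	REQ_OK = 0,
	REQ_INCOMPLETE,		/* no CRLF yet: wait for more bytes */
	REQ_BAD_EOL,		/* bare LF before the CRLF: reject */
	REQ_NO_VERSION,		/* no "HTTP/<major>.<minor>": HTTP/0.9 style */
	REQ_MALFORMED		/* wrong token count or oversized line */
};

struct req_line {
	char	method[16];
	char	target[256];
	int	major, minor;
};

/*
 * Locate the end of the first line using CRLF only.  Returns the index
 * of the '\r' of the terminating CRLF, or -1 if none has arrived.  A
 * bare LF seen before that is reported through *bare_lf: a lenient
 * proxy in front of the server may treat that LF as a line end while
 * the server does not (or the reverse), and that disagreement is what
 * response splitting and request smuggling rely on.
 */
static int
find_crlf(const char *buf, size_t len, int *bare_lf)
{
	size_t i;

	*bare_lf = 0;
	for (i = 0; i < len; i++) {
		if (buf[i] != '\n')
			continue;
		if (i > 0 && buf[i - 1] == '\r')
			return (int)(i - 1);
		*bare_lf = 1;
		return -1;
	}
	return -1;
}

enum req_status
parse_request_line(const char *buf, size_t len, struct req_line *out)
{
	char line[512], ver[16];
	int n, bare_lf, consumed = 0, k = 0;

	n = find_crlf(buf, len, &bare_lf);
	if (bare_lf)
		return REQ_BAD_EOL;
	if (n < 0)
		return REQ_INCOMPLETE;
	if (n == 0 || n >= (int)sizeof(line))
		return REQ_MALFORMED;
	memcpy(line, buf, n);
	line[n] = '\0';

	memset(out, 0, sizeof(*out));
	/* exactly three tokens: METHOD SP target SP HTTP/x.y */
	if (sscanf(line, "%15s %255s %15s %n", out->method, out->target,
	    ver, &consumed) != 3)
		return REQ_NO_VERSION;	/* "GET /\r\n" lands here */
	if (line[consumed] != '\0')
		return REQ_MALFORMED;
	if (sscanf(ver, "HTTP/%d.%d%n", &out->major, &out->minor, &k) != 2 ||
	    ver[k] != '\0')
		return REQ_NO_VERSION;
	return REQ_OK;
}

/* Convenience wrapper for NUL-terminated input. */
enum req_status
check_request(const char *s, struct req_line *r)
{
	return parse_request_line(s, strlen(s), r);
}

int
main(void)
{
	static const char *samples[] = {	/* constructed inputs */
		"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
		"GET /index.html\r\n",
		"GET / HTTP/1.1\nHost: example\r\n\r\n",
	};
	struct req_line r;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("sample %zu -> status %d\n", i,
		    check_request(samples[i], &r));
	return 0;
}
```

REQ_INCOMPLETE is the normal "read more" case; a server would pair it with a maximum line length so a client sending an endless line without CRLF cannot pin a buffer.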
|
I fscked up the testing, sorry!
Found the hard way by jsg@
|
Pointed out by Regis Leroy (regis.leroy AT makina-corpus DOT com),
thanks!
Tweak and OK reyk@
|
block return 301 "http://www.example.com/$REQUEST_URI"
OK tedu@ florian@
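Macro expansion for a redirect such as the `block return 301 "http://www.example.com/$REQUEST_URI"` above, done the way the earlier commits on this page describe: only the elements taken from user input ($REQUEST_URI, $REMOTE_USER) are URL-encoded, while constants from the configuration are copied as written, so a '?' in the configured URL survives. This is an added example, not httpd(8) code: the macro names come from this page, but the encoder's character set (unreserved characters and '/' pass through, everything else becomes %XX), the function names and the sample values are my own assumptions, and httpd's real expansion rules may differ.

```c
#include <stdio.h>
#include <string.h>

struct macro {
	const char *name;	/* without the leading '$' */
	const char *value;	/* taken from the request: untrusted */
};

static int
url_unreserved(unsigned char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' ||
	    c == '~' || c == '/';
}

/* Append src to out at *o, percent-encoding it when encode is set.
 * Returns 0, or -1 when out would overflow. */
static int
append(char *out, size_t outsz, size_t *o, const char *src, int encode)
{
	static const char hex[] = "0123456789ABCDEF";
	const unsigned char *p;

	for (p = (const unsigned char *)src; *p != '\0'; p++) {
		if (!encode || url_unreserved(*p)) {
			if (*o + 1 >= outsz)
				return -1;
			out[(*o)++] = (char)*p;
		} else {
			if (*o + 3 >= outsz)
				return -1;
			out[(*o)++] = '%';
			out[(*o)++] = hex[*p >> 4];
			out[(*o)++] = hex[*p & 0xf];
		}
	}
	return 0;
}

/*
 * Expand $NAME references in the configured template.  Literal template
 * text is copied verbatim; macro values are always encoded, so CR, LF,
 * '?' or '#' coming from the client cannot add a header or change the
 * meaning of the Location the administrator wrote.  Returns the output
 * length, or -1 on overflow.
 */
int
expand_macros(const char *tmpl, const struct macro *m, size_t nm,
    char *out, size_t outsz)
{
	size_t o = 0, i, n = 0;
	const char *p = tmpl;
	char lit[2] = { 0, 0 };

	if (outsz == 0)
		return -1;
	while (*p != '\0') {
		if (*p == '$') {
			for (i = 0; i < nm; i++) {
				n = strlen(m[i].name);
				if (strncmp(p + 1, m[i].name, n) == 0)
					break;
			}
			if (i < nm) {
				if (append(out, outsz, &o, m[i].value, 1) == -1)
					return -1;
				p += 1 + n;
				continue;
			}
		}
		lit[0] = *p++;
		if (append(out, outsz, &o, lit, 0) == -1)
			return -1;
	}
	out[o] = '\0';
	return (int)o;
}

int
main(void)
{
	/* constructed request values, including a header-injection attempt */
	struct macro m[] = {
		{ "REQUEST_URI", "docs/a b?q=1\r\nSet-Cookie: x" },
		{ "REMOTE_USER", "bob smith" },
	};
	char out[256];

	if (expand_macros("http://www.example.com/$REQUEST_URI", m, 2,
	    out, sizeof(out)) >= 0)
		printf("Location: %s\n", out);
	return 0;
}
```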
|
OK florian@
|
Reported and tested by Markus Bergkvist
OK florian@
|
needed by its ancestor. jsg@, include-what-you-use, and some manual
review helped to cleanup the headers (take iwyu with a grain of salt).
Based on common practice, httpd.h now also includes the necessary
headers for itself.
OK florian@
|
Pointed out by, tweak & OK reyk@
|
OK reyk@
|
OK florian@
|
Currently the htpasswd file needs to be in the chroot; will hopefully
be improved soonish.
Based on a diff from Oscar Linderholm many months ago but turned into
a complete rewrite.
input/OK reyk@
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
Found by Fabian Raetz at gmail
|
From Fabian Raetz at gmail