| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
The diff corrects this problem by using VIS_DQ.
ok reyk@ florian@
|
| |
|
|
| |
OK florian@
|
| |
|
|
|
|
| |
eg. default type text/html.
OK florian@
|
| |
|
|
| |
Input & OK reyk
|
| | |
|
| |
|
|
| |
OK benno@
|
| |
|
|
|
|
| |
This makes the output more readable and matches Apache's log encoding.
OK sthen@ brynet@
|
| |
|
|
|
|
|
|
| |
default and only setting it to 0 on success, we don't have to set it
in each error case. While here, also remove two superfluous NULL
checks (as pointed out by semarie).
OK semarie@
|
| |
|
|
|
|
|
| |
an attacker to push arbitaries characters in logs (newline for forging entries,
or some control escaping interpreted by terminal emulator).
OK reyk@
|
| |
|
|
| |
ok reyk@
|
| |
|
|
|
|
| |
With important help on the pattern matcher from semarie@
OK semarie@
|
| |
|
|
|
|
| |
$REMOTE_USER before using them in the Location.
From Sebastien Marie (semarie)
|
| |
|
|
|
|
|
|
| |
elements from the user input and not the constants from the
configuration. This makes it possible to specify chars like '?' in
the uri.
OK Sebastien Marie
|
| |
|
|
|
|
|
| |
constructing the Content-Length header field. Should fix some, but probably
not all, problems with serving files bigger than 2G on 32-bit architectures.
ok reyk@, florian@
|
| |
|
|
|
| |
From Sunil Nimmagadda <sunil At nimmagadda DOT net>
OK benno@
|
| |
|
|
|
|
|
|
|
|
| |
newlines which could lead to http response splitting/smuggling
if a badly behaved proxy is in front of httpd.
Switch from evbuffer_readline() to evbuffer_readln() with
EVBUFFER_EOL_CRLF_STRICT to avoid this.
ok florian@
|
| |
|
|
|
| |
I fscked up the testing, sorry!
Found the hard way by jsg@
|
| |
|
|
|
|
| |
Pointed out by Regis Leroy (regis.leroy AT makina-corpus DOT com),
thanks!
Tweak and OK reyk@
|
| |
|
|
|
|
| |
block return 301 "http://www.example.com/$REQUEST_URI"
OK tedu@ florian@
|
| | |
|
| | |
|
| |
|
|
| |
OK florian@
|
| |
|
|
|
| |
Reported and tested by Markus Bergkvist
OK florian@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
needed by its ancestor. jsg@, include-what-you-use, and some manual
review helped to cleanup the headers (take iwyu with a grain of salt).
Based on common practice, httpd.h now also includes the necessary
headers for itself.
OK florian@
|
| |
|
|
| |
Pointed out by, tweak & OK reyk@
|
| |
|
|
| |
OK reyk@
|
| |
|
|
| |
OK florian@
|
| |
|
|
|
|
|
|
| |
Currently the htpasswd file needs to be in the chroot; will hopefully
improved soonish.
Based on a diff from Oscar Linderholm many months ago but turned into
a complete rewrite.
input/OK reyk@
|
| |
|
|
|
|
|
|
|
| |
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
| | |
|
| |
|
|
| |
Found by Fabian Raetz at gmail
|
| |
|
|
| |
From Fabian Raetz at gmail
|
| |
|
|
|
|
| |
unknown/invalid HTTP requests.
From Fabian Raetz at gmail
|
| |
|
|
|
|
|
|
|
|
| |
strip number
Strip number path components from the beginning of the
request URI before looking up the stripped-down URI at
the document root.
reviewed with much patience and OK by reyk@
|
| |
|
|
|
|
|
|
| |
shorter, newer, and the recommendation. From James Jerkins.
Exclude the charset for now because it is not explicitly handled by httpd.
OK validator.w3.org (This document was successfully checked as HTML5!)
|
| |
|
|
|
|
| |
*Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
|
| |
|
|
|
| |
From Bertrand Janin (b at janin dot com), thanks!
OK reyk@
|
| |
|
|
| |
from Max Fillinger
|
| |
|
|
| |
ok millert@
|
| |
|
|
|
| |
Tested by ajacoutot@ and others
OK doug@
|
| |
|
|
|
|
|
|
|
| |
error. Traditionally, web servers responsed with the request path on
40x errors which could be abused to inject JavaScript etc. Instead of
sanitizing the path, we just don't reprint it. Also modify the style
a little bit but keep Comic Sans.
With input from Jonas Lindemann and doug@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
www.example.com, www.example.com:80, [2001:db8::1], [2001:db8::1]:80).
The port is optional and is typically used on non-default ports. If
the server name is a plain IPv6 address, it is commonly specified in
square brackets.
Makes ajacoutot@ happy
OK florian@
|
| |
|
|
|
|
| |
This fixes (Fast)CGI-based WebDAV and CalDAV (calendar) servers with httpd.
ok benno@ stsp@
|
| |
|
|
|
|
|
|
|
| |
The key has been changed to server name + address + port and now it is
possible to use the same server name for multiple servers with
different addresses, eg. http://www.example.com and
https://www.example.com/.
OK doug@ florian@
|
| |
|
|
| |
OK chrisz@
|
| |
|
|
| |
OK reyk@
|
| |
|
|
|
|
|
| |
has been appended. This allows to use a fastcgi target as the default
index, for example index.php.
OK florian@
|
semarie
reyk
florian
kettenis
jsg
deraadt
chrisz
guenther
tedu
lteo