path: root/usr.sbin/httpd/server_http.c
Commit message [Author, Age, Files, Lines]
* unwrap a line [tb, 2021-01-05, 1 file, -3/+2]
|
* Add location (found|not found) option to test for resource path existence. [denis, 2020-10-29, 1 file, -3/+41]
| Diff by Matthias Pressfreund <mpfr @ fn de>. Thanks.
* Use the original requested URI for REQUEST_URI. [yasuoka, 2020-09-12, 1 file, -3/+9]
| ok millert florian
* remove another tautology [benno, 2020-08-03, 1 file, -3/+2]
| from Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks
| ok claudio@
* Use the simpler HTML5 idiom to declare charset in autogenerated pages. [bentley, 2020-05-22, 1 file, -3/+2]
| This came from a suggestion by Andras Farkas to replace use of XHTML self-closing tags.
| ok cwen@ danj@ florian@
* httpd: add a "dark mode" in directory listings and error pages [cwen, 2020-05-18, 1 file, -2/+5]
| Introduce a new "dark mode" for httpd(8) directory listings and error pages, using the prefers-color-scheme css function. It uses the colorscheme already used in OpenBSD project websites.
|
| This version will only be displayed if the user's browser specifically sends a "prefer darker themes if available" request.
|
| Input from florian@, danj@ and clematis.
| OK florian@, danj@ (on a previous version with the wrong background color)
* httpd: allow $REQUEST_SCHEME in redirect targets, ok jung@ florian@ [sthen, 2020-02-25, 1 file, -1/+10]
| Sometimes you want to redirect a request to another site but maintaining the same type of connection (http or https) as the original request. Allow a $REQUEST_SCHEME variable to be used in redirect locations to allow this, e.g.
|
|     location "/cgi-bin/foobar*" {
|             block return 302 "$REQUEST_SCHEME://foobar.example.org$REQUEST_URI"
|     }
* Pick the value for "max requests number" from the correct server {} [benno, 2020-01-14, 1 file, -8/+8]
| section in the config, by moving the code down where the Host: header has been read and the correct server configuration selected.
|
| Note that it may not be that useful to have this option per server, because it is valid to send requests with different Host: headers over the same tcp connection.
|
| problem noted and diff from Tracey Emery, thanks!
| ok florian@
* remove useless NULL check, it's checked 7 lines further up. [benno, 2019-11-04, 1 file, -4/+1]
| found by Clemens Goessnitzer, ok and prodded by florian@
* Do not log "(null)" in debug logging. [florian, 2019-10-22, 1 file, -2/+3]
| OK deraadt
* The QUERY_STRING macro is not actually URL encoded, so fix the manual. [tb, 2019-05-08, 1 file, -2/+14]
| Add a QUERY_STRING_ENC macro that is URL encoded.
|
| Patch from Tim Baumgartner
| ok reyk
* Set the REQUEST_URI CGI variable to the requested URI and query string [tb, 2019-05-08, 1 file, -9/+11]
| instead of the rewritten path and query string.
|
| Patch from Tim Baumgard, reminded by Mischa Peters.
| ok benno, reyk
* spacing [reyk, 2019-05-08, 1 file, -4/+4]
|
* Add a "forwarded" log format that extends the "combined" log format [tb, 2019-05-03, 1 file, -5/+41]
| by including the contents of the X-Forwarded-For and X-Forwarded-Port headers. If httpd(8) runs behind a proxy like relayd(8), this allows tracking the origin of the requests. The format is compatible with log analyzers such as GoAccess and Webalizer.
|
| Patch from Bruno Flueckiger
| ok benno, reyk
* log X509 peer's cert subject name when tls client authentication is used, [benno, 2019-02-10, 1 file, -2/+9]
| in the same way as the http authenticated username is logged.
| From Karel Gardas, gardask at gmail dot com, Thanks!
| ok florian@
* Check maxrequestbody when we found the right server / location. [florian, 2018-12-04, 1 file, -7/+7]
| Very patiently pointed out repeatedly by Tracey Emery ( tracey AT traceyemery.net ), thanks!
| OK benno
* isalpha(3) requires an unsigned char value (or -1). [guenther, 2018-11-04, 1 file, -2/+2]
| from Hiltjo Posthuma (hiltjo(at)codemadness.org)
* Omit HSTS headers over unencrypted connections, per RFC 6797. [bentley, 2018-10-15, 1 file, -3/+5]
| ok florian@
* Backout my previous commit: [benno, 2018-10-11, 1 file, -7/+1]
| date: 2018/10/01 19:24:09; author: benno; state: Exp; lines: +7 -1; commitid: 0O8fyHPNvPd8rvYU;
| Only send 408 Timeout responses when we have seen at least part of a request. Without a request, just close the connection when we hit request timeout.
| Prompted by a bug report from Nikola Kolev, thanks.
| ok reyk@ and some suggestions from claudio@ and bluhm@
|
| Mark Patruck (mark AT wrapped DOT cx) found a problem with it, thanks for the report.
| ok reyk@ bluhm@ sthen@ deraadt@
* Only send 408 Timeout responses when we have seen at least part of a [benno, 2018-10-01, 1 file, -1/+7]
| request. Without a request, just close the connection when we hit request timeout.
| Prompted by a bug report from Nikola Kolev, thanks.
| ok reyk@ and some suggestions from claudio@ and bluhm@
* Do not send a Content-Length header for 1xx and 204 status codes since [florian, 2018-09-07, 1 file, -4/+18]
| RFC 7230 states that a server MUST NOT do so. At least relayd chokes on this.
| Pointed out & diff by Carlin Bingham (cb AT walcyrge.org), thanks!
| OK benno
* Add support for simple one-off internal rewrites. [reyk, 2018-06-20, 1 file, -6/+45]
| For example:
|
|     location match "/page/(%d+)/.*" {
|             request rewrite "/static/index.php?id=%1&$QUERY_STRING"
|     }
|
| Requested by many.
| Ok benno@
* Fix 304 Not Modified response: don't send a body, use the correct MIME type. [reyk, 2018-06-15, 1 file, -5/+5]
| Reported by Hidvegi Gabor gaborca websivision hu
| Fix found by anton@
| OK anton@
* The http_query is already url_encoded; don't encode it twice. [reyk, 2018-06-11, 1 file, -22/+7]
| This fixes a bug in the macros and log file handler that double-encoded the query. This does not change FCGI as it was already handling the query correctly. Additional verification of the QUERY_STRING should be implemented as well.
|
| OK claudio@
* After processing of a range request httpd would never close the [florian, 2018-04-06, 1 file, -1/+2]
| connection and eventually stop answering queries because of file descriptor starvation.
| Problem reported by, minimal testcase provided and testing by trondd _AT_ kagu-tsuchi.com, thanks!
| Testing Nick Holland and millert
| OK deraadt
* set Location header for 307 and 308 status codes [benno, 2017-12-14, 1 file, -1/+3]
| ok sthen@ phessler@
* Avoid a crash servicing requests when a server is configured with [jsg, 2017-05-15, 1 file, -1/+5]
| "block return 401". Problem reported by Jurjen Oskam.
| ok florian@
* Expand $HTTP_HOST in redirects. [florian, 2017-03-16, 1 file, -1/+9]
| From Rivo Nurges Rivo.Nurges AT smit.ee, thanks!
| OK reyk
* Sync from relayd: DELETE can have a body. [reyk, 2017-03-10, 1 file, -2/+2]
| Fix by Rivo Nurges, fixes a problem with Atlassian JIRA
| OK benno@
* Improve parsing of the HTTP request line [reyk, 2017-02-07, 1 file, -4/+22]
| Make sure that the beginning of a new request starts with an alphabetic character. This is a quick way to detect non-ASCII requests (eg. TLS on port 80). The full validation of the request method is done once the input line is read.
|
| Make sure that non-terminated lines do not exceed the SERVER_MAXHEADERLENGTH which is 8k. As the current read watermark is set to 64k, this means that the limit check is triggered after max. 64k of input, depending on the TCP read buffer.
|
| OK benno@ jsing@
* Fix support for HTTP pipelining by handling all requests in the buffer. [reyk, 2017-02-02, 1 file, -1/+5]
| Tested & OK jung@
* Reimplement httpd's support for byte ranges. [reyk, 2017-01-31, 1 file, -2/+97]
| The previous implementation loaded all the output into a single output buffer and used its size to determine the Content-Length of the body.
|
| The new implementation calculates the body length first and writes the individual ranges in an async way using the bufferevent mechanism. This prevents httpd from using too much memory and applies the watermark and throttling mechanisms to range requests.
|
| Problem reported by Pierre Kim (pierre.kim.sec at gmail.com)
| OK benno@ sunil@
* The variable clt_done is used in too many places. [reyk, 2017-01-31, 1 file, -5/+6]
| Introduce a new variable clt_headersdone in the async HTTP parser.
| OK sunil@ benno@
* Replace the static env variables with a single global variable. [rzalamena, 2016-08-26, 1 file, -8/+3]
| ok reyk@
* According to RFC 7231 4.3.7, OPTIONS may have body. "Although this [reyk, 2016-07-27, 1 file, -2/+2]
| specification does not define any use for such a payload, future extensions to HTTP might use the OPTIONS body to make more detailed queries about the target resource."
|
| The future has arrived.
|
| Found and tested by Michael Lechtermann
| OK benno@
* Return "400 Bad Request" instead of "500 Server Internal Error" for [krw, 2016-05-27, 1 file, -3/+5]
| requests lacking "HTTP/<version>". This makes it more obvious that httpd(8) does not attempt to support HTTP v0.9 (circa 1991), when "GET <url>\r\n" was valid.
|
| ok millert@ florian@
* makes sure the value of the asprintf buffer is zeroed on error [jung, 2016-05-22, 1 file, -3/+7]
| from Hiltjo Posthuma
| "do." deraadt
* Set content charset for auto index generated page. [florian, 2016-03-08, 1 file, -1/+3]
| Pointed out and diff by dhill, thanks!
| Tweaks and same change for error documents by me.
* Back out previous; requested by jung@ [tim, 2016-02-11, 1 file, -7/+7]
|
* Include the server port number in the common and combined logs. This is useful [tim, 2016-02-11, 1 file, -7/+7]
| to distinguish between http and https requests.
| OK florian@ reyk@ a while ago
* No need to check for NULL before free(). [mmcc, 2015-12-07, 1 file, -3/+2]
|
* Remove unnecessary NULL checks before free(). [reyk, 2015-12-03, 1 file, -21/+13]
| From Jan Schreiber
* Plug a leak. [sunil, 2015-10-13, 1 file, -1/+2]
| Ok gilles@, reyk@
* Pass unsigned chars to ctype functions. [reyk, 2015-10-13, 1 file, -2/+2]
| From Michael McConville
* Fix a regression that was introduced with server.c r1.64: Do NOT free [reyk, 2015-09-07, 1 file, -2/+2]
| srv_conf->auth in serverconfig_free() because it was not allocated in config_getserver() but assigned as a reference by id from a global list that is maintained independently. This fixes a potential double-free.
|
| This fix also makes srv_conf->auth "const" to emphasize that the read-only auth pointer was not allocated here.
|
| OK jsing@
* The WebDAV MOVE method was not included in the switch statement [reyk, 2015-08-21, 1 file, -1/+2]
| handling the HTTP methods in server_http.c which resulted in a 405 method not allowed error when trying to use it.
|
| Fix by jaminh on github
* Change httpd(8) to use C99-style fixed-width integers (uintN_t instead [reyk, 2015-08-20, 1 file, -7/+7]
| of u_intN_t) and replace u_int with unsigned int. Mixing both variants is a bad style and most contributors seem to prefer this style; it also helps us to get used to it, portability, and standardization.
|
| Theoretically no binary change, except one in practice: httpd.o has a different checksum because gcc with -O2 pads/optimizes "struct privsep" differently when using "unsigned int" instead "u_int" for the affected members. "u_int" is just a typedef of "unsigned int", -O0 doesn't build the difference and clang with -O2 doesn't do it either - it is just another curiosity from gcc-land.
|
| OK semarie@
* repair hsts header output, wrong format strings caused broken [benno, 2015-07-31, 1 file, -3/+3]
| Strict-Transport-Security headers. Add __format__ attribute to kv_set() and kv_setkey() to make it easier to spot such problems.
|
| Found by and fix from Donovan Watteau <tsoomi -AT- gmail -DOT- com>, thanks for your help.
| ok deraadt@
* backout the previous: it broke wordpress somehow. [reyk, 2015-07-29, 1 file, -2/+1]
| we need more care to find a proper fix for the fastcgi headers.
| acknowledged by deraadt@
* Read fcgi response records until we have the whole http header and can [florian, 2015-07-29, 1 file, -1/+2]
| parse it. Otherwise http headers can leak into the body.
| Pointed out by Jean-Philippe Ouellet on bugs@ Thanks!
| OK reyk, commit ASAP deraadt@