path: root/usr.sbin/httpd
Commit message | Author | Age | Files | Lines
...
* VIS_QUOTE is not there yet, unbreak the tree. Noticed by semarie@
  Author: reyk, Age: 2015-07-16, Files: 1, Lines: -2/+2
* Escape the message in server_log() as well. OK benno@
  Author: reyk, Age: 2015-07-15, Files: 3, Lines: -13/+16
* For some values like the User-Agent, use vis(3) instead of url_encode(). This makes the output more readable and matches Apache's log encoding. OK sthen@ brynet@
  Author: reyk, Age: 2015-07-15, Files: 1, Lines: -18/+19
* Simplify the error path of the previous commit: by using ret = -1 by default and only setting it to 0 on success, we don't have to set it in each error case. While here, also remove two superfluous NULL checks (as pointed out by semarie). OK semarie@
  Author: reyk, Age: 2015-07-15, Files: 1, Lines: -37/+15
* Close connections that fail to complete a TLS handshake. Based on a diff from Jack Burton <jack at saosce dot com dot au>. ok reyk@
  Author: jsing, Age: 2015-07-15, Files: 1, Lines: -1/+2
* Unbreak configurations that have a non-TLS listen statement followed by a TLS listen statement. A bug was introduced in r1.68 of parse.y, which results in flags being directly copied from the parent, meaning that the TLS flag for the second server gets lost. ok reyk@
  Author: jsing, Age: 2015-07-15, Files: 1, Lines: -2/+3
* Fix typo in comment.
  Author: jsing, Age: 2015-07-15, Files: 1, Lines: -2/+2
* Document default locations for TLS certificate and key. ok reyk@
  Author: jsing, Age: 2015-07-15, Files: 1, Lines: -2/+6
* httpd doesn't sanitize variables before putting them in logs. It is possible for an attacker to push arbitrary characters in logs (newline for forging entries, or some control escaping interpreted by terminal emulator). OK reyk@
  Author: semarie, Age: 2015-07-15, Files: 1, Lines: -20/+101
* Send the TLS certificate and key via separate imsgs, rather than including them in the IMSG_CFG_SERVER imsg. This allows the certificate and key to each be almost 16KB (the maximum size for an imsg), rather than having a combined total of less than 16KB (which can be reached with large keys, certificate bundles or by including text versions of certificates). ok reyk@
  Author: jsing, Age: 2015-07-15, Files: 3, Lines: -26/+142
* Explicitly check for and handle EOF on a TLS connection. ok reyk@
  Author: jsing, Age: 2015-07-15, Files: 1, Lines: -1/+6
* Fix memory leaks that can occur when config_getserver() fails. config.c r1.34 and r1.30 introduced potential memory leaks for auth and return_uri when config_getserver fails. Fix this by switching to serverconfig_free() and adding the missing free for srv_conf->auth. While here, make serverconfig_free() a little more bulletproof by explicit_bzero()ing key material. ok reyk@
  Author: jsing, Age: 2015-07-15, Files: 2, Lines: -11/+20
* new sentence, new line; my apologies to semarie for not pointing this out when he asked for an ok...
  Author: jmc, Age: 2015-06-30, Files: 1, Lines: -4/+5
* Add a small paragraph about some difference with Lua implementation. Suggestion from Theo Buehler. OK jmc@ reyk@
  Author: semarie, Age: 2015-06-30, Files: 1, Lines: -3/+7
* Corrects the manpage for patterns(7): the indexing for empty capture follow C-style (starting from 0) and not the Lua-style (starting from 1). Patch from Theo Buehler. OK reyk@
  Author: semarie, Age: 2015-06-27, Files: 1, Lines: -4/+4
* move #include inside #ifndef PATTERNS_H. OK reyk@
  Author: semarie, Age: 2015-06-26, Files: 1, Lines: -4/+4
* Corrects some minor nits. Patch from Theo Buehler.
  - cleanup in included headers (removing unused assert.h, and reorder)
  - one remaining '%%' in an error string corrected in '%'
  while here, add sys/types.h for off_t type. OK reyk@
  Author: semarie, Age: 2015-06-26, Files: 1, Lines: -6/+6
* various tweaks;
  Author: jmc, Age: 2015-06-23, Files: 2, Lines: -16/+15
* escape the matched substrings before using it in expansion. ok reyk@
  Author: semarie, Age: 2015-06-23, Files: 1, Lines: -3/+6
* remove a deprecated character class. it was deprecated in lua code, but here the code is new. The documentation doesn't mention it either. ok reyk@
  Author: semarie, Age: 2015-06-23, Files: 1, Lines: -5/+2
* Add initial support for pattern matching using Lua's pattern matching code. With important help on the pattern matcher from semarie@ OK semarie@
  Author: reyk, Age: 2015-06-23, Files: 8, Lines: -47/+1238
* After the last change, we also have to url_encode $SERVER_NAME and $REMOTE_USER before using them in the Location. From Sebastien Marie (semarie)
  Author: reyk, Age: 2015-06-22, Files: 1, Lines: -9/+16
* When encoding the Location url, only encode the query and path elements from the user input and not the constants from the configuration. This makes it possible to specify chars like '?' in the uri. OK Sebastien Marie
  Author: reyk, Age: 2015-06-21, Files: 1, Lines: -22/+37
* Use "compliant" header guards by avoiding the reserved '_' namespace. Pointed out by Markus Elfring OK mikeb@ millert@
  Author: reyk, Age: 2015-06-11, Files: 1, Lines: -4/+4
* plug fd leak found by Todd Mortimer. ok claudio deraadt florian
  Author: jung, Age: 2015-06-09, Files: 1, Lines: -1/+4
* Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
  Author: millert, Age: 2015-06-03, Files: 1, Lines: -4/+10
* use "uri"; from yegor timoschenko
  Author: jmc, Age: 2015-05-28, Files: 1, Lines: -4/+4
* Do not try to unlink the control socket in an unprivileged child process on shutdown. Found while working on tame(2). OK benno@
  Author: florian, Age: 2015-05-28, Files: 2, Lines: -4/+5
* Use off_t instead of size_t to pass file size and print it using %lld when constructing the Content-Length header field. Should fix some, but probably not all, problems with serving files bigger than 2G on 32-bit architectures. ok reyk@, florian@
  Author: kettenis, Age: 2015-05-20, Files: 2, Lines: -5/+5
* better spacing in media types. ok reyk@
  Author: sobrado, Age: 2015-05-19, Files: 1, Lines: -9/+9
* sort media type extensions for text/html and image/jpeg as given in /usr/share/misc/mime.types; do not include shtml as it is for Server Side Includes (SSI) -- we will never do SSI. joint work with reyk@ ok reyk@
  Author: sobrado, Age: 2015-05-19, Files: 1, Lines: -3/+3
* drop comment about being possible to include /etc/nginx/mime.types, we do not have to care about nginx anymore. ok jmc@ (who thinks previously suggested removing it), and reyk@
  Author: sobrado, Age: 2015-05-19, Files: 1, Lines: -10/+2
* Implement If-Modified-Since. From Kyle Thompson <jmp AT giga DOT moe>. Tweaks by me. OK benno@
  Author: florian, Age: 2015-05-05, Files: 1, Lines: -2/+26
* Implement byte ranges. From Sunil Nimmagadda <sunil At nimmagadda DOT net> OK benno@
  Author: florian, Age: 2015-05-03, Files: 2, Lines: -9/+282
* Prepend files or directories containing ":" with "./" in directory indexes as per RFC 3986:
    A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative-path reference.
  While here add a "/" to the end of directory names, this saves us one redirect round trip. Found the hard way & "functionality wise, OK" ajacoutot@ RFC pointer & OK benno@
  Author: florian, Age: 2015-04-25, Files: 1, Lines: -3/+5
* We cannot log errors with server_close() before allocating clt_log evbuffer. server_close() calls server_log() which uses ctl_log. Crash reported by Daniel Jakots <vigdis AT chown DOT me>, thanks! OK benno
  Author: florian, Age: 2015-04-23, Files: 1, Lines: -8/+6
* Regis Leroy reported that httpd does not strictly accept CRLF for newlines which could lead to http response splitting/smuggling if a badly behaved proxy is in front of httpd. Switch from evbuffer_readline() to evbuffer_readln() with EVBUFFER_EOL_CRLF_STRICT to avoid this. ok florian@
  Author: jsg, Age: 2015-04-18, Files: 1, Lines: -5/+6
* Always check the return value of proc_composev_imsg() and handle failures appropriately. Otherwise imsg construction can silently fail, resulting in non-obvious problems. Found the hard way by Theodore Wynnychenko. ok doug@ florian@
  Author: jsing, Age: 2015-04-11, Files: 3, Lines: -10/+32
* Revert previous as this breaks stuff. I fscked up the testing, sorry! Found the hard way by jsg@
  Author: florian, Age: 2015-04-09, Files: 1, Lines: -6/+1
* Do not silently accept multiple Content-Length headers. Pointed out by Regis Leroy (regis.leroy AT makina-corpus DOT com), thanks! Tweak and OK reyk@
  Author: florian, Age: 2015-04-08, Files: 1, Lines: -1/+6
* Zero the tls cert/key length variables when inheriting a server configuration for multiple listen statements in a server block. Otherwise httpd will crash when a listen statement with tls is followed by a listen statement without tls. Problem reported by Kent Fritz on misc. ok jsing@ looks good deraadt@
  Author: jsg, Age: 2015-04-01, Files: 1, Lines: -1/+3
* pointers to slowcgi(8); from alexei malinin
  Author: jmc, Age: 2015-03-26, Files: 2, Lines: -6/+8
* Allow more characters in CGI environment variables as specified by RFC 7230 and RFC 3875. sthen@ suggested to add a comment to explain where the list of characters is coming from. Found the hard way and initial diff from Tim van der Molen (tbvdm at xs4all), thanks! Some more allowed characters added by me. OK sthen@
  Author: florian, Age: 2015-03-26, Files: 1, Lines: -2/+13
* Prevent use after free. While here unconditionally free clt and move declaration of server_inflight_dec() into server.c. Found while investigating if (foo != NULL) free(foo) patterns pointed out by Markus Elfring. OK reyk
  Author: florian, Age: 2015-03-15, Files: 2, Lines: -6/+5
* Wrap long line. This is another airplane commit from a 747-8 somewhere over Siberia and I think I'm just getting into minor turbulences.
  Author: reyk, Age: 2015-03-11, Files: 1, Lines: -4/+4
* Document the TLSv1.2-only change. Figured out sthen@
  Author: reyk, Age: 2015-03-09, Files: 1, Lines: -5/+5
* Make httpd TLSv1.2-only by default. Some older browsers, like IE 10, will be incompatible with this change. We do this early in the release cycle, so there is a good chance to get more experience with the impact of it and the upcoming restricted cipher modes. OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@
  Author: reyk, Age: 2015-03-09, Files: 1, Lines: -2/+2
* Fix minor manpage bug: it is a server, not a relay. OK deraadt@
  Author: reyk, Age: 2015-03-06, Files: 1, Lines: -4/+4
* Mark up filenames with Pa. ok reyk@
  Author: bentley, Age: 2015-02-24, Files: 1, Lines: -8/+8
* Use the rewritten (index file appended) uri as DOCUMENT_URI. OK florian@
  Author: chrisz, Age: 2015-02-23, Files: 1, Lines: -2/+2