sthttpd is a simple, small, fast, and secure HTTP server. It doesn't have

a lot of special features, but it suffices for most uses of the web, it's about as fast as the best full-featured servers (Apache, NCSA, Netscape), and it has one extremely useful feature (URL-traffic-based throttling) that no other server currently has. ok sthen@
2013-08-10 02:48:26 +00:00 · 2013-08-10 02:48:26 +00:00 · 8d8efa11b0
commit 8d8efa11b0
parent d96497156f
10 changed files with 185 additions and 0 deletions
--- a/www/sthttpd/Makefile
+++ b/www/sthttpd/Makefile
@ -0,0 +1,21 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+
+COMMENT=	tiny/turbo/throttling HTTP server
+
+DISTNAME=	sthttpd-2.26.3
+CATEGORIES=	www
+MASTER_SITES=	http://opensource.dyc.edu/pub/sthttpd/
+
+HOMEPAGE=	http://opensource.dyc.edu/sthttpd/
+
+# BSD
+PERMIT_PACKAGE_CDROM=	Yes
+
+WANTLIB=	c
+
+CONFIGURE_STYLE= gnu
+CONFIGURE_ENV+=	WEBDIR="/var/www/htdocs" WEBGROUP=www
+
+NO_TEST=	Yes
+
+.include <bsd.port.mk>
--- a/www/sthttpd/distinfo
+++ b/www/sthttpd/distinfo
@ -0,0 +1,2 @@
+SHA256 (sthttpd-2.26.3.tar.gz) = 5d8lpFSCvRi7mBVe3ebaIXHmi6G4WY9HRQNXyvioVsE=
+SIZE (sthttpd-2.26.3.tar.gz) = 195629
--- a/www/sthttpd/patches/patch-extras_Makefile_in
+++ b/www/sthttpd/patches/patch-extras_Makefile_in
@ -0,0 +1,11 @@
+$OpenBSD: patch-extras_Makefile_in,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+--- extras/Makefile.in.orig	Thu Jul 19 23:23:10 2012
+++ extras/Makefile.in	Thu Jul 19 23:23:49 2012
+@@ -460,7 +460,6 @@ install-dvi-am:
+ 
+ install-exec-am: install-dist_sbinSCRIPTS install-sbinPROGRAMS
+ 	@$(NORMAL_INSTALL)
+-	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+ install-html: install-html-am
+ 
+ install-html-am:
--- a/www/sthttpd/patches/patch-extras_htpasswd_c
+++ b/www/sthttpd/patches/patch-extras_htpasswd_c
@ -0,0 +1,20 @@
+$OpenBSD: patch-extras_htpasswd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+
+A local attacker with the ability to alter .htpasswd files could
+cause a Denial of Service in thttpd by specially-crafting them.
+CVE-2012-5640
+
+--- extras/htpasswd.c.orig	Thu Mar 14 04:10:47 2013
+++ extras/htpasswd.c	Thu Mar 14 04:11:29 2013
+@@ -136,7 +136,10 @@ add_password( char* user, FILE* f )
+     (void) srandom( (int) time( (time_t*) 0 ) );
+     to64( &salt[0], random(), 2 );
+     cpw = crypt( pw, salt );
+-    (void) fprintf( f, "%s:%s\n", user, cpw );
+    if (cpw)
+        (void) fprintf( f, "%s:%s\n", user, cpw );
+    else
+        (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
+     }
+ 
+ static void usage(void) {
--- a/www/sthttpd/patches/patch-src_libhttpd_c
+++ b/www/sthttpd/patches/patch-src_libhttpd_c
@ -0,0 +1,40 @@
+$OpenBSD: patch-src_libhttpd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+
+A local attacker with the ability to alter .htpasswd files could
+cause a Denial of Service in thttpd by specially-crafting them.
+CVE-2012-5640
+
+--- src/libhttpd.c.orig	Thu Mar 14 04:11:40 2013
+++ src/libhttpd.c	Thu Mar 14 04:13:02 2013
+@@ -1017,6 +1017,7 @@ auth_check2( httpd_conn* hc, char* dirname  )
+     static size_t maxprevuser = 0;
+     static char* prevcryp;
+     static size_t maxprevcryp = 0;
+    char *crypt_result;
+ 
+     /* Construct auth filename. */
+     httpd_realloc_str(
+@@ -1063,7 +1064,10 @@ auth_check2( httpd_conn* hc, char* dirname  )
+ 	 strcmp( authinfo, prevuser ) == 0 )
+ 	{
+ 	/* Yes.  Check against the cached encrypted password. */
+-	if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
+        crypt_result = crypt( authpass, prevcryp );
+        if ( ! crypt_result )
+            return -1;
+	if ( strcmp( crypt_result, prevcryp ) == 0 )
+ 	    {
+ 	    /* Ok! */
+ 	    httpd_realloc_str(
+@@ -1112,7 +1116,10 @@ auth_check2( httpd_conn* hc, char* dirname  )
+ 	    /* Yes. */
+ 	    (void) fclose( fp );
+ 	    /* So is the password right? */
+-	    if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+            crypt_result = crypt( authpass, cryp );
+            if ( ! crypt_result )
+                return -1;
+	    if ( strcmp( crypt_result, cryp ) == 0 )
+ 		{
+ 		/* Ok! */
+ 		httpd_realloc_str(
--- a/www/sthttpd/patches/patch-src_thttpd_c
+++ b/www/sthttpd/patches/patch-src_thttpd_c
@ -0,0 +1,43 @@
+$OpenBSD: patch-src_thttpd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+
+Make sure that the logfile is created or reopened as read/write
+by thttpd user only. CVE-2013-0348
+
+--- src/thttpd.c.orig	Thu Mar 14 04:08:35 2013
+++ src/thttpd.c	Thu Mar 14 04:10:23 2013
+@@ -326,6 +326,7 @@ static void
+ re_open_logfile( void )
+     {
+     FILE* logfp;
+    int retchmod;
+ 
+     if ( no_log || hs == (httpd_server*) 0 )
+ 	return;
+@@ -335,7 +336,8 @@ re_open_logfile( void )
+ 	{
+ 	syslog( LOG_NOTICE, "re-opening logfile" );
+ 	logfp = fopen( logfile, "a" );
+-	if ( logfp == (FILE*) 0 )
+	retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
+	if ( logfp == (FILE*) 0 || retchmod != 0 )
+ 	    {
+ 	    syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
+ 	    return;
+@@ -355,6 +357,7 @@ main( int argc, char** argv )
+     gid_t gid = 32767;
+     char cwd[MAXPATHLEN+1];
+     FILE* logfp;
+    int retchmod;
+     int num_ready;
+     int cnum;
+     connecttab* c;
+@@ -424,7 +427,8 @@ main( int argc, char** argv )
+ 	else
+ 	    {
+ 	    logfp = fopen( logfile, "a" );
+-	    if ( logfp == (FILE*) 0 )
+	    retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
+	    if ( logfp == (FILE*) 0 || retchmod != 0 )
+ 		{
+ 		syslog( LOG_CRIT, "%.80s - %m", logfile );
+ 		perror( logfile );
--- a/www/sthttpd/patches/patch-src_thttpd_h
+++ b/www/sthttpd/patches/patch-src_thttpd_h
@ -0,0 +1,12 @@
+$OpenBSD: patch-src_thttpd_h,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+--- src/thttpd.h.orig	Sun Aug  5 04:59:29 2012
+++ src/thttpd.h	Sun Aug  5 04:59:46 2012
+@@ -237,7 +237,7 @@
+ ** initializing.  If this user (or the one specified by the -u flag) does
+ ** not exist, the program will refuse to run.
+ */
+-#define DEFAULT_USER "nobody"
+#define DEFAULT_USER "www"
+ 
+ /* CONFIGURE: When started as root, the program can automatically chdir()
+ ** to the home directory of the user specified by -u or DEFAULT_USER.
--- a/www/sthttpd/patches/patch-www_cgi-bin_Makefile_in
+++ b/www/sthttpd/patches/patch-www_cgi-bin_Makefile_in
@ -0,0 +1,12 @@
+$OpenBSD: patch-www_cgi-bin_Makefile_in,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+--- www/cgi-bin/Makefile.in.orig	Fri Jul 13 07:50:37 2012
+++ www/cgi-bin/Makefile.in	Sun Aug  5 04:53:10 2012
+@@ -180,7 +180,7 @@ target_alias = @target_alias@
+ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+-cgidir = $(WEBDIR)/cgi-bin
+cgidir = $(pkglibexecdir)
+ redirect_SOURCES = redirect.c
+ redirect_CPPFLAGS = -I$(top_srcdir)/src
+ ssi_SOURCES = ssi.c
--- a/www/sthttpd/pkg/DESCR
+++ b/www/sthttpd/pkg/DESCR
@ -0,0 +1,5 @@
+sthttpd is a simple, small, fast, and secure HTTP server. It doesn't have
+a lot of special features, but it suffices for most uses of the web,
+it's about as fast as the best full-featured servers (Apache, NCSA,
+Netscape), and it has one extremely useful feature (URL-traffic-based
+throttling) that no other server currently has.
--- a/www/sthttpd/pkg/PLIST
+++ b/www/sthttpd/pkg/PLIST
@ -0,0 +1,19 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
+@conflict thttpd-*
+@pkgpath www/thttpd
+libexec/sthttpd/
+@comment libexec/sthttpd/index.html
+@comment @bin libexec/sthttpd/phf
+@comment libexec/sthttpd/printenv
+@bin libexec/sthttpd/redirect
+@bin libexec/sthttpd/ssi
+@comment @man man/man1/htpasswd.1
+@comment @man man/man1/makeweb.1
+@man man/man8/redirect.8
+@man man/man8/ssi.8
+@man man/man8/syslogtocern.8
+@man man/man8/thttpd.8
+@comment @bin sbin/htpasswd
+@comment @bin sbin/makeweb
+sbin/syslogtocern
+@bin sbin/thttpd