lighttpd fixes, from upstream via Brad.

- Fix handling of empty header list entries in http_request_split_value. - Fix access log escaping of " and \\. - Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617). - Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround. - Fix splitting :port with IPv6.
2012-04-28 09:25:25 +00:00 · 2012-04-28 09:25:25 +00:00 · e0eea98a9f
commit e0eea98a9f
parent 204e300af1
8 changed files with 246 additions and 2 deletions
--- a/www/lighttpd/Makefile
+++ b/www/lighttpd/Makefile
@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.96 2012/04/09 07:02:11 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.97 2012/04/28 09:25:25 sthen Exp $

 SHARED_ONLY=	Yes

 COMMENT=	secure, fast, compliant, and very flexible web-server

 DISTNAME=	lighttpd-1.4.30
-REVISION=	2
+REVISION=	3
 CATEGORIES=	www net
 MASTER_SITES=	http://download.lighttpd.net/lighttpd/releases-1.4.x/

--- a/www/lighttpd/patches/patch-src_http_auth_c
+++ b/www/lighttpd/patches/patch-src_http_auth_c
@ -0,0 +1,17 @@
+$OpenBSD: patch-src_http_auth_c,v 1.5 2012/04/28 09:25:25 sthen Exp $
+
+Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617).
+
+--- src/http_auth.c.orig	Tue Nov 29 06:36:18 2011
+++ src/http_auth.c	Mon Apr 23 00:09:35 2012
+@@ -1095,7 +1095,9 @@ int http_auth_digest_check(server *srv, connection *co
+ 	if (algorithm &&
+ 	    strcasecmp(algorithm, "md5-sess") == 0) {
+ 		li_MD5_Init(&Md5Ctx);
+-		li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16);
+		/* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */
+		CvtHex(HA1, a1);
+		li_MD5_Update(&Md5Ctx, (unsigned char *)a1, 32);
+ 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
+ 		li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
+ 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
--- a/www/lighttpd/patches/patch-src_mod_accesslog_c
+++ b/www/lighttpd/patches/patch-src_mod_accesslog_c
@ -0,0 +1,53 @@
+$OpenBSD: patch-src_mod_accesslog_c,v 1.3 2012/04/28 09:25:25 sthen Exp $
+
+- Fix access log escaping of " and \\.
+- Fix splitting :port with IPv6.
+
+--- src/mod_accesslog.c.orig	Mon Apr 23 00:14:44 2012
+++ src/mod_accesslog.c	Mon Apr 23 00:13:36 2012
+@@ -165,7 +165,8 @@ static void accesslog_append_escaped(buffer *dest, buf
+ 	buffer_prepare_append(dest, str->used - 1);
+ 
+ 	for (ptr = start = str->ptr, end = str->ptr + str->used - 1; ptr < end; ptr++) {
+-		if (*ptr >= ' ' && *ptr <= '~') {
+		char const c = *ptr;
+		if (c >= ' ' && c <= '~' && c != '"' && c != '\\') {
+ 			/* nothing to change, add later as one block */
+ 		} else {
+ 			/* copy previous part */
+@@ -174,7 +175,7 @@ static void accesslog_append_escaped(buffer *dest, buf
+ 			}
+ 			start = ptr + 1;
+ 
+-			switch (*ptr) {
+			switch (c) {
+ 			case '"':
+ 				BUFFER_APPEND_STRING_CONST(dest, "\\\"");
+ 				break;
+@@ -199,9 +200,9 @@ static void accesslog_append_escaped(buffer *dest, buf
+ 			default: {
+ 					/* non printable char => \xHH */
+ 					char hh[5] = {'\\','x',0,0,0};
+-					char h = *ptr / 16;
+					char h = c / 16;
+ 					hh[2] = (h > 9) ? (h - 10 + 'A') : (h + '0');
+-					h = *ptr % 16;
+					h = c % 16;
+ 					hh[3] = (h > 9) ? (h - 10 + 'A') : (h + '0');
+ 					buffer_append_string_len(dest, &hh[0], 4);
+ 				}
+@@ -858,7 +859,13 @@ REQUESTDONE_FUNC(log_access_write) {
+ 				break;
+ 			case FORMAT_SERVER_PORT:
+ 				{
+-					char *colon = strrchr(((server_socket*)(con->srv_socket))->srv_token->ptr, ':');
+					const char *colon;
+					buffer *srvtoken = ((server_socket*)(con->srv_socket))->srv_token;
+					if (srvtoken->ptr[0] == '[') {
+						colon = strstr(srvtoken->ptr, "]:");
+					} else {
+						colon = strchr(srvtoken->ptr, ':');
+					}
+ 					if (colon) {
+ 						buffer_append_string(b, colon+1);
+ 					} else {
--- a/www/lighttpd/patches/patch-src_mod_auth_c
+++ b/www/lighttpd/patches/patch-src_mod_auth_c
@ -0,0 +1,47 @@
+$OpenBSD: patch-src_mod_auth_c,v 1.1 2012/04/28 09:25:25 sthen Exp $
+
+Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround.
+
+--- src/mod_auth.c.orig	Mon Sep  5 05:26:36 2011
+++ src/mod_auth.c	Mon Apr 23 00:10:24 2012
+@@ -181,6 +181,7 @@ static handler_t mod_auth_uri_handler(server *srv, con
+ 	size_t k;
+ 	int auth_required = 0, auth_satisfied = 0;
+ 	char *http_authorization = NULL;
+	const char *auth_type = NULL;
+ 	data_string *ds;
+ 	mod_auth_plugin_data *p = p_d;
+ 	array *req;
+@@ -245,12 +246,14 @@ static handler_t mod_auth_uri_handler(server *srv, con
+ 
+ 			if ((auth_type_len == 5) &&
+ 			    (0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
+				auth_type = "Basic";
+ 
+ 				if (0 == strcmp(method->value->ptr, "basic")) {
+ 					auth_satisfied = http_auth_basic_check(srv, con, p, req, con->uri.path, auth_realm+1);
+ 				}
+ 			} else if ((auth_type_len == 6) &&
+ 				   (0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
+				auth_type = "Digest";
+ 				if (0 == strcmp(method->value->ptr, "digest")) {
+ 					if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, con->uri.path, auth_realm+1))) {
+ 						con->http_status = 400;
+@@ -302,6 +305,17 @@ static handler_t mod_auth_uri_handler(server *srv, con
+ 		/* the REMOTE_USER header */
+ 
+ 		buffer_copy_string_buffer(con->authed_user, p->auth_user);
+
+		/* AUTH_TYPE environment */
+
+		if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			ds = data_string_init();
+		}
+
+		buffer_copy_string(ds->key, "AUTH_TYPE");
+		buffer_copy_string(ds->value, auth_type);
+
+		array_insert_unique(con->environment, (data_unset *)ds);
+ 	}
+ 
+ 	return HANDLER_GO_ON;
--- a/www/lighttpd/patches/patch-src_mod_cgi_c
+++ b/www/lighttpd/patches/patch-src_mod_cgi_c
@ -0,0 +1,23 @@
+$OpenBSD: patch-src_mod_cgi_c,v 1.5 2012/04/28 09:25:25 sthen Exp $
+
+Fix splitting :port with IPv6.
+
+--- src/mod_cgi.c.orig	Sun Dec 18 07:52:52 2011
+++ src/mod_cgi.c	Mon Apr 23 00:13:55 2012
+@@ -811,8 +811,14 @@ static int cgi_create_env(server *srv, connection *con
+ 
+ 		if (!buffer_is_empty(con->server_name)) {
+ 			size_t len = con->server_name->used - 1;
+-			char *colon = strchr(con->server_name->ptr, ':');
+-			if (colon) len = colon - con->server_name->ptr;
+
+			if (con->server_name->ptr[0] == '[') {
+				const char *colon = strstr(con->server_name->ptr, "]:");
+				if (colon) len = (colon + 1) - con->server_name->ptr;
+			} else {
+				const char *colon = strchr(con->server_name->ptr, ':');
+				if (colon) len = colon - con->server_name->ptr;
+			}
+ 
+ 			cgi_env_add(&env, CONST_STR_LEN("SERVER_NAME"), con->server_name->ptr, len);
+ 		} else {
--- a/www/lighttpd/patches/patch-src_mod_fastcgi_c
+++ b/www/lighttpd/patches/patch-src_mod_fastcgi_c
@ -0,0 +1,62 @@
+$OpenBSD: patch-src_mod_fastcgi_c,v 1.9 2012/04/28 09:25:25 sthen Exp $
+
+- Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround.
+- Fix splitting :port with IPv6.
+
+--- src/mod_fastcgi.c.orig	Mon Apr 23 00:14:54 2012
+++ src/mod_fastcgi.c	Mon Apr 23 00:14:14 2012
+@@ -1857,9 +1857,15 @@ static int fcgi_create_env(server *srv, handler_ctx *h
+ 
+ 	if (con->server_name->used) {
+ 		size_t len = con->server_name->used - 1;
+-		char *colon = strchr(con->server_name->ptr, ':');
+-		if (colon) len = colon - con->server_name->ptr;
+ 
+		if (con->server_name->ptr[0] == '[') {
+			const char *colon = strstr(con->server_name->ptr, "]:");
+			if (colon) len = (colon + 1) - con->server_name->ptr;
+		} else {
+			const char *colon = strchr(con->server_name->ptr, ':');
+			if (colon) len = colon - con->server_name->ptr;
+		}
+
+ 		FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_NAME"), con->server_name->ptr, len),con)
+ 	} else {
+ #ifdef HAVE_IPV6
+@@ -1910,36 +1916,7 @@ static int fcgi_create_env(server *srv, handler_ctx *h
+ 	FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s)),con)
+ 
+ 	if (!buffer_is_empty(con->authed_user)) {
+-		/* AUTH_TYPE fix by Troy Kruthoff (tkruthoff@gmail.com)
+-		 * section 4.1.1 of RFC 3875 (cgi spec) requires the server to set a AUTH_TYPE env
+-		 * declaring the type of authentication used.	 (see http://tools.ietf.org/html/rfc3875#page-11)
+-		 *
+-		 * I copied this code from mod_auth.c where it extracts auth info from the "Authorization" 
+-		 * header to authenticate the user before allowing the request to proceed.  I'm guessing it makes
+-		 * sense to re-parse the header here, as mod_auth is unaware if the request is headed for cgi/fcgi.
+-		 * Someone more familiar with the lighty internals should be able to quickly determine if we are 
+-		 * better storing AUTH_TYPE on the initial parse in mod_auth.
+-		 */
+-		char *http_authorization = NULL;
+-		data_string *ds;
+-	  	
+ 		FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_USER"), CONST_BUF_LEN(con->authed_user)),con)
+-	
+-		if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization"))) {
+-			http_authorization = ds->value->ptr;
+-		}
+-	
+-		if (ds && ds->value && ds->value->used) {
+-			char *auth_realm;
+-		  if (NULL != (auth_realm = strchr(http_authorization, ' '))) {
+-				int auth_type_len = auth_realm - http_authorization;
+-				if ((auth_type_len == 5) && (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
+-					  fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Basic"));
+-				} else if ((auth_type_len == 6) && (0 == strncmp(http_authorization, "Digest", auth_type_len))) {
+-					  fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Digest"));
+-				}
+-			}
+-		}
+ 	}
+ 
+ 	if (con->request.content_length > 0 && host->mode != FCGI_AUTHORIZER) {
--- a/www/lighttpd/patches/patch-src_mod_scgi_c
+++ b/www/lighttpd/patches/patch-src_mod_scgi_c
@ -0,0 +1,23 @@
+$OpenBSD: patch-src_mod_scgi_c,v 1.5 2012/04/28 09:25:25 sthen Exp $
+
+Fix splitting :port with IPv6.
+
+--- src/mod_scgi.c.orig	Sat Aug 20 09:47:24 2011
+++ src/mod_scgi.c	Mon Apr 23 00:14:32 2012
+@@ -1484,8 +1484,14 @@ static int scgi_create_env(server *srv, handler_ctx *h
+ 
+ 	if (con->server_name->used) {
+ 		size_t len = con->server_name->used - 1;
+-		char *colon = strchr(con->server_name->ptr, ':');
+-		if (colon) len = colon - con->server_name->ptr;
+
+		if (con->server_name->ptr[0] == '[') {
+			const char *colon = strstr(con->server_name->ptr, "]:");
+			if (colon) len = (colon + 1) - con->server_name->ptr;
+		} else {
+			const char *colon = strchr(con->server_name->ptr, ':');
+			if (colon) len = colon - con->server_name->ptr;
+		}
+ 
+ 		scgi_env_add(p->scgi_env, CONST_STR_LEN("SERVER_NAME"), con->server_name->ptr, len);
+ 	} else {
--- a/www/lighttpd/patches/patch-src_request_c
+++ b/www/lighttpd/patches/patch-src_request_c
@ -0,0 +1,19 @@
+$OpenBSD: patch-src_request_c,v 1.3 2012/04/28 09:25:25 sthen Exp $
+
+Fix handling of empty header list entries in http_request_split_value.
+
+--- src/request.c.orig	Wed Nov 30 15:42:19 2011
+++ src/request.c	Mon Apr 23 00:07:25 2012
+@@ -241,9 +241,11 @@ static int http_request_split_value(array *vals, buffe
+ 			start = s;
+ 
+ 			for (; *s != ',' && i < b->used - 1; i++, s++);
+			if (start == s) break; /* empty fields are skipped */
+ 			end = s - 1;
+ 
+-			for (; (*end == ' ' || *end == '\t') && end > start; end--);
+			for (; end > start && (*end == ' ' || *end == '\t'); end--);
+			if (start == end) break; /* empty fields are skipped */
+ 
+ 			if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
+ 				ds = data_string_init();