Commit e6cd8739 authored by Glenn Strauss's avatar Glenn Strauss

release 1.4.53-4 to unstable

parent 00ecaca2
lighttpd (1.4.53-4) unstable; urgency=high
* fix mixed use of srv->split_vals array (regression)
* mod_magnet:fix invalid script return-type crash
* fix assertion with server.error-handler
* mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures
* fix abort in server.http-parseopts with url-path-2f-decode enabled
CVE-2019-11072 (closes #926885)
-- Glenn Strauss <gstrauss@gluelogic.com> Sat, 13 Apr 2019 00:00:00 -0400
lighttpd (1.4.53-3) unstable; urgency=medium
* QA upload.
......
......@@ -26,7 +26,7 @@ server.http-parseopts = (
"url-ctrls-reject" => "enable",# recommended
"url-path-2f-decode" => "enable",# recommended highly (unless breaks app)
#"url-path-2f-reject" => "enable",
"url-path-dotseg-remove" => "enable",# recommended
"url-path-dotseg-remove" => "enable",# recommended highly (unless breaks app)
#"url-path-dotseg-reject" => "enable",
#"url-query-20-plus" => "enable",# consistency in query string
)
......
commit 32120d5b8b3203fc21ccb9eafb0eaf824bb59354
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date: Wed, 10 Apr 2019 11:28:10 -0400
[core] fix abort in http-parseopts (fixes #2945)
fix abort in server.http-parseopts with url-path-2f-decode enabled
(thx stze)
x-ref:
"Security - SIGABRT during GET request handling with url-path-2f-decode enabled"
https://redmine.lighttpd.net/issues/2945
diff --git a/src/burl.c b/src/burl.c
index 51182628..c4b928fd 100644
--- a/src/burl.c
+++ b/src/burl.c
@@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i)
}
}
if (qs >= 0) {
- memmove(s+j, s+qs, blen - qs);
- j += blen - qs;
+ const int qslen = blen - qs;
+ memmove(s+j, s+qs, (size_t)qslen);
+ qs = j;
+ j += qslen;
}
buffer_string_set_length(b, j);
return qs;
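Review bot: The reassignment `qs = j;` is what makes the returned offset valid, yet nothing in the hunk says so and it reads like incidental cleanup. Once the %2F sequences are collapsed, the query string has moved left, so the pre-compaction `qs` can point past the new length set by `buffer_string_set_length(b, j)`. The added test input `"%2f?"` shows this: it shrinks to two bytes while the old offset was 3. I would put a comment above the assignment, for example `/* query string was moved down to offset j; return its new position */`. The function starts outside the hunk, so this assumes `blen` is the original length and `qs <= blen` on entry.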
diff --git a/src/t/test_burl.c b/src/t/test_burl.c
index 7be9be50..f7a16815 100644
--- a/src/t/test_burl.c
+++ b/src/t/test_burl.c
@@ -97,6 +97,8 @@ static void test_burl_normalize (void) {
flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE;
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/"));
commit 5440f04e8a9476e9a8665a93db3934a566f8beec
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date: Wed, 13 Mar 2019 00:46:49 -0400
[core] fix assertion with server.error-handler (fixes #2941)
(thx andpr)
x-ref:
"failed assertion on incoming bad request when server.error-handler option is used"
https://redmine.lighttpd.net/issues/2941
diff --git a/src/connections.c b/src/connections.c
index 2e2be98f..a67c377a 100644
--- a/src/connections.c
+++ b/src/connections.c
@@ -1193,6 +1193,8 @@ static int connection_handle_request(server *srv, connection *con) {
con->error_handler_saved_status = -con->http_status; /*(negative to flag old behavior)*/
}
+ if (con->request.http_version == HTTP_VERSION_UNSET) con->request.http_version = HTTP_VERSION_1_0;
+
buffer_copy_buffer(con->request.uri, error_handler);
connection_handle_errdoc_init(con);
con->http_status = 0; /*(after connection_handle_errdoc_init())*/
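Review bot: The new default for `con->request.http_version` carries no comment saying which requests reach this point with `HTTP_VERSION_UNSET`, and the one-line unbraced `if` buries the assignment at the end of a long line. Going by the commit message, this is the bad-request case where parsing stopped before a version was read and the error handler is then run like a normal request. A braced body with a comment such as `/* request line may not have been parsed; error-handler path needs a concrete version */` would make that explicit. The choice of HTTP/1.0 rather than 1.1 presumably affects how the error response is framed and deserves a word of justification; the rest of connection_handle_request is outside the hunk.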
commit 9459c0546842930265c8bc19b07609286e7e67cb
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date: Wed, 13 Feb 2019 19:53:04 -0500
[core] fix mixed use of srv->split_vals array (fixes #2932)
regression in mod_evhost in lighttpd 1.4.53
regression in mod_flv_streaming in lighttpd 1.4.51 - lighttpd 1.4.53
(thx moisseev)
x-ref:
"[regression] %0 pattern does not match hostnames without the domain part"
https://redmine.lighttpd.net/issues/2932
diff --git a/src/array.c b/src/array.c
index 4331b67b..1b54ec5c 100644
--- a/src/array.c
+++ b/src/array.c
@@ -64,6 +64,7 @@ void array_reset(array *a) {
for (i = 0; i < a->used; i++) {
a->data[i]->fn->reset(a->data[i]);
+ a->data[i]->is_index_key = 0;
}
a->used = 0;
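Review bot: Neither this hunk nor the one in array_reset_data_strings says why `is_index_key` has to be cleared, so the line looks optional to the next person who touches the reset paths. Both loops reset the elements and then set `a->used = 0` without freeing them, so the entries are reused and would otherwise keep the flag from their previous use. A short comment on each added line, for example `/* entry is reused after reset; do not carry over the previous is_index_key */`, would record that. If other reset helpers for this array type exist outside these hunks, they presumably need the same line.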
@@ -76,6 +77,7 @@ void array_reset_data_strings(array *a) {
for (size_t i = 0; i < a->used; ++i) {
data_string * const ds = (data_string *)a->data[i];
/*force_assert(ds->type == TYPE_STRING);*/
+ ds->is_index_key = 0;
buffer_reset(ds->key);
buffer_reset(ds->value);
}
commit e757978497c35b2857784f3b4452d0ebef7793f9
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date: Mon, 15 Apr 2019 23:36:21 -0400
[core] remove repeated slashes in http-parseopts
remove repeated slashes in server.http-parseopts
with url-path-dotseg-remove, including leading "//"
(prior to this patch, leading "//" was skipped)
diff --git a/src/burl.c b/src/burl.c
index c4b928fd..b62a5cd5 100644
--- a/src/burl.c
+++ b/src/burl.c
@@ -289,7 +289,7 @@ static int burl_normalize_path (buffer *b, buffer *t, int qs, int flags)
path_simplify = 1;
break;
}
- do { ++i; } while (i < len && s[i] != '/');
+ while (i < len && s[i] != '/') ++i;
if (s[i] == '/' && s[i+1] == '/') { /*(s[len] != '/')*/
path_simplify = 1;
break;
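Review bot: The test `s[i] == '/' && s[i+1] == '/'` can now be reached without `i` having advanced, so its safety rests entirely on the buffer being NUL-terminated at `s[len]`, which the existing `/*(s[len] != '/')*/` remark only hints at. I would expand that comment to state the invariant outright, for example `/* relies on s[len] == '\0': s[i+1] is read only when s[i] == '/', so i < len */`. With the unconditional `++i` gone, forward progress past a single '/' has to come from the enclosing loop, which is outside the hunk and worth re-reading with this change in mind.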
diff --git a/src/t/test_burl.c b/src/t/test_burl.c
index f7a16815..e9cc80de 100644
--- a/src/t/test_burl.c
+++ b/src/t/test_burl.c
@@ -98,6 +98,8 @@ static void test_burl_normalize (void) {
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f"), CONST_STR_LEN("//"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f?"), CONST_STR_LEN("//?"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b"));
@@ -112,6 +114,8 @@ static void test_burl_normalize (void) {
flags &= ~HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_REJECT;
flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE;
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("//"), CONST_STR_LEN("/"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a//b"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("./a/b"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("../a/b"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/./b"), CONST_STR_LEN("/a/b"));
--
2.20.1
commit 8064b7483ae4b2bd58a5ab56b2bf7e2663cc094c
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date: Wed, 6 Mar 2019 23:12:22 -0500
[mod_magnet] fix invalid script return-type crash (fixes #2938)
(thx flynn)
x-ref:
"Lighttpd crashes on wrong return type in lua script"
https://redmine.lighttpd.net/issues/2938
diff --git a/src/mod_magnet.c b/src/mod_magnet.c
index dcb1fd8c..8f570f3a 100644
--- a/src/mod_magnet.c
+++ b/src/mod_magnet.c
@@ -965,7 +965,20 @@ static handler_t magnet_attract(server *srv, connection *con, plugin_data *p, bu
/* we should have the function, the lighty table and the return value on the stack */
force_assert(lua_gettop(L) == 3);
- lua_return_value = (int) luaL_optinteger(L, -1, -1);
+ switch (lua_type(L, -1)) {
+ case LUA_TNUMBER:
+ case LUA_TNIL:
+ lua_return_value = (int) luaL_optinteger(L, -1, -1);
+ break;
+ default:
+ log_error_write(srv, __FILE__, __LINE__, "sss",
+ "lua_pcall():",
+ "unexpected return type:",
+ luaL_typename(L, -1));
+ lua_return_value = -1;
+ break;
+ }
+
lua_pop(L, 1); /* pop return value */
magnet_copy_response_header(con, L, lighty_table_ndx);
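Review bot: The `LUA_TNUMBER` case still goes through `luaL_optinteger`, which can itself raise a Lua error, so the switch may not close every path to the crash it targets. If lighttpd is linked against Lua 5.3, a script returning a float with no integer representation (say `1.5`) has type `LUA_TNUMBER`, and `luaL_optinteger` raises "number has no integer representation". This code appears to run after `lua_pcall()` has returned, so that error would be unprotected. I would split the cases: `case LUA_TNIL: lua_return_value = -1; break;`, and for numbers use a conversion that reports failure instead of raising, where the Lua version provides one, e.g. `lua_Integer v = lua_tointegerx(L, -1, &isnum); lua_return_value = isnum ? (int)v : -1;`. The rest of magnet_attract is outside the hunk.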
--
2.20.1
commit 107fa1f2827d281468e2c12b539751a5a68acbe5
Author: Glenn Strauss <gstrauss@gluelogic.com>
Date: Wed, 10 Apr 2019 11:26:02 -0400
[mod_wstunnel] fix ping-interval for big-endian (fixes #2944)
fix wstunnel.ping-interval for big-endian architectures
(thx ste_p_james)
x-ref:
"[patch] wstunnel.ping-interval ineffective"
https://redmine.lighttpd.net/issues/2944
diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
index 238791a9..ba3ddc17 100644
--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
@@ -107,7 +107,7 @@ typedef struct {
gw_plugin_config gw;
buffer *frame_type;
array *origins;
- unsigned int ping_interval;
+ unsigned short int ping_interval;
} plugin_config;
typedef struct plugin_data {
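Review bot: The width of `ping_interval` is now load-bearing, but the declaration has no comment tying it to the code that fills it in. The commit message says the setting was ineffective on big-endian hosts, which suggests the config loader stores a short-sized value through this field's address; that code is outside the hunk. A comment such as `/* must stay unsigned short: written by the config parser as a short value */` would stop someone from widening it again. The narrower type also caps the interval at the range of `unsigned short` (65535 where short is 16 bits), which is worth stating in the option's documentation.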
core-fix-mixed-use-of-srv-split_vals-array-fixes-293.patch
mod_magnet-fix-invalid-script-return-type-crash-fixe.patch
core-fix-assertion-with-server.error-handler-fixes-2.patch
mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
core-fix-abort-in-http-parseopts-fixes-2945.patch
core-remove-repeated-slashes-in-http-parseopts.patch