From: Marcin Krol Date: Wed, 13 Apr 2016 08:11:04 +0000 (+0000) Subject: - PLD merge X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;h=95835267f409ea5ac3106694680113f1a041f7f4;p=packages%2Flighttpd.git - PLD merge --- diff --git a/env-documentroot.patch b/env-documentroot.patch index eea738e..e225dc3 100644 --- a/env-documentroot.patch +++ b/env-documentroot.patch @@ -2,16 +2,14 @@ revert: - * [*cgi] Use physical base dir (alias, userdir) as DOCUMENT_ROOT in cgi environments (fixes #2216) -Index: src/mod_fastcgi.c -=================================================================== ---- src/mod_fastcgi.c (revision 2794) -+++ src/mod_fastcgi.c (revision 2793) -@@ -1968,7 +1968,7 @@ - if (!buffer_is_empty(host->docroot)) { - buffer_copy_string_buffer(p->path, host->docroot); +--- lighttpd-1.4.36/src/mod_fastcgi.c~ 2015-07-26 18:30:29.000000000 +0300 ++++ lighttpd-1.4.36/src/mod_fastcgi.c 2015-07-26 18:31:50.285226477 +0300 +@@ -1918,7 +1918,7 @@ + if (!buffer_string_is_empty(host->docroot)) { + buffer_copy_buffer(p->path, host->docroot); } else { -- buffer_copy_string_buffer(p->path, con->physical.basedir); -+ buffer_copy_string_buffer(p->path, con->physical.doc_root); +- buffer_copy_buffer(p->path, con->physical.basedir); ++ buffer_copy_buffer(p->path, con->physical.doc_root); } buffer_append_string_buffer(p->path, con->request.pathinfo); FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_TRANSLATED"), CONST_BUF_LEN(p->path)),con) 
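Review bot: The refreshed revert still gives no rationale; the patch header is only `revert:` plus the upstream changelog line for #2216. The new `+ buffer_copy_buffer(p->path, con->physical.doc_root);` line in the mod_fastcgi.c section builds PATH_TRANSLATED from the server document root joined with the client-supplied `con->request.pathinfo`. For requests mapped through alias or userdir (the case the header names), that value presumably no longer points inside the directory the request was resolved against, so a backend that opens PATH_TRANSLATED may touch a different file than the one lighttpd mapped. I would add a header comment such as `# kept because <reason>; PATH_TRANSLATED is doc_root + pathinfo, not the alias/userdir base` so the trade-off is recorded. The same applies to the mod_scgi.c section in the next hunk, and the enclosing C functions lie outside what the patch shows.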
@@ -24,24 +22,22 @@ Index: src/mod_fastcgi.c } if (host->strip_request_uri->used > 1) { -@@ -3273,7 +3273,6 @@ +@@ -3108,7 +3108,6 @@ */ - buffer_copy_string_buffer(con->physical.doc_root, host->docroot); -- buffer_copy_string_buffer(con->physical.basedir, host->docroot); + buffer_copy_buffer(con->physical.doc_root, host->docroot); +- buffer_copy_buffer(con->physical.basedir, host->docroot); - buffer_copy_string_buffer(con->physical.path, host->docroot); + buffer_copy_buffer(con->physical.path, host->docroot); buffer_append_string_buffer(con->physical.path, con->uri.path); -Index: src/mod_scgi.c -=================================================================== ---- src/mod_scgi.c (revision 2794) -+++ src/mod_scgi.c (revision 2793) -@@ -1558,7 +1558,7 @@ - if (!buffer_is_empty(host->docroot)) { - buffer_copy_string_buffer(p->path, host->docroot); +--- lighttpd-1.4.36/src/mod_scgi.c~ 2015-07-26 18:30:29.000000000 +0300 ++++ lighttpd-1.4.36/src/mod_scgi.c 2015-07-26 18:33:12.406160926 +0300 +@@ -1547,7 +1547,7 @@ + if (!buffer_string_is_empty(host->docroot)) { + buffer_copy_buffer(p->path, host->docroot); } else { -- buffer_copy_string_buffer(p->path, con->physical.basedir); -+ buffer_copy_string_buffer(p->path, con->physical.doc_root); +- buffer_copy_buffer(p->path, con->physical.basedir); ++ buffer_copy_buffer(p->path, con->physical.doc_root); } buffer_append_string_buffer(p->path, con->request.pathinfo); scgi_env_add(p->scgi_env, CONST_STR_LEN("PATH_TRANSLATED"), CONST_BUF_LEN(p->path)); @@ -56,8 +52,8 @@ Index: src/mod_scgi.c if (!buffer_is_equal(con->request.uri, con->request.orig_uri)) { Index: src/mod_cgi.c =================================================================== ---- src/mod_cgi.c (revision 2794) -+++ src/mod_cgi.c (revision 2793) +--- ./src/mod_cgi.c (revision 2794) ++++ ./src/mod_cgi.c (revision 2793) 
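Review bot: The `@@ -3108,7 +3108,6 @@` section of the mod_fastcgi.c patch leaves `con->physical.basedir` out of sync, because it drops `buffer_copy_buffer(con->physical.basedir, host->docroot);`. `basedir` keeps whatever an earlier handler set, while `doc_root` and `path` are both re-pointed to `host->docroot`. Any later reader of `basedir` (none is visible in this patch) would then see a directory unrelated to `physical.path`, so it is worth confirming against the 1.4.36 sources that nothing uses it for access or path-containment decisions after this point. A header line such as `# physical.basedir is intentionally left unchanged when the fastcgi docroot override applies` would make the intent explicit. The surrounding function starts and ends outside the hunk.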
@@ -928,7 +928,7 @@ cgi_env_add(&env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf)); cgi_env_add(&env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(con->physical.path)); diff --git a/lighttpd-branch.diff b/lighttpd-branch.diff deleted file mode 100644 index 76f06ce..0000000 --- a/lighttpd-branch.diff +++ /dev/null 
@@ -1,1957 +0,0 @@ -# Revision 2815 -Index: src/http_auth_digest.c -=================================================================== ---- src/http_auth_digest.c (.../tags/lighttpd-1.4.29) -+++ src/http_auth_digest.c (.../branches/lighttpd-1.4.x) -@@ -1,26 +0,0 @@ --#include "buffer.h" -- --#include "http_auth_digest.h" -- --#include -- --#ifndef USE_OPENSSL --# include "md5.h" -- --typedef li_MD5_CTX MD5_CTX; --#define MD5_Init li_MD5_Init --#define MD5_Update li_MD5_Update --#define MD5_Final li_MD5_Final -- --#endif -- --void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { -- unsigned short i; -- -- for (i = 0; i < HASHLEN; i++) { -- Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); -- Hex[i*2+1] = int2hex(Bin[i] & 0xf); -- } -- Hex[HASHHEXLEN] = '\0'; --} -- -Index: src/http_auth_digest.h -=================================================================== ---- src/http_auth_digest.h (.../tags/lighttpd-1.4.29) -+++ src/http_auth_digest.h (.../branches/lighttpd-1.4.x) -@@ -1,24 +0,0 @@ --#ifndef _DIGCALC_H_ --#define _DIGCALC_H_ -- --#ifdef HAVE_CONFIG_H --# include "config.h" --#endif -- --#define HASHLEN 16 --typedef unsigned char HASH[HASHLEN]; --#define HASHHEXLEN 32 --typedef char HASHHEX[HASHHEXLEN+1]; --#ifdef USE_OPENSSL --#define IN const --#else --#define IN --#endif --#define OUT -- --void CvtHex( -- IN HASH Bin, -- OUT HASHHEX Hex -- ); -- --#endif -Index: src/network_write.c -=================================================================== ---- src/network_write.c (.../tags/lighttpd-1.4.29) -+++ src/network_write.c (.../branches/lighttpd-1.4.x) -@@ -24,17 +24,16 @@ - # include - #endif - --int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) { -+int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { - chunk *c; -- size_t chunks_written = 0; - -- for(c = cq->first; c; c = c->next) { -+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { - int chunk_finished = 0; 
- - switch(c->type) { - case MEM_CHUNK: { - char * offset; -- size_t toSend; -+ off_t toSend; - ssize_t r; - - if (c->mem->used == 0) { -@@ -44,6 +43,8 @@ - - offset = c->mem->ptr + c->offset; - toSend = c->mem->used - 1 - c->offset; -+ if (toSend > max_bytes) toSend = max_bytes; -+ - #ifdef __WIN32 - if ((r = send(fd, offset, toSend, 0)) < 0) { - /* no error handling for windows... */ -@@ -72,6 +73,7 @@ - - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - - if (c->offset == (off_t)c->mem->used - 1) { - chunk_finished = 1; -@@ -85,7 +87,7 @@ - #endif - ssize_t r; - off_t offset; -- size_t toSend; -+ off_t toSend; - stat_cache_entry *sce = NULL; - int ifd; - -@@ -98,6 +100,8 @@ - offset = c->file.start + c->offset; - toSend = c->file.length - c->offset; - -+ if (toSend > max_bytes) toSend = max_bytes; -+ - if (offset > sce->st.st_size) { - log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); - -@@ -181,6 +185,7 @@ - - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - - if (c->offset == c->file.length) { - chunk_finished = 1; -@@ -200,11 +205,9 @@ - - break; - } -- -- chunks_written++; - } - -- return chunks_written; -+ return 0; - } - - #if 0 -Index: src/mod_secure_download.c -=================================================================== ---- src/mod_secure_download.c (.../tags/lighttpd-1.4.29) -+++ src/mod_secure_download.c (.../branches/lighttpd-1.4.x) -@@ -8,18 +8,8 @@ - #include - #include - --#ifdef USE_OPENSSL --# include --#else --# include "md5.h" -+#include "md5.h" - --typedef li_MD5_CTX MD5_CTX; --#define MD5_Init li_MD5_Init --#define MD5_Update li_MD5_Update --#define MD5_Final li_MD5_Final -- --#endif -- - #define HASHLEN 16 - typedef unsigned char HASH[HASHLEN]; - #define HASHHEXLEN 32 -@@ -200,7 +190,7 @@ - - URIHANDLER_FUNC(mod_secdownload_uri_handler) { - plugin_data *p = p_d; -- MD5_CTX Md5Ctx; -+ li_MD5_CTX Md5Ctx; - HASH HA1; - const char *rel_uri, *ts_str, *md5_str; - time_t ts = 0; -@@ 
-266,9 +256,9 @@ - buffer_append_string(p->md5, rel_uri); - buffer_append_string_len(p->md5, ts_str, 8); - -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); -- MD5_Final(HA1, &Md5Ctx); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); -+ li_MD5_Final(HA1, &Md5Ctx); - - buffer_copy_string_hex(p->md5, (char *)HA1, 16); - -Index: src/base.h -=================================================================== ---- src/base.h (.../tags/lighttpd-1.4.29) -+++ src/base.h (.../branches/lighttpd-1.4.x) -@@ -277,6 +277,7 @@ - buffer *ssl_cipher_list; - buffer *ssl_dh_file; - buffer *ssl_ec_curve; -+ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ - unsigned short ssl_use_sslv2; - unsigned short ssl_use_sslv3; - unsigned short ssl_verifyclient; -@@ -284,6 +285,7 @@ - unsigned short ssl_verifyclient_depth; - buffer *ssl_verifyclient_username; - unsigned short ssl_verifyclient_export_cert; -+ unsigned short ssl_disable_client_renegotiation; - - unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ - unsigned short defer_accept; -@@ -437,6 +439,7 @@ - # ifndef OPENSSL_NO_TLSEXT - buffer *tlsext_server_name; - # endif -+ unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ - #endif - /* etag handling */ - etag_flags_t etag_flags; -@@ -647,11 +650,9 @@ - - fdevent_handler_t event_handler; - -- int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); -- int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); -+ int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); - #ifdef USE_OPENSSL -- int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); -- int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, 
chunkqueue *cq); -+ int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); - #endif - - uid_t uid; -Index: src/connections.c -=================================================================== ---- src/connections.c (.../tags/lighttpd-1.4.29) -+++ src/connections.c (.../branches/lighttpd-1.4.x) -@@ -223,6 +223,12 @@ - - len = SSL_read(con->ssl, b->ptr + read_offset, toread); - -+ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { -+ connection_set_state(srv, con, CON_STATE_ERROR); -+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); -+ return -1; -+ } -+ - if (len > 0) { - if (b->used > 0) b->used--; - b->used += len; -@@ -445,6 +451,7 @@ - default: - switch(con->http_status) { - case 400: /* bad request */ -+ case 401: /* authorization required */ - case 414: /* overload request header */ - case 505: /* unknown protocol */ - case 207: /* this was webdav */ -@@ -617,8 +624,9 @@ - } - - static int connection_handle_write(server *srv, connection *con) { -- switch(network_write_chunkqueue(srv, con, con->write_queue)) { -+ switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { - case 0: -+ con->write_request_ts = srv->cur_ts; - if (con->file_finished) { - connection_set_state(srv, con, CON_STATE_RESPONSE_END); - joblist_append(srv, con); -@@ -635,6 +643,7 @@ - joblist_append(srv, con); - break; - case 1: -+ con->write_request_ts = srv->cur_ts; - con->is_writable = 0; - - /* not finished yet -> WRITE */ -@@ -1251,8 +1260,6 @@ - log_error_write(srv, __FILE__, __LINE__, "ds", - con->fd, - "handle write failed."); -- } else if (con->state == CON_STATE_WRITE) { -- con->write_request_ts = srv->cur_ts; - } - } - -@@ -1352,6 +1359,7 @@ - return NULL; - } - -+ con->renegotiations = 0; - #ifndef OPENSSL_NO_TLSEXT - SSL_set_app_data(con->ssl, con); - #endif -@@ -1667,8 +1675,6 @@ - con->fd, - "handle write failed."); - 
connection_set_state(srv, con, CON_STATE_ERROR); -- } else if (con->state == CON_STATE_WRITE) { -- con->write_request_ts = srv->cur_ts; - } - } - -Index: src/mod_staticfile.c -=================================================================== ---- src/mod_staticfile.c (.../tags/lighttpd-1.4.29) -+++ src/mod_staticfile.c (.../branches/lighttpd-1.4.x) -@@ -26,6 +26,7 @@ - typedef struct { - array *exclude_ext; - unsigned short etags_used; -+ unsigned short disable_pathinfo; - } plugin_config; - - typedef struct { -@@ -84,6 +85,7 @@ - config_values_t cv[] = { - { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ - { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ -+ { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ - { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } - }; - -@@ -97,9 +99,11 @@ - s = calloc(1, sizeof(plugin_config)); - s->exclude_ext = array_init(); - s->etags_used = 1; -+ s->disable_pathinfo = 0; - - cv[0].destination = s->exclude_ext; - cv[1].destination = &(s->etags_used); -+ cv[2].destination = &(s->disable_pathinfo); - - p->config_storage[i] = s; - -@@ -119,6 +123,7 @@ - - PATCH(exclude_ext); - PATCH(etags_used); -+ PATCH(disable_pathinfo); - - /* skip the first, the global context */ - for (i = 1; i < srv->config_context->used; i++) { -@@ -136,7 +141,9 @@ - PATCH(exclude_ext); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { - PATCH(etags_used); -- } -+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { -+ PATCH(disable_pathinfo); -+ } - } - } - -@@ -350,7 +357,6 @@ - URIHANDLER_FUNC(mod_staticfile_subrequest) { - plugin_data *p = p_d; - size_t k; -- int s_len; - stat_cache_entry *sce = NULL; - buffer *mtime = NULL; - data_string *ds; -@@ -376,7 +382,12 @@ - - mod_staticfile_patch_connection(srv, con, p); - -- s_len = con->uri.path->used - 1; -+ if 
(p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { -+ if (con->conf.log_request_handling) { -+ log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); -+ } -+ return HANDLER_GO_ON; -+ } - - /* ignore certain extensions */ - for (k = 0; k < p->conf.exclude_ext->used; k++) { -Index: src/network.c -=================================================================== ---- src/network.c (.../tags/lighttpd-1.4.29) -+++ src/network.c (.../branches/lighttpd-1.4.x) -@@ -27,6 +27,19 @@ - # include - #endif - -+#ifdef USE_OPENSSL -+static void ssl_info_callback(const SSL *ssl, int where, int ret) { -+ UNUSED(ret); -+ -+ if (0 != (where & SSL_CB_HANDSHAKE_START)) { -+ connection *con = SSL_get_app_data(ssl); -+ ++con->renegotiations; -+ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) { -+ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; -+ } -+} -+#endif -+ - static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { - server_socket *srv_socket = (server_socket *)context; - connection *con; -@@ -480,9 +493,11 @@ - network_backend_t backend; - - #if OPENSSL_VERSION_NUMBER >= 0x0090800fL -+#ifndef OPENSSL_NO_ECDH - EC_KEY *ecdh; - int nid; - #endif -+#endif - - #ifdef USE_OPENSSL - DH *dh; -@@ -553,6 +568,11 @@ - /* load SSL certificates */ - for (i = 0; i < srv->config_context->used; i++) { - specific_config *s = srv->config_storage[i]; -+#ifndef SSL_OP_NO_COMPRESSION -+# define SSL_OP_NO_COMPRESSION 0 -+#endif -+ long ssloptions = -+ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; - - if (buffer_is_empty(s->ssl_pemfile)) continue; - -@@ -586,6 +606,9 @@ - return -1; - } - -+ SSL_CTX_set_options(s->ssl_ctx, ssloptions); -+ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); -+ - if (!s->ssl_use_sslv2) { - /* disable SSLv2 */ - if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { -@@ -611,6 +634,10 @@ - 
ERR_error_string(ERR_get_error(), NULL)); - return -1; - } -+ -+ if (s->ssl_honor_cipher_order) { -+ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); -+ } - } - - /* Support for Diffie-Hellman key exchange */ -@@ -847,7 +874,7 @@ - return 0; - } - --int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) { -+int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { - int ret = -1; - off_t written = 0; - #ifdef TCP_CORK -@@ -855,16 +882,34 @@ - #endif - server_socket *srv_socket = con->srv_socket; - -- if (con->conf.global_kbytes_per_second && -- *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) { -- /* we reached the global traffic limit */ -+ if (con->conf.global_kbytes_per_second) { -+ off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); -+ if (limit <= 0) { -+ /* we reached the global traffic limit */ - -- con->traffic_limit_reached = 1; -- joblist_append(srv, con); -+ con->traffic_limit_reached = 1; -+ joblist_append(srv, con); - -- return 1; -+ return 1; -+ } else { -+ if (max_bytes > limit) max_bytes = limit; -+ } - } - -+ if (con->conf.kbytes_per_second) { -+ off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; -+ if (limit <= 0) { -+ /* we reached the traffic limit */ -+ -+ con->traffic_limit_reached = 1; -+ joblist_append(srv, con); -+ -+ return 1; -+ } else { -+ if (max_bytes > limit) max_bytes = limit; -+ } -+ } -+ - written = cq->bytes_out; - - #ifdef TCP_CORK -@@ -879,10 +924,10 @@ - - if (srv_socket->is_ssl) { - #ifdef USE_OPENSSL -- ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq); -+ ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); - #endif - } else { -- ret = srv->network_backend_write(srv, con, con->fd, cq); -+ ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); - } - - if (ret >= 0) { -@@ -903,12 +948,5 @@ 
- - *(con->conf.global_bytes_per_second_cnt_ptr) += written; - -- if (con->conf.kbytes_per_second && -- (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) { -- /* we reached the traffic limit */ -- -- con->traffic_limit_reached = 1; -- joblist_append(srv, con); -- } - return ret; - } -Index: src/network.h -=================================================================== ---- src/network.h (.../tags/lighttpd-1.4.29) -+++ src/network.h (.../branches/lighttpd-1.4.x) -@@ -3,7 +3,7 @@ - - #include "server.h" - --int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c); -+int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes); - - int network_init(server *srv); - int network_close(server *srv); -Index: src/configfile.c -=================================================================== ---- src/configfile.c (.../tags/lighttpd-1.4.29) -+++ src/configfile.c (.../branches/lighttpd-1.4.x) -@@ -105,6 +105,8 @@ - { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ - { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ - { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ -+ { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ -+ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ - - { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, - { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, -@@ -176,6 +178,7 @@ - s->max_write_idle = 360; - s->use_xattr = 0; - s->is_ssl = 0; -+ s->ssl_honor_cipher_order = 1; - s->ssl_use_sslv2 = 0; - s->ssl_use_sslv3 = 1; - s->use_ipv6 = 0; -@@ -199,6 +202,7 @@ - s->ssl_verifyclient_username = buffer_init(); - s->ssl_verifyclient_depth = 9; - s->ssl_verifyclient_export_cert = 0; -+ s->ssl_disable_client_renegotiation = 1; - - cv[2].destination = 
s->errorfile_prefix; - -@@ -245,6 +249,8 @@ - cv[62].destination = &(s->ssl_use_sslv3); - cv[63].destination = s->ssl_dh_file; - cv[64].destination = s->ssl_ec_curve; -+ cv[66].destination = &(s->ssl_honor_cipher_order); -+ - cv[49].destination = &(s->etag_use_inode); - cv[50].destination = &(s->etag_use_mtime); - cv[51].destination = &(s->etag_use_size); -@@ -255,6 +261,7 @@ - cv[58].destination = &(s->ssl_verifyclient_depth); - cv[59].destination = s->ssl_verifyclient_username; - cv[60].destination = &(s->ssl_verifyclient_export_cert); -+ cv[65].destination = &(s->ssl_disable_client_renegotiation); - - srv->config_storage[i] = s; - -@@ -335,6 +342,7 @@ - PATCH(ssl_cipher_list); - PATCH(ssl_dh_file); - PATCH(ssl_ec_curve); -+ PATCH(ssl_honor_cipher_order); - PATCH(ssl_use_sslv2); - PATCH(ssl_use_sslv3); - PATCH(etag_use_inode); -@@ -346,6 +354,7 @@ - PATCH(ssl_verifyclient_depth); - PATCH(ssl_verifyclient_username); - PATCH(ssl_verifyclient_export_cert); -+ PATCH(ssl_disable_client_renegotiation); - - return 0; - } -@@ -400,6 +409,8 @@ - #endif - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { - PATCH(ssl_ca_file); -+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { -+ PATCH(ssl_honor_cipher_order); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { - PATCH(ssl_use_sslv2); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { -@@ -454,6 +465,8 @@ - PATCH(ssl_verifyclient_username); - } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { - PATCH(ssl_verifyclient_export_cert); -+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { -+ PATCH(ssl_disable_client_renegotiation); - } - } - } -Index: src/mod_scgi.c -=================================================================== ---- src/mod_scgi.c (.../tags/lighttpd-1.4.29) -+++ src/mod_scgi.c 
(.../branches/lighttpd-1.4.x) -@@ -2296,7 +2296,7 @@ - - /* fall through */ - case FCGI_STATE_WRITE: -- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); -+ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); - - chunkqueue_remove_finished_chunks(hctx->wb); - -Index: src/request.c -=================================================================== ---- src/request.c (.../tags/lighttpd-1.4.29) -+++ src/request.c (.../branches/lighttpd-1.4.x) -@@ -49,7 +49,7 @@ - if (++colon_cnt > 7) { - return -1; - } -- } else if (!light_isxdigit(*c)) { -+ } else if (!light_isxdigit(*c) && '.' != *c) { - return -1; - } - } -Index: src/network_backends.h -=================================================================== ---- src/network_backends.h (.../tags/lighttpd-1.4.29) -+++ src/network_backends.h (.../branches/lighttpd-1.4.x) -@@ -47,18 +47,18 @@ - #include "base.h" - - /* return values: -- * >= 0 : chunks completed -+ * >= 0 : no error - * -1 : error (on our side) - * -2 : remote close - */ - --int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq); --int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq); --int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq); --int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq); --int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq); -+int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); -+int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); -+int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); -+int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); -+int 
network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); - #ifdef USE_OPENSSL --int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq); -+int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); - #endif - - #endif -Index: src/SConscript -=================================================================== ---- src/SConscript (.../tags/lighttpd-1.4.29) -+++ src/SConscript (.../branches/lighttpd-1.4.x) -@@ -12,7 +12,8 @@ - data_integer.c md5.c data_fastcgi.c \ - fdevent_select.c fdevent_libev.c \ - fdevent_poll.c fdevent_linux_sysepoll.c \ -- fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ -+ fdevent_solaris_devpoll.c fdevent_solaris_port.c \ -+ fdevent_freebsd_kqueue.c \ - data_config.c bitset.c \ - inet_ntop_cache.c crc32.c \ - connections-glue.c \ -@@ -62,7 +63,7 @@ - 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, - 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, - 'mod_auth' : { -- 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], -+ 'src' : [ 'mod_auth.c', 'http_auth.c' ], - 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, - 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, - 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, -Index: src/mod_cml_funcs.c -=================================================================== ---- src/mod_cml_funcs.c (.../tags/lighttpd-1.4.29) -+++ src/mod_cml_funcs.c (.../branches/lighttpd-1.4.x) -@@ -17,18 +17,8 @@ - #include - #include - --#ifdef USE_OPENSSL --# include --#else --# include "md5.h" -+#include "md5.h" - --typedef li_MD5_CTX MD5_CTX; --#define MD5_Init li_MD5_Init --#define MD5_Update li_MD5_Update --#define MD5_Final li_MD5_Final -- --#endif -- - #define HASHLEN 16 - typedef unsigned 
char HASH[HASHLEN]; - #define HASHHEXLEN 32 -@@ -43,7 +33,7 @@ - #ifdef HAVE_LUA_H - - int f_crypto_md5(lua_State *L) { -- MD5_CTX Md5Ctx; -+ li_MD5_CTX Md5Ctx; - HASH HA1; - buffer b; - char hex[33]; -@@ -63,9 +53,9 @@ - lua_error(L); - } - -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); -- MD5_Final(HA1, &Md5Ctx); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); -+ li_MD5_Final(HA1, &Md5Ctx); - - buffer_copy_string_hex(&b, (char *)HA1, 16); - -Index: src/mod_userdir.c -=================================================================== ---- src/mod_userdir.c (.../tags/lighttpd-1.4.29) -+++ src/mod_userdir.c (.../branches/lighttpd-1.4.x) -@@ -166,7 +166,6 @@ - - URIHANDLER_FUNC(mod_userdir_docroot_handler) { - plugin_data *p = p_d; -- int uri_len; - size_t k; - char *rel_url; - #ifdef HAVE_PWD_H -@@ -182,8 +181,6 @@ - */ - if (p->conf.path->used == 0) return HANDLER_GO_ON; - -- uri_len = con->uri.path->used - 1; -- - /* /~user/foo.html -> /home/user/public_html/foo.html */ - - if (con->uri.path->ptr[0] != '/' || -Index: src/mod_proxy.c -=================================================================== ---- src/mod_proxy.c (.../tags/lighttpd-1.4.29) -+++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) -@@ -825,7 +825,7 @@ - - /* fall through */ - case PROXY_STATE_WRITE:; -- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); -+ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); - - chunkqueue_remove_finished_chunks(hctx->wb); - -Index: src/Makefile.am -=================================================================== ---- src/Makefile.am (.../tags/lighttpd-1.4.29) -+++ src/Makefile.am (.../branches/lighttpd-1.4.x) -@@ -241,7 +241,7 @@ - mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) - - lib_LTLIBRARIES += mod_auth.la --mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c 
-+mod_auth_la_SOURCES = mod_auth.c http_auth.c - mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined - mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) - -@@ -268,7 +268,7 @@ - - hdr = server.h buffer.h network.h log.h keyvalue.h \ - response.h request.h fastcgi.h chunk.h \ -- settings.h http_chunk.h http_auth_digest.h \ -+ settings.h http_chunk.h \ - md5.h http_auth.h stream.h \ - fdevent.h connections.h base.h stat_cache.h \ - plugin.h mod_auth.h \ -Index: src/network_writev.c -=================================================================== ---- src/network_writev.c (.../tags/lighttpd-1.4.29) -+++ src/network_writev.c (.../branches/lighttpd-1.4.x) -@@ -30,17 +30,16 @@ - #define LOCAL_BUFFERING 1 - #endif - --int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) { -+int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { - chunk *c; -- size_t chunks_written = 0; - -- for(c = cq->first; c; c = c->next) { -+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { - int chunk_finished = 0; - - switch(c->type) { - case MEM_CHUNK: { - char * offset; -- size_t toSend; -+ off_t toSend; - ssize_t r; - - size_t num_chunks, i; -@@ -65,12 +64,10 @@ - #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de" - #endif - -- /* we can't send more then SSIZE_MAX bytes in one chunk */ -- - /* build writev list - * - * 1. limit: num_chunks < max_chunks -- * 2. limit: num_bytes < SSIZE_MAX -+ * 2. 
limit: num_bytes < max_bytes - */ - for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next); - -@@ -87,9 +84,9 @@ - chunks[i].iov_base = offset; - - /* protect the return value of writev() */ -- if (toSend > SSIZE_MAX || -- num_bytes + toSend > SSIZE_MAX) { -- chunks[i].iov_len = SSIZE_MAX - num_bytes; -+ if (toSend > max_bytes || -+ (off_t) num_bytes + toSend > max_bytes) { -+ chunks[i].iov_len = max_bytes - num_bytes; - - num_chunks = i + 1; - break; -@@ -121,6 +118,7 @@ - } - - cq->bytes_out += r; -+ max_bytes -= r; - - /* check which chunks have been written */ - -@@ -132,11 +130,10 @@ - - if (chunk_finished) { - /* skip the chunks from further touches */ -- chunks_written++; - c = c->next; - } else { - /* chunks_written + c = c->next is done in the for()*/ -- chunk_finished++; -+ chunk_finished = 1; - } - } else { - /* partially written */ -@@ -284,6 +281,8 @@ - assert(toSend < 0); - } - -+ if (toSend > max_bytes) toSend = max_bytes; -+ - #ifdef LOCAL_BUFFERING - start = c->mem->ptr; - #else -@@ -309,6 +308,7 @@ - - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - - if (c->offset == c->file.length) { - chunk_finished = 1; -@@ -334,11 +334,9 @@ - - break; - } -- -- chunks_written++; - } - -- return chunks_written; -+ return 0; - } - - #endif -Index: src/network_freebsd_sendfile.c -=================================================================== ---- src/network_freebsd_sendfile.c (.../tags/lighttpd-1.4.29) -+++ src/network_freebsd_sendfile.c (.../branches/lighttpd-1.4.x) -@@ -31,17 +31,16 @@ - # endif - #endif - --int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { -+int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { - chunk *c; -- size_t chunks_written = 0; - -- for(c = cq->first; c; c = c->next, chunks_written++) { -+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = 
c->next) { - int chunk_finished = 0; - - switch(c->type) { - case MEM_CHUNK: { - char * offset; -- size_t toSend; -+ off_t toSend; - ssize_t r; - - size_t num_chunks, i; -@@ -49,12 +48,10 @@ - chunk *tc; - size_t num_bytes = 0; - -- /* we can't send more then SSIZE_MAX bytes in one chunk */ -- - /* build writev list - * - * 1. limit: num_chunks < UIO_MAXIOV -- * 2. limit: num_bytes < SSIZE_MAX -+ * 2. limit: num_bytes < max_bytes - */ - for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next); - -@@ -69,9 +66,9 @@ - chunks[i].iov_base = offset; - - /* protect the return value of writev() */ -- if (toSend > SSIZE_MAX || -- num_bytes + toSend > SSIZE_MAX) { -- chunks[i].iov_len = SSIZE_MAX - num_bytes; -+ if (toSend > max_bytes || -+ (off_t) num_bytes + toSend > max_bytes) { -+ chunks[i].iov_len = max_bytes - num_bytes; - - num_chunks = i + 1; - break; -@@ -105,6 +102,7 @@ - - /* check which chunks have been written */ - cq->bytes_out += r; -+ max_bytes -= r; - - for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { - if (r >= (ssize_t)chunks[i].iov_len) { -@@ -114,11 +112,10 @@ - - if (chunk_finished) { - /* skip the chunks from further touches */ -- chunks_written++; - c = c->next; - } else { - /* chunks_written + c = c->next is done in the for()*/ -- chunk_finished++; -+ chunk_finished = 1; - } - } else { - /* partially written */ -@@ -134,7 +131,7 @@ - } - case FILE_CHUNK: { - off_t offset, r; -- size_t toSend; -+ off_t toSend; - stat_cache_entry *sce = NULL; - - if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { -@@ -144,9 +141,8 @@ - } - - offset = c->file.start + c->offset; -- /* limit the toSend to 2^31-1 bytes in a chunk */ -- toSend = c->file.length - c->offset > ((1 << 30) - 1) ? 
-- ((1 << 30) - 1) : c->file.length - c->offset; -+ toSend = c->file.length - c->offset; -+ if (toSend > max_bytes) toSend = max_bytes; - - if (-1 == c->file.fd) { - if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) { -@@ -197,6 +193,7 @@ - - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - - if (c->offset == c->file.length) { - chunk_finished = 1; -@@ -218,7 +215,7 @@ - } - } - -- return chunks_written; -+ return 0; - } - - #endif -Index: src/network_openssl.c -=================================================================== ---- src/network_openssl.c (.../tags/lighttpd-1.4.29) -+++ src/network_openssl.c (.../branches/lighttpd-1.4.x) -@@ -27,10 +27,9 @@ - # include - # include - --int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { -+int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { - int ssl_r; - chunk *c; -- size_t chunks_written = 0; - - /* this is a 64k sendbuffer - * -@@ -59,13 +58,13 @@ - SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); - } - -- for(c = cq->first; c; c = c->next) { -+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { - int chunk_finished = 0; - - switch(c->type) { - case MEM_CHUNK: { - char * offset; -- size_t toSend; -+ off_t toSend; - ssize_t r; - - if (c->mem->used == 0 || c->mem->used == 1) { -@@ -75,6 +74,7 @@ - - offset = c->mem->ptr + c->offset; - toSend = c->mem->used - 1 - c->offset; -+ if (toSend > max_bytes) toSend = max_bytes; - - /** - * SSL_write man-page -@@ -87,7 +87,14 @@ - */ - - ERR_clear_error(); -- if ((r = SSL_write(ssl, offset, toSend)) <= 0) { -+ r = SSL_write(ssl, offset, toSend); -+ -+ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { -+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); -+ return -1; -+ } -+ -+ if (r <= 0) { - unsigned long err; - - switch ((ssl_r = SSL_get_error(ssl, r))) { -@@ -139,6 +146,7 @@ 
- } else { - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - } - - if (c->offset == (off_t)c->mem->used - 1) { -@@ -168,6 +176,7 @@ - do { - off_t offset = c->file.start + c->offset; - off_t toSend = c->file.length - c->offset; -+ if (toSend > max_bytes) toSend = max_bytes; - - if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; - -@@ -190,7 +199,14 @@ - close(ifd); - - ERR_clear_error(); -- if ((r = SSL_write(ssl, s, toSend)) <= 0) { -+ r = SSL_write(ssl, s, toSend); -+ -+ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { -+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); -+ return -1; -+ } -+ -+ if (r <= 0) { - unsigned long err; - - switch ((ssl_r = SSL_get_error(ssl, r))) { -@@ -243,12 +259,13 @@ - } else { - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - } - - if (c->offset == c->file.length) { - chunk_finished = 1; - } -- } while(!chunk_finished && !write_wait); -+ } while (!chunk_finished && !write_wait && max_bytes > 0); - - break; - } -@@ -263,11 +280,9 @@ - - break; - } -- -- chunks_written++; - } - -- return chunks_written; -+ return 0; - } - #endif - -Index: src/http_auth.c -=================================================================== ---- src/http_auth.c (.../tags/lighttpd-1.4.29) -+++ src/http_auth.c (.../branches/lighttpd-1.4.x) -@@ -1,7 +1,6 @@ - #include "server.h" - #include "log.h" - #include "http_auth.h" --#include "http_auth_digest.h" - #include "inet_ntop_cache.h" - #include "stream.h" - -@@ -28,18 +27,23 @@ - #include - #include - --#ifdef USE_OPENSSL --# include --#else --# include "md5.h" -+#include "md5.h" - --typedef li_MD5_CTX MD5_CTX; --#define MD5_Init li_MD5_Init --#define MD5_Update li_MD5_Update --#define MD5_Final li_MD5_Final -+#define HASHLEN 16 -+#define HASHHEXLEN 32 -+typedef unsigned char HASH[HASHLEN]; -+typedef char HASHHEX[HASHHEXLEN+1]; - --#endif -+static void CvtHex(const HASH Bin, char Hex[33]) { -+ unsigned 
short i; - -+ for (i = 0; i < 16; i++) { -+ Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); -+ Hex[i*2+1] = int2hex(Bin[i] & 0xf); -+ } -+ Hex[32] = '\0'; -+} -+ - /** - * the $apr1$ handling is taken from apache 1.3.x - */ -@@ -95,7 +99,7 @@ - ch = in[0]; - /* run through the whole string, converting as we go */ - for (i = 0; i < in_len; i++) { -- ch = in[i]; -+ ch = (unsigned char) in[i]; - - if (ch == '\0') break; - -@@ -435,7 +439,7 @@ - - static void to64(char *s, unsigned long v, int n) - { -- static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ -+ static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - - while (--n >= 0) { -@@ -455,7 +459,7 @@ - const char *sp, *ep; - unsigned char final[APR_MD5_DIGESTSIZE]; - ssize_t sl, pl, i; -- MD5_CTX ctx, ctx1; -+ li_MD5_CTX ctx, ctx1; - unsigned long l; - - /* -@@ -487,33 +491,33 @@ - /* - * 'Time to make the doughnuts..' - */ -- MD5_Init(&ctx); -+ li_MD5_Init(&ctx); - - /* - * The password first, since that is what is most unknown - */ -- MD5_Update(&ctx, pw, strlen(pw)); -+ li_MD5_Update(&ctx, pw, strlen(pw)); - - /* - * Then our magic string - */ -- MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); -+ li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); - - /* - * Then the raw salt - */ -- MD5_Update(&ctx, sp, sl); -+ li_MD5_Update(&ctx, sp, sl); - - /* - * Then just as many characters of the MD5(pw, salt, pw) - */ -- MD5_Init(&ctx1); -- MD5_Update(&ctx1, pw, strlen(pw)); -- MD5_Update(&ctx1, sp, sl); -- MD5_Update(&ctx1, pw, strlen(pw)); -- MD5_Final(final, &ctx1); -+ li_MD5_Init(&ctx1); -+ li_MD5_Update(&ctx1, pw, strlen(pw)); -+ li_MD5_Update(&ctx1, sp, sl); -+ li_MD5_Update(&ctx1, pw, strlen(pw)); -+ li_MD5_Final(final, &ctx1); - for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { -- MD5_Update(&ctx, final, -+ li_MD5_Update(&ctx, final, - (pl > APR_MD5_DIGESTSIZE) ? 
APR_MD5_DIGESTSIZE : pl); - } - -@@ -527,10 +531,10 @@ - */ - for (i = strlen(pw); i != 0; i >>= 1) { - if (i & 1) { -- MD5_Update(&ctx, final, 1); -+ li_MD5_Update(&ctx, final, 1); - } - else { -- MD5_Update(&ctx, pw, 1); -+ li_MD5_Update(&ctx, pw, 1); - } - } - -@@ -542,7 +546,7 @@ - strncat(passwd, sp, sl); - strcat(passwd, "$"); - -- MD5_Final(final, &ctx); -+ li_MD5_Final(final, &ctx); - - /* - * And now, just to make sure things don't run too fast.. -@@ -550,28 +554,28 @@ - * need 30 seconds to build a 1000 entry dictionary... - */ - for (i = 0; i < 1000; i++) { -- MD5_Init(&ctx1); -+ li_MD5_Init(&ctx1); - if (i & 1) { -- MD5_Update(&ctx1, pw, strlen(pw)); -+ li_MD5_Update(&ctx1, pw, strlen(pw)); - } - else { -- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); -+ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); - } - if (i % 3) { -- MD5_Update(&ctx1, sp, sl); -+ li_MD5_Update(&ctx1, sp, sl); - } - - if (i % 7) { -- MD5_Update(&ctx1, pw, strlen(pw)); -+ li_MD5_Update(&ctx1, pw, strlen(pw)); - } - - if (i & 1) { -- MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); -+ li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); - } - else { -- MD5_Update(&ctx1, pw, strlen(pw)); -+ li_MD5_Update(&ctx1, pw, strlen(pw)); - } -- MD5_Final(final,&ctx1); -+ li_MD5_Final(final,&ctx1); - } - - p = passwd + strlen(passwd); -@@ -614,17 +618,17 @@ - * user:realm:md5(user:realm:password) - */ - -- MD5_CTX Md5Ctx; -+ li_MD5_CTX Md5Ctx; - HASH HA1; - char a1[256]; - -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); -- MD5_Final(HA1, &Md5Ctx); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, 
(unsigned char *)realm->ptr, realm->used - 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); -+ li_MD5_Final(HA1, &Md5Ctx); - - CvtHex(HA1, a1); - -@@ -930,7 +934,7 @@ - int i; - buffer *password, *b, *username_buf, *realm_buf; - -- MD5_CTX Md5Ctx; -+ li_MD5_CTX Md5Ctx; - HASH HA1; - HASH HA2; - HASH RespHash; -@@ -1067,13 +1071,13 @@ - - if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { - /* generate password from plain-text */ -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); -- MD5_Final(HA1, &Md5Ctx); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); -+ li_MD5_Final(HA1, &Md5Ctx); - } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { - /* HA1 */ - /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ -@@ -1090,45 +1094,45 @@ - - if (algorithm && - strcasecmp(algorithm, "md5-sess") == 0) { -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); -- MD5_Final(HA1, &Md5Ctx); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); -+ li_MD5_Update(&Md5Ctx, 
(unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); -+ li_MD5_Final(HA1, &Md5Ctx); - } - - CvtHex(HA1, a1); - - /* calculate H(A2) */ -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); - if (qop && strcasecmp(qop, "auth-int") == 0) { -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); - } -- MD5_Final(HA2, &Md5Ctx); -+ li_MD5_Final(HA2, &Md5Ctx); - CvtHex(HA2, HA2Hex); - - /* calculate response */ -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - if (qop && *qop) { -- MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -- MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); -- MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); -+ li_MD5_Update(&Md5Ctx, (unsigned 
char *)":", 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - }; -- MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); -- MD5_Final(RespHash, &Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); -+ li_MD5_Final(RespHash, &Md5Ctx); - CvtHex(RespHash, a2); - - if (0 != strcmp(a2, respons)) { -@@ -1171,24 +1175,24 @@ - - int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { - HASH h; -- MD5_CTX Md5Ctx; -+ li_MD5_CTX Md5Ctx; - char hh[32]; - - UNUSED(p); - - /* generate shared-secret */ -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); -- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); - - /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ - LI_ltostr(hh, srv->cur_ts); -- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); -- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); - LI_ltostr(hh, rand()); -- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - -- MD5_Final(h, &Md5Ctx); -+ li_MD5_Final(h, &Md5Ctx); - - CvtHex(h, out); - -Index: src/mod_usertrack.c -=================================================================== ---- src/mod_usertrack.c (.../tags/lighttpd-1.4.29) -+++ src/mod_usertrack.c (.../branches/lighttpd-1.4.x) -@@ -8,18 +8,8 @@ - #include - #include - --#ifdef USE_OPENSSL --# include --#else --# include "md5.h" -+#include "md5.h" - --typedef li_MD5_CTX MD5_CTX; --#define MD5_Init li_MD5_Init --#define MD5_Update li_MD5_Update --#define MD5_Final li_MD5_Final -- --#endif -- - /* 
plugin config for all request/connections */ - - typedef struct { -@@ -182,7 +172,7 @@ - plugin_data *p = p_d; - data_string *ds; - unsigned char h[16]; -- MD5_CTX Md5Ctx; -+ li_MD5_CTX Md5Ctx; - char hh[32]; - - if (con->uri.path->used == 0) return HANDLER_GO_ON; -@@ -228,18 +218,18 @@ - /* taken from mod_auth.c */ - - /* generate shared-secret */ -- MD5_Init(&Md5Ctx); -- MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); -- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); -+ li_MD5_Init(&Md5Ctx); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); - - /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ - LI_ltostr(hh, srv->cur_ts); -- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); -- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); - LI_ltostr(hh, rand()); -- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); -+ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - -- MD5_Final(h, &Md5Ctx); -+ li_MD5_Final(h, &Md5Ctx); - - buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX); - buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/")); -Index: src/mod_status.c -=================================================================== ---- src/mod_status.c (.../tags/lighttpd-1.4.29) -+++ src/mod_status.c (.../branches/lighttpd-1.4.x) -@@ -487,7 +487,7 @@ - - buffer_append_string_len(b, CONST_STR_LEN("")); - -- if (con->request.content_length) { -+ if (c->request.content_length) { - buffer_append_long(b, c->request_content_queue->bytes_in); - buffer_append_string_len(b, CONST_STR_LEN("/")); - buffer_append_long(b, c->request.content_length); -Index: src/settings.h -=================================================================== 
---- src/settings.h (.../tags/lighttpd-1.4.29) -+++ src/settings.h (.../branches/lighttpd-1.4.x) -@@ -21,8 +21,11 @@ - * 64kB (no real reason, just a guess) - */ - #define BUFFER_MAX_REUSE_SIZE (4 * 1024) --#define MAX_READ_LIMIT (4*1024*1024) - -+/* both should be way smaller than SSIZE_MAX :) */ -+#define MAX_READ_LIMIT (256*1024) -+#define MAX_WRITE_LIMIT (256*1024) -+ - /** - * max size of the HTTP request header - * -Index: src/mod_cml_lua.c -=================================================================== ---- src/mod_cml_lua.c (.../tags/lighttpd-1.4.29) -+++ src/mod_cml_lua.c (.../branches/lighttpd-1.4.x) -@@ -11,18 +11,6 @@ - #include - #include - --#ifdef USE_OPENSSL --# include --#else --# include "md5.h" -- --typedef li_MD5_CTX MD5_CTX; --#define MD5_Init li_MD5_Init --#define MD5_Update li_MD5_Update --#define MD5_Final li_MD5_Final -- --#endif -- - #define HASHLEN 16 - typedef unsigned char HASH[HASHLEN]; - #define HASHHEXLEN 32 -Index: src/mod_fastcgi.c -=================================================================== ---- src/mod_fastcgi.c (.../tags/lighttpd-1.4.29) -+++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) -@@ -3075,7 +3075,7 @@ - fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); - /* fall through */ - case FCGI_STATE_WRITE: -- ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); -+ ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); - - chunkqueue_remove_finished_chunks(hctx->wb); - -@@ -3132,7 +3132,6 @@ - plugin_data *p = p_d; - - handler_ctx *hctx = con->plugin_ctx[p->id]; -- fcgi_proc *proc; - fcgi_extension_host *host; - - if (NULL == hctx) return HANDLER_GO_ON; -@@ -3201,7 +3200,6 @@ - /* ok, create the request */ - switch(fcgi_write_request(srv, hctx)) { - case HANDLER_ERROR: -- proc = hctx->proc; - host = hctx->host; - - if (hctx->state == FCGI_STATE_INIT || -Index: src/network_solaris_sendfilev.c -=================================================================== ---- 
src/network_solaris_sendfilev.c (.../tags/lighttpd-1.4.29) -+++ src/network_solaris_sendfilev.c (.../branches/lighttpd-1.4.x) -@@ -38,17 +38,16 @@ - */ - - --int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) { -+int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { - chunk *c; -- size_t chunks_written = 0; - -- for(c = cq->first; c; c = c->next, chunks_written++) { -+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { - int chunk_finished = 0; - - switch(c->type) { - case MEM_CHUNK: { - char * offset; -- size_t toSend; -+ off_t toSend; - ssize_t r; - - size_t num_chunks, i; -@@ -77,9 +76,9 @@ - chunks[i].iov_base = offset; - - /* protect the return value of writev() */ -- if (toSend > SSIZE_MAX || -- num_bytes + toSend > SSIZE_MAX) { -- chunks[i].iov_len = SSIZE_MAX - num_bytes; -+ if (toSend > max_bytes || -+ (off_t) num_bytes + toSend > max_bytes) { -+ chunks[i].iov_len = max_bytes - num_bytes; - - num_chunks = i + 1; - break; -@@ -119,11 +118,10 @@ - - if (chunk_finished) { - /* skip the chunks from further touches */ -- chunks_written++; - c = c->next; - } else { - /* chunks_written + c = c->next is done in the for()*/ -- chunk_finished++; -+ chunk_finished = 1; - } - } else { - /* partially written */ -@@ -139,8 +137,8 @@ - } - case FILE_CHUNK: { - ssize_t r; -- off_t offset; -- size_t toSend, written; -+ off_t offset, toSend; -+ size_t written; - sendfilevec_t fvec; - stat_cache_entry *sce = NULL; - int ifd; -@@ -153,6 +151,7 @@ - - offset = c->file.start + c->offset; - toSend = c->file.length - c->offset; -+ if (toSend > max_bytes) toSend = max_bytes; - - if (offset > sce->st.st_size) { - log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name); -@@ -186,6 +185,7 @@ - close(ifd); - c->offset += written; - cq->bytes_out += written; -+ max_bytes -= written; - - if (c->offset == c->file.length) { - 
chunk_finished = 1; -@@ -207,7 +207,7 @@ - } - } - -- return chunks_written; -+ return 0; - } - - #endif -Index: src/CMakeLists.txt -=================================================================== -Index: src/mod_dirlisting.c -=================================================================== ---- src/mod_dirlisting.c (.../tags/lighttpd-1.4.29) -+++ src/mod_dirlisting.c (.../branches/lighttpd-1.4.x) -@@ -657,7 +657,8 @@ - i = dir->used - 1; - - #ifdef HAVE_PATHCONF -- if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { -+ if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { -+ /* some broken fs (fuse) return 0 instead of -1 */ - #ifdef NAME_MAX - name_max = NAME_MAX; - #else -Index: src/network_linux_sendfile.c -=================================================================== ---- src/network_linux_sendfile.c (.../tags/lighttpd-1.4.29) -+++ src/network_linux_sendfile.c (.../branches/lighttpd-1.4.x) -@@ -27,17 +27,16 @@ - /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */ - #undef HAVE_POSIX_FADVISE - --int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) { -+int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) { - chunk *c; -- size_t chunks_written = 0; - -- for(c = cq->first; c; c = c->next, chunks_written++) { -+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { - int chunk_finished = 0; - - switch(c->type) { - case MEM_CHUNK: { - char * offset; -- size_t toSend; -+ off_t toSend; - ssize_t r; - - size_t num_chunks, i; -@@ -45,12 +44,10 @@ - chunk *tc; - size_t num_bytes = 0; - -- /* we can't send more then SSIZE_MAX bytes in one chunk */ -- - /* build writev list - * - * 1. limit: num_chunks < UIO_MAXIOV -- * 2. limit: num_bytes < SSIZE_MAX -+ * 2. 
limit: num_bytes < max_bytes - */ - for (num_chunks = 0, tc = c; - tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; -@@ -67,9 +64,9 @@ - chunks[i].iov_base = offset; - - /* protect the return value of writev() */ -- if (toSend > SSIZE_MAX || -- num_bytes + toSend > SSIZE_MAX) { -- chunks[i].iov_len = SSIZE_MAX - num_bytes; -+ if (toSend > max_bytes || -+ (off_t) num_bytes + toSend > max_bytes) { -+ chunks[i].iov_len = max_bytes - num_bytes; - - num_chunks = i + 1; - break; -@@ -100,6 +97,7 @@ - - /* check which chunks have been written */ - cq->bytes_out += r; -+ max_bytes -= r; - - for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) { - if (r >= (ssize_t)chunks[i].iov_len) { -@@ -109,11 +107,10 @@ - - if (chunk_finished) { - /* skip the chunks from further touches */ -- chunks_written++; - c = c->next; - } else { - /* chunks_written + c = c->next is done in the for()*/ -- chunk_finished++; -+ chunk_finished = 1; - } - } else { - /* partially written */ -@@ -130,13 +127,12 @@ - case FILE_CHUNK: { - ssize_t r; - off_t offset; -- size_t toSend; -+ off_t toSend; - stat_cache_entry *sce = NULL; - - offset = c->file.start + c->offset; -- /* limit the toSend to 2^31-1 bytes in a chunk */ -- toSend = c->file.length - c->offset > ((1 << 30) - 1) ? 
-- ((1 << 30) - 1) : c->file.length - c->offset; -+ toSend = c->file.length - c->offset; -+ if (toSend > max_bytes) toSend = max_bytes; - - /* open file if not already opened */ - if (-1 == c->file.fd) { -@@ -215,6 +211,7 @@ - - c->offset += r; - cq->bytes_out += r; -+ max_bytes -= r; - - if (c->offset == c->file.length) { - chunk_finished = 1; -@@ -243,7 +240,7 @@ - } - } - -- return chunks_written; -+ return 0; - } - - #endif -Index: tests/mod-auth.t -=================================================================== ---- tests/mod-auth.t (.../tags/lighttpd-1.4.29) -+++ tests/mod-auth.t (.../branches/lighttpd-1.4.x) -@@ -8,7 +8,7 @@ - - use strict; - use IO::Socket; --use Test::More tests => 14; -+use Test::More tests => 15; - use LightyTest; - - my $tf = LightyTest->new(); -@@ -25,6 +25,14 @@ - - $t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; -+ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); -+ -+$t->{REQUEST} = ( < 44; -+use Test::More tests => 46; - use LightyTest; - - my $tf = LightyTest->new(); -@@ -413,5 +413,21 @@ - $t->{SLOWREQUEST} = 1; - ok($tf->handle_http($t) == 0, 'GET, slow \\r\\n\\r\\n (#2105)'); - -+print "\nPathinfo for static files\n"; -+$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ]; -+ok($tf->handle_http($t) == 0, 'static file accepting pathinfo by default'); -+ -+$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; -+ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); -+ - ok($tf->stop_proc == 0, "Stopping lighttpd"); - -Index: tests/wrapper.sh -=================================================================== ---- tests/wrapper.sh (.../tags/lighttpd-1.4.29) -+++ tests/wrapper.sh (.../branches/lighttpd-1.4.x) -@@ -6,4 +6,4 @@ - top_builddir=$2 - export SHELL srcdir top_builddir - --$3 -+exec $3 -Index: tests/lighttpd.conf 
-=================================================================== ---- tests/lighttpd.conf (.../tags/lighttpd-1.4.29) -+++ tests/lighttpd.conf (.../branches/lighttpd-1.4.x) -@@ -149,6 +149,7 @@ - $HTTP["host"] == "zzz.example.org" { - server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" - server.name = "zzz.example.org" -+ static-file.disable-pathinfo = "enable" - } - - $HTTP["host"] == "symlink.example.org" { -Index: configure.ac -=================================================================== -Index: doc/config/lighttpd.conf -=================================================================== ---- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29) -+++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x) -@@ -394,6 +394,25 @@ - ## $SERVER["socket"] == "10.0.0.1:443" { - ## ssl.engine = "enable" - ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" -+## # -+## # Mitigate BEAST attack: -+## # -+## # A stricter base cipher suite. For details see: -+## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html -+## # -+## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" -+## # -+## # Make the server prefer the order of the server side cipher suite instead of the client suite. -+## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). -+## # This option is enabled by default, but only used if ssl.ciphers is set. -+## # -+## # ssl.honor-cipher-order = "enable" -+## # -+## # Mitigate CVE-2009-3555 by disabling client triggered renegotation -+## # This is enabled by default. 
-+## # -+## # ssl.disable-client-renegotiation = "enable" -+## # - ## server.name = "www.example.com" - ## - ## server.document-root = "/srv/www/vhosts/example.com/www/" -Index: SConstruct -=================================================================== -Index: NEWS -=================================================================== ---- NEWS (.../tags/lighttpd-1.4.29) -+++ NEWS (.../branches/lighttpd-1.4.x) -@@ -3,7 +3,20 @@ - NEWS - ==== - --- 1.4.29 - -+- 1.4.30 - -+ * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) -+ * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. -+ * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled -+ * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file -+ * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) -+ * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) -+ * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) -+ * [ssl] count renegotiations to prevent client renegotiations -+ * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) -+ * [core] accept dots in ipv6 addresses in host header (fixes #2359) -+ * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) -+ -+- 1.4.29 - 2011-07-03 - * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) - * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) - * mod_cgi: make read buffer as big as incoming data block -Index: CMakeLists.txt -=================================================================== diff --git a/lighttpd-branding.patch b/lighttpd-branding.patch index c0e0062..a3f634c 100644 --- a/lighttpd-branding.patch +++ b/lighttpd-branding.patch 
@@ -1,11 +1,11 @@ ---- lighttpd-1.4.22/src/response.c~ 2009-04-17 00:50:21.000000000 +0300 -+++ lighttpd-1.4.22/src/response.c 2009-04-17 00:51:22.174367972 +0300 -@@ -105,7 +105,7 @@ +--- lighttpd-1.4.36/src/response.c~ 2015-07-26 13:36:36.000000000 +0300 ++++ lighttpd-1.4.36/src/response.c 2015-07-26 18:29:48.302220417 +0300 +@@ -109,7 +109,7 @@ if (!have_server) { if (buffer_is_empty(con->conf.server_tag)) { - buffer_append_string_len(b, CONST_STR_LEN("\r\nServer: " PACKAGE_DESC)); + buffer_append_string_len(b, CONST_STR_LEN("\r\nServer: " PACKAGE_DESC " (TLD Linux)")); - } else if (con->conf.server_tag->used > 1) { + } else if (!buffer_string_is_empty(con->conf.server_tag)) { buffer_append_string_len(b, CONST_STR_LEN("\r\nServer: ")); buffer_append_string_encoded(b, CONST_BUF_LEN(con->conf.server_tag), ENCODING_HTTP_HEADER); diff --git a/lighttpd.init b/lighttpd.init index 69d169b..aaf4d5f 100755 --- a/lighttpd.init +++ b/lighttpd.init @@ -10,6 +10,8 @@ # Source function library . /etc/rc.d/init.d/functions +upstart_controlled + # Get network config . /etc/sysconfig/network diff --git a/lighttpd.spec b/lighttpd.spec index a4cb532..708bc3a 100644 --- a/lighttpd.spec +++ b/lighttpd.spec @@ -20,6 +20,7 @@ %bcond_with webdav_locks # webdav locks with extra efsprogs deps %bcond_with valgrind # compile code with valgrind support. %bcond_with deflate # build deflate module (needs patch update with current svn) +%bcond_with h264_streaming # build h264_streaming module %if %{with webdav_locks} %define webdav_progs 1 
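Review bot: The refreshed lighttpd-branding.patch still has no description, so nothing records that its one functional line appends ` (TLD Linux)` to the default `Server:` response header next to `PACKAGE_DESC`. I would add a short header above the `---` line of the patch, for example `Distribution branding: append " (TLD Linux)" to the default Server header.` That default banner tells every client the distribution and, presumably through PACKAGE_DESC, the server version, so the packaged configuration is a reasonable place to mention that `server.tag` replaces it. The two branches test the tag with different helpers (`buffer_is_empty` and `buffer_string_is_empty`), which looks deliberate but deserves a word in the same header; the enclosing function in response.c starts and ends outside the hunk.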
@@ -28,12 +29,12 @@ Summary: Fast and light HTTP server Summary(pl.UTF-8): Szybki i lekki serwer HTTP Name: lighttpd -Version: 1.4.35 -Release: 7 +Version: 1.4.39 +Release: 1 License: BSD Group: Networking/Daemons/HTTP -Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.bz2 -# Source0-md5: f7a88130ee9984b421ad8aa80629750a +Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.xz +# Source0-md5: 63c7563be1c7a7a9819a51f07f1af8b2 Source1: %{name}.init Source2: %{name}.conf Source3: %{name}.user @@ -89,7 +90,9 @@ Source135: %{name}-mod_extforward.conf Source136: %{name}-mod_h264_streaming.conf Source137: %{name}-mod_cgi_php.conf Source138: %{name}-mod_compress.tmpwatch +# use branch.sh script to create branch.diff #Patch100: %{name}-branch.diff +## Patch100-md5: cdcde8cb4632a42c5ae21d73aae9d34b Patch0: %{name}-use_bin_sh.patch Patch1: %{name}-mod_evasive-status_code.patch Patch2: %{name}-mod_h264_streaming.patch @@ -125,8 +128,10 @@ BuildRequires: pkgconfig BuildRequires: rpm >= 4.4.9-56 BuildRequires: rpmbuild(macros) >= 1.647 %{?with_webdav_props:BuildRequires: sqlite3-devel} +BuildRequires: tar >= 1:1.22 %{?with_valgrind:BuildRequires: valgrind} BuildRequires: which +BuildRequires: xz BuildRequires: zlib-devel Requires(post,preun): /sbin/chkconfig Requires(postun): /usr/sbin/groupdel @@ -826,14 +831,13 @@ Plik monitrc do monitorowania serwera www lighttpd. %prep %setup -q #%patch100 -p0 -#%patch4 -p0 %patch0 -p1 %patch1 -p1 -%patch2 -p1 +%{?with_h264_streaming:%patch2 -p1} %patch3 -p1 %{?with_deflate:%patch5 -p1} %patch6 -p1 -%patch7 -p0 +%patch7 -p1 rm -f src/mod_ssi_exprparser.h # bad patching: should be removed by is emptied instead @@ -843,6 +847,7 @@ cp -p %{SOURCE14} PLD-TODO %if "%{pld_release}" == "ac" %{__sed} -i -e 's/ serial_tests//' configure.ac +%{__sed} -i -e 's/dist-xz/dist-bzip2/' configure.ac %endif %build 
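Review bot: The new `Source0` line still fetches the release tarball over plain `http://`, and the only integrity pin recorded for it is the MD5 in `# Source0-md5`, a digest that is no longer considered collision-resistant. Switching the URL to `Source0: https://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.xz` is a one-line change, assuming the host serves TLS. When bumping the version it is also worth checking the tarball against the SHA-256 sum or signature that upstream publishes before recording the digest. Whether the build tooling accepts a stronger digest tag than MD5 is not visible from this hunk.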
@@ -926,7 +931,9 @@ cp -p %{SOURCE109} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_evasive.conf cp -p %{SOURCE110} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_evhost.conf cp -p %{SOURCE112} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_fastcgi.conf cp -p %{SOURCE113} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_flv_streaming.conf +%if %{with h264_streaming} cp -p %{SOURCE136} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_h264_streaming.conf +%endif cp -p %{SOURCE114} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_indexfile.conf cp -p %{SOURCE115} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_proxy.conf cp -p %{SOURCE118} $RPM_BUILD_ROOT%{_sysconfdir}/conf.d/50_mod_rrdtool.conf @@ -1213,10 +1220,12 @@ fi %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_flv_streaming.conf %attr(755,root,root) %{_libdir}/mod_flv_streaming.so +%if %{with h264_streaming} %files mod_h264_streaming %defattr(644,root,root,755) %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/conf.d/*mod_h264_streaming.conf %attr(755,root,root) %{_libdir}/mod_h264_streaming.so +%endif %files mod_indexfile %defattr(644,root,root,755)