reattaching debdiff
diff -Nru lighttpd-1.4.53/debian/changelog lighttpd-1.4.53/debian/changelog --- lighttpd-1.4.53/debian/changelog 2019-04-13 00:00:00.000000000 -0400 +++ lighttpd-1.4.53/debian/changelog 2020-03-21 19:30:00.000000000 -0400 
@@ -1,11 +1,67 @@ +lighttpd (1.4.53-4+deb10u1) UNRELEASED; urgency=high + + * QA upload. + * backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55 + * mod_evhost, mod_flv_streaming: + [regression] %0 pattern does not match hostnames without the domain part + https://redmine.lighttpd.net/issues/2932 + * mod_magnet: Lighttpd crashes on wrong return type in lua script + https://redmine.lighttpd.net/issues/2938 + * failed assertion on incoming bad request with server.error-handler + https://redmine.lighttpd.net/issues/2941 + * mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures + https://redmine.lighttpd.net/issues/2944 + * fix abort in server.http-parseopts with url-path-2f-decode enabled + https://redmine.lighttpd.net/issues/2945 + * remove repeated slashes in server.http-parseopts with url-path-dotseg-remove, including leading "//" + * [regression][Bisected] lighttpd uses way more memory with POST since 1.4.52 + https://redmine.lighttpd.net/issues/2948 + * OPTIONS should return 2xx status for non-existent resources if Allow is set + https://redmine.lighttpd.net/issues/2939 + * use high precision stat timestamp (on systems where available) in etag + * mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server" + https://redmine.lighttpd.net/issues/2940 + * SUN_LEN in sock_addr.c (1.4.53, 1.4.54) + https://redmine.lighttpd.net/issues/2962 + * Embedded vim command line in conf file with no comment (#) hangs server + https://redmine.lighttpd.net/issues/2980 + * mod_authn_gssapi: 500 if fail to delegate creds + https://redmine.lighttpd.net/issues/2967 + * mod_authn_gssapi: option to store delegated creds + https://redmine.lighttpd.net/issues/2967 + * mod_auth: require digest uri= match original URI + HTTP digest authentication not compatible with some clients + https://redmine.lighttpd.net/issues/2974 + * mod_auth: send Authentication-Info nextnonce when nonce is approaching expiration + * mod_auth: http_auth_const_time_memeq 
improvement + * mod_auth: http_auth_const_time_memeq_pad() + * mod_auth: use constant time comparison when comparing digests + * stricter request header parsing: reject WS following header field-name + https://redmine.lighttpd.net/issues/2985 + * stricter request header parsing: reject Transfer-Encoding + Content-Length + https://redmine.lighttpd.net/issues/2985 + * mod_openssl: reject invalid ALPN + * mod_accesslog: parse multiple cookies + https://redmine.lighttpd.net/issues/2986 + * preserve %2b and %2B in query string + https://redmine.lighttpd.net/issues/2999 + * mod_auth: close connection after bad password + mitigation slows down brute force password attacks + https://redmine.lighttpd.net/boards/3/topics/8885 + * do not accept() > server.max-connections + * update /var/run -> /run for systemd (closes: #929203) + + -- Glenn Strauss <gstra...@gluelogic.com> Sat, 21 Mar 2020 18:30:00 -0500 + lighttpd (1.4.53-4) unstable; urgency=high + * QA upload. * fix mixed use of srv->split_vals array (regression) * mod_magnet:fix invalid script return-type crash * fix assertion with server.error-handler * mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures * fix abort in server.http-parseopts with url-path-2f-decode enabled - CVE-2019-11072 (closes #926885) + CVE-2019-11072 (closes: #926885) -- Glenn Strauss <gstra...@gluelogic.com> Sat, 13 Apr 2019 00:00:00 -0400 diff -Nru lighttpd-1.4.53/debian/.gitlab-ci.yml lighttpd-1.4.53/debian/.gitlab-ci.yml --- lighttpd-1.4.53/debian/.gitlab-ci.yml 2019-04-13 00:00:00.000000000 -0400 +++ lighttpd-1.4.53/debian/.gitlab-ci.yml 2020-03-21 19:30:00.000000000 -0400 
@@ -1,13 +1,7 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml -build: - extends: .build-unstable - -lintian: - extends: .test-lintian - -autopkgtest: - extends: .test-autopkgtest - -piuparts: - extends: .test-piuparts +variables: + # Disable reprotest until salsa-ci-team/pipeline#26 is resolved. + SALSA_CI_DISABLE_REPROTEST: 1 diff -Nru lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch --- lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,67 @@ +From 15cdc313b500e2473de7bafdcf1c703dbfd11e56 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= <g...@pld-linux.org> +Date: Thu, 10 Oct 2019 22:26:44 +0300 +Subject: [PATCH] [config] update /var/run -> /run for systemd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This gets rid of the warning: +> May 19 10:56:32 buster systemd[1]: /lib/systemd/system/lighttpd.service:6: +> PIDFile= references path below legacy directory /var/run/, +> updating /var/run/lighttpd.pid → /run/lighttpd.pid; +> please update the unit file accordingly. + +refs: +- https://github.com/systemd/systemd/commit/a2d1fb882c4308bc10362d971f333c5031d60069 +- https://github.com/systemd/systemd/pull/9019 +- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203 +- Filesystem Hierarchy Standard 3.0 (FHS 3.0) + +github: closes #100 +--- + doc/systemd/lighttpd.service | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/systemd/lighttpd.service b/doc/systemd/lighttpd.service +index b59bdcd7..6fa622b7 100644 +--- a/doc/systemd/lighttpd.service ++++ b/doc/systemd/lighttpd.service +@@ -4,7 +4,7 @@ After=network-online.target + + [Service] + Type=simple +-PIDFile=/var/run/lighttpd.pid ++PIDFile=/run/lighttpd.pid + ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf + ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf + ExecReload=/bin/kill -USR1 $MAINPID +diff --git a/doc/config/lighttpd.conf b/doc/config/lighttpd.conf +index 7673535..0485de9 100644 +--- a/doc/config/lighttpd.conf ++++ b/doc/config/lighttpd.conf +@@ -15,7 +15,7 @@ + ## + var.log_root = "/var/log/lighttpd" + var.server_root = "/srv/www" +-var.state_dir = "/var/run" ++var.state_dir = "/run" + var.home_dir = "/var/lib/lighttpd" + var.conf_dir = "/etc/lighttpd" + +diff --git a/doc/lighttpd.8 b/doc/lighttpd.8 +index 1ab6520..a2c98b8 100644 +--- a/doc/lighttpd.8 ++++ b/doc/lighttpd.8 +@@ -59,7 +59,7 @@ Show a brief 
help message and exit. + /etc/lighttpd/lighttpd.conf + The standard location for the configuration file. + .TP 8 +-/var/run/lighttpd.pid ++/run/lighttpd.pid + The standard location for the PID of the running \fBlighttpd\fP process. + . + .SH SEE ALSO +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch --- lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,36 @@ +From 95aa2c178d6d61e1e42c99018d79993c66bc46e6 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Mon, 25 Mar 2019 22:37:31 -0400 +Subject: [PATCH] [core] 200 for OPTIONS /non-existent/path HTTP/1.1 (fixes + #2939) + +200 for OPTIONS /non-existent/path HTTP/1.1 when a module, +such as mod_webdav, has set Allow response header + +x-ref: + "OPTIONS should return 2xx status for non-existent resources if Allow is set" + https://redmine.lighttpd.net/issues/2939 +--- + src/response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/response.c b/src/response.c +index c4a541fb..173e1859 100644 +--- a/src/response.c ++++ b/src/response.c +@@ -138,6 +138,12 @@ static handler_t http_response_physical_path_check(server *srv, connection *con) + case ENAMETOOLONG: + /* file name to be read was too long. return 404 */ + case ENOENT: ++ if (con->request.http_method == HTTP_METHOD_OPTIONS ++ && NULL != http_header_response_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Allow"))) { ++ con->http_status = 200; ++ return HANDLER_FINISHED; ++ } ++ + con->http_status = 404; + + if (con->conf.log_request_handling) { +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch --- lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,35 @@ +From 186ce8a2b105cce1c8b5133f40b0b429e5547105 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Tue, 25 Jun 2019 00:33:59 -0400 +Subject: [PATCH] [core] allocate unix socket paths with SUN_LEN()+1 (fixes + #2962) + +(thx lighthouse2) + +x-ref: + "SUN_LEN in sock_addr.c (1.4.53, 1.4.54)" + https://redmine.lighttpd.net/issues/2962 +--- + src/sock_addr.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/sock_addr.c b/src/sock_addr.c +index cc15086c..7be57ce1 100644 +--- a/src/sock_addr.c ++++ b/src/sock_addr.c +@@ -544,10 +544,9 @@ int sock_addr_from_str_hints(server *srv, sock_addr *saddr, socklen_t *len, cons + } + memcpy(saddr->un.sun_path, str, hostlen); + #if defined(SUN_LEN) +- *len = SUN_LEN(&saddr->un); ++ *len = SUN_LEN(&saddr->un)+1; + #else +- /* stevens says: */ +- *len = hostlen + sizeof(saddr->un.sun_family); ++ *len = offsetof(struct sockaddr_un, sun_path) + hostlen; + #endif + } + return 1; +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch --- lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,41 @@ +From fb74bb75148142d622b665275b1bb7751abf1a5a Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sun, 19 Jan 2020 00:02:22 -0500 +Subject: [PATCH] [core] do not accept() > server.max-connections + +--- + src/network.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/network.c b/src/network.c +index d563b4c8..dc55169a 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -46,7 +46,7 @@ network_accept_tcp_nagle_disable (const int fd) + static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { + server_socket *srv_socket = (server_socket *)context; + connection *con; +- int loops = 0; ++ int loops; + + UNUSED(context); + +@@ -61,9 +61,13 @@ static handler_t network_server_handle_fdevent(server *srv, void *context, int r + /* accept()s at most 100 connections directly + * + * we jump out after 100 to give the waiting connections a chance */ +- for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) { ++ if (srv->conns->used >= srv->max_conns) return HANDLER_GO_ON; ++ loops = (int)(srv->max_conns - srv->conns->used + 1); ++ if (loops > 100) loops = 101; ++ ++ while (--loops && NULL != (con = connection_accept(srv, srv_socket))) + connection_state_machine(srv, con); +- } ++ + return HANDLER_GO_ON; + } + +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch --- lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,188 @@ +From 599b4f05c8ccebd0c06074972824b930afc9c832 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Thu, 18 Apr 2019 17:02:42 -0400 +Subject: [PATCH] [core] fix 1.4.52 regression in mem use with POST (fixes + #2948) + +(thx rgenoud) + +x-ref: + "[regression][Bisected] lighttpd uses way more memory with POST since 1.4.52" + https://redmine.lighttpd.net/issues/2948 +--- + src/chunk.c | 80 ++++++++++++++++++++++++++++------------------------- + 1 file changed, 43 insertions(+), 37 deletions(-) + +diff --git a/src/chunk.c b/src/chunk.c +index e209707c..73c9fd68 100644 +--- a/src/chunk.c ++++ b/src/chunk.c +@@ -26,7 +26,7 @@ + #define MAX_TEMPFILE_SIZE (128 * 1024 * 1024) + + static size_t chunk_buf_sz = 4096; +-static chunk *chunks; ++static chunk *chunks, *chunks_oversized; + static chunk *chunk_buffers; + static array *chunkqueue_default_tempdirs = NULL; + static unsigned int chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; +@@ -141,23 +141,42 @@ void chunk_buffer_release(buffer *b) { + } + } + +-static chunk * chunk_acquire(void) { +- if (chunks) { +- chunk *c = chunks; +- chunks = c->next; +- return c; ++static chunk * chunk_acquire(size_t sz) { ++ if (sz <= chunk_buf_sz) { ++ if (chunks) { ++ chunk *c = chunks; ++ chunks = c->next; ++ return c; ++ } ++ sz = chunk_buf_sz; + } + else { +- return chunk_init(chunk_buf_sz); ++ sz = (sz + 8191) & ~8191uL; ++ /* future: might have buckets of certain sizes, up to socket buf sizes*/ ++ if (chunks_oversized && chunks_oversized->mem->size >= sz) { ++ chunk *c = chunks_oversized; ++ chunks_oversized = c->next; ++ return c; ++ } + } ++ ++ return chunk_init(sz); + } + + static void chunk_release(chunk *c) { +- if (c->mem->size >= chunk_buf_sz) { ++ const size_t sz = c->mem->size; ++ if (sz == chunk_buf_sz) { + chunk_reset(c); + c->next = chunks; + chunks = c; + } ++ else if (sz > chunk_buf_sz) { ++ chunk_reset(c); ++ chunk **co = &chunks_oversized; ++ while (*co && sz < 
(*co)->mem->size) co = &(*co)->next; ++ c->next = *co; ++ *co = c; ++ } + else { + chunk_free(c); + } +@@ -170,6 +189,11 @@ void chunkqueue_chunk_pool_clear(void) + chunk_free(c); + } + chunks = NULL; ++ for (chunk *next, *c = chunks_oversized; c; c = next) { ++ next = c->next; ++ chunk_free(c); ++ } ++ chunks_oversized = NULL; + } + + void chunkqueue_chunk_pool_free(void) +@@ -235,20 +259,20 @@ static void chunkqueue_append_chunk(chunkqueue *cq, chunk *c) { + } + } + +-static chunk * chunkqueue_prepend_mem_chunk(chunkqueue *cq) { +- chunk *c = chunk_acquire(); ++static chunk * chunkqueue_prepend_mem_chunk(chunkqueue *cq, size_t sz) { ++ chunk *c = chunk_acquire(sz); + chunkqueue_prepend_chunk(cq, c); + return c; + } + +-static chunk * chunkqueue_append_mem_chunk(chunkqueue *cq) { +- chunk *c = chunk_acquire(); ++static chunk * chunkqueue_append_mem_chunk(chunkqueue *cq, size_t sz) { ++ chunk *c = chunk_acquire(sz); + chunkqueue_append_chunk(cq, c); + return c; + } + + static chunk * chunkqueue_append_file_chunk(chunkqueue *cq, buffer *fn, off_t offset, off_t len) { +- chunk *c = chunk_acquire(); ++ chunk *c = chunk_acquire(buffer_string_length(fn)+1); + chunkqueue_append_chunk(cq, c); + c->type = FILE_CHUNK; + c->file.start = offset; +@@ -308,7 +332,7 @@ void chunkqueue_append_buffer(chunkqueue *cq, buffer *mem) { + size_t len = buffer_string_length(mem); + if (len < 256 && chunkqueue_append_mem_extend_chunk(cq, mem->ptr, len)) return; + +- c = chunkqueue_append_mem_chunk(cq); ++ c = chunkqueue_append_mem_chunk(cq, chunk_buf_sz); + cq->bytes_in += len; + buffer_move(c->mem, mem); + } +@@ -319,7 +343,7 @@ void chunkqueue_append_mem(chunkqueue *cq, const char * mem, size_t len) { + if (len < chunk_buf_sz && chunkqueue_append_mem_extend_chunk(cq, mem, len)) + return; + +- c = chunkqueue_append_mem_chunk(cq); ++ c = chunkqueue_append_mem_chunk(cq, len+1); + cq->bytes_in += len; + buffer_copy_string_len(c->mem, mem, len); + } +@@ -354,28 +378,14 @@ void 
chunkqueue_append_chunkqueue(chunkqueue *cq, chunkqueue *src) { + } + + +-__attribute_cold__ +-static void chunkqueue_buffer_open_resize(chunk *c, size_t sz) { +- chunk * const n = chunk_init((sz + 4095) & ~4095uL); +- buffer * const b = c->mem; +- c->mem = n->mem; +- n->mem = b; +- chunk_release(n); +-} +- +- + buffer * chunkqueue_prepend_buffer_open_sz(chunkqueue *cq, size_t sz) { +- chunk * const c = chunkqueue_prepend_mem_chunk(cq); +- if (buffer_string_space(c->mem) < sz) { +- chunkqueue_buffer_open_resize(c, sz); +- } ++ chunk * const c = chunkqueue_prepend_mem_chunk(cq, sz); + return c->mem; + } + + + buffer * chunkqueue_prepend_buffer_open(chunkqueue *cq) { +- chunk *c = chunkqueue_prepend_mem_chunk(cq); +- return c->mem; ++ return chunkqueue_prepend_buffer_open_sz(cq, chunk_buf_sz); + } + + +@@ -385,17 +395,13 @@ void chunkqueue_prepend_buffer_commit(chunkqueue *cq) { + + + buffer * chunkqueue_append_buffer_open_sz(chunkqueue *cq, size_t sz) { +- chunk * const c = chunkqueue_append_mem_chunk(cq); +- if (buffer_string_space(c->mem) < sz) { +- chunkqueue_buffer_open_resize(c, sz); +- } ++ chunk * const c = chunkqueue_append_mem_chunk(cq, sz); + return c->mem; + } + + + buffer * chunkqueue_append_buffer_open(chunkqueue *cq) { +- chunk *c = chunkqueue_append_mem_chunk(cq); +- return c->mem; ++ return chunkqueue_append_buffer_open_sz(cq, chunk_buf_sz); + } + + +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch --- lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,33 @@ +From 06a395a93ee22df13cb6fe2a5a06cdac3ed1946c Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Thu, 5 Sep 2019 21:54:10 -0400 +Subject: [PATCH] [core] issue config error for invalid ':' (fixes #2980) + +x-ref: + "Embedded vim command line in conf file with no comment (#) hangs server" + https://redmine.lighttpd.net/issues/2980 +--- + src/configfile.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/configfile.c b/src/configfile.c +index b870b593..a7ac53bc 100644 +--- a/src/configfile.c ++++ b/src/configfile.c +@@ -1130,6 +1130,13 @@ static int config_tokenizer(server *srv, tokenizer_t *t, int *token_id, buffer * + t->offset += 2; + tid = TK_FORCE_ASSIGN; + buffer_copy_string_len(token, CONST_STR_LEN(":=")); ++ } else { ++ /* ERROR */ ++ log_error_write(srv, __FILE__, __LINE__, "sbsdsds", ++ "source:", t->source, ++ "line:", t->line, "pos:", t->line_pos, ++ "unexpected character ':'"); ++ return -1; + } + break; + +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch --- lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,60 @@ +From 9cdfb4846653253f2c11dd74964eb4a9bc006a2c Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Wed, 1 Jan 2020 15:28:43 -0500 +Subject: [PATCH] [core] preserve %2b and %2B in query string (fixes #2999) + +normalize %2b or %2B in query string to %2B (uppercase hex), +and not to '+' + +(thx int-e) + +x-ref: + "url-normalize-required expands %2B in query strings" + https://redmine.lighttpd.net/issues/2999 +--- + src/burl.c | 8 ++++++-- + src/t/test_burl.c | 2 ++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/burl.c b/src/burl.c +index b62a5cd5..ca8c8bd6 100644 +--- a/src/burl.c ++++ b/src/burl.c +@@ -139,7 +139,9 @@ static int burl_normalize_basic_required_fix (buffer *b, buffer *t, int i, int q + else if (s[i]=='%' && li_cton(s[i+1], n1) && li_cton(s[i+2], n2)) { + const unsigned int x = (n1 << 4) | n2; + if (!encoded_chars_http_uri_reqd[x] +- && (qs < 0 ? (x!='/'&&x!='?') : (x!='&'&&x!='='&&x!=';'))) { ++ && (qs < 0 ++ ? (x != '/' && x != '?') ++ : (x != '&' && x != '=' && x != ';' && x != '+'))) { + p[j] = x; + } + else { +@@ -177,7 +179,9 @@ static int burl_normalize_basic_required (buffer *b, buffer *t) + } + else if (s[i]=='%' && li_cton(s[i+1], n1) && li_cton(s[i+2], n2) + && (encoded_chars_http_uri_reqd[(x = (n1 << 4) | n2)] +- ||(qs < 0 ? (x=='/'||x=='?') : (x=='&'||x=='='||x==';')))){ ++ || (qs < 0 ++ ? 
(x == '/' || x == '?') ++ : (x == '&' || x == '=' || x == ';' || x == '+')))) { + if (li_utf8_invalid_byte(x)) qs = -2; + if (s[i+1] >= 'a') b->ptr[i+1] &= 0xdf; /* uppercase hex */ + if (s[i+2] >= 'a') b->ptr[i+2] &= 0xdf; /* uppercase hex */ +diff --git a/src/t/test_burl.c b/src/t/test_burl.c +index e9cc80de..c2bbe69e 100644 +--- a/src/t/test_burl.c ++++ b/src/t/test_burl.c +@@ -78,6 +78,8 @@ static void test_burl_normalize (void) { + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2B"), CONST_STR_LEN("/+")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%3a"), CONST_STR_LEN("/:")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%3A"), CONST_STR_LEN("/:")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2b?x=%2b"), CONST_STR_LEN("/+?x=%2B")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2B?x=%2B"), CONST_STR_LEN("/+?x=%2B")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/~test%20ä_"), CONST_STR_LEN("/~test%20%C3%A4_")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/\375"), "", (size_t)-2); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/\376"), "", (size_t)-2); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch --- lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,70 @@ +From 66624b375b6f1ceae446ba09d55f123683506337 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sun, 6 Oct 2019 15:14:05 -0400 +Subject: [PATCH] [core] reject Transfer-Encoding + Content-Length (#2985) + +reject requests with both Transfer-Encoding and Content-Length +as recommended in RFC 7230 Section 3.3.3. + +strict header parsing is enabled by default in lighttpd. However, +if explicitly disabled in lighttpd.conf, lighttpd will continue to +accept Transfer-Encoding and Content-Length in the same request, +and will ignore (and remove) Content-Length before passing to backend. + UNSAFE: server.http-parseopts = ( "header-strict" => "disable" ) + This is NOT RECOMMENDED since doing so disables other protections + provided by lighttpd strict http header parsing. + +RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing + 3.3.3. Message Body Length + [...] + If a message is received with both a Transfer-Encoding and a + Content-Length header field, the Transfer-Encoding overrides the + Content-Length. Such a message might indicate an attempt to + perform request smuggling (Section 9.5) or response splitting + (Section 9.4) and ought to be handled as an error. A sender MUST + remove the received Content-Length field prior to forwarding such + a message downstream. 
+ +x-ref: + stricter request header parsing + https://redmine.lighttpd.net/issues/2985 +--- + src/request.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/src/request.c b/src/request.c +index 64b2ba45..7ce30869 100644 +--- a/src/request.c ++++ b/src/request.c +@@ -887,9 +887,26 @@ int http_request_parse(server *srv, connection *con, buffer *hdrs) { + * which must not be blindly forwarded to backends */ + http_header_request_unset(con, HTTP_HEADER_TRANSFER_ENCODING, CONST_STR_LEN("Transfer-Encoding")); + +- /*(note: ignore whether or not Content-Length was provided)*/ + if (con->request.htags & HTTP_HEADER_CONTENT_LENGTH) { +- http_header_request_unset(con, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length")); ++ /* RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing ++ * 3.3.3. Message Body Length ++ * [...] ++ * If a message is received with both a Transfer-Encoding and a ++ * Content-Length header field, the Transfer-Encoding overrides the ++ * Content-Length. Such a message might indicate an attempt to ++ * perform request smuggling (Section 9.5) or response splitting ++ * (Section 9.4) and ought to be handled as an error. A sender MUST ++ * remove the received Content-Length field prior to forwarding such ++ * a message downstream. 
++ */ ++ if (http_header_strict) { ++ log_error_write(srv, __FILE__, __LINE__, "s", "invalid Transfer-Encoding + Content-Length -> 400"); ++ goto failure; ++ } ++ else { ++ /* ignore Content-Length */ ++ http_header_request_unset(con, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length")); ++ } + } + + state.con_length_set = 1; +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch --- lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,105 @@ +From 61f85d14ee4444755e0771495b97af11162448dd Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sat, 28 Sep 2019 19:21:56 -0400 +Subject: [PATCH] [core] reject WS following header field-name (fixes #2985) + +reject whitespace following request header field-name and before colon +Such whitespace is forbidden in RFC 7230 Section 3.2.4. + +strict header parsing is enabled by default in lighttpd. However, +if explicitly disabled in lighttpd.conf, lighttpd will continue to +accept (and re-format) such field-names before passing to any backend. + UNSAFE: server.http-parseopts = ( "header-strict" => "disable" ) + This is NOT RECOMMENDED since doing so disables other protections + provided by lighttpd strict http header parsing. + +(thx fedormixalich) + +x-ref: + stricter request header parsing + https://redmine.lighttpd.net/issues/2985 +--- + src/request.c | 13 +++++++++++++ + src/t/test_request.c | 5 +---- + tests/request.t | 12 +----------- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/src/request.c b/src/request.c +index b72bb974..64b2ba45 100644 +--- a/src/request.c ++++ b/src/request.c +@@ -723,6 +723,21 @@ int http_request_parse(server *srv, connection *con, buffer *hdrs) { + switch(*cur) { + case ' ': + case '\t': ++ /* RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing ++ * 3.2.4. Field Parsing ++ * [...] ++ * No whitespace is allowed between the header field-name and colon. In ++ * the past, differences in the handling of such whitespace have led to ++ * security vulnerabilities in request routing and response handling. A ++ * server MUST reject any received request message that contains ++ * whitespace between a header field-name and colon with a response code ++ * of 400 (Bad Request). A proxy MUST remove any such whitespace from a ++ * response message before forwarding the message downstream. 
++ */ ++ if (http_header_strict) { ++ log_error_write(srv, __FILE__, __LINE__, "s", "invalid whitespace between field-name and colon -> 400"); ++ goto failure; ++ } + /* skip every thing up to the : */ + do { ++cur; } while (*cur == ' ' || *cur == '\t'); + if (*cur != ':') { +diff --git a/src/t/test_request.c b/src/t/test_request.c +index e001fb6a..1387565e 100644 +--- a/src/t/test_request.c ++++ b/src/t/test_request.c +@@ -310,14 +310,11 @@ static void test_request_http_request_parse(server *srv, connection *con) + assert(buffer_is_equal_string(con->request.uri, + CONST_STR_LEN("/"))); + +- run_http_request_parse(srv, con, __LINE__, 0, ++ run_http_request_parse(srv, con, __LINE__, 400, + "whitespace after key", + CONST_STR_LEN("GET / HTTP/1.0\r\n" + "ABC : foo\r\n" + "\r\n")); +- ds = (data_string *) +- array_get_element_klen(con->request.headers, CONST_STR_LEN("ABC")); +- assert(ds && buffer_is_equal_string(ds->value, CONST_STR_LEN("foo"))); + + run_http_request_parse(srv, con, __LINE__, 400, + "whitespace within key", +diff --git a/tests/request.t b/tests/request.t +index 96ef077b..aa1cace0 100755 +--- a/tests/request.t ++++ b/tests/request.t +@@ -8,7 +8,7 @@ BEGIN { + + use strict; + use IO::Socket; +-use Test::More tests => 52; ++use Test::More tests => 51; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -503,16 +503,6 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; + ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo'); + + +-print "\nConnection header\n"; +-$t->{REQUEST} = ( <<EOF +-GET /12345.txt HTTP/1.1 +-Connection : close +-Host: 123.example.org +-EOF +- ); +-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 200, 'HTTP-Content' => '12345'."\n", 'Content-Type' => 'text/plain', 'Connection' => 'close' } ]; +-ok($tf->handle_http($t) == 0, 'Connection-header, spaces before ":"'); +- + $t->{REQUEST} = ( <<EOF + GET /12345.txt HTTP/1.1 + Connection: ,close +-- +2.25.1 + diff -Nru 
lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch --- lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,49 @@ +commit e757978497c35b2857784f3b4452d0ebef7793f9 +Author: Glenn Strauss <gstra...@gluelogic.com> +Date: Mon, 15 Apr 2019 23:36:21 -0400 + +[core] remove repeated slashes in http-parseopts + +remove repeated slashes in server.http-parseopts +with url-path-dotseg-remove, including leading "//" + +(prior to this patch, leading "//" was skipped) + +diff --git a/src/burl.c b/src/burl.c +index c4b928fd..b62a5cd5 100644 +--- a/src/burl.c ++++ b/src/burl.c +@@ -289,7 +289,7 @@ static int burl_normalize_path (buffer *b, buffer *t, int qs, int flags) + path_simplify = 1; + break; + } +- do { ++i; } while (i < len && s[i] != '/'); ++ while (i < len && s[i] != '/') ++i; + if (s[i] == '/' && s[i+1] == '/') { /*(s[len] != '/')*/ + path_simplify = 1; + break; +diff --git a/src/t/test_burl.c b/src/t/test_burl.c +index f7a16815..e9cc80de 100644 +--- a/src/t/test_burl.c ++++ b/src/t/test_burl.c +@@ -98,6 +98,8 @@ static void test_burl_normalize (void) { + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f"), CONST_STR_LEN("//")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f?"), CONST_STR_LEN("//?")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b")); +@@ -112,6 +114,8 @@ static void test_burl_normalize (void) { + flags &= ~HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_REJECT; + + flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE; ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("//"), CONST_STR_LEN("/")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a//b"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("./a/b"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("../a/b"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/./b"), CONST_STR_LEN("/a/b")); +-- +2.20.1 + diff -Nru lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch --- lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,27 @@ +From 338c73fd28bf3fbed831b624f2345af02355b329 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Wed, 24 Apr 2019 03:35:26 -0400 +Subject: [PATCH] [core] use high precision stat timestamp in etag + +use high precision stat timestamp (on systems where available) in etag +--- + src/etag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/etag.c b/src/etag.c +index c534e4e3..a89c4e51 100644 +--- a/src/etag.c ++++ b/src/etag.c +@@ -160,6 +160,9 @@ int etag_create(buffer *etag, const struct stat *st, etag_flags_t flags) { + + if (flags & ETAG_USE_MTIME) { + buffer_append_int(etag, st->st_mtime); ++ #ifdef st_mtime /* use high-precision timestamp if available */ ++ buffer_append_int(etag, st->st_mtim.tv_nsec); ++ #endif + } + + return 0; +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch --- lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,30 @@ +From 330c39c694a28e32162519c8843f3253ca9546f0 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Wed, 16 Oct 2019 23:59:54 -0400 +Subject: [PATCH] [mod_accesslog] parse multiple cookies (fixes #2986) + +(thx xoneca) + +x-ref: + "Cookie format specifier is broken" + https://redmine.lighttpd.net/issues/2986 +--- + src/mod_accesslog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mod_accesslog.c b/src/mod_accesslog.c +index 77300134..83a12423 100644 +--- a/src/mod_accesslog.c ++++ b/src/mod_accesslog.c +@@ -1098,7 +1098,7 @@ REQUESTDONE_FUNC(log_access_write) { + buffer_free(bstr); + break; + } else { +- do { ++str; } while (*str != ' ' && *str != '\t' && *str != '\0'); ++ while (*str != ';' && *str != ' ' && *str != '\t' && *str != '\0') ++str; + } + while (*str == ' ' || *str == '\t') ++str; + } while (*str++ == ';'); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch --- lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,67 @@ +From 6ad325c659c4f602584c9450242204f410e74952 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sun, 8 Sep 2019 18:22:10 -0400 +Subject: [PATCH] [mod_auth] Authentication-Info: nextnonce=... + +send Authentication-Info nextnonce when nonce is approaching expiration +--- + src/mod_auth.c | 34 +++++++++++++++++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +diff --git a/src/mod_auth.c b/src/mod_auth.c +index 49ab7a85..34e5e91a 100644 +--- a/src/mod_auth.c ++++ b/src/mod_auth.c +@@ -532,6 +532,35 @@ static void CvtHex(const HASH Bin, char (*Hex)[33]) { + li_tohex(*Hex, sizeof(*Hex), (const char*) Bin, 16); + } + ++static void mod_auth_digest_authentication_info(buffer *b, time_t cur_ts) { ++ li_MD5_CTX Md5Ctx; ++ HASH h; ++ char hh[33]; ++ ++ force_assert(33 >= LI_ITOSTRING_LENGTH); /*(buffer used for both li_itostrn() and CvtHex())*/ ++ ++ /* generate nonce */ ++ ++ /* generate shared-secret */ ++ li_MD5_Init(&Md5Ctx); ++ ++ li_itostrn(hh, sizeof(hh), cur_ts); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); ++ li_itostrn(hh, sizeof(hh), li_rand_pseudo()); ++ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); ++ ++ li_MD5_Final(h, &Md5Ctx); ++ ++ CvtHex(h, &hh); ++ ++ buffer_clear(b); ++ buffer_append_string_len(b, CONST_STR_LEN("nextnonce=\"")); ++ buffer_append_uint_hex(b, (uintmax_t)cur_ts); ++ buffer_append_string_len(b, CONST_STR_LEN(":")); ++ buffer_append_string_len(b, hh, HASHHEXLEN); ++ buffer_append_string_len(b, CONST_STR_LEN("\"")); ++} ++ + typedef struct { + const char *key; + int key_len; +@@ -820,7 +847,12 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, + /* nonce is stale; have client regenerate digest */ + buffer_free(b); + return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 1); +- } /*(future: might send nextnonce when expiration is imminent)*/ ++ } ++ else if (srv->cur_ts - ts > 540) { /*(9 mins)*/ ++ /*(send 
nextnonce when expiration is approaching)*/ ++ mod_auth_digest_authentication_info(srv->tmp_buf, srv->cur_ts); ++ http_header_response_set(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Authentication-Info"), CONST_BUF_LEN(srv->tmp_buf)); ++ } + } + + http_auth_setenv(con, username, strlen(username), CONST_STR_LEN("Digest")); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch --- lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,45 @@ +From 8bddac9263aec30a214bc81b3f8f771944ede428 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Tue, 7 Jan 2020 01:14:12 -0500 +Subject: [PATCH] [mod_auth] close connection after bad password + +mitigation slows down brute force password attacks + +x-ref: + "Possible feature: authentication brute force hardening" + https://redmine.lighttpd.net/boards/3/topics/8885 +--- + src/mod_auth.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/mod_auth.c b/src/mod_auth.c +index 5dee41a..599f7b4 100644 +--- a/src/mod_auth.c ++++ b/src/mod_auth.c +@@ -515,6 +515,7 @@ static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, c + case HANDLER_ERROR: + default: + log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf); ++ con->keep_alive = 0; /*(disable keep-alive if bad password)*/ + rc = HANDLER_UNSET; + break; + } +@@ -733,6 +734,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, + return HANDLER_FINISHED; + case HANDLER_ERROR: + default: ++ con->keep_alive = 0; /*(disable keep-alive if unknown user)*/ + buffer_free(b); + return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0); + } +@@ -789,6 +791,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, + /* digest not ok */ + log_error_write(srv, __FILE__, __LINE__, "sssB", + "digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf); ++ con->keep_alive = 0; /*(disable keep-alive if bad password)*/ + + buffer_free(b); + return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch --- 
lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,112 @@ +From 0e749c1c84326a51f0f8a80c6db49c31c8e920ab Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sun, 8 Sep 2019 18:26:58 -0400 +Subject: [PATCH] [mod_auth] http_auth_const_time_memeq() (#2975, #2976) + +use constant time comparison when comparing digests + +(mitigation for brute-force timing attacks against digests + generated using the same nonce) + +x-ref: + "Digest auth nonces are not validated" + https://redmine.lighttpd.net/issues/2976 + "safe_memcmp new function proposal" + https://redmine.lighttpd.net/issues/2975 +--- + src/http_auth.c | 23 +++++++++++++++++++++++ + src/http_auth.h | 3 +++ + src/mod_auth.c | 2 +- + src/mod_authn_file.c | 2 +- + src/mod_authn_mysql.c | 2 +- + 5 files changed, 29 insertions(+), 3 deletions(-) + +diff --git a/src/http_auth.c b/src/http_auth.c +index fd6cbd8..360f469 100644 +--- a/src/http_auth.c ++++ b/src/http_auth.c +@@ -51,6 +51,29 @@ void http_auth_backend_set (const http_auth_backend_t *backend) + } + + ++int http_auth_const_time_memeq (const void *a, const void *b, const size_t len) ++{ ++ /* constant time memory compare, unless compiler figures it out ++ * (similar to mod_secdownload.c:const_time_memeq()) */ ++ /* caller should prefer http_auth_const_time_memeq_pad() ++ * if not operating on digests, which have defined lengths */ ++ /* Note: some libs provide similar funcs, e.g. ++ * OpenSSL: ++ * int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len) ++ * Note: some OS provide similar funcs, e.g. 
++ * OpenBSD: int timingsafe_bcmp(const void *b1, const void *b2, size_t len) ++ * NetBSD: int consttime_memequal(void *b1, void *b2, size_t len) ++ */ ++ const volatile unsigned char * const av = (const unsigned char *)a; ++ const volatile unsigned char * const bv = (const unsigned char *)b; ++ int diff = 0; ++ for (size_t i = 0; i < len; ++i) { ++ diff |= (av[i] ^ bv[i]); ++ } ++ return (0 == diff); ++} ++ ++ + int http_auth_const_time_memeq_pad (const void *a, const size_t alen, const void *b, const size_t blen) + { + /* constant time memory compare, unless compiler figures it out +diff --git a/src/http_auth.h b/src/http_auth.h +index df8690a..efa6b1d 100644 +--- a/src/http_auth.h ++++ b/src/http_auth.h +@@ -44,6 +44,8 @@ void http_auth_scheme_set (const http_auth_scheme_t *scheme); + const http_auth_backend_t * http_auth_backend_get (const buffer *name); + void http_auth_backend_set (const http_auth_backend_t *backend); + ++int http_auth_const_time_memeq (const void *a, const void *b, size_t len); ++ + int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen); + + void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen); +diff --git a/src/mod_auth.c b/src/mod_auth.c +index 977b5c2..5dee41a 100644 +--- a/src/mod_auth.c ++++ b/src/mod_auth.c +@@ -785,7 +785,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, + li_MD5_Final(RespHash, &Md5Ctx); + CvtHex(RespHash, &a2); + +- if (0 != strcmp(a2, respons)) { ++ if (!http_auth_const_time_memeq(a2, respons, HASHHEXLEN)) { + /* digest not ok */ + log_error_write(srv, __FILE__, __LINE__, "sssB", + "digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf); +diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c +index cd28bc0..352ba1a 100644 +--- a/src/mod_authn_file.c ++++ b/src/mod_authn_file.c +@@ -296,7 +296,7 @@ static handler_t mod_authn_file_htdigest_basic(server *srv, 
connection *con, voi + li_MD5_Final(HA1, &Md5Ctx); + + UNUSED(con); +- return (0 == memcmp(HA1, htdigest, sizeof(HA1)) ++ return (http_auth_const_time_memeq(htdigest, HA1, sizeof(HA1)) + && http_auth_match_rules(require, username->ptr, NULL, NULL)) + ? HANDLER_GO_ON + : HANDLER_ERROR; +diff --git a/src/mod_authn_mysql.c b/src/mod_authn_mysql.c +index 3a41cd4..1ce10b8 100644 +--- a/src/mod_authn_mysql.c ++++ b/src/mod_authn_mysql.c +@@ -380,7 +380,7 @@ static int mod_authn_mysql_password_cmp(const char *userpw, unsigned long userpw + /*(compare 16-byte MD5 binary instead of converting to hex strings + * in order to then have to do case-insensitive hex str comparison)*/ + return (0 == http_auth_md5_hex2bin(userpw, 32 /*(userpwlen)*/, md5pw)) +- ? memcmp(HA1, md5pw, sizeof(md5pw)) ++ ? http_auth_const_time_memeq(HA1, md5pw, sizeof(md5pw)) ? 0 : 1 + : -1; + } + +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch --- lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,46 @@ +From ea6006944bc6de9eba8b9fa44cc326005bde5091 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sat, 7 Sep 2019 13:37:36 -0400 +Subject: [PATCH] [mod_auth] http_auth_const_time_memeq improvement + +employ volatile, which might matter with some compilers (or might not) +explicitly check that string lengths match + (or else might match string where last char of short string matches + repeated chars in longer string) +--- + src/http_auth.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/http_auth.c b/src/http_auth.c +index e9a64f60..d3d3f6dd 100644 +--- a/src/http_auth.c ++++ b/src/http_auth.c +@@ -56,11 +56,22 @@ int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b, + /* constant time memory compare, unless compiler figures it out + * (similar to mod_secdownload.c:const_time_memeq()) */ + /* round to next multiple of 64 to avoid potentially leaking exact +- * password length when subject to high precision timing attacks) */ ++ * password length when subject to high precision timing attacks) ++ * (not necessary when comparing digests, which have defined lengths) ++ */ ++ /* Note: some libs provide similar funcs but might not obscure length, e.g. ++ * OpenSSL: ++ * int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len) ++ * Note: some OS provide similar funcs but might not obscure length, e.g. ++ * OpenBSD: int timingsafe_bcmp(const void *b1, const void *b2, size_t len) ++ * NetBSD: int consttime_memequal(void *b1, void *b2, size_t len) ++ */ ++ const volatile unsigned char * const av = (const unsigned char *)a; ++ const volatile unsigned char * const bv = (const unsigned char *)b; + size_t lim = ((alen >= blen ? 
alen : blen) + 0x3F) & ~0x3F; +- int diff = 0; ++ int diff = (alen != blen); /*(never match if string length mismatch)*/ + for (size_t i = 0, j = 0; lim; --lim) { +- diff |= (a[i] ^ b[j]); ++ diff |= (av[i] ^ bv[j]); + i += (i < alen); + j += (j < blen); + } +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch --- lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,57 @@ +From 89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sun, 8 Sep 2019 18:25:39 -0400 +Subject: [PATCH] [mod_auth] http_auth_const_time_memeq_pad() + +rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad() +for constant time padded comparison of strings of potentially different +length +--- + src/http_auth.c | 2 +- + src/http_auth.h | 4 +++- + src/mod_authn_file.c | 2 +- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/http_auth.c b/src/http_auth.c +index d3d3f6dd..24c2319a 100644 +--- a/src/http_auth.c ++++ b/src/http_auth.c +@@ -51,7 +51,7 @@ void http_auth_backend_set (const http_auth_backend_t *backend) + } + + +-int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b, const size_t blen) ++int http_auth_const_time_memeq_pad (const void *a, const size_t alen, const void *b, const size_t blen) + { + /* constant time memory compare, unless compiler figures it out + * (similar to mod_secdownload.c:const_time_memeq()) */ +diff --git a/src/http_auth.h b/src/http_auth.h +index e652d71..df8690a 100644 +--- a/src/http_auth.h ++++ b/src/http_auth.h +@@ -43,7 +43,8 @@ const http_auth_scheme_t * http_auth_scheme_get (const buffer *name); + void http_auth_scheme_set (const http_auth_scheme_t *scheme); + const http_auth_backend_t * http_auth_backend_get (const buffer *name); + void http_auth_backend_set (const http_auth_backend_t *backend); +-int http_auth_const_time_memeq (const char *a, size_t alen, const char *b, size_t blen); ++ ++int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen); + + void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen); + +diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c +index db1a241..cd28bc0 100644 +--- a/src/mod_authn_file.c ++++ b/src/mod_authn_file.c +@@ -394,7 +394,7 @@ static handler_t 
mod_authn_file_plain_basic(server *srv, connection *con, void * + mod_authn_file_patch_connection(srv, con, p); + rc = mod_authn_file_htpasswd_get(srv, p->conf.auth_plain_userfile, username, password_buf); + if (0 == rc) { +- rc = http_auth_const_time_memeq(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1; ++ rc = http_auth_const_time_memeq_pad(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1; + } + buffer_free(password_buf); + UNUSED(con); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch --- lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,84 @@ +From e9440ecfdf2b9497f3ae720d6e5219fd0ad6b9f9 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sat, 7 Sep 2019 16:37:00 -0400 +Subject: [PATCH] [mod_authn_gssapi] 500 if fail to delegate creds (#2967) + +x-ref: + "mod_authn_gssapi requires delegation?" + https://redmine.lighttpd.net/issues/2967 +--- + src/mod_authn_gssapi.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/src/mod_authn_gssapi.c b/src/mod_authn_gssapi.c +index 4439c3ba..7200408c 100644 +--- a/src/mod_authn_gssapi.c ++++ b/src/mod_authn_gssapi.c +@@ -269,6 +269,13 @@ static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plu + * HTTP auth Negotiate + */ + ++static handler_t mod_authn_gssapi_send_500_server_error (connection *con) ++{ ++ con->http_status = 500; ++ con->mode = DIRECT; ++ return HANDLER_FINISHED; ++} ++ + static handler_t mod_authn_gssapi_send_401_unauthorized_negotiate (connection *con) + { + con->http_status = 401; +@@ -334,7 +341,7 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu + gss_name_t client_name = GSS_C_NO_NAME; + + buffer *sprinc; +- int ret = 0; ++ handler_t rc = HANDLER_UNSET; + + buffer *t_in = buffer_init(); + if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) { +@@ -421,19 +428,24 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu + goto end; + } + +- if (!(acc_flags & GSS_C_DELEG_FLAG)) { +- log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value); +- goto end; +- } +- + /* check the allow-rules */ + if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) { + goto end; + } + +- ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred); +- if (ret) +- http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI")); ++ { ++ if (!(acc_flags & 
GSS_C_DELEG_FLAG)) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value); ++ goto end; ++ } ++ else if (!mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred)) { ++ rc = mod_authn_gssapi_send_500_server_error(con); ++ goto end; ++ } ++ } ++ ++ http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI")); ++ rc = HANDLER_GO_ON; /* success */ + + end: + buffer_free(t_in); +@@ -459,7 +471,7 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu + if (token_out.length) + gss_release_buffer(&st_minor, &token_out); + +- return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(con); ++ return rc != HANDLER_UNSET ? rc : mod_authn_gssapi_send_401_unauthorized_negotiate(con); + } + + static handler_t mod_authn_gssapi_check (server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch --- lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,85 @@ +From 339064228589f8f76c905abd2de3e5f744539c86 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sat, 7 Sep 2019 17:59:21 -0400 +Subject: [PATCH] [mod_authn_gssapi] option to store delegated creds (fixes + #2967) + +default enabled for backwards compatibility; disable in future + +(thx lameventanas) + +x-ref: + "mod_authn_gssapi requires delegation?" + https://redmine.lighttpd.net/issues/2967 +--- + src/mod_authn_gssapi.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/mod_authn_gssapi.c b/src/mod_authn_gssapi.c +index 7200408c..b19c6287 100644 +--- a/src/mod_authn_gssapi.c ++++ b/src/mod_authn_gssapi.c +@@ -41,6 +41,7 @@ + typedef struct { + buffer *auth_gssapi_keytab; + buffer *auth_gssapi_principal; ++ unsigned short int auth_gssapi_store_creds; + } plugin_config; + + typedef struct { +@@ -101,6 +102,7 @@ SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) { + config_values_t cv[] = { + { "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, + { "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, ++ { "auth.backend.gssapi.store-creds",NULL, T_CONFIG_BOOLEAN,T_CONFIG_SCOPE_CONNECTION }, + { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } + }; + +@@ -117,6 +119,9 @@ SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) { + + cv[0].destination = s->auth_gssapi_keytab; + cv[1].destination = s->auth_gssapi_principal; ++ cv[2].destination = &s->auth_gssapi_store_creds; ++ /* default enabled for backwards compatibility; disable in future */ ++ s->auth_gssapi_store_creds = 1; + + p->config_storage[i] = s; + +@@ -137,6 +142,7 @@ static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugi + + PATCH(auth_gssapi_keytab); + PATCH(auth_gssapi_principal); ++ PATCH(auth_gssapi_store_creds); + + /* skip the first, the global context */ + for (i = 1; i < srv->config_context->used; i++) { +@@ -154,6 +160,8 @@ static int 
mod_authn_gssapi_patch_connection(server *srv, connection *con, plugi + PATCH(auth_gssapi_keytab); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) { + PATCH(auth_gssapi_principal); ++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.store-creds"))) { ++ PATCH(auth_gssapi_store_creds); + } + } + } +@@ -433,7 +441,7 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu + goto end; + } + +- { ++ if (p->conf.auth_gssapi_store_creds) { + if (!(acc_flags & GSS_C_DELEG_FLAG)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value); + goto end; +@@ -731,6 +739,8 @@ static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, + goto end; + } + ++ if (!p->conf.auth_gssapi_store_creds) goto end; ++ + ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache); + if (ret) { + mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch --- lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,49 @@ +From ae9cafecea3ca0786dfad260ca064fc824e5ccc9 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Mon, 27 May 2019 02:05:51 -0400 +Subject: [PATCH] [mod_authn_ldap] ldap_set_option LDAP_OPT_RESTART (fixes + #2940) + +ldap_set_option LDAP_OPT_RESTART to handle EINTR on SIGCHLD from CGI + +(ldap uses poll(), which is not restartable with sigaction SA_RESTART) + +x-ref: + "mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"" + https://redmine.lighttpd.net/issues/2940 +--- + src/mod_authn_ldap.c | 3 +++ + src/mod_vhostdb_ldap.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/src/mod_authn_ldap.c b/src/mod_authn_ldap.c +index 26191f5c..f95234bd 100644 +--- a/src/mod_authn_ldap.c ++++ b/src/mod_authn_ldap.c +@@ -404,6 +404,9 @@ static LDAP * mod_authn_ldap_host_init(server *srv, plugin_config *s) { + return NULL; + } + ++ /* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */ ++ ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON); ++ + if (s->auth_ldap_starttls) { + /* if no CA file is given, it is ok, as we will use encryption + * if the server requires a CAfile it will tell us */ +diff --git a/src/mod_vhostdb_ldap.c b/src/mod_vhostdb_ldap.c +index e5362c40..234c2ba7 100644 +--- a/src/mod_vhostdb_ldap.c ++++ b/src/mod_vhostdb_ldap.c +@@ -256,6 +256,9 @@ static LDAP * mod_authn_ldap_host_init(server *srv, vhostdb_config *s) { + return NULL; + } + ++ /* restart ldap functions if interrupted by a signal, e.g. 
SIGCHLD */ ++ ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON); ++ + if (s->starttls) { + /* if no CA file is given, it is ok, as we will use encryption + * if the server requires a CAfile it will tell us */ +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch --- lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,60 @@ +From c81bd354b258121f6491f44f924bc7c715bd9389 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Sun, 8 Sep 2019 15:07:25 -0400 +Subject: [PATCH] [mod_auth] require digest uri= match original URI + +lighttpd requires a strict match between the request URI and the uri= +auth-param provided in the Authenticate header. lighttpd does not +attempt to determine if different URIs are semantically equivalent. + +This commit removes a condition which permitted an Authenticate header +with a uri= containing a query-string to be used with the request-uri +which did not contain any query-string. The condition was likely added +in the original implementation which operated on lighttpd request.uri +instead of the correct request.orig_uri (original URI sent to lighttpd). + +. + +HTTP Digest Access Authentication +https://www.rfc-editor.org/rfc/rfc7616.txt + +3.4.6. Various Considerations + + The authenticating server MUST assure that the resource designated by + the "uri" parameter is the same as the resource specified in the + Request-Line; if they are not, the server SHOULD return a 400 Bad + Request error. (Since this may be a symptom of an attack, server + implementers may want to consider logging such errors.) The purpose + of duplicating information from the request URL in this field is to + deal with the possibility that an intermediate proxy may alter the + client's Request-Line. This altered (but presumably semantically + equivalent) request would not result in the same digest as that + calculated by the client. 
+ +x-ref: + "HTTP Digest Access Authentication" + https://www.rfc-editor.org/rfc/rfc7616.txt + "HTTP digest authentication not compatible with some clients" + https://redmine.lighttpd.net/issues/2974 +--- + src/mod_auth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/mod_auth.c b/src/mod_auth.c +index 61d4c10c..49ab7a85 100644 +--- a/src/mod_auth.c ++++ b/src/mod_auth.c +@@ -1076,9 +1076,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, + * uri sent in client request. */ + { + const size_t ulen = strlen(uri); +- const size_t rlen = buffer_string_length(con->request.orig_uri); +- if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen) +- && !(rlen < ulen && 0 == memcmp(con->request.orig_uri->ptr, uri, rlen) && uri[rlen] == '?')) { ++ if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)) { + log_error_write(srv, __FILE__, __LINE__, "sbsssB", + "digest: auth failed: uri mismatch (", con->request.orig_uri, "!=", uri, "), IP:", con->dst_addr_buf); + buffer_free(b); +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch --- lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch 1969-12-31 19:00:00.000000000 -0500 +++ lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch 2020-03-21 19:30:00.000000000 -0400 
@@ -0,0 +1,25 @@ +From fa8856757c59e1ecea4dc1bd208a78c7e0a7eeea Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstra...@gluelogic.com> +Date: Wed, 16 Oct 2019 23:54:46 -0400 +Subject: [PATCH] [mod_openssl] reject invalid ALPN + +--- + src/mod_openssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mod_openssl.c b/src/mod_openssl.c +index f9a4fe82..27015f9a 100644 +--- a/src/mod_openssl.c ++++ b/src/mod_openssl.c +@@ -662,7 +662,7 @@ mod_openssl_alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char * + + for (unsigned int i = 0, n; i < inlen; i += n) { + n = in[i++]; +- if (i+n > inlen) break; ++ if (i+n > inlen || 0 == n) break; + switch (n) { + #if 0 + case 2: /* "h2" */ +-- +2.25.1 + diff -Nru lighttpd-1.4.53/debian/patches/series lighttpd-1.4.53/debian/patches/series --- lighttpd-1.4.53/debian/patches/series 2019-04-13 00:00:00.000000000 -0400 +++ lighttpd-1.4.53/debian/patches/series 2020-03-21 19:30:00.000000000 -0400 
@@ -3,3 +3,25 @@ core-fix-assertion-with-server.error-handler-fixes-2.patch mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch core-fix-abort-in-http-parseopts-fixes-2945.patch +core-remove-repeated-slashes-in-http-parseopts.patch +core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch +core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch +core-use-high-precision-stat-timestamp-in-etag.patch +mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch +core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch +core-issue-config-error-for-invalid-fixes-2980.patch +mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch +mod_authn_gssapi-option-to-store-delegated-creds-fix.patch +mod_auth-require-digest-uri-match-original-URI.patch +mod_auth-Authentication-Info-nextnonce.patch +mod_auth-http_auth_const_time_memeq-improvement.patch +mod_auth-http_auth_const_time_memeq_pad.patch +mod_auth-http_auth_const_time_memeq-2975-2976.patch +core-reject-WS-following-header-field-name-fixes-298.patch +core-reject-Transfer-Encoding-Content-Length-2985.patch +mod_openssl-reject-invalid-ALPN.patch +mod_accesslog-parse-multiple-cookies-fixes-2986.patch +core-preserve-2b-and-2B-in-query-string-fixes-2999.patch +mod_auth-close-connection-after-bad-password.patch +core-do-not-accept-server.max-connections.patch +config-update-var-run-run-for-systemd.patch
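Review bot: the rewritten scan in burl_normalize_path, `while (i < len && s[i] != '/') ++i;`, no longer advances when s[i] is already '/', which is what lets the following `if (s[i] == '/' && s[i+1] == '/')` see a leading "//" at position 0, but it also means progress of the enclosing loop now depends entirely on that loop stepping past the '/' it stopped on, and the outer increment is not in this hunk. A one-line comment stating that the caller advances i would make the contract explicit. The test hunk adds "//" and "/a//b" under HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE; add a trailing case such as "/a//" as well, since the `i < len` bound is the part that changed and the `s[i+1]` read at the end of the string is only covered by the `/*(s[len] != '/')*/` assumption.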
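Review bot: in the etag.c hunk the nanosecond field is appended as a plain decimal directly after the seconds field with no separator, so `buffer_append_int(etag, st->st_mtime);` followed by `buffer_append_int(etag, st->st_mtim.tv_nsec);` yields the same bytes for (seconds 1234, nsec 56) and (seconds 12345, nsec 6); append a separator or zero-pad tv_nsec to nine digits so the two fields cannot alias. The `#ifdef st_mtime` guard is a reasonable portability test, because POSIX.1-2008 requires st_mtime to be defined as a macro for st_mtim.tv_sec on systems that provide the struct timespec members, but the packaging notes should mention that every ETag changes once after the upgrade, so validators held by clients and proxies miss on their first revalidation.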
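Review bot: the mod_accesslog hunk ships without a test although the diffstat shows only src/mod_accesslog.c changed, and the fix is subtle: the new `while (*str != ';' && *str != ' ' && *str != '\t' && *str != '\0') ++str;` stops on the ';' so that the outer `} while (*str++ == ';');` keeps iterating, whereas the old `do { ++str; } while (...)` consumed the ';' together with the value and the loop therefore only ever examined the first cookie. Add cases for "a=1; b=2", for "a=1;b=2" (RFC 6265 specifies `cookie-pair *( ";" SP cookie-pair )` but clients vary) and for an empty pair "a=1;;b=2", where the inner loop makes no progress and termination relies on the post-increment in the outer condition.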
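Review bot: in mod_auth_digest_authentication_info the comments `/* generate nonce */` and `/* generate shared-secret */` do not describe the code under them, which hashes the timestamp and a li_rand_pseudo() value into the opaque half of nextnonce and derives no shared secret; reword them to say what is built (hex timestamp, ':', MD5 of timestamp and random value). In the mod_auth_check_digest hunk the threshold `else if (srv->cur_ts - ts > 540) { /*(9 mins)*/` is a bare number; give it a named constant defined beside the staleness limit tested by the preceding `if`, so the two cannot drift apart when one is tuned.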
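Review bot: the comment `/*(disable keep-alive if unknown user)*/` in the digest hunk of the close-connection patch understates what the branch covers, since the label is `case HANDLER_ERROR: default:` and so also catches backend failures such as an unreachable directory server; the connection is then dropped when the server, not the client, is at fault. Reword it to "if user lookup fails" to match the basic-auth hunk, and note in the package documentation that closing the connection only raises the per-guess cost for clients that reuse a connection; it does not replace rate limiting or lockout.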
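Review bot: replacing `if (0 != strcmp(a2, respons)) {` with `if (!http_auth_const_time_memeq(a2, respons, HASHHEXLEN)) {` in mod_auth_check_digest turns a NUL-terminated compare into a fixed 32-byte read of the client-supplied response= value; strcmp stopped at a short string's terminator, the new call does not, so confirm that the length of `respons` is checked against HASHHEXLEN before this point (no such check is in the hunk) or add one beside the call. In mod_authn_mysql the expression `? http_auth_const_time_memeq(HA1, md5pw, sizeof(md5pw)) ? 0 : 1 : -1;` is a nested conditional without parentheses; it does preserve the memcmp-style 0-on-match result, but wrap the inner conditional for readability.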
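Review bot: the padded compare in the http_auth_const_time_memeq improvement reads one byte past each input once the loop runs beyond that input's length, because `i += (i < alen);` stops at i == alen and the next iteration evaluates `av[i]`, that is av[alen]; this is harmless for the NUL-terminated arguments the callers pass (`CONST_BUF_LEN(password_buf)` and `pw, strlen(pw)` in mod_authn_file) but it is an undocumented precondition. State in the function comment that both arguments must be readable at index len, or clamp the index to the last valid byte instead. Also, `int diff = (alen != blen);` correctly forces a mismatch on differing lengths, but for alen == blen == 0 `lim` evaluates to 0, the loop never runs and diff stays 0; confirm that callers never reach this compare with an empty stored password.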
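Review bot: the subject "500 if fail to delegate creds" does not match the mod_authn_gssapi_check_spnego hunk: a missing `GSS_C_DELEG_FLAG` still does `goto end;` with rc left at HANDLER_UNSET, which the new `return rc != HANDLER_UNSET ? rc : mod_authn_gssapi_send_401_unauthorized_negotiate(con);` turns into another 401, so a client that authenticated but did not delegate is simply challenged again; only a failing mod_authn_gssapi_store_gss_creds produces the 500. Either extend the 500 to the no-delegation case as the subject promises or retitle the commit, and record which behaviour the package ships. The bare `{ ... }` block around the delegation checks reads as leftover scaffolding on its own; it only makes sense with the following store-creds patch, which turns it into `if (p->conf.auth_gssapi_store_creds) {`.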
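Review bot: `auth.backend.gssapi.store-creds` is introduced without any documentation change (the diffstat lists only src/mod_authn_gssapi.c), while the default set by `s->auth_gssapi_store_creds = 1;` carries the comment "default enabled for backwards compatibility; disable in future", so administrators cannot learn from the package that a later default flip will stop delegated credentials from being stored and remove the delegation requirement. Add a NEWS or README.Debian entry naming the option, its current default and the intended change. In mod_authn_gssapi_basic the new `if (!p->conf.auth_gssapi_store_creds) goto end;` relies on `ret` already holding the success value that the `end:` path returns; a comment stating that ret is 0 at this point would make the dependency visible.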
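Review bot: both LDAP hunks discard the return value of `ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);` although the lines directly above (`return NULL; }`) show the host init failing on errors from other calls; if the option is not honoured, the EINTR race from #2940 silently remains. Compare against LDAP_OPT_SUCCESS and at least log a failure, in both mod_authn_ldap.c and mod_vhostdb_ldap.c. The same three lines are now duplicated across the two modules (the vhostdb copy still carries the name mod_authn_ldap_host_init); a shared helper would keep them from drifting apart.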
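Review bot: the uri= hunk in mod_auth_check_digest tightens acceptance of client Authorization headers without a test (diffstat: only src/mod_auth.c); after the change a `uri="/path?q=1"` sent with a request-line of `/path` is rejected where the removed `rlen < ulen && 0 == memcmp(...) && uri[rlen] == '?'` branch previously accepted it. The commit message's argument that the branch only compensated for comparing against request.uri instead of request.orig_uri is convincing, but for a stable update add a test exercising uri= with and without a query string against con->request.orig_uri so the RFC 7616 section 3.4.6 behaviour is pinned, and spell out the compatibility effect for administrators.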
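Review bot: `if (i+n > inlen || 0 == n) break;` in mod_openssl_alpn_select_cb now abandons the whole ALPN walk on a zero-length protocol name instead of letting the old `switch (n)` silently skip it; that is the right choice, because RFC 7301 defines ProtocolName as 1..255 bytes, so an empty entry marks the list as malformed rather than merely unknown, but a short comment saying so would stop a later reader from "fixing" it back to continue. With `n = in[i++];` where n is unsigned int and in[] holds bytes, `i+n` cannot wrap, so the bounds test itself is sound.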