Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package lighttpd for openSUSE:Factory checked in at 2025-09-14 18:50:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lighttpd (Old) and /work/SRC/openSUSE:Factory/.lighttpd.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lighttpd" Sun Sep 14 18:50:10 2025 rev:72 rq:1304455 version:1.4.82 Changes: -------- --- /work/SRC/openSUSE:Factory/lighttpd/lighttpd.changes 2025-08-15 21:53:50.072546196 +0200 +++ /work/SRC/openSUSE:Factory/.lighttpd.new.1977/lighttpd.changes 2025-09-14 18:50:46.555606251 +0200 @@ -1,0 +2,14 @@ +Fri Sep 12 20:14:47 UTC 2025 - Andreas Stieger <[email protected]> + +- update to 1.4.82: + * restrict request trailers to configured list: + trailers in request headers will be ignored unless allowed + field names are explicitly configured in a comma-separated list + containing no spaces: + server.feature-flags += (“request.trailer-whitelist” => “…”) + This changes behavior from lighttpd 1.4.80, which added support + for request trailers and header merging, but did not restrict + request trailers. + * bug fixes + +------------------------------------------------------------------- Old: ---- lighttpd-1.4.80.tar.xz lighttpd-1.4.80.tar.xz.asc New: ---- lighttpd-1.4.82.tar.xz lighttpd-1.4.82.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lighttpd.spec ++++++ --- /var/tmp/diff_new_pack.7z8OVu/_old 2025-09-14 18:50:48.463686208 +0200 +++ /var/tmp/diff_new_pack.7z8OVu/_new 2025-09-14 18:50:48.483687046 +0200 @@ -23,7 +23,7 @@ %define pkg_version %{version} %define tarball_version %{version} Name: lighttpd -Version: 1.4.80 +Version: 1.4.82 Release: 0 Summary: A Secure, Fast, Compliant, and Very Flexible Web Server License: BSD-3-Clause ++++++ lighttpd-1.4.80.tar.xz -> lighttpd-1.4.82.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/.github/workflows/ci.yml new/lighttpd-1.4.82/.github/workflows/ci.yml --- old/lighttpd-1.4.80/.github/workflows/ci.yml 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/.github/workflows/ci.yml 2025-09-12 21:08:20.000000000 +0200 
@@ -30,7 +30,7 @@ platform: ['x64'] compiler: ['gcc'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Install packages run: | sudo apt-get update @@ -63,7 +63,7 @@ platform: ['x64'] compiler: ['clang'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Install packages run: | sudo apt-get update @@ -90,7 +90,7 @@ macOS: runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Install packages run: | brew install -q meson ninja pkg-config pcre2 perl \ @@ -110,7 +110,7 @@ DragonflyBSD: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: vmactions/dragonflybsd-vm@v1 with: usesh: true @@ -125,7 +125,7 @@ FreeBSD: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: vmactions/freebsd-vm@v1 with: usesh: true @@ -148,7 +148,7 @@ NetBSD: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: vmactions/netbsd-vm@v1 with: #usesh: true @@ -174,7 +174,7 @@ OpenBSD: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: vmactions/openbsd-vm@v1 with: usesh: true @@ -197,7 +197,7 @@ Solaris: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: vmactions/solaris-vm@v1 with: release: "11.4-gcc" @@ -246,7 +246,7 @@ CYGWIN: winsymlinks:native steps: - run: git config --global core.autocrlf input - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up env and create cache dir id: env shell: pwsh @@ -302,7 +302,7 @@ #env: # VCPKG_BINARY_SOURCES: "clear;x-gha,readwrite" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: ilammy/msvc-dev-cmd@v1 #- name: Install dependencies # run: vcpkg install --triplet ${{matrix.platform}}-windows openssl pcre2 zlib 
@@ -326,7 +326,7 @@ #platform: ['mingw32', 'mingw64', 'ucrt64', 'clang32', 'clang64'] steps: - run: git config --global core.autocrlf input - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: msys2/setup-msys2@v2 with: msystem: ${{matrix.platform}} @@ -361,7 +361,7 @@ matrix: platform: ['x86_64'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: jirutka/setup-alpine@v1 with: branch: latest-stable @@ -399,7 +399,7 @@ matrix: platform: ['x86','armhf','armv7','aarch64','ppc64le','riscv64','s390x'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: jirutka/setup-alpine@v1 with: # riscv64 currently requires 'edge' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/CMakeLists.txt new/lighttpd-1.4.82/CMakeLists.txt --- old/lighttpd-1.4.80/CMakeLists.txt 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/CMakeLists.txt 2025-09-12 21:08:20.000000000 +0200 @@ -1,6 +1,6 @@ cmake_minimum_required(VERSION 3.7.0 FATAL_ERROR) -project(lighttpd VERSION 1.4.80 LANGUAGES C) +project(lighttpd VERSION 1.4.82 LANGUAGES C) # use C11 with CMake >= 3.1 set(CMAKE_C_STANDARD 11) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/NEWS new/lighttpd-1.4.82/NEWS --- old/lighttpd-1.4.80/NEWS 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/NEWS 2025-09-12 21:08:20.000000000 +0200 
@@ -3,6 +3,19 @@ NEWS ==== +- 1.4.82 - 2025-09-12 + * [core] restrict request trailers to configured list + * [core] fix logic inversion in "toupper:" modifier + * [mod_redirect,mod_rewrite] ${url.authority.noport} token + * [cmake,mod_mbedtls] mbedx509 mbedcrypto order + * [mod_mbedtls] psa_crypto_init() for MBEDTLS_USE_PSA_CRYPTO (fixes #3288) + * [build] mod_mbedtls: use tfpsacrypto if found + * [ci] Bump actions/checkout from 4 to 5 + * [core] avoid chunk mem reallocation on read/recv + +- 1.4.81 - 2025-08-17 + * [core] security: fix to reject disallowed trailers + - 1.4.80 - 2025-08-13 * [doc] move comments in systemd lighttpd.service * [doc] refresh INSTALL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/SConstruct new/lighttpd-1.4.82/SConstruct --- old/lighttpd-1.4.80/SConstruct 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/SConstruct 2025-09-12 21:08:20.000000000 +0200 @@ -12,7 +12,7 @@ string_types = str package = 'lighttpd' -version = '1.4.80' +version = '1.4.82' underscorify_reg = re.compile('[^A-Z0-9]') def underscorify(id): 
@@ -640,13 +640,22 @@ if env['with_mbedtls']: if not autoconf.CheckLibWithHeader('mbedtls', 'mbedtls/ssl.h', 'C'): fail("Couldn't find mbedtls") - autoconf.env.Append( - CPPFLAGS = [ '-DHAVE_LIBMBEDCRYPTO' ], - LIBMBEDTLS = 'mbedtls', - LIBMBEDX509 = 'mbedx509', - LIBMBEDCRYPTO = 'mbedcrypto', - LIBCRYPTO = 'mbedcrypto', - ) + if autoconf.CheckLibWithHeader('tfpsacrypto', 'tf-psa-crypto/version.h', 'C'): + autoconf.env.Append( + CPPFLAGS = [ '-DHAVE_LIBMBEDCRYPTO' ], + LIBMBEDTLS = 'mbedtls', + LIBMBEDX509 = 'mbedx509', + LIBMBEDCRYPTO = 'tfpsacrypto', + LIBCRYPTO = 'tfpsacrypto', + ) + else: + autoconf.env.Append( + CPPFLAGS = [ '-DHAVE_LIBMBEDCRYPTO' ], + LIBMBEDTLS = 'mbedtls', + LIBMBEDX509 = 'mbedx509', + LIBMBEDCRYPTO = 'mbedcrypto', + LIBCRYPTO = 'mbedcrypto', + ) if env['with_nettle']: if not autoconf.CheckLibWithHeader('nettle', 'nettle/nettle-types.h', 'C'): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/configure.ac new/lighttpd-1.4.82/configure.ac --- old/lighttpd-1.4.80/configure.ac 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/configure.ac 2025-09-12 21:08:20.000000000 +0200 @@ -14,7 +14,7 @@ dnl function call, the argument should be on different lines than the dnl wrapping braces AC_PREREQ([2.60]) -AC_INIT([lighttpd],[1.4.80],[https://redmine.lighttpd.net/projects/lighttpd/boards/2],[lighttpd],[https://www.lighttpd.net/]) +AC_INIT([lighttpd],[1.4.82],[https://redmine.lighttpd.net/projects/lighttpd/boards/2],[lighttpd],[https://www.lighttpd.net/]) AC_CONFIG_SRCDIR([src/server.c]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) 
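Review bot: The two `autoconf.env.Append()` calls in the new if/else differ only in the crypto library name, so four identical keyword arguments are duplicated and can drift apart; computing the name once, `crypto = 'tfpsacrypto' if autoconf.CheckLibWithHeader('tfpsacrypto', 'tf-psa-crypto/version.h', 'C') else 'mbedcrypto'`, and passing `LIBMBEDCRYPTO = crypto, LIBCRYPTO = crypto` to a single Append keeps one source of truth. `-DHAVE_LIBMBEDCRYPTO` is defined in the tfpsacrypto case as well, so C code cannot tell the two libraries apart from this flag; if that is intended, a one-line comment saying tfpsacrypto is treated as a drop-in for mbedcrypto here would spare the next reader the question.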
@@ -742,17 +742,29 @@ if test "x$use_mbedtls" = "xyes"; then AC_CHECK_HEADERS([mbedtls/ssl.h]) OLDLIBS="$LIBS" - AC_CHECK_LIB(mbedcrypto, mbedtls_base64_encode, + AC_CHECK_LIB(tfpsacrypto, mbedtls_base64_encode, [AC_CHECK_LIB(mbedx509, mbedtls_x509_get_name, [AC_CHECK_LIB(mbedtls, mbedtls_ssl_init, - [MTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto" - CRYPTO_LIB="-lmbedcrypto" + [MTLS_LIBS="-lmbedtls -lmbedx509 -ltfpsacrypto" + CRYPTO_LIB="-ltfpsacrypto" AC_DEFINE(HAVE_LIBMBEDTLS, [1], [Have libmbedtls library]) AC_DEFINE(HAVE_LIBMBEDX509, [1], [Have libmbedx509 library]) AC_DEFINE(HAVE_LIBMBEDCRYPTO, [1], [Have libmbedcrypto library]) ], - [],[-lmbedx509 -lmbedcrypto "$DL_LIB"]) - ],[],[-lmbedcrypto "$DL_LIB"]) - ],[],[]) + [],[-lmbedx509 -ltfpsacrypto "$DL_LIB"]) + ],[],[-ltfpsacrypto "$DL_LIB"]) + ], + [AC_CHECK_LIB(mbedcrypto, mbedtls_base64_encode, + [AC_CHECK_LIB(mbedx509, mbedtls_x509_get_name, + [AC_CHECK_LIB(mbedtls, mbedtls_ssl_init, + [MTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto" + CRYPTO_LIB="-lmbedcrypto" + AC_DEFINE(HAVE_LIBMBEDTLS, [1], [Have libmbedtls library]) + AC_DEFINE(HAVE_LIBMBEDX509, [1], [Have libmbedx509 library]) + AC_DEFINE(HAVE_LIBMBEDCRYPTO, [1], [Have libmbedcrypto library]) ], + [],[-lmbedx509 -lmbedcrypto "$DL_LIB"]) + ],[],[-lmbedcrypto "$DL_LIB"]) + ],[],[]) + ],[]) LIBS="$OLDLIBS" AC_SUBST(MTLS_LIBS) AC_SUBST(CRYPTO_LIB) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/meson.build new/lighttpd-1.4.82/meson.build --- old/lighttpd-1.4.80/meson.build 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/meson.build 2025-09-12 21:08:20.000000000 +0200 
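Review bot: The tfpsacrypto branch and the mbedcrypto fallback are two copies of the same three nested AC_CHECK_LIB calls differing only in the library name, which is hard to keep in sync inside m4 bracket nesting; an m4 macro taking the crypto library name, or a shell loop over `tfpsacrypto mbedcrypto` that stops at the first success, would express the intent once. In the tfpsacrypto branch `AC_DEFINE(HAVE_LIBMBEDCRYPTO, [1], [Have libmbedcrypto library])` is still emitted, so config.h reports libmbedcrypto when tfpsacrypto was actually linked; if the define is deliberately reused to mean "mbedtls crypto API available", a comment such as `dnl HAVE_LIBMBEDCRYPTO is also set when linking tfpsacrypto (same API)` would document that.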
@@ -1,7 +1,7 @@ project( 'lighttpd', 'c', - version: '1.4.80', + version: '1.4.82', license: 'BSD-3-Clause', default_options: [ 'buildtype=debugoptimized', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/CMakeLists.txt new/lighttpd-1.4.82/src/CMakeLists.txt --- old/lighttpd-1.4.80/src/CMakeLists.txt 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/CMakeLists.txt 2025-09-12 21:08:20.000000000 +0200 @@ -470,13 +470,23 @@ if(WITH_MBEDTLS) check_include_files(mbedtls/ssl.h HAVE_MBEDTLS_SSL_H) if(HAVE_MBEDTLS_SSL_H) - check_library_exists(mbedcrypto mbedtls_base64_encode "" HAVE_LIBMBEDCRYPTO) + check_library_exists(tfpsacrypto mbedtls_base64_encode "" HAVE_LIBMBEDCRYPTO) if(HAVE_LIBMBEDCRYPTO) - set(CRYPTO_LIBRARY mbedcrypto) + set(CRYPTO_LIBRARY tfpsacrypto) + set(HAVE_LIBTFPSACRYPTO 1) check_library_exists(mbedtls mbedtls_ssl_init "" HAVE_LIBMBEDTLS) if(HAVE_LIBMBEDTLS) check_library_exists(mbedx509 mbedtls_x509_get_name "" HAVE_LIBMBEDX509) endif() + else() + check_library_exists(mbedcrypto mbedtls_base64_encode "" HAVE_LIBMBEDCRYPTO) + if(HAVE_LIBMBEDCRYPTO) + set(CRYPTO_LIBRARY mbedcrypto) + check_library_exists(mbedtls mbedtls_ssl_init "" HAVE_LIBMBEDTLS) + if(HAVE_LIBMBEDTLS) + check_library_exists(mbedx509 mbedtls_x509_get_name "" HAVE_LIBMBEDX509) + endif() + endif() endif() endif() else() 
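Review bot: The `else()` fallback repeats the mbedtls/mbedx509 probing verbatim from the tfpsacrypto branch, differing only in the library passed to the first check_library_exists() and in whether HAVE_LIBTFPSACRYPTO is set; a `foreach(_crypto tfpsacrypto mbedcrypto)` that breaks on the first HAVE_LIBMBEDCRYPTO hit and then runs the shared mbedtls/mbedx509 checks once would remove the duplication. HAVE_LIBMBEDCRYPTO is now true for either library, so a comment at the first check, `# HAVE_LIBMBEDCRYPTO is set for either tfpsacrypto or legacy mbedcrypto`, would keep later readers from assuming it means libmbedcrypto specifically.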
@@ -1213,7 +1223,11 @@ if(HAVE_LIBMBEDTLS AND HAVE_LIBMEDCRYPTO AND HAVE_LIBMEDX509) add_and_install_library(mod_mbedtls "mod_mbedtls.c") - set(L_MOD_MBEDTLS ${L_MOD_MBEDTLS} mbedtls mbedcrypto mbedx509) + if(HAVE_LIBTFPSACRYPTO) + set(L_MOD_MBEDTLS ${L_MOD_MBEDTLS} mbedtls mbedx509 tfpsacrypto) + else() + set(L_MOD_MBEDTLS ${L_MOD_MBEDTLS} mbedtls mbedx509 mbedcrypto) + endif() target_link_libraries(mod_mbedtls ${L_MOD_MBEDTLS}) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/chunk.c new/lighttpd-1.4.82/src/chunk.c --- old/lighttpd-1.4.80/src/chunk.c 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/chunk.c 2025-09-12 21:08:20.000000000 +0200 @@ -714,7 +714,7 @@ } /* allocate new chunk */ - b = chunkqueue_append_buffer_open_sz(cq, sz); + b = chunkqueue_append_buffer_open_sz(cq, sz+1); *len = buffer_string_space(b); return b->ptr; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/configfile.c new/lighttpd-1.4.82/src/configfile.c --- old/lighttpd-1.4.80/src/configfile.c 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/configfile.c 2025-09-12 21:08:20.000000000 +0200 @@ -18,6 +18,7 @@ #include "configfile.h" #include "plugin.h" #include "reqpool.h" +#include "request.h" #include "sock_addr.h" #include "stat_cache.h" #include "sys-crypto.h" 
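Review bot: The guard on the hunk's context line, `if(HAVE_LIBMBEDTLS AND HAVE_LIBMEDCRYPTO AND HAVE_LIBMEDX509)`, tests `HAVE_LIBMEDCRYPTO` and `HAVE_LIBMEDX509` (no "B"), while the variables set by check_library_exists() earlier in this file are `HAVE_LIBMBEDCRYPTO` and `HAVE_LIBMBEDX509`; unless the shorter names are defined somewhere not shown, an undefined variable is false in CMake and the whole block, including the new `if(HAVE_LIBTFPSACRYPTO)` link selection, is never reached. This is pre-existing, but the commit touches the block and is the natural place to spell them `HAVE_LIBMBEDCRYPTO AND HAVE_LIBMBEDX509` and then confirm mod_mbedtls really builds via the CMake path. The new branch also deserves a comment on the reorder that NEWS records as a fix, `# link order: mbedtls mbedx509 <crypto> (x509 depends on crypto)`.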
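Review bot: The `sz+1` on the changed line has no explanation in the hunk; presumably it reserves the byte for the terminating NUL so that `buffer_string_space(b)` on the next line reports at least `sz` usable bytes (NEWS describes this as avoiding a chunk mem reallocation on read/recv), and a comment, `/* +1: room for NUL so buffer_string_space(b) >= sz (avoids realloc) */`, would record that, marked as an assumption to confirm. If `sz` can approach the maximum of its type the addition wraps; whether the caller bounds it is not visible here, since the enclosing function begins before the hunk.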
@@ -917,6 +918,15 @@ config_plugin_value_to_bool( array_get_element_klen(cpv->v.a, CONST_STR_LEN("server.absolute-dir-redirect")), 0); + { + const data_unset *du = + array_get_element_klen(cpv->v.a, + CONST_STR_LEN("request.trailer-whitelist")); + if (du && du->type == TYPE_STRING) { + buffer *trailer_whitelist = &((data_string *)du)->value; + http_request_trailer_set_whitelist(trailer_whitelist); + } + } break; default:/* should not happen */ break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/h1.c new/lighttpd-1.4.82/src/h1.c --- old/lighttpd-1.4.80/src/h1.c 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/h1.c 2025-09-12 21:08:20.000000000 +0200 @@ -643,6 +643,8 @@ if (NULL == v) break; /*(final blank line; v already validated)*/ uint32_t klen = (uint32_t)(v - k); do { ++v; } while (*v == ' ' || *v == '\t'); + if (!http_request_trailer_check_whitelist(k, klen)) + continue; /*(checked in http_request_trailers_check())*/ /*if (*v == '\r' || *v == '\n') continue;*/ enum http_header_e id = http_header_hkey_get(k, klen); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/keyvalue.c new/lighttpd-1.4.82/src/keyvalue.c --- old/lighttpd-1.4.80/src/keyvalue.c 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/keyvalue.c 2025-09-12 21:08:20.000000000 +0200 @@ -270,7 +270,7 @@ p+=6; } else if (0 == strncmp((const char *)p, "upper:", 6)) { - flags |= BURL_TOLOWER; + flags |= BURL_TOUPPER; p+=6; } else { /* skip unrecognized to... */ 
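Review bot: A `request.trailer-whitelist` value that is present but not a string fails the `du->type == TYPE_STRING` test and is silently skipped, so a mistyped flag leaves the whitelist unset and every request trailer ignored with no diagnostic; an `else if (du)` branch reporting the wrong type through the config-error logging this file already uses would surface that at startup. The buffer handed to `http_request_trailer_set_whitelist()` is the config array's own `data_string` value taken by non-const pointer, which suggests the callee keeps and possibly edits it; a comment at the call, `/* value is retained (and normalized) by request.c; config array must outlive server */`, makes the lifetime coupling visible here, hedged since the callee lives in another file.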
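Review bot: The parenthetical `/*(checked in http_request_trailers_check())*/` on the added `continue` is ambiguous: it can be read as saying the whitelist test itself is redundant, when what the hunk shows is the whitelist being applied while trailers are merged into headers. A fuller comment, `/* drop trailers not in request.trailer-whitelist; field-name validity of k was already established in http_request_trailers_check() */`, states both facts, the second hedged because that function is outside this view. The enclosing loop begins before the hunk.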
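Review bot: The one-token fix `flags |= BURL_TOUPPER;` has no regression test in this commit (tests/request.t only gains a trailer case), and an inverted flag here fails no build and no existing test, which is how it survived into a release. A test exercising the `upper:` modifier and asserting an upper-cased result would pin the behaviour now that it is correct.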
@@ -309,6 +309,19 @@ burl_append(b, BUF_PTR_LEN(burl->query), flags); p+=5; } + else if (0 == strncmp((const char *)p, "authority.noport}", 17)) { + /*(note: specific to authority; + * not implemented as "noport:" BURL_* token)*/ + if (burl->authority) { + const char * const colon = strrchr(burl->authority->ptr, ':'); + uint32_t len = buffer_clen(burl->authority); + const char * const ptr = burl->authority->ptr; + if (colon && ptr[len-1] != ']') + len = (uint32_t)(colon - ptr); + burl_append(b, ptr, len, flags); + } + p+=16; + } else { /* skip unrecognized url.* */ p = (const unsigned char *)strchr((const char *)p, '}'); if (NULL == p) return -1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/meson.build new/lighttpd-1.4.82/src/meson.build --- old/lighttpd-1.4.80/src/meson.build 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/meson.build 2025-09-12 21:08:20.000000000 +0200 
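Review bot: The `17` in `strncmp((const char *)p, "authority.noport}", 17)` and the `p+=16` below it are unrelated magic numbers that must be kept in step with the literal; `sizeof("authority.noport}")-1` for the compare, with a comment that the closing `}` is consumed by the caller (the `query}` branch above follows the same convention with `p+=5`), makes the pairing explicit. The `colon && ptr[len-1] != ']'` test is only safe because `colon` is evaluated first (an empty authority has no colon, so `ptr[len-1]` is never read with `len == 0`); a short comment, `/* bracketed IPv6 literal without port ends in ']'; colon check guarantees len >= 1 */`, would keep a later reordering from introducing an out-of-bounds read.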
@@ -379,12 +379,30 @@ if not(libmbedx509.found()) libmbedx509 = [ compiler.find_library('mbedx509') ] endif - libmbedcrypto = dependency('mbedcrypto', required: false) + libmbedcrypto = dependency('tfpsacrypto', required: false) + if not(libmbedcrypto.found()) + libmbedcrypto = compiler.find_library('tfpsacrypto', required: false, disabler: true) + if (libmbedcrypto.found()) + libmbedcrypto = [ libmbedcrypto ] + endif + endif + if not(libmbedcrypto.found()) + libmbedcrypto = dependency('mbedcrypto', required: false) + endif if not(libmbedcrypto.found()) libmbedcrypto = [ compiler.find_library('mbedcrypto') ] endif if compiler.get_define('FORCE_GNUTLS_CRYPTO') == '' and compiler.get_define('FORCE_OPENSSL_CRYPTO') == '' and compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' - libcrypto = dependency('mbedcrypto', required: false) + libcrypto = dependency('tfpsacrypto', required: false) + if not(libcrypto.found()) + libcrypto = compiler.find_library('tfpsacrypto', required: false, disabler: true) + if (libcrypto.found()) + libcrypto = [ libcrypto ] + endif + endif + if not(libcrypto.found()) + libcrypto = dependency('mbedcrypto', required: false) + endif if not(libcrypto.found()) libcrypto = [ compiler.find_library('mbedcrypto') ] endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/mod_mbedtls.c new/lighttpd-1.4.82/src/mod_mbedtls.c --- old/lighttpd-1.4.80/src/mod_mbedtls.c 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/mod_mbedtls.c 2025-09-12 21:08:20.000000000 +0200 @@ -1229,6 +1229,11 @@ static void * network_mbedtls_load_pemfile (server *srv, const buffer *pemfile, const buffer *privkey) { + #if defined(MBEDTLS_USE_PSA_CRYPTO) + if (!mod_mbedtls_init_once_mbedtls(srv)) + return NULL; + #endif + mod_mbedtls_kp * const kp = mod_mbedtls_kp_init(); int rc; 
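Review bot: The lookup sequence for `libmbedcrypto` (pkg-config tfpsacrypto, then compiler.find_library, then pkg-config mbedcrypto, then find_library) is repeated verbatim for `libcrypto` inside the FORCE_*_CRYPTO condition; since both probe the same libraries in the same order, `libcrypto = libmbedcrypto` in that branch would yield the same result without the second copy, assuming nothing between the two blocks reassigns `libmbedcrypto`. The `disabler: true` together with `required: false` on find_library also deserves a comment, `# disabler keeps a missing lib from aborting; .found() stays false and we fall through`, because the wrapping into `[ libmbedcrypto ]` happens only on the found path and a reader may wonder why.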
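Review bot: The new `#if defined(MBEDTLS_USE_PSA_CRYPTO)` block calls `mod_mbedtls_init_once_mbedtls(srv)` before key parsing with no comment on why PSA needs it at this point; NEWS ties the change to `psa_crypto_init()` for MBEDTLS_USE_PSA_CRYPTO (fixes #3288), so `/* MBEDTLS_USE_PSA_CRYPTO: psa_crypto_init() must run before PK/X509 parsing */` would record the reason, hedged because the init function body is not shown. The same guarded call appears in the later hunk at the `ssl.ca-file`/`ssl.ca-dn-file` cases; one comment at the definition of `mod_mbedtls_init_once_mbedtls()` explaining the PSA requirement would cover both sites.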
@@ -2115,9 +2120,9 @@ __attribute_fallthrough__ case 2: /* ssl.ca-file */ case 3: /* ssl.ca-dn-file */ - #if 0 /* defer; not necessary for pemfile parsing */ + #if defined(MBEDTLS_USE_PSA_CRYPTO) if (!mod_mbedtls_init_once_mbedtls(srv)) return HANDLER_ERROR; - #endif + #endif /* else defer; not necessary for pemfile parsing */ if (!buffer_is_blank(cpv->v.b)) { mbedtls_x509_crt *cacert = ck_calloc(1, sizeof(*cacert)); mbedtls_x509_crt_init(cacert); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/request.c new/lighttpd-1.4.82/src/request.c --- old/lighttpd-1.4.80/src/request.c 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/request.c 2025-09-12 21:08:20.000000000 +0200 @@ -558,7 +558,8 @@ /* note: Trailer header (if set) is left set as info for backends. * To remove Trailer, would have to check for trailer merging into * headers after all trailers processed */ - http_header_request_append(r, id, k, klen, v, vlen); + if (http_request_trailer_check_whitelist(k, klen)) + http_header_request_append(r, id, k, klen, v, vlen); } else { /* trailers currently ignored if streaming request, 
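Review bot: A trailer that fails `http_request_trailer_check_whitelist()` is now dropped with no trace, while a name on the disallowed list earns a 400 in http_request_trailer_check(); this two-tier policy is not stated near the changed line, and an operator whose backend stops receiving a trailer after the upgrade has nothing in the logs to go on. A comment, `/* trailers not in request.trailer-whitelist are silently dropped (disallowed names were already rejected with 400) */`, plus a debug-level trace of the dropped field name if the file has such a facility, would help. The preceding note that the Trailer header is left set for backends now also means a backend may see Trailer naming fields that were never merged; the comment should say so. The enclosing function extends beyond the hunk.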
@@ -1445,6 +1446,37 @@ } +static buffer *trailer_whitelist; + + +__attribute_cold__ +void +http_request_trailer_set_whitelist (buffer *b) +{ + if (buffer_string_is_empty(b)) + b = NULL; + else if (b->ptr[buffer_clen(b)-1] != ',') + buffer_append_char(b, ','); /*see http_request_trailer_check_whitelist*/ + trailer_whitelist = b; +} + + +__attribute_cold__ +__attribute_pure__ +int +http_request_trailer_check_whitelist (const char *k, const uint32_t klen) +{ + if (!trailer_whitelist) return 0; + const char *s = trailer_whitelist->ptr; + for (const char *comma; (comma = strchr(s, ',')); s = comma+1) { + uint32_t n = (uint32_t)(comma - s); + if (n == klen && buffer_eq_icase_ssn(k, s, n)) + return 1; + } + return 0; +} + + __attribute_cold__ int http_request_trailer_check (request_st * const restrict r, http_trailer_parse_ctx * const restrict tpctx) @@ -1467,7 +1499,7 @@ if (__builtin_expect( (id != HTTP_HEADER_OTHER), 1)) { /*(recognizing label name establishes label name * does not contain bad whitespace or CTL chars)*/ - /* explicitly reject certain field names disallows in trailers + /* explicitly reject certain field names disallowed in trailers * (XXX: list can be expanded further) * https://datatracker.ietf.org/doc/html/rfc7230#section-4.1.2 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Trailer @@ -1475,7 +1507,7 @@ * Choosing to reject Connection,Proxy-Connection in trailers. * Choosing to reject Forwarded,Upgrade,WWW-Authenticate in trailers */ - if (id + if (light_bshift(id) & (light_bshift(HTTP_HEADER_AUTHORIZATION) |light_bshift(HTTP_HEADER_AGE) |light_bshift(HTTP_HEADER_CACHE_CONTROL) 
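Review bot: `http_request_trailer_set_whitelist()` appends a ',' to the caller's buffer and then stores the pointer, so the config value is both modified in place and retained for the server's lifetime, and neither fact is stated above the function; a header comment, `/* normalizes b in place (ensures trailing ',' sentinel for the strchr loop in check_whitelist) and retains the pointer; b must outlive the server */`, belongs there. The format the changelog documents, comma-separated with no spaces, is not enforced: with `"Foo, Bar"` the second entry is compared as " Bar" and never matches, so a misconfiguration silently disables that trailer; since this runs once at config load, rejecting or stripping whitespace here would turn that into a startup diagnostic. `__attribute_cold__` on `http_request_trailer_check_whitelist()` is doubtful for a function invoked once per trailer field on every chunked request carrying trailers, and the prototype in request.h does not carry it.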
@@ -1501,6 +1533,7 @@ |light_bshift(HTTP_HEADER_TE) |light_bshift(HTTP_HEADER_TRANSFER_ENCODING) |light_bshift(HTTP_HEADER_UPGRADE) + |light_bshift(HTTP_HEADER_USER_AGENT) |light_bshift(HTTP_HEADER_VARY) |light_bshift(HTTP_HEADER_WWW_AUTHENTICATE))) return http_request_header_line_invalid(r, 400, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/src/request.h new/lighttpd-1.4.82/src/request.h --- old/lighttpd-1.4.80/src/request.h 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/src/request.h 2025-09-12 21:08:20.000000000 +0200 @@ -288,6 +288,12 @@ __attribute_pure__ const char * http_request_field_check_value (const char * restrict v, uint32_t vlen, unsigned int http_header_strict); +__attribute_cold__ +void http_request_trailer_set_whitelist (buffer *b); + +__attribute_pure__ +int http_request_trailer_check_whitelist (const char *k, uint32_t klen); + int http_request_trailer_check (request_st * restrict r, http_trailer_parse_ctx * restrict htctx); int http_request_trailers_check (request_st * restrict r, char *t, uint32_t tlen, const buffer *trailer); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/tests/lighttpd.conf new/lighttpd-1.4.82/tests/lighttpd.conf --- old/lighttpd-1.4.80/tests/lighttpd.conf 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/tests/lighttpd.conf 2025-09-12 21:08:20.000000000 +0200 
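Review bot: The declaration `__attribute_pure__ int http_request_trailer_check_whitelist (...)` lacks the `__attribute_cold__` that the definition in request.c carries, so the two sides disagree; given the function runs once per trailer field on every chunked request with trailers, dropping `cold` from the definition rather than adding it here looks like the right reconciliation. `http_request_trailer_set_whitelist (buffer *b)` takes a non-const pointer because it normalizes and retains the buffer, which callers cannot see from the prototype; a one-line comment here, `/* b is normalized in place and retained; must outlive the server */`, is needed. `pure` on a function that reads a mutable static is only valid because the whitelist is set once at config load; stating that invariant next to the prototype protects it.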
@@ -17,6 +17,7 @@ server.tag = "lighttpd-1.4.x" server.feature-flags += ( "auth.delay-invalid-creds" => "disable" ) +server.feature-flags += ( "request.trailer-whitelist" => "test-trailer" ) server.dir-listing = "enable" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lighttpd-1.4.80/tests/request.t new/lighttpd-1.4.82/tests/request.t --- old/lighttpd-1.4.80/tests/request.t 2025-08-13 15:07:22.000000000 +0200 +++ new/lighttpd-1.4.82/tests/request.t 2025-09-12 21:08:20.000000000 +0200 @@ -8,7 +8,7 @@ use strict; use IO::Socket; -use Test::More tests => 171; +use Test::More tests => 172; use LightyTest; my $tf = LightyTest->new(); @@ -297,6 +297,24 @@ ok($tf->handle_http($t) == 0, 'POST via Transfer-Encoding: chunked, echo trailer'); $t->{REQUEST} = ( <<EOF +POST /cgi.pl?env=HTTP_TEST_TRAILER HTTP/1.1 +Host: www.example.org +Connection: close +Content-Type: application/x-www-form-urlencoded +Transfer-Encoding: chunked +Trailer: Content-Length + +a +0123456789 +0 +Content-Length: 0 + +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 400 } ]; +ok($tf->handle_http($t) == 0, 'POST via Transfer-Encoding: chunked, disallowed trailer'); + +$t->{REQUEST} = ( <<EOF POST /cgi.pl?post-len HTTP/1.1 Host: www.example.org Connection: close
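Review bot: The new case covers only the disallowed-name path (`Content-Length` in a trailer yielding 400); the other behaviour this release introduces, a well-formed trailer that is merely absent from `request.trailer-whitelist` being ignored rather than merged, has no test here. A copy of the earlier echo-trailer request sending a name other than `test-trailer` (the value tests/lighttpd.conf now sets), e.g. `Trailer: X-Not-Whitelisted` with a trailing `X-Not-Whitelisted: 1` and `cgi.pl?env=HTTP_X_NOT_WHITELISTED`, expecting 200 and an empty body, would pin that, with the plan bumped to `tests => 173`. What cgi.pl prints for an unset variable is not visible in this hunk, so the expected content should be checked against that script.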
