Your message dated Tue, 7 Apr 2020 14:39:07 -0400
with message-id <20200407183907.GA5621@xps13>
and subject line 955833-done
has caused the Debian Bug report #955833,
regarding lighttpd: Get requests send invalid data for files above 30kB
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
955833: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955833
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.55-1
Severity: important

Dear Maintainer,

Here is a very weird bug. I'll try to explain...

GET requests send invalid data for files above 30kB when connecting to the
server over http. But GET requests send good data when connecting over https.

I've done my investigations using png image files, having different sizes. I've
also tested with different client software: firefox 74.0, gnome-web 3.34.4,
and wget 1.20.3. And I used a minimalistic server configuration file that can
be found as an attachment.

Thanks for your help!

Guillaume


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lighttpd depends on:
ii  libattr1      1:2.4.48-5
ii  libbz2-1.0    1.0.8-2
ii  libc6         2.30-4
ii  libcrypt1     1:4.4.15-1
ii  libfam0       2.7.0-17.3
ii  libpcre3      2:8.39-12+b1
ii  libssl1.1     1.1.1d-2
ii  lsb-base      11.1.0
ii  mime-support  3.64
ii  zlib1g        1:1.2.11.dfsg-2

Versions of packages lighttpd recommends:
ii  perl        5.30.0-9
pn  spawn-fcgi  <none>

Versions of packages lighttpd suggests:
pn  apache2-utils               <none>
pn  lighttpd-doc                <none>
pn  lighttpd-mod-authn-gssapi   <none>
pn  lighttpd-mod-authn-pam      <none>
pn  lighttpd-mod-authn-sasl     <none>
pn  lighttpd-mod-cml            <none>
pn  lighttpd-mod-geoip          <none>
pn  lighttpd-mod-magnet         <none>
pn  lighttpd-mod-maxminddb      <none>
pn  lighttpd-mod-trigger-b4-dl  <none>
pn  lighttpd-mod-vhostdb-dbi    <none>
pn  lighttpd-mod-vhostdb-pgsql  <none>
pn  lighttpd-mod-webdav         <none>
pn  lighttpd-modules-ldap       <none>
pn  lighttpd-modules-mysql      <none>
ii  openssl                     1.1.1d-2
ii  php-cgi                     2:7.3+69
ii  php7.0-cgi [php-cgi]        7.0.31-1
ii  php7.3-cgi [php-cgi]        7.3.15-3
pn  rrdtool                     <none>

-- Configuration Files:
/etc/lighttpd/conf-available/10-ssl.conf changed:
server.modules += ( "mod_openssl" )
$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/cert.pem"
        ssl.privkey = "/etc/lighttpd/privkey.pem"
        ssl.cipher-list = "HIGH"
}

/etc/lighttpd/conf-available/90-debian-doc.conf changed:
$HTTP["remoteip"] =~ "^127\.0\.0\.1$|^::1$" {
        alias.url += (
        #       "/cgi-bin/" => "/usr/lib/cgi-bin/",
                "/doc/" => "/usr/share/doc/",
                "/images/" => "/usr/share/images/"
        )
        $HTTP["url"] =~ "^/doc/|^/images/" {
                dir-listing.activate = "enable"
        }
        $HTTP["url"] =~ "^/cgi-bin/" {
                cgi.assign = ( "" => "" )
        }
}

/etc/lighttpd/lighttpd.conf changed:
server.modules = (
        "mod_indexfile",
        "mod_access",
        "mod_alias",
        "mod_redirect",
)
server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)
index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", 
"text/html", "text/plain" )
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
server.compat-module-load   = "disable"
server.modules += (
        "mod_compress",
        "mod_dirlisting",
        "mod_staticfile",
)


-- no debconf information

--- End Message ---
--- Begin Message ---
not a bug in lighttpd

--- End Message ---
