Package: lighttpd
Version: 1.4.55-1
Severity: important
Dear Maintainer,
Here is a very weird bug. I'll try to explain...
GET requests send invalid data for files above 30kB when connecting to the
server over http. But GET requests send good data when connecting over https.
I've done my investigations using png image files, having different sizes. I've
also tested with different client software: firefox 74.0, gnome-web 3.34.4,
and wget 1.20.3. And I used a minimalistic server configuration file that can
be found as an attachment.
Thanks for your help!
Guillaume
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lighttpd depends on:
ii libattr1 1:2.4.48-5
ii libbz2-1.0 1.0.8-2
ii libc6 2.30-4
ii libcrypt1 1:4.4.15-1
ii libfam0 2.7.0-17.3
ii libpcre3 2:8.39-12+b1
ii libssl1.1 1.1.1d-2
ii lsb-base 11.1.0
ii mime-support 3.64
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages lighttpd recommends:
ii perl 5.30.0-9
pn spawn-fcgi <none>
Versions of packages lighttpd suggests:
pn apache2-utils <none>
pn lighttpd-doc <none>
pn lighttpd-mod-authn-gssapi <none>
pn lighttpd-mod-authn-pam <none>
pn lighttpd-mod-authn-sasl <none>
pn lighttpd-mod-cml <none>
pn lighttpd-mod-geoip <none>
pn lighttpd-mod-magnet <none>
pn lighttpd-mod-maxminddb <none>
pn lighttpd-mod-trigger-b4-dl <none>
pn lighttpd-mod-vhostdb-dbi <none>
pn lighttpd-mod-vhostdb-pgsql <none>
pn lighttpd-mod-webdav <none>
pn lighttpd-modules-ldap <none>
pn lighttpd-modules-mysql <none>
ii openssl 1.1.1d-2
ii php-cgi 2:7.3+69
ii php7.0-cgi [php-cgi] 7.0.31-1
ii php7.3-cgi [php-cgi] 7.3.15-3
pn rrdtool <none>
-- Configuration Files:
/etc/lighttpd/conf-available/10-ssl.conf changed:
server.modules += ( "mod_openssl" )
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/cert.pem"
    ssl.privkey = "/etc/lighttpd/privkey.pem"
    ssl.cipher-list = "HIGH"
}
/etc/lighttpd/conf-available/90-debian-doc.conf changed:
$HTTP["remoteip"] =~ "^127\.0\.0\.1$|^::1$" {
    alias.url += (
        # "/cgi-bin/" => "/usr/lib/cgi-bin/",
        "/doc/" => "/usr/share/doc/",
        "/images/" => "/usr/share/images/"
    )
    $HTTP["url"] =~ "^/doc/|^/images/" {
        dir-listing.activate = "enable"
    }
    $HTTP["url"] =~ "^/cgi-bin/" {
        cgi.assign = ( "" => "" )
    }
}
/etc/lighttpd/lighttpd.conf changed:
server.modules = (
    "mod_indexfile",
    "mod_access",
    "mod_alias",
    "mod_redirect",
)
server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
server.http-parseopts = (
    "header-strict"            => "enable", # default
    "host-strict"              => "enable", # default
    "host-normalize"           => "enable", # default
    "url-normalize-unreserved" => "enable", # recommended highly
    "url-normalize-required"   => "enable", # recommended
    "url-ctrls-reject"         => "enable", # recommended
    "url-path-2f-decode"       => "enable", # recommended highly (unless breaks app)
    #"url-path-2f-reject"      => "enable",
    "url-path-dotseg-remove"   => "enable", # recommended highly (unless breaks app)
    #"url-path-dotseg-reject"  => "enable",
    #"url-query-20-plus"       => "enable", # consistency in query string
)
index-file.names = ( "index.php", "index.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css",
                      "text/html", "text/plain" )
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
server.compat-module-load = "disable"
server.modules += (
    "mod_compress",
    "mod_dirlisting",
    "mod_staticfile",
)
-- no debconf information