ChangeLog
2023-11-20 18:17 bluhm
* usr.sbin/httpd/: httpd.h, server.c, server_fcgi.c: Avoid a NULL
dereference when handling a malformed fastcgi request.
Rework the hack to avoid a use-after-free in the fastcgi code.
Since server_fcgi() can be called by server_read_httpcontent() we
can't set clt_fcgi_error to NULL. Instead, we implement a simple
reference count to track when a fastcgi session is in progress to
avoid closing the http session prematurely on fastcgi error.
Based on a diff from and OK by tb@. Reported by Ben Kallus.
from millert@
this is errata/7.3/020_httpd.patch.sig
2023-11-20 18:14 bluhm
* usr.sbin/httpd/: httpd.h, server.c, server_fcgi.c: Avoid a NULL
dereference when handling a malformed fastcgi request.
Rework the hack to avoid a use-after-free in the fastcgi code.
Since server_fcgi() can be called by server_read_httpcontent() we
can't set clt_fcgi_error to NULL. Instead, we implement a simple
reference count to track when a fastcgi session is in progress to
avoid closing the http session prematurely on fastcgi error.
Based on a diff from and OK by tb@. Reported by Ben Kallus.
from millert@
this is errata/7.4/006_httpd.patch.sig
2023-11-08 19:19 millert
* usr.sbin/httpd/: httpd.h, server.c, server_fcgi.c: Avoid a NULL
dereference when handling a malformed fastcgi request.
Rework the hack to avoid a use-after-free in the fastcgi code.
Since server_fcgi() can be called by server_read_httpcontent() we
can't set clt_fcgi_error to NULL. Instead, we implement a simple
reference count to track when a fastcgi session is in progress to
avoid closing the http session prematurely on fastcgi error.
Based on a diff from and OK by tb@. Reported by Ben Kallus.
2023-11-08 11:17 deraadt
* usr.sbin/httpd/patterns.7: remove accidental double space
2023-11-03 13:03 espie
* usr.sbin/httpd/httpd.conf.5: Be explicit in saying what a shell
pattern is. I'm not a big fan of idiosyncratic lua patterns,
especially in that context, but pointing towards them and not
mentioning glob(7) is thoroughly confusing. Don't push lua
patterns down people's throats !
At least you know what the incredibly fuzzy "shell patterns"
refers to now !
okay millert@, jmc@
2023-10-29 11:27 kn
* usr.sbin/httpd/httpd.conf.5: Unmention/don't explain SSL, drop 9y
old "ssl" keyword/deprecation warning
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in
the last ten years, "ssl" is now an error.
Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS
section.
OK benno
2023-09-24 08:28 tb
* share/mk/bsd.regress.mk: Make REGRESS_LOG more useful again
Enabling REGRESS_FAIL_EARLY made REGRESS_LOG error out at the
first error, which is pointless. So default to no if REGRESS_LOG
is set unless the user explicitly enabled it.
Requested by claudio ok bluhm
2023-09-15 07:13 tb
* share/mk/bsd.regress.mk: Default REGRESS_FAIL_EARLY to yes
The current fail open behavior may be desirable in some
circumstances, but it is an unexpected and dangerous default
since one expects some kind of feedback when running a test
suite. Currently failing tests are only visible on inspecting the
log, which led to unsuspecting people missing failures several
times in the past. Flip the default to fail closed. For those
that want to have the old behavior, it is easy enough to set the
variable to no.
Positive feedback job and schwarze ok kn
2023-09-03 10:18 nicm
* usr.sbin/httpd/server.c: Use EVBUFFER_DATA instead of reaching
into struct evbuffer. ok tb
2023-08-17 07:25 op
* usr.sbin/httpd/httpd.conf.5: use "example.com" instead of
"default" as server name in the various examples: it matches the
sample config and avoids tricking the user into thinking that
"default" as server name has a special meaning.
While here, document also that http uses the first server
matching the listening port when there's no match on the server
name. (was corrected on this by Crystal Kolipe, thanks)
ok kn on a previous version, improvements from sthen and jmc, ok
sthen
2023-07-12 12:46 tb
* usr.sbin/httpd/: httpd.h, server.c, server_fcgi.c: Work around
use after free in httpd(8)
A malformed HTTP request can cause httpd in fastcgi mode to crash
due to a use-after-free. This is an awful hack, but it's good
enough until someone figures out the correct way of dealing with
server_close() here.
Reported by Jesper Wallin <jesper () ifconfig.se>
"this will do the trick for now" claudio ok beck deraadt
This is errata/7.2/029_httpd.patch.sig
2023-07-12 12:46 tb
* usr.sbin/httpd/: httpd.h, server.c, server_fcgi.c: Work around
use after free in httpd(8)
A malformed HTTP request can cause httpd in fastcgi mode to crash
due to a use-after-free. This is an awful hack, but it's good
enough until someone figures out the correct way of dealing with
server_close() here.
Reported by Jesper Wallin <jesper () ifconfig.se>
"this will do the trick for now" claudio ok beck deraadt
2023-07-12 12:37 tb
* usr.sbin/httpd/: httpd.h, server.c, server_fcgi.c: Work around
use after free in httpd(8)
A malformed HTTP request can cause httpd in fastcgi mode to crash
due to a use-after-free. This is an awful hack, but it's good
enough until someone figures out the correct way of dealing with
server_close() here.
"this will do the trick for now" claudio ok beck deraadt
2023-03-08 04:43 guenther
* usr.sbin/httpd/control.c: Delete obsolete /* ARGSUSED */ lint
comments.
ok miod@ millert@
2023-02-15 20:44 tobhe
* usr.sbin/httpd/proc.c: proc_ispeer() is not used anywhere anymore
so remove it everywhere.
ok florian@ bluhm@ ok for vmd mlarkin@
2022-12-28 21:30 jmc
* usr.sbin/httpd/config.c: spelling fixes; from paul tagliamonte
any parts of his diff not taken are noted on tech
2022-12-09 09:30 tb
* share/mk/bsd.regress.mk: Allow overriding default run-regress-*
targets
Overriding a default run-regress-* target with custom commands is
already possible and done by many tests. The fact that it
currently works depends on behavior in the BUGs section of
make.1, however. The fix is not to add commands if the target is
already defined with commands.
tested by anton correct fix from espie, ok anton
2022-10-24 15:02 jmc
* usr.sbin/httpd/: httpd.8, httpd.h: remove unused references to
httpd.sock; found by dante catalfamo ok florian
2022-09-21 05:55 yasuoka
* usr.sbin/httpd/server_http.c: Default request message body size
should be 0.
ok claudio
2022-09-02 07:38 benno
* usr.sbin/httpd/: httpd.c, httpd.conf.5: Make newer mime type
definitions take precedence over existing ones.
Patch from Ben Fuller <ben -AT- bvnf -DOT- space>, helped along
by florian@ ok florian@ and some mumblings from claudio who does
not want okays in httpd.
2022-09-01 20:36 tb
* usr.sbin/httpd/server_http.c: ugly whitespace
2022-08-28 11:11 jsg
* lib/libc/crypt/blowfish.c: remove unused blowfish inline defines
inline use was removed in 1998
2022-08-15 12:29 claudio
* usr.sbin/httpd/: httpd.h, server_fcgi.c: Neither clt_descreq nor
clt_descresp in struct client need to be void *. They both are
only used as struct http_descriptor. OK tb@
2022-08-15 10:29 claudio
* usr.sbin/httpd/server_fcgi.c: For FCGI_END_REQUEST reset the clt
struct similar to what is done in the file and other cases.
Especially when the session uses keep-alive it is important to
set TOREAD_HTTP_HEADER so that the state machine knows what's
next. OK op@
2022-08-15 09:40 op
* usr.sbin/httpd/server_file.c: plug some memory leaks in
server_file_index when failures occur
namelist and its entries are not freed if escape_html fails or if
we fail in the inner loop. Move scandir later so it's closer to
the for loop and handle escape_html and url_encode failures.
With lots of help from tb, thanks!
ok tb@
2022-08-15 09:36 op
* usr.sbin/httpd/server_http.c: plug a fd leak in read_errdoc if
fstat fails or if the file is empty
tweak/ok tb@
2022-08-12 08:40 claudio
* usr.sbin/httpd/server_fcgi.c: Use break instead of return so that
a HEAD request still consumes all data. OK op@
2022-08-12 06:41 op
* usr.sbin/httpd/server_fcgi.c: fix regression introduced in
previous commit. HEAD replies don't have a body so
server_fcgi_error shouldn't print the end marker.
OK claudio@
2022-08-11 14:25 op
* usr.sbin/httpd/server_fcgi.c: correctly handle an abnormal
fastcgi termination. httpd handles the disconnection from the
fastcgi application via server_file_error which assumes that the
reply was completely done. However, if the fastcgi reply wasn't
complete (e.g. because slowcgi hit the timeout) the HTTP clients
are left "hanging" and waiting for a reply until they give up.
This adds a server_fcgi_error callback to handle the "no headers"
and "incomplete data" cases and properly close the reply before
falling back to server_file_error.
OK claudio@
2022-05-04 18:57 deraadt
* lib/libc/gen/vis.c: Found two multiple evaluation macros. One of
them so long and scary it took many people to unravel correctly
and place into a static function. While here, move the flags
bits into local variables, which reduces the amount of () in the
checks. help from millert, miod, tedu
2022-03-31 17:27 naddy
* usr.bin/htpasswd/htpasswd.1: man pages: add missing commas
between subordinate and main clauses
jmc@ dislikes a comma before "then" in a conditional, so leave
those untouched.
ok jmc@
2022-03-09 13:50 jsg
* usr.sbin/httpd/httpd.conf.5: bandwith -> bandwidth
2022-03-04 01:46 deraadt
* usr.sbin/httpd/server_file.c: Only provide the .gz file if
timestamp is >= the non-gzip file. Make sure it is a regular
file. Use the timestamp of the non-gzip file as the
last-modified timestamp, as proposed by claudio. ok claudio
bluhm millert
2022-03-02 23:27 deraadt
* usr.sbin/httpd/server_file.c: struct stat from early file
inspection was being used after actual file open() which means
the stat could refer to the wrong file. Mostly this relates to
st_size use. This bug could mean that httpd sends new files
truncated to the old length, saying "I am sure you have the
correct file now"? Could have other bad effects. ok tb millert
bluhm
2022-03-02 19:52 tb
* usr.sbin/httpd/server_file.c: Simplify .gz handling a bit
Combine strlcpy + strlcat into a single snprintf and remove a few
unnecessary parentheses.
ok deraadt millert
2022-03-02 11:10 florian
* usr.sbin/httpd/: httpd.c, httpd.h, server_fcgi.c, server_http.c:
Nothing uses kv_flags.
John (j AT bitminer.ca) pointed out that we didn't correctly
initialize struct kv and might use slower KV_FLAG_GLOBBING path
in kv_find depending on stack garbage. Instead of fixing the
initialization just delete kv_flags from struct kv.
OK claudio, tb
2022-02-27 20:30 bluhm
* usr.sbin/httpd/: httpd.conf.5, httpd.h, parse.y, server_file.c:
Add gzip-static option to httpd. This allows to deliver
precompressed files with content-encoding gzip. from prx at si3t
dot ch; OK tracey@
2022-02-18 10:24 jsg
* usr.sbin/httpd/patterns.7: prefer https links in man pages ok
gnezdo@ miod@ jmc@
2021-12-22 15:54 bluhm
* regress/usr.sbin/httpd/tests/: Client.pm, LICENSE, Makefile,
funcs.pl: Replace deprecated IO::Socket::INET6 with
IO::Socket::IP.
2021-12-04 06:52 florian
* usr.sbin/httpd/proc.c: Do not setup pipes between SERVER
processes, they don't talk to each other. Since this generates a
full mesh, the amount of filedescriptors needed grows
quadratically with the amount of configured prefork processes.
Might fix an out of filedescriptor bug that beck is seeing. OK
benno
2021-12-02 17:10 kn
* regress/usr.sbin/httpd/tests/Makefile: Tell testers which
packages to install right away (and why)
Other regress tests do it differently; just fix/touch those
that did not mention any package name at all.
This helps grepping logs for SKIPPED to find instructions for the
next run.
2021-11-29 01:04 djm
* include/blf.h, lib/libc/crypt/blowfish.c: Niels agreed to remove
the advertising clause; switching these to 3-term BSD license.
2021-11-11 15:52 claudio
* usr.sbin/httpd/server_http.c: Move the assignment of http_query
down. Also do not assign a non-malloced string to it since the
code assumes it can call free on it. Fixes crashes noticed by
tobhe@ and florian@ OK otto@ tobhe@
2021-11-05 19:01 benno
* usr.sbin/httpd/server_http.c: Perform stricter checking on the
version string (which RFC 7230 says must be "HTTP" "/" DIGIT "."
DIGIT), and answer 505 version not supported when the number is
outside of what we support, and 400 bad request when the version
format is wrong. from Ross L Richardson, thanks! ok claudio@
2021-10-24 16:01 ian
* usr.sbin/httpd/: config.c, httpd.conf.5, httpd.h, parse.y,
server_http.c: Add httpd custom error page facility. Adapted by
me from https://github.com/mpfr/httpd-plus. Improvements from &
(earlier version) reads fine to tracey@; improvements & OK this
version benno@, florian@. Thanks.
2021-10-23 15:52 benno
* usr.sbin/httpd/server_fcgi.c: * stop sending the content for head
requests, even when it's supplied by the fcgi. Required by RFC
7231 and RFC 3875 section 4.3.2. * If the client sends an empty
body without a Content-Length: do not add the Content-Length if
it's a HEAD request. If it's a HEAD request, the
Content-Length should show the size of the equivalent GET
request, but we don't know how much that will be so don't lie.
found by and fix suggested by Ross L Richardson, Thanks!
Additionally:
* when the fcgi supplies a Content-Length header, do not remove
it and set Transfer-Encoding: chunked. Instead, leave the
Content-Length header in place, as obviously the fcgi knows how
much data will come.
ok claudio@
2021-10-23 15:30 benno
* usr.sbin/httpd/server_http.c: annotate a 413 error with "request
body too large" in the error log. ok claudio@
2021-10-22 08:51 benno
* usr.sbin/httpd/server_http.c: return unsupported version for
version less than HTTP/0.9 and higher than HTTP/1.9. Downgrade
version >= HTTP/1.2++ to 1.1.
Found by "J. K." (openbsd DOT list AT krottmayer DOT com) ok
claudio@
2021-10-21 11:48 benno
* usr.sbin/httpd/server_http.c: when a client sends header lines
without a colon, respond with 400 Bad Request instead of 500
Internal Server Error. ok claudio@
2021-10-15 15:01 naddy
* usr.sbin/httpd/parse.y: Don't declare variables as "unsigned char
*" that are passed to functions that take "char *" arguments.
Where such chars are assigned to int or passed to ctype
functions, explicitly cast them to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@ ok benno@ deraadt@
2021-10-05 17:40 anton
* regress/usr.sbin/httpd/tests/: Httpd.pm, Makefile, Proc.pm: add
missing sudo and handle arguments
2021-08-31 23:33 bluhm
* share/mk/bsd.regress.mk: Make include bsd.prog.mk is supporting
PROGS for a while. Allow multiple programs also in
bsd.regress.mk for consistency. OK anton@
2021-07-14 13:33 kn
* usr.sbin/httpd/server.c: Remove unneeded calls to tls_init(3)
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls."
initialisation is handled automatically by other tls_*(3)
functions.
Remove explicit tls_init() calls from base to not give the
impression of it being needed.
Feedback tb OK Tests mestre
2021-07-12 15:09 beck
* usr.bin/htpasswd/htpasswd.c: Change the error reporting pattern
throughout the tree when unveil fails to report the path that the
failure occurred on. Suggested by deraadt@ after some tech
discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
2021-06-07 10:53 tb
* usr.sbin/httpd/httpd.conf.5: tweak previous: avoid markup and
refer to an HTTP header only by its name as is done elsewhere on
this page.
pointed out by jmc
2021-06-06 22:00 tb
* usr.sbin/httpd/httpd.conf.5: appease mandoc -Tlint
2021-06-06 21:59 tb
* usr.sbin/httpd/httpd.conf.5: Add .Pp for consistency with all
other config blocks.
2021-05-20 15:12 florian
* usr.sbin/httpd/server_fcgi.c: Fix previous. Only set
Content-Length when we know the body is empty and we disable
chunked encoding. Otherwise we break the nextcloud app again :/
Pointed out by Matthias Pressfreund, thanks!
2021-05-19 19:42 florian
* usr.sbin/httpd/server_fcgi.c: When we disable "Transfer-Encoding:
chunked" in the fastcgi backend because we are going to send an
empty body we have to provide "Content-Length: 0" otherwise some
browsers (Firefox, Safari) just hang until httpd(8) closes the
connection. Problem reported by Matthias Pressfreund, debugged
with weerd@ who pointed out that the problem is browser
dependent. OK tracey
2021-05-17 09:26 florian
* usr.sbin/httpd/: httpd.h, server_fcgi.c: Do not try to chunk
encode an empty http body coming from an fcgi upstream.
Found the hard way by Chris Narkiewicz who tracked failing
uploads in the nextcloud mobile app down to httpd(8) trying to
chunk encode a "204 No Content" response.
Testing by Steve Williams Testing & OK stsp
2021-05-15 15:08 florian
* usr.sbin/httpd/server_fcgi.c: Remove outdated comment. We got all
httpd headers from the fcgi server at this point.
2021-04-29 18:23 dv
* usr.sbin/httpd/server_file.c: Use relative reference URIs in
Location header on directory redirects.
This adds support for front-ending httpd(8) with a
TLS-terminating gateway like relayd(8) that forwards unencrypted
http traffic.
Previously httpd(8) would use a full URL in the Location header
in 301 redirects when a user-agent requests a directory but
without the trailing '/'. If the user-agent originally connected
with https, this caused the redirected url to be http.
This change conforms to RFC7231 section 7.1.2.
Reported by Vincent Lee.
OK claudio@
2021-04-20 21:11 dv
* usr.sbin/httpd/: control.c, httpd.h, proc.c: Move TAILQ
initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the
TAILQs are initialized separate from where they are used. Since
the scope of use is generally confined to a specific control
process file, this commit also removes any extern definitions and
exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
2021-04-10 10:10 claudio
* usr.sbin/httpd/: httpd.h, parse.y, server.c: Do not compare TLS
config params for non-TLS servers. This allows to mix 'listen *
port 80' and 'listen * tls port 443' in one server block. Also
the last argument of server_tls_cmp - match_keypair - is always 0
so remove this code. OK florian@ tb@ some long time ago
2021-04-06 06:28 jmc
* usr.sbin/httpd/httpd.conf.5: use "braces" consistently; fastcgi
can take multiple options; original issue and text from laurence
tratt, with updates from raf czlonka
2021-03-16 06:44 otto
* usr.sbin/httpd/server_file.c: A socket buffer is not the best
size to read from a disk. Use st_blksize to set high water mark;
florian@
2021-01-27 07:21 deraadt
* usr.sbin/httpd/: httpd.c, httpd.h, logger.c: these programs (with
common ancestry) had a -fno-common problem related to
privsep_procid. ok mortimer
2021-01-22 13:07 benno
* usr.sbin/httpd/parse.y: fix a memory leak, found by rob@ in
relayd.
ok tb@
2021-01-18 18:47 tb
* usr.sbin/httpd/parse.y: Fix httpd example config
A server configuration yields multiple struct server_config in
the env->sc_servers queue: an actual server ("parent") and one
for each location directive in httpd.conf. In
parent_configure(), the parents are configured first, then the
corresponding locations.
parse.y r1.118 kills the parent if an error is encountered on
loading the TLS keypairs but leaves the locations in the
sc_servers queue. When running the default config without TLS
keys already in place, this then leads to the self-explanatory
"invalid location" error message. Its intention is to indicate
the unexpected situation that config_setserver() encounters a
location without an associated server.
Fix this by not only destroying the parent but also removing all
of its locations.
ok jsing
2021-01-05 19:56 tb
* usr.sbin/httpd/server_http.c: unwrap a line
2021-01-02 18:35 tb
* usr.sbin/httpd/server.c: Pull tls_close() and tls_free() further
up, so tls_free() will already be in the right spot once
tls_close() is handled by libevent.
suggested by jsing
2021-01-02 18:31 tb
* usr.sbin/httpd/server.c: Call tls_close() before closing the
underlying socket
In order to end a TLS connection regularly, an implementation
MUST send a close_notify alert. libtls does this in tls_close()
via SSL_shutdown(), so the socket had better still be open.
The incorrect order in server_close() caused a leak on each tls
connection due to a bug in libssl (fixed in tls_record_layer.c
r1.56).
As pointed out by claudio, tls_close() should really be handled
from the main event loop. This will be addressed in a later
commit.
ok claudio florian jsing
2020-12-31 14:17 tb
* usr.sbin/httpd/server.c: Don't leak the log message in
server_sendlog
While there, use the length calculated by vasprintf() instead of
using strlen needlessly.
ok claudio florian
2020-12-31 14:15 tb
* usr.sbin/httpd/logger.c: Don't leak access.log and error.log on
reload.
ok florian
2020-12-30 18:40 benno
* usr.sbin/httpd/parse.y: getifaddrs() can return entries where
ifa_addr is NULL. Check for this before accessing anything in
ifa_addr. ok claudio@
2020-12-17 14:54 bluhm
* share/mk/bsd.regress.mk: Run setup_once targets in a separate
block with headline before all other targets. OK tb@
2020-12-17 00:51 bluhm
* regress/usr.sbin/httpd/tests/Makefile: Remove echo headlines.
2020-12-16 16:53 bluhm
* share/mk/bsd.regress.mk: When debugging tests, it is useful to
see the target name and which output belongs to it. Echo
headline with regress target and empty line afterwards. OK
sthen@ tb@ OK claudio@
2020-11-20 20:39 jung
* usr.sbin/httpd/parse.y: remove an unused struct
from Edgar Pettijohn
ok kn
2020-11-04 10:34 denis
* etc/examples/httpd.conf: Back out last commit.
Some devs are not convinced.
2020-11-02 20:30 denis
* etc/examples/httpd.conf: acme response challenge location to
issue better error code
Notified to me by jmc@
Diff by Matthias Pressfreund <mpfr @ fn de>, thanks
2020-10-29 12:30 denis
* usr.sbin/httpd/: httpd.conf.5, httpd.h, parse.y, server_http.c:
Add location (found|not found) option to test for resource path
existence.
Diff by Matthias Pressfreund <mpfr @ fn de>. Thanks.
2020-10-26 19:31 denis
* usr.sbin/httpd/parse.y: Do not allow duplicate "location"
directive.
Found and fix by Matthias Pressfreund <mpfr @ fn de>. Thanks.
2020-10-11 03:21 tb
* usr.sbin/httpd/: parse.y, server.c: Handle absence of TLS certs
while parsing the config
There is a soft fail mechanism to handle missing certs for
seamless interaction with acme-client. Move this to the config
parser. This is simpler than server.c r1.117 and avoids a crash
due to listening on port 443 without having set up the TLS
context first. More precisely, the crash happens if a server with
missing certificate is visited via https in a configuration where
there is a second server with valid certificate and key.
From Joshua Sing (joshua at hypera dot dev)
ok benno
2020-09-21 09:42 tobhe
* usr.sbin/httpd/config.c: Fix memory leak in "iov".
ok jca@
2020-09-12 07:34 yasuoka
* usr.sbin/httpd/: http.h, server_fcgi.c, server_http.c: Use the
original requested URI for REQUEST_URI.
ok millert florian
2020-09-05 11:49 tb
* usr.sbin/httpd/httpd.conf.5: httpd(8) uses TLSv1.3 and TLSv1.2 by
default
Update the httpd.conf(5) manual to reflect this. Initially
prompted by a question from tj and reminded by a diff from Navan
Carson.
ok kn
2020-08-29 07:53 florian
* usr.sbin/httpd/httpd.h: typo; pointed out by Matthias (mpfr AT
fn.de), thanks!
2020-08-26 06:50 florian
* usr.sbin/httpd/: config.c, httpd.h, parse.y: Set fastcgi socket
default on server and location. This allows "fastcgi" directly
inside of a server directive without specifying socket.
OK tracey
2020-08-25 13:50 tracey
* usr.sbin/httpd/parse.y: check that fcgiport string value is
within range remove redundant error message tweaks and ok
florian@
2020-08-24 15:49 tracey
* usr.sbin/httpd/: config.c, httpd.conf.5, httpd.h, parse.y,
server_fcgi.c: Add support for non-localhost fastcgi sockets.
Lots of review time kn@ Lots of review time, tweaks, and ok
florian@
2020-08-03 11:05 benno
* usr.sbin/httpd/: httpd.c, httpd.h: remove unused functions from
Ross L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok
claudio@
2020-08-03 10:59 benno
* usr.sbin/httpd/server_http.c: remove another tautology from Ross
L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03 10:58 benno
* usr.sbin/httpd/server_fcgi.c: remove unused assignment from Ross
L Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03 10:57 benno
* usr.sbin/httpd/proc.c: remove tautological condition from Ross L
Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-08-03 10:55 benno
* usr.sbin/httpd/config.c: remove dead assignments from Ross L
Richardson <openbsd AT rlr DOT id DOT au>, Thanks ok claudio@
2020-07-30 21:06 benno
* usr.sbin/httpd/: httpd.c, httpd.h: Remove the unused function
canonicalize_host(), it was copied from relayd. Found by Ross L
Richardson, Thanks.
2020-07-25 21:12 benno
* usr.sbin/httpd/httpd.h: remove unused enum key_type, copied
initially from relays. found by Ross L Richardson, thanks! ok
deraadt@
2020-07-06 13:33 pirofti
* lib/libc/crypt/bcrypt.c: Add support for timecounting in userland.
This diff exposes parts of clock_gettime(2) and gettimeofday(2)
to userland via libc liberating processes from the need for a
context switch every time they want to count the passage of time.
If a timecounter clock can be exposed to userland then it needs
to set its tc_user member to a non-zero value. Tested with one or
multiple counters per architecture.
The timing data is shared through a pointer found in the new ELF
auxiliary vector AUX_openbsd_timekeep containing timehands
information that is frequently updated by the kernel.
Timing differences between the last kernel update and the current
time are adjusted in userland by the tc_get_timecount() function
inside the MD usertc.c file.
This permits a much more responsive environment, quite visible in
browsers, office programs and gaming (apparently one is able
to fly in Minecraft now).
Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many
others!
OK from at least kettenis@, cheloha@, naddy@, sthen@
2020-05-22 07:18 bentley
* usr.sbin/httpd/: server_file.c, server_http.c: Use the simpler
HTML5 idiom to declare charset in autogenerated pages.
This came from a suggestion by Andras Farkas to replace use of
XHTML self-closing tags.
ok cwen@ danj@ florian@
2020-05-18 14:40 cwen
* usr.sbin/httpd/: server_file.c, server_http.c: httpd: add a "dark
mode" in directory listings and error pages
Introduce a new "dark mode" for httpd(8) directory listings and
error pages, using the prefers-color-scheme css function. It uses
the colorscheme already used in OpenBSD project websites.
This version will only be displayed if the user's browser
specifically sends a "prefer darker themes if available" request.
Input from florian@, danj@ and clematis.
OK florian@, danj@ (on a previous version with the wrong
background color)
2020-05-16 16:58 jmc
* usr.sbin/httpd/httpd.conf.5: list example files in FILES with a
short description: generally, "Example configuration file.", but
occasionally something else fit better; at the same time, try to
make the format for FILES more consistent;
original diff from clematis
2020-04-23 21:10 jmc
* usr.sbin/httpd/httpd.conf.5: replace examples of "Ic arg Ic arg"
with "Ic arg arg" and stop the spread;
2020-02-25 15:18 sthen
* usr.sbin/httpd/: httpd.conf.5, server_http.c: httpd: allow
$REQUEST_SCHEME in redirect targets, ok jung@ florian@
Sometimes you want to redirect a request to another site but
maintaining the same type of connection (http or https) as the
original request. Allow a $REQUEST_SCHEME variable to be used in
redirect locations to allow this, e.g.
location "/cgi-bin/foobar*" { block return 302
"$REQUEST_SCHEME://foobar.example.org$REQUEST_URI" }
2020-02-09 09:44 florian
* usr.sbin/httpd/: httpd.conf.5, httpd.h, parse.y, server_fcgi.c:
Implement "strip" option for fastcgi to be able to have multiple
chroots under /var/www for FastCGI servers. From Nazar Zhuk
(nazar AT zhuk DOT online), thanks! Ok benno
2020-01-14 20:48 benno
* usr.sbin/httpd/server_http.c: Pick the value for "max requests
number" from the correct server {} section in the config, by
moving the code down where the Host: header has been read and the
correct server configuration selected.
Note that it may not be that useful to have this option per
server, because it is valid to send requests with different Host:
headers over the same tcp connection.
problem noted and diff from Tracey Emery, thanks! ok florian@
2019-11-04 14:58 benno
* usr.sbin/httpd/server_http.c: remove useless NULL check, it's
checked 7 lines further up. found by Clemens Goessnitzer, ok and
prodded by florian@
2019-10-22 09:31 florian
* usr.sbin/httpd/server_http.c: Do not log "(null)" in debug
logging. OK deraadt
2019-10-14 11:07 florian
* usr.sbin/httpd/server.c: httpd(8) sent a 408 response every time
a connection request timeout was reached. This is not what other
servers are doing, it leads to ugly log messages and might
confuse some clients. benno@ analyzed that the correct behavior
is (probably) to send a 408 when we are in the middle of
receiving headers and time out there and just close the
connection in all other cases. In particular, if a connection
gets opened and no request is received at all just close the
connection. If a connection is set to keep-alive and a request
was handled and no further request is coming in just close the
connection. The latter is the usual cause for spurious log
messages and client confusion.
Reported over the years by many. Input, explanations and OK
benno
2019-07-12 19:31 bluhm
* regress/usr.sbin/httpd/tests/Makefile: Test should also run if
there is no obj directory. Name regress targets consistently
with a run- prefix.
2019-06-28 13:32 deraadt
* usr.sbin/httpd/: parse.y, server.c: When system calls indicate an
error they return -1, not some arbitrary value < 0. errno is
only updated in this case. Change all (most?) callers of
syscalls to follow this better, and let's see if this strictness
helps us in the future.
2019-06-17 17:20 espie