[pkg-lighttpd] r338 - in lighttpd/trunk/debian: . patches

madcoder at alioth.debian.org madcoder at alioth.debian.org
Sat Sep 27 10:02:33 UTC 2008


Author: madcoder
Date: 2008-09-27 10:02:31 +0000 (Sat, 27 Sep 2008)
New Revision: 338

Added:
   lighttpd/trunk/debian/patches/lighttpd-1.4.x_request_header_memleak.patch
   lighttpd/trunk/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
   lighttpd/trunk/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch
Modified:
   lighttpd/trunk/debian/changelog
   lighttpd/trunk/debian/patches/series
Log:
security fixes

Modified: lighttpd/trunk/debian/changelog
===================================================================
--- lighttpd/trunk/debian/changelog	2008-09-27 09:57:20 UTC (rev 337)
+++ lighttpd/trunk/debian/changelog	2008-09-27 10:02:31 UTC (rev 338)
@@ -1,8 +1,13 @@
-lighttpd (1.4.19-5) UNRELEASED; urgency=low
+lighttpd (1.4.19-5) unstable; urgency=high
 
   * Remove the alias.url stanza from 10-cgi.conf (Closes: #499334).
+  * Add patches for lighttpd security 2008-05 to 2008-07 (no CVE yet):
+    + patches/lighttpd-1.4.x_request_header_memleak.patch
+    + patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
+    + patches/lighttpd-1.4.x_userdir_lowercase.patch
+  * Urgency set to high for security fix.
 
- -- Pierre Habouzit <madcoder at debian.org>  Sat, 27 Sep 2008 11:56:34 +0200
+ -- Pierre Habouzit <madcoder at debian.org>  Sat, 27 Sep 2008 12:00:47 +0200
 
 lighttpd (1.4.19-4) unstable; urgency=high
 

Added: lighttpd/trunk/debian/patches/lighttpd-1.4.x_request_header_memleak.patch
===================================================================
--- lighttpd/trunk/debian/patches/lighttpd-1.4.x_request_header_memleak.patch	                        (rev 0)
+++ lighttpd/trunk/debian/patches/lighttpd-1.4.x_request_header_memleak.patch	2008-09-27 10:02:31 UTC (rev 338)
@@ -0,0 +1,50 @@
+--- src/request.c.orig
++++ src/request.c
+@@ -825,6 +825,7 @@
+ 												"request-header:\n",
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+ 
+@@ -874,6 +875,7 @@
+ 												"request-header:\n",
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+ 							} else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Expect")))) {
+@@ -911,6 +913,7 @@
+ 												"request-header:\n",
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+ 							} else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-Modified-Since")))) {
+@@ -936,6 +939,7 @@
+ 												"request-header:\n",
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+ 							} else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-None-Match")))) {
+@@ -953,6 +957,7 @@
+ 												"request-header:\n",
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+ 							} else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Range")))) {
+@@ -976,6 +981,7 @@
+ 												"request-header:\n",
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+ 							}
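Review bot: The call `array_insert_unique(con->request.headers, (data_unset *)ds);` is pasted into six separate early-return branches of src/request.c, and none of them carries a comment saying why a header on an error path is still inserted. These branches are reached while parsing request headers, so a later early return added without the call would presumably bring the leak back. A single shared cleanup path would be more robust; at minimum each call could carry a comment such as `/* hand ds to the header array so it is released with the request */`. The enclosing function starts and ends outside these hunks, so it cannot be confirmed from here that every exit between the allocation of `ds` and the normal insert is covered.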

Added: lighttpd/trunk/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
===================================================================
--- lighttpd/trunk/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch	                        (rev 0)
+++ lighttpd/trunk/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch	2008-09-27 10:02:31 UTC (rev 338)
@@ -0,0 +1,122 @@
+--- src/mod_rewrite.c.orig
++++ src/mod_rewrite.c
+@@ -350,7 +350,11 @@
+ 
+ 	if (!p->conf.rewrite) return HANDLER_GO_ON;
+ 
+-	buffer_copy_string_buffer(p->match_buf, con->request.uri);
++	buffer_copy_string_buffer(p->match_buf, con->uri.path);
++	if (con->uri.query->used > 0) {
++		buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
++		buffer_append_string_buffer(p->match_buf, con->uri.query);
++	}
+ 
+ 	for (i = 0; i < p->conf.rewrite->used; i++) {
+ 		pcre *match;
+--- src/response.c.orig
++++ src/response.c
+@@ -224,27 +224,6 @@
+ 		}
+ 
+ 
+-		/**
+-		 *
+-		 * call plugins
+-		 *
+-		 * - based on the raw URL
+-		 *
+-		 */
+-
+-		switch(r = plugins_call_handle_uri_raw(srv, con)) {
+-		case HANDLER_GO_ON:
+-			break;
+-		case HANDLER_FINISHED:
+-		case HANDLER_COMEBACK:
+-		case HANDLER_WAIT_FOR_EVENT:
+-		case HANDLER_ERROR:
+-			return r;
+-		default:
+-			log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
+-			break;
+-		}
+-
+ 		/* build filename
+ 		 *
+ 		 * - decode url-encodings  (e.g. %20 -> ' ')
+@@ -252,7 +231,6 @@
+ 		 */
+ 
+ 
+-
+ 		if (con->request.http_method == HTTP_METHOD_OPTIONS &&
+ 		    con->uri.path_raw->ptr[0] == '*' && con->uri.path_raw->ptr[1] == '\0') {
+ 			/* OPTIONS * ... */
+@@ -268,6 +246,28 @@
+ 			log_error_write(srv, __FILE__, __LINE__,  "sb", "URI-path     : ", con->uri.path);
+ 		}
+ 
++
++		/**
++		 *
++		 * call plugins
++		 *
++		 * - based on the raw URL
++		 *
++		 */
++
++		switch(r = plugins_call_handle_uri_raw(srv, con)) {
++		case HANDLER_GO_ON:
++			break;
++		case HANDLER_FINISHED:
++		case HANDLER_COMEBACK:
++		case HANDLER_WAIT_FOR_EVENT:
++		case HANDLER_ERROR:
++			return r;
++		default:
++			log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
++			break;
++		}
++
+ 		/**
+ 		 *
+ 		 * call plugins
+--- tests/mod-rewrite.t.orig
++++ tests/mod-rewrite.t
+@@ -8,7 +8,7 @@
+ 
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 5;
++use Test::More tests => 4;
+ use LightyTest;
+ 
+ my $tf = LightyTest->new();
+@@ -44,5 +44,13 @@
+ 	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'bar&a=b' } ];
+ 	ok($tf->handle_http($t) == 0, 'valid request');
+ 
++	$t->{REQUEST}  = ( <<EOF
++GET %2Frewrite/f%6Fo?a=b HTTP/1.0
++Host: www.example.org
++EOF
++ );
++	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'a=b' } ];
++	ok($tf->handle_http($t) == 0, 'valid request with url encoded characters');
++
+ 	ok($tf->stop_proc == 0, "Stopping lighttpd");
+ }
+--- src/mod_redirect.c.orig
++++ src/mod_redirect.c
+@@ -178,7 +178,11 @@
+ 
+ 	mod_redirect_patch_connection(srv, con, p);
+ 
+-	buffer_copy_string_buffer(p->match_buf, con->request.uri);
++	buffer_copy_string_buffer(p->match_buf, con->uri.path);
++	if (con->uri.query->used > 0) {
++		buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
++		buffer_append_string_buffer(p->match_buf, con->uri.query);
++	}
+ 
+ 	for (i = 0; i < p->conf.redirect->used; i++) {
+ 		pcre *match;
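Review bot: In src/mod_rewrite.c and src/mod_redirect.c the match buffer is now the decoded `con->uri.path`, then `?`, then `con->uri.query`, and nothing in the code documents that mixed form. A path that decodes to contain a literal `?` would look the same to a rule as the path/query boundary, and rules written against the raw request URI may stop matching. A comment above each block such as `/* match_buf = url-decoded path + '?' + query; rules see the decoded path */` would help administrators re-check rules they rely on for access decisions. The identical five-line block in both modules would also be better as one shared helper. Separately, tests/mod-rewrite.t lowers the plan to `tests => 4` while adding a new `ok()`; the rest of that file is outside the hunk, so confirm the plan matches the number of assertions that actually run.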

Added: lighttpd/trunk/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch
===================================================================
--- lighttpd/trunk/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch	                        (rev 0)
+++ lighttpd/trunk/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch	2008-09-27 10:02:31 UTC (rev 338)
@@ -0,0 +1,38 @@
+--- src/mod_userdir.c.orig
++++ src/mod_userdir.c
+@@ -262,6 +262,9 @@
+ 				return HANDLER_GO_ON;
+ 			}
+ 		}
++		if (con->conf.force_lowercase_filenames) {
++			buffer_to_lower(p->username);
++		}
+ 
+ 		buffer_copy_string_buffer(p->temp_path, p->conf.basepath);
+ 		BUFFER_APPEND_SLASH(p->temp_path);
+@@ -284,8 +287,24 @@
+ 		}
+ 	}
+ 
++	/* the physical rel_path is basically the same as uri.path;
++	 * but it is converted to lowercase in case of force_lowercase_filenames and some special handling
++	 * for trailing '.', ' ' and '/' on windows
++	 * we assume that no docroot/physical handler changed this
++	 * (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path;
++	 *  the exception mod_secure_download doesn't work with userdir anyway)
++	 */
+ 	BUFFER_APPEND_SLASH(p->temp_path);
+-	buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++	/* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling
++	 * on windows.
++	 * we do not care about the trailing slash here on windows, as we already ensured it is a directory
++	 *
++	 * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
++	 *       as a username without them.
++	 */
++	if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
++		buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++	}
+ 	buffer_copy_string_buffer(con->physical.path, p->temp_path);
+ 
+ 	buffer_reset(p->temp_path);
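Review bot: `strchr(con->physical.rel_path->ptr + 2, '/')` skips two bytes of `rel_path` without checking its length, relying only on the assumption in the new comment that no docroot/physical handler changed the buffer. If `rel_path` is ever shorter than two characters the search starts past the terminator, so the guard should enforce the assumption, e.g. `if (con->physical.rel_path->used > 2 && NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {`. Any validation earlier in the function is on lines outside this hunk and, as far as the hunk shows, applies to a different buffer. The Windows trailing-dot TODO also leaves two usernames potentially mapping to the same directory, which is worth tracking as an open item rather than only in a comment.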

Modified: lighttpd/trunk/debian/patches/series
===================================================================
--- lighttpd/trunk/debian/patches/series	2008-09-27 09:57:20 UTC (rev 337)
+++ lighttpd/trunk/debian/patches/series	2008-09-27 10:02:31 UTC (rev 338)
@@ -3,3 +3,6 @@
 ldap_build_filter_fix.patch
 ldap-deprecated.patch
 ssl-connection-errors.patch
+lighttpd-1.4.x_request_header_memleak.patch -p0
+lighttpd-1.4.x_userdir_lowercase.patch -p0
+lighttpd-1.4.x_rewrite_redirect_decode_url.patch -p0



