Home | History | Annotate | Download | only in testsuite
History log of /src/libexec/httpd/testsuite/test-simple
RevisionDateAuthorComments
 1.6  14-Dec-2018  maya Don't pass ${HOST} to test scripts.
htnl_cmp compares against the output of `hostname`.

This makes the tests pass on my machine.
 1.5  21-Nov-2018  mrg - move special files defines into bozohttpd.h, so we can ...
- consolidate all the special file checks into
bozo_check_special_files() so that all builds check the same
list of special files, regardless of build options.
- convert "(void)bozo_http_error(...); return -1;" into plain
"return bozo_http_error(...);"
- fix the call to bozo_check_special_files() to be used on all
input types. part of the fixes for failure to reject access
to /.htpasswd as reported by JP on tech-security.
- use warn_unused_result attribute on bozo_check_special_files(),
and fix the failures to return failure. second part of the
htpasswd access fix.
- update testsuite to use a fixed fake hostname.

call this bozohttpd 20181121.
 1.4  31-Jan-2017  mrg branches: 1.4.2; 1.4.4; 1.4.6; 1.4.10; 1.4.16; 1.4.18;
- fix a bug in cgi processing. from Dennis Lindroos.
- add a testcase for this, and expand test-simple to handle additional
args to bozohttpd for eg, cgi-bin setting.
- fix objdir bugs in the testsuite.
 1.3  27-Dec-2016  schmonz branches: 1.3.2; 1.3.4;
When testing non-verbosely, show diff on failure. ok mrg@
 1.2  26-Sep-2016  schmonz branches: 1.2.2; 1.2.4; 1.2.6;
Missed in previous: exit 1 if html_cmp says no match.
 1.1  23-Sep-2016  schmonz Add a VERBOSE knob to the testsuite ("yes" by default, producing
basically the same output as before). When turned off, tests run
silently except when there's a failure.

Reviewed by mrg@.
 1.2.6.5  15-Jun-2019  martin Pull up the following revisions (via patch) requested by mrg in ticket #1699:

libexec/httpd/CHANGES 1.31-1.40
libexec/httpd/Makefile 1.28
libexec/httpd/auth-bozo.c 1.23-1.24
libexec/httpd/bozohttpd.8 1.75-1.79
libexec/httpd/bozohttpd.c 1.100-1.113
libexec/httpd/bozohttpd.h 1.58-1.60
libexec/httpd/cgi-bozo.c 1.46-1.48
libexec/httpd/daemon-bozo.c 1.20-1.21
libexec/httpd/dir-index-bozo.c 1.29-1.32
libexec/httpd/ssl-bozo.c 1.26
libexec/httpd/testsuite/Makefile 1.12-1.13
libexec/httpd/testsuite/t11.out 1.2
libexec/httpd/testsuite/test-bigfile 1.6
libexec/httpd/testsuite/test-simple 1.6

Don't display special files in the directory index. They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai@yahoo.com>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uniinit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
being added to the prior total.)
however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s). If SSL_accept() doesn't
work with in this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that timeout.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overruninng
the array) later.
 1.2.6.4  24-Nov-2018  martin Sync to HEAD (requested by mrg in ticket #1655):

libexec/httpd/testsuite/data/.bzremap up to 1.1
libexec/httpd/testsuite/t12.out up to 1.1
libexec/httpd/testsuite/t12.in up to 1.1
libexec/httpd/testsuite/t13.out up to 1.1
libexec/httpd/testsuite/t13.in up to 1.1
libexec/httpd/testsuite/t14.out up to 1.1
libexec/httpd/testsuite/t14.in up to 1.1
libexec/httpd/testsuite/t15.out up to 1.1
libexec/httpd/testsuite/t15.in up to 1.1
libexec/httpd/CHANGES up to 1.28
libexec/httpd/Makefile up to 1.27
libexec/httpd/auth-bozo.c up to 1.22
libexec/httpd/bozohttpd.8 up to 1.74
libexec/httpd/bozohttpd.c up to 1.96
libexec/httpd/bozohttpd.h up to 1.56
libexec/httpd/cgi-bozo.c up to 1.44
libexec/httpd/content-bozo.c up to 1.16
libexec/httpd/daemon-bozo.c up to 1.19
libexec/httpd/dir-index-bozo.c up to 1.28
libexec/httpd/lua-bozo.c up to 1.15
libexec/httpd/main.c up to 1.21
libexec/httpd/ssl-bozo.c up to 1.25
libexec/httpd/tilde-luzah-bozo.c up to 1.16
libexec/httpd/libbozohttpd/Makefile up to 1.3
libexec/httpd/lua/bozo.lua up to 1.3
libexec/httpd/lua/glue.c up to 1.5
libexec/httpd/lua/optparse.lua up to 1.2
libexec/httpd/testsuite/Makefile up to 1.11
libexec/httpd/testsuite/html_cmp up to 1.6
libexec/httpd/testsuite/t3.out up to 1.4
libexec/httpd/testsuite/t5.out up to 1.4
libexec/httpd/testsuite/t6.out up to 1.4
libexec/httpd/testsuite/test-bigfile up to 1.5
libexec/httpd/testsuite/test-simple up to 1.5

Cosmetic changes to Lua binding in bozohttpd.

- Don't use negative indicies to read arguments of Lua functions.
- On error, return nil, "error string".
- Use ssize_t for return values from bozo_read() and bozo_write().
- Prefer lstring especially when if saves you from appending NUL and
doing len + 1 which can potentially wraparound.
- Don't mix C allocations with Lua functions marked with "m" in the Lua
manual. Those functions may throw (longjump) and leak data allocated
by C function. In one case, I use luaL_Buffer, in the other case,
I rearranged calls a bit.


fix ordering of a couple of words. from Edgar Pettijohn in PR#52375.
thanks!


s/u_int/unsigned/.

from Jan Danielsson. increases/fixes portability.


PR bin/52194: bozohttpd fails to exec scripts via the -C mechanism
sometimes with EFAULT due to not NULL terminated environment.


Document script handler issues with httpd(8).
From martin@, addressing PR 52194.

While here, use American spelling consistently and upper-case some
abbreviations.

Bump date.


fix output since protocol agnostic change went in.

XXX: i thought someone hooked this into atf already, please do :)


Add support for remapping requested paths via a .bzredirect file.
Fixes PR 52772. Ok: mrg@


Bump date


Remove trailing whitespace.


use __func__ in debug().


fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


avoid memory leak in sending multiple auth headers.
mostly mitigated by previous patch to limit total header size,
but still a real problem here.


note the changes present in bozohttpd 20181118:

o add url remap support via .bzremap file, from martin%netbsd.org@localhost
o handle redirections for any protocol, not just http:
o fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


from CHANGES:

o reduce default timeouts, and add expand timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling responses

old timeouts:
60 seconds for initial request like, 60 seconds per header line,
and no whole timeout (though the recent total header size changes
do introduce one that would be about 11 hours.)
new timeouts:
30 seconds for initial request like, 10 seconds per header line,
and a total request time of 600 seconds.

the new global timeout is implemented using CLOCK_MONOTONIC, with
a fallback to CLOCK_REALTIME if monotonic time is unavailable.

reject multiple Host: headers. besides being protocol standard,
this closes one additional memory leak found by JP. add a simple
test to check this.

clean up option and usage handling some.


move some #if support into bozohttpd.h.


fix previous: have_debug was reversed.


also fix have_dynamic_content from the previous previous. re-order
the debug and dynamic content to match the same pattern as everything
else so similar problems are less likely in the future.


- move special files defines into bozohttpd.h, so we can ...
- consolidate all the special file checks into
bozo_check_special_files() so that all builds check the same
list of special files, regardless of build options.
- convert "(void)bozo_http_error(...); return -1;" into plain
"return bozo_http_error(...);"
- fix the call to bozo_check_special_files() to be used on all
input types. part of the fixes for failure to reject access
to /.htpasswd as reported by JP on tech-security.
- use warn_unused_result attribute on bozo_check_special_files(),
and fix the failures to return failure. second part of the
htpasswd access fix.
- update testsuite to use a fixed fake hostname.

call this bozohttpd 20181121.


two fixes reported by mouse:
- don't check contents of 'st' if stat(2) failed.
- round up instead of truncate. now 10000 byte files say 10kB not 9kB.


use MAP_SHARED for the bzremap file. avoids netbsd kernel complaining:

WARNING: defaulted mmap() share type to MAP_PRIVATE (pid 15478 command bozohttpd)


many clean ups:
- keep a list of special files and their human names
- remove (void) casts on bozo_http_error()
- fix a few more misuses of bozo_http_error()
- rename check_mapping() to check_remap() and perform some CSE
- switch away from ``%s'' to '%s'
- remove a bunch of #ifdef using new have_feature defines


alpha sort the option switch.


add an assert() check on array bounds.


minor style fixes. simplify bozo_match_content_map().
 1.2.6.3  12-Feb-2017  snj Pull up following revision(s) (requested by mrg in ticket #1357):
libexec/httpd/CHANGES: revision 1.25
libexec/httpd/bozohttpd.8: revisions 1.63-1.65
libexec/httpd/bozohttpd.c: revisions 1.85, 1.86
libexec/httpd/bozohttpd.h: revision 1.47
libexec/httpd/cgi-bozo.c: revisions 1.36, 1.37
libexec/httpd/libbozohttpd/libbozohttpd.3: revision 1.4
libexec/httpd/testsuite/Makefile: revision 1.7
libexec/httpd/testsuite/html_cmp: revision 1.5
libexec/httpd/testsuite/test-bigfile: revision 1.4
libexec/httpd/testsuite/test-simple: revisions 1.3, 1.4
libexec/httpd/testsuite/t11.in: revision 1.1
libexec/httpd/testsuite/t11.out: revision 1.1
libexec/httpd/testsuite/cgi-bin/empty: revision 1.1
Update bozohttpd to 20170201:
- fix an infinite loop in cgi processing
- fixes and clean up for the testsuite
- no longer sends encoding header for compressed formats
 1.2.6.2  23-Dec-2016  snj Pull up following revision(s) (requested by mrg in ticket #1309):
libexec/httpd/CHANGES: revisions 1.23, 1.24
libexec/httpd/bozohttpd.8: revisions 1.60-1.62
libexec/httpd/bozohttpd.c: revisions 1.81-1.84
libexec/httpd/bozohttpd.h: revision 1.46
libexec/httpd/cgi-bozo.c: revision 1.35
libexec/httpd/content-bozo.c: revision 1.14
libexec/httpd/main.c: revisions 1.14-1.16
libexec/httpd/testsuite/Makefile: revision 1.6
libexec/httpd/testsuite/test-bigfile: revision 1.3
libexec/httpd/testsuite/test-simple: revisions 1.1, 1.2
update bozohttpd to 2016072:
- fix memory leak
- addd -G option to display version
- fix some content type issues
- fix issues in testsuite
 1.2.6.1  26-Sep-2016  snj file test-simple was added on branch netbsd-7-0 on 2016-12-23 07:47:40 +0000
 1.2.4.5  15-Jun-2019  martin Pull up the following revisions (via patch) requested by mrg in ticket #1699:

libexec/httpd/CHANGES 1.31-1.40
libexec/httpd/Makefile 1.28
libexec/httpd/auth-bozo.c 1.23-1.24
libexec/httpd/bozohttpd.8 1.75-1.79
libexec/httpd/bozohttpd.c 1.100-1.113
libexec/httpd/bozohttpd.h 1.58-1.60
libexec/httpd/cgi-bozo.c 1.46-1.48
libexec/httpd/daemon-bozo.c 1.20-1.21
libexec/httpd/dir-index-bozo.c 1.29-1.32
libexec/httpd/ssl-bozo.c 1.26
libexec/httpd/testsuite/Makefile 1.12-1.13
libexec/httpd/testsuite/t11.out 1.2
libexec/httpd/testsuite/test-bigfile 1.6
libexec/httpd/testsuite/test-simple 1.6

Don't display special files in the directory index. They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai@yahoo.com>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uniinit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
being added to the prior total.)
however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s). If SSL_accept() doesn't
work with in this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that timeout.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overruninng
the array) later.
 1.2.4.4  24-Nov-2018  martin Sync to HEAD (requested by mrg in ticket #1655):

libexec/httpd/testsuite/data/.bzremap up to 1.1
libexec/httpd/testsuite/t12.out up to 1.1
libexec/httpd/testsuite/t12.in up to 1.1
libexec/httpd/testsuite/t13.out up to 1.1
libexec/httpd/testsuite/t13.in up to 1.1
libexec/httpd/testsuite/t14.out up to 1.1
libexec/httpd/testsuite/t14.in up to 1.1
libexec/httpd/testsuite/t15.out up to 1.1
libexec/httpd/testsuite/t15.in up to 1.1
libexec/httpd/CHANGES up to 1.28
libexec/httpd/Makefile up to 1.27
libexec/httpd/auth-bozo.c up to 1.22
libexec/httpd/bozohttpd.8 up to 1.74
libexec/httpd/bozohttpd.c up to 1.96
libexec/httpd/bozohttpd.h up to 1.56
libexec/httpd/cgi-bozo.c up to 1.44
libexec/httpd/content-bozo.c up to 1.16
libexec/httpd/daemon-bozo.c up to 1.19
libexec/httpd/dir-index-bozo.c up to 1.28
libexec/httpd/lua-bozo.c up to 1.15
libexec/httpd/main.c up to 1.21
libexec/httpd/ssl-bozo.c up to 1.25
libexec/httpd/tilde-luzah-bozo.c up to 1.16
libexec/httpd/libbozohttpd/Makefile up to 1.3
libexec/httpd/lua/bozo.lua up to 1.3
libexec/httpd/lua/glue.c up to 1.5
libexec/httpd/lua/optparse.lua up to 1.2
libexec/httpd/testsuite/Makefile up to 1.11
libexec/httpd/testsuite/html_cmp up to 1.6
libexec/httpd/testsuite/t3.out up to 1.4
libexec/httpd/testsuite/t5.out up to 1.4
libexec/httpd/testsuite/t6.out up to 1.4
libexec/httpd/testsuite/test-bigfile up to 1.5
libexec/httpd/testsuite/test-simple up to 1.5

Cosmetic changes to Lua binding in bozohttpd.

- Don't use negative indicies to read arguments of Lua functions.
- On error, return nil, "error string".
- Use ssize_t for return values from bozo_read() and bozo_write().
- Prefer lstring especially when if saves you from appending NUL and
doing len + 1 which can potentially wraparound.
- Don't mix C allocations with Lua functions marked with "m" in the Lua
manual. Those functions may throw (longjump) and leak data allocated
by C function. In one case, I use luaL_Buffer, in the other case,
I rearranged calls a bit.


fix ordering of a couple of words. from Edgar Pettijohn in PR#52375.
thanks!


s/u_int/unsigned/.

from Jan Danielsson. increases/fixes portability.


PR bin/52194: bozohttpd fails to exec scripts via the -C mechanism
sometimes with EFAULT due to not NULL terminated environment.


Document script handler issues with httpd(8).
From martin@, addressing PR 52194.

While here, use American spelling consistently and upper-case some
abbreviations.

Bump date.


fix output since protocol agnostic change went in.

XXX: i thought someone hooked this into atf already, please do :)


Add support for remapping requested paths via a .bzredirect file.
Fixes PR 52772. Ok: mrg@


Bump date


Remove trailing whitespace.


use __func__ in debug().


fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


avoid memory leak in sending multiple auth headers.
mostly mitigated by previous patch to limit total header size,
but still a real problem here.


note the changes present in bozohttpd 20181118:

o add url remap support via .bzremap file, from martin%netbsd.org@localhost
o handle redirections for any protocol, not just http:
o fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


from CHANGES:

o reduce default timeouts, and add expand timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling responses

old timeouts:
60 seconds for initial request like, 60 seconds per header line,
and no whole timeout (though the recent total header size changes
do introduce one that would be about 11 hours.)
new timeouts:
30 seconds for initial request like, 10 seconds per header line,
and a total request time of 600 seconds.

the new global timeout is implemented using CLOCK_MONOTONIC, with
a fallback to CLOCK_REALTIME if monotonic time is unavailable.

reject multiple Host: headers. besides being protocol standard,
this closes one additional memory leak found by JP. add a simple
test to check this.

clean up option and usage handling some.


move some #if support into bozohttpd.h.


fix previous: have_debug was reversed.


also fix have_dynamic_content from the previous previous. re-order
the debug and dynamic content to match the same pattern as everything
else so similar problems are less likely in the future.


- move special files defines into bozohttpd.h, so we can ...
- consolidate all the special file checks into
bozo_check_special_files() so that all builds check the same
list of special files, regardless of build options.
- convert "(void)bozo_http_error(...); return -1;" into plain
"return bozo_http_error(...);"
- fix the call to bozo_check_special_files() to be used on all
input types. part of the fixes for failure to reject access
to /.htpasswd as reported by JP on tech-security.
- use warn_unused_result attribute on bozo_check_special_files(),
and fix the failures to return failure. second part of the
htpasswd access fix.
- update testsuite to use a fixed fake hostname.

call this bozohttpd 20181121.


two fixes reported by mouse:
- don't check contents of 'st' if stat(2) failed.
- round up instead of truncate. now 10000 byte files say 10kB not 9kB.


use MAP_SHARED for the bzremap file. avoids netbsd kernel complaining:

WARNING: defaulted mmap() share type to MAP_PRIVATE (pid 15478 command bozohttpd)


many clean ups:
- keep a list of special files and their human names
- remove (void) casts on bozo_http_error()
- fix a few more misuses of bozo_http_error()
- rename check_mapping() to check_remap() and perform some CSE
- switch away from ``%s'' to '%s'
- remove a bunch of #ifdef using new have_feature defines


alpha sort the option switch.


add an assert() check on array bounds.


minor style fixes. simplify bozo_match_content_map().
 1.2.4.3  12-Feb-2017  snj branches: 1.2.4.3.2;
Pull up following revision(s) (requested by mrg in ticket #1357):
libexec/httpd/CHANGES: revision 1.25
libexec/httpd/bozohttpd.8: revisions 1.63-1.65
libexec/httpd/bozohttpd.c: revisions 1.85, 1.86
libexec/httpd/bozohttpd.h: revision 1.47
libexec/httpd/cgi-bozo.c: revisions 1.36, 1.37
libexec/httpd/libbozohttpd/libbozohttpd.3: revision 1.4
libexec/httpd/testsuite/Makefile: revision 1.7
libexec/httpd/testsuite/html_cmp: revision 1.5
libexec/httpd/testsuite/test-bigfile: revision 1.4
libexec/httpd/testsuite/test-simple: revisions 1.3, 1.4
libexec/httpd/testsuite/t11.in: revision 1.1
libexec/httpd/testsuite/t11.out: revision 1.1
libexec/httpd/testsuite/cgi-bin/empty: revision 1.1
Update bozohttpd to 20170201:
- fix an infinite loop in cgi processing
- fixes and clean up for the testsuite
- no longer sends encoding header for compressed formats
 1.2.4.2  23-Dec-2016  snj Pull up following revision(s) (requested by mrg in ticket #1309):
libexec/httpd/CHANGES: revisions 1.23, 1.24
libexec/httpd/bozohttpd.8: revisions 1.60-1.62
libexec/httpd/bozohttpd.c: revisions 1.81-1.84
libexec/httpd/bozohttpd.h: revision 1.46
libexec/httpd/cgi-bozo.c: revision 1.35
libexec/httpd/content-bozo.c: revision 1.14
libexec/httpd/main.c: revisions 1.14-1.16
libexec/httpd/testsuite/Makefile: revision 1.6
libexec/httpd/testsuite/test-bigfile: revision 1.3
libexec/httpd/testsuite/test-simple: revisions 1.1, 1.2
update bozohttpd to 2016072:
- fix memory leak
- addd -G option to display version
- fix some content type issues
- fix issues in testsuite
 1.2.4.1  26-Sep-2016  snj file test-simple was added on branch netbsd-7 on 2016-12-23 07:42:09 +0000
 1.2.4.3.2.2  15-Jun-2019  martin Pull up the following revisions (via patch) requested by mrg in ticket #1699:

libexec/httpd/CHANGES 1.31-1.40
libexec/httpd/Makefile 1.28
libexec/httpd/auth-bozo.c 1.23-1.24
libexec/httpd/bozohttpd.8 1.75-1.79
libexec/httpd/bozohttpd.c 1.100-1.113
libexec/httpd/bozohttpd.h 1.58-1.60
libexec/httpd/cgi-bozo.c 1.46-1.48
libexec/httpd/daemon-bozo.c 1.20-1.21
libexec/httpd/dir-index-bozo.c 1.29-1.32
libexec/httpd/ssl-bozo.c 1.26
libexec/httpd/testsuite/Makefile 1.12-1.13
libexec/httpd/testsuite/t11.out 1.2
libexec/httpd/testsuite/test-bigfile 1.6
libexec/httpd/testsuite/test-simple 1.6

Don't display special files in the directory index. They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai@yahoo.com>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uniinit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
being added to the prior total.)
however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s). If SSL_accept() doesn't
work with in this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that timeout.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overruninng
the array) later.
 1.2.4.3.2.1  24-Nov-2018  martin Sync to HEAD (requested by mrg in ticket #1655):

libexec/httpd/testsuite/data/.bzremap up to 1.1
libexec/httpd/testsuite/t12.out up to 1.1
libexec/httpd/testsuite/t12.in up to 1.1
libexec/httpd/testsuite/t13.out up to 1.1
libexec/httpd/testsuite/t13.in up to 1.1
libexec/httpd/testsuite/t14.out up to 1.1
libexec/httpd/testsuite/t14.in up to 1.1
libexec/httpd/testsuite/t15.out up to 1.1
libexec/httpd/testsuite/t15.in up to 1.1
libexec/httpd/CHANGES up to 1.28
libexec/httpd/Makefile up to 1.27
libexec/httpd/auth-bozo.c up to 1.22
libexec/httpd/bozohttpd.8 up to 1.74
libexec/httpd/bozohttpd.c up to 1.96
libexec/httpd/bozohttpd.h up to 1.56
libexec/httpd/cgi-bozo.c up to 1.44
libexec/httpd/content-bozo.c up to 1.16
libexec/httpd/daemon-bozo.c up to 1.19
libexec/httpd/dir-index-bozo.c up to 1.28
libexec/httpd/lua-bozo.c up to 1.15
libexec/httpd/main.c up to 1.21
libexec/httpd/ssl-bozo.c up to 1.25
libexec/httpd/tilde-luzah-bozo.c up to 1.16
libexec/httpd/libbozohttpd/Makefile up to 1.3
libexec/httpd/lua/bozo.lua up to 1.3
libexec/httpd/lua/glue.c up to 1.5
libexec/httpd/lua/optparse.lua up to 1.2
libexec/httpd/testsuite/Makefile up to 1.11
libexec/httpd/testsuite/html_cmp up to 1.6
libexec/httpd/testsuite/t3.out up to 1.4
libexec/httpd/testsuite/t5.out up to 1.4
libexec/httpd/testsuite/t6.out up to 1.4
libexec/httpd/testsuite/test-bigfile up to 1.5
libexec/httpd/testsuite/test-simple up to 1.5

Cosmetic changes to Lua binding in bozohttpd.

- Don't use negative indicies to read arguments of Lua functions.
- On error, return nil, "error string".
- Use ssize_t for return values from bozo_read() and bozo_write().
- Prefer lstring especially when if saves you from appending NUL and
doing len + 1 which can potentially wraparound.
- Don't mix C allocations with Lua functions marked with "m" in the Lua
manual. Those functions may throw (longjump) and leak data allocated
by C function. In one case, I use luaL_Buffer, in the other case,
I rearranged calls a bit.


fix ordering of a couple of words. from Edgar Pettijohn in PR#52375.
thanks!


s/u_int/unsigned/.

from Jan Danielsson. increases/fixes portability.


PR bin/52194: bozohttpd fails to exec scripts via the -C mechanism
sometimes with EFAULT due to not NULL terminated environment.


Document script handler issues with httpd(8).
From martin@, addressing PR 52194.

While here, use American spelling consistently and upper-case some
abbreviations.

Bump date.


fix output since protocol agnostic change went in.

XXX: i thought someone hooked this into atf already, please do :)


Add support for remapping requested paths via a .bzredirect file.
Fixes PR 52772. Ok: mrg@


Bump date


Remove trailing whitespace.


use __func__ in debug().


fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


avoid memory leak in sending multiple auth headers.
mostly mitigated by previous patch to limit total header size,
but still a real problem here.


note the changes present in bozohttpd 20181118:

o add url remap support via .bzremap file, from martin%netbsd.org@localhost
o handle redirections for any protocol, not just http:
o fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


from CHANGES:

o reduce default timeouts, and add expand timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling responses

old timeouts:
60 seconds for initial request like, 60 seconds per header line,
and no whole timeout (though the recent total header size changes
do introduce one that would be about 11 hours.)
new timeouts:
30 seconds for initial request like, 10 seconds per header line,
and a total request time of 600 seconds.

the new global timeout is implemented using CLOCK_MONOTONIC, with
a fallback to CLOCK_REALTIME if monotonic time is unavailable.

reject multiple Host: headers. besides being protocol standard,
this closes one additional memory leak found by JP. add a simple
test to check this.

clean up option and usage handling some.


move some #if support into bozohttpd.h.


fix previous: have_debug was reversed.


also fix have_dynamic_content from the previous previous. re-order
the debug and dynamic content to match the same pattern as everything
else so similar problems are less likely in the future.


- move special files defines into bozohttpd.h, so we can ...
- consolidate all the special file checks into
bozo_check_special_files() so that all builds check the same
list of special files, regardless of build options.
- convert "(void)bozo_http_error(...); return -1;" into plain
"return bozo_http_error(...);"
- fix the call to bozo_check_special_files() to be used on all
input types. part of the fixes for failure to reject access
to /.htpasswd as reported by JP on tech-security.
- use warn_unused_result attribute on bozo_check_special_files(),
and fix the failures to return failure. second part of the
htpasswd access fix.
- update testsuite to use a fixed fake hostname.

call this bozohttpd 20181121.


two fixes reported by mouse:
- don't check contents of 'st' if stat(2) failed.
- round up instead of truncate. now 10000 byte files say 10kB not 9kB.


use MAP_SHARED for the bzremap file. avoids netbsd kernel complaining:

WARNING: defaulted mmap() share type to MAP_PRIVATE (pid 15478 command bozohttpd)


many clean ups:
- keep a list of special files and their human names
- remove (void) casts on bozo_http_error()
- fix a few more misuses of bozo_http_error()
- rename check_mapping() to check_remap() and perform some CSE
- switch away from ``%s'' to '%s'
- remove a bunch of #ifdef using new have_feature defines


alpha sort the option switch.


add an assert() check on array bounds.


minor style fixes. simplify bozo_match_content_map().
 1.2.2.4  20-Mar-2017  pgoyette Sync with HEAD
 1.2.2.3  07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.2.2.2  04-Nov-2016  pgoyette Sync with HEAD
 1.2.2.1  26-Sep-2016  pgoyette file test-simple was added on branch pgoyette-localcount on 2016-11-04 14:48:55 +0000
 1.3.4.3  13-Mar-2017  skrll Sync with netbsd-7-1-RELEASE
 1.3.4.2  18-Jan-2017  skrll Sync with netbsd-5
 1.3.4.1  27-Dec-2016  skrll file test-simple was added on branch netbsd-7-nhusb on 2017-01-18 08:46:23 +0000
 1.3.2.1  21-Apr-2017  bouyer Sync with HEAD
 1.4.18.1  10-Jun-2019  christos Sync with HEAD
 1.4.16.2  26-Dec-2018  pgoyette Sync with HEAD, resolve a few conflicts
 1.4.16.1  26-Nov-2018  pgoyette Sync with HEAD, resolve a couple of conflicts
 1.4.10.2  12-Jun-2019  martin Pull up the following revisions (via patch) requested by mrg in ticket #1281:

libexec/httpd/CHANGES 1.31-1.40
libexec/httpd/Makefile 1.28
libexec/httpd/auth-bozo.c 1.23-1.24
libexec/httpd/bozohttpd.8 1.75-1.79
libexec/httpd/bozohttpd.c 1.100-1.113
libexec/httpd/bozohttpd.h 1.58-1.60
libexec/httpd/cgi-bozo.c 1.46-1.48
libexec/httpd/daemon-bozo.c 1.20-1.21
libexec/httpd/dir-index-bozo.c 1.29-1.32
libexec/httpd/ssl-bozo.c 1.26
libexec/httpd/testsuite/Makefile 1.12-1.13
libexec/httpd/testsuite/t11.out 1.2
libexec/httpd/testsuite/test-bigfile 1.6
libexec/httpd/testsuite/test-simple 1.6


Don't display special files in the directory index. They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai@yahoo.com>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uniinit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
being added to the prior total.)
however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s). If SSL_accept() doesn't
work with in this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that timeout.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overruninng
the array) later.
 1.4.10.1  24-Nov-2018  martin Sync to HEAD (requested by mrg in ticket #1104)

libexec/httpd/testsuite/data/.bzremap up to 1.1
libexec/httpd/testsuite/t12.out up to 1.1
libexec/httpd/testsuite/t12.in up to 1.1
libexec/httpd/testsuite/t13.out up to 1.1
libexec/httpd/testsuite/t13.in up to 1.1
libexec/httpd/testsuite/t14.out up to 1.1
libexec/httpd/testsuite/t14.in up to 1.1
libexec/httpd/testsuite/t15.out up to 1.1
libexec/httpd/testsuite/t15.in up to 1.1
libexec/httpd/CHANGES up to 1.28
libexec/httpd/auth-bozo.c up to 1.22
libexec/httpd/bozohttpd.8 up to 1.74
libexec/httpd/bozohttpd.c up to 1.96
libexec/httpd/bozohttpd.h up to 1.56
libexec/httpd/cgi-bozo.c up to 1.44
libexec/httpd/content-bozo.c up to 1.16
libexec/httpd/daemon-bozo.c up to 1.19
libexec/httpd/dir-index-bozo.c up to 1.28
libexec/httpd/main.c up to 1.21
libexec/httpd/ssl-bozo.c up to 1.25
libexec/httpd/tilde-luzah-bozo.c up to 1.16
libexec/httpd/lua/bozo.lua up to 1.3
libexec/httpd/lua/glue.c up to 1.5
libexec/httpd/lua/optparse.lua up to 1.2
libexec/httpd/testsuite/Makefile up to 1.11
libexec/httpd/testsuite/html_cmp up to 1.6
libexec/httpd/testsuite/t3.out up to 1.4
libexec/httpd/testsuite/t5.out up to 1.4
libexec/httpd/testsuite/t6.out up to 1.4
libexec/httpd/testsuite/test-bigfile up to 1.5
libexec/httpd/testsuite/test-simple up to 1.5


Cosmetic changes to Lua binding in bozohttpd.

- Don't use negative indicies to read arguments of Lua functions.
- On error, return nil, "error string".
- Use ssize_t for return values from bozo_read() and bozo_write().
- Prefer lstring especially when if saves you from appending NUL and
doing len + 1 which can potentially wraparound.
- Don't mix C allocations with Lua functions marked with "m" in the Lua
manual. Those functions may throw (longjump) and leak data allocated
by C function. In one case, I use luaL_Buffer, in the other case,
I rearranged calls a bit.


fix ordering of a couple of words. from Edgar Pettijohn in PR#52375.
thanks!


s/u_int/unsigned/.

from Jan Danielsson. increases/fixes portability.


PR bin/52194: bozohttpd fails to exec scripts via the -C mechanism
sometimes with EFAULT due to not NULL terminated environment.


Document script handler issues with httpd(8).
From martin@, addressing PR 52194.

While here, use American spelling consistently and upper-case some
abbreviations.

Bump date.


fix output since protocol agnostic change went in.

XXX: i thought someone hooked this into atf already, please do :)


Add support for remapping requested paths via a .bzredirect file.
Fixes PR 52772. Ok: mrg@


Bump date


Remove trailing whitespace.


use __func__ in debug().


fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


avoid memory leak in sending multiple auth headers.
mostly mitigated by previous patch to limit total header size,
but still a real problem here.


note the changes present in bozohttpd 20181118:

o add url remap support via .bzremap file, from martin%netbsd.org@localhost
o handle redirections for any protocol, not just http:
o fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.


from CHANGES:

o reduce default timeouts, and add expand timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling responses

old timeouts:
60 seconds for initial request like, 60 seconds per header line,
and no whole timeout (though the recent total header size changes
do introduce one that would be about 11 hours.)
new timeouts:
30 seconds for initial request like, 10 seconds per header line,
and a total request time of 600 seconds.

the new global timeout is implemented using CLOCK_MONOTONIC, with
a fallback to CLOCK_REALTIME if monotonic time is unavailable.

reject multiple Host: headers. besides being protocol standard,
this closes one additional memory leak found by JP. add a simple
test to check this.

clean up option and usage handling some.


move some #if support into bozohttpd.h.


fix previous: have_debug was reversed.


also fix have_dynamic_content from the previous previous. re-order
the debug and dynamic content to match the same pattern as everything
else so similar problems are less likely in the future.


- move special files defines into bozohttpd.h, so we can ...
- consolidate all the special file checks into
bozo_check_special_files() so that all builds check the same
list of special files, regardless of build options.
- convert "(void)bozo_http_error(...); return -1;" into plain
"return bozo_http_error(...);"
- fix the call to bozo_check_special_files() to be used on all
input types. part of the fixes for failure to reject access
to /.htpasswd as reported by JP on tech-security.
- use warn_unused_result attribute on bozo_check_special_files(),
and fix the failures to return failure. second part of the
htpasswd access fix.
- update testsuite to use a fixed fake hostname.

call this bozohttpd 20181121.


two fixes reported by mouse:
- don't check contents of 'st' if stat(2) failed.
- round up instead of truncate. now 10000 byte files say 10kB not 9kB.


use MAP_SHARED for the bzremap file. avoids netbsd kernel complaining:

WARNING: defaulted mmap() share type to MAP_PRIVATE (pid 15478 command bozohttpd)


many clean ups:
- keep a list of special files and their human names
- remove (void) casts on bozo_http_error()
- fix a few more misuses of bozo_http_error()
- rename check_mapping() to check_remap() and perform some CSE
- switch away from ``%s'' to '%s'
- remove a bunch of #ifdef using new have_feature defines


alpha sort the option switch.


add an assert() check on array bounds.


minor style fixes. simplify bozo_match_content_map().
 1.4.6.2  07-Mar-2017  snj Pull up following revision(s) (requested by mrg in ticket #1437):
libexec/httpd/CHANGES: up to 1.25
libexec/httpd/bozohttpd.8: up to 1.65
libexec/httpd/bozohttpd.c: up to 1.86
libexec/httpd/bozohttpd.h: up to 1.47
libexec/httpd/cgi-bozo.c: up to 1.37
libexec/httpd/content-bozo.c: up to 1.14
libexec/httpd/libbozohttpd/libbozohttpd.3: up to 1.4
libexec/httpd/main.c: up to 1.16
libexec/httpd/small/Makefile: up to 1.3
libexec/httpd/testsuite/Makefile: up to 1.7
libexec/httpd/testsuite/cgi-bin/empty: up to 1.1
libexec/httpd/testsuite/html_cmp: up to 1.5
libexec/httpd/testsuite/t11.in: up to 1.1
libexec/httpd/testsuite/t11.out: up to 1.1
libexec/httpd/testsuite/test-bigfile: up to 1.4
libexec/httpd/testsuite/test-simple: up to 1.4
Update bozohttpd to 20170201. Changes:
- fix an infinite loop in cgi processing
- fixes and clean up for the testsuite
- no longer sends encoding header for compressed formats
- add a bozo_get_version() function which returns the version number
 1.4.6.1  31-Jan-2017  snj file test-simple was added on branch netbsd-6 on 2017-03-07 07:25:19 +0000
 1.4.4.2  07-Mar-2017  snj Pull up following revision(s) (requested by mrg in ticket #1437:
libexec/httpd/CHANGES: up to 1.25
libexec/httpd/bozohttpd.8: up to 1.65
libexec/httpd/bozohttpd.c: up to 1.86
libexec/httpd/bozohttpd.h: up to 1.47
libexec/httpd/cgi-bozo.c: up to 1.37
libexec/httpd/content-bozo.c: up to 1.14
libexec/httpd/libbozohttpd/libbozohttpd.3: up to 1.4
libexec/httpd/main.c: up to 1.16
libexec/httpd/small/Makefile: up to 1.3
libexec/httpd/testsuite/Makefile: up to 1.7
libexec/httpd/testsuite/cgi-bin/empty: up to 1.1
libexec/httpd/testsuite/html_cmp: up to 1.5
libexec/httpd/testsuite/t11.in: up to 1.1
libexec/httpd/testsuite/t11.out: up to 1.1
libexec/httpd/testsuite/test-bigfile: up to 1.4
libexec/httpd/testsuite/test-simple: up to 1.4
Update bozohttpd to 20170201. Changes:
- fix an infinite loop in cgi processing
- fixes and clean up for the testsuite
- no longer sends encoding header for compressed formats
- add a bozo_get_version() function which returns the version number
 1.4.4.1  31-Jan-2017  snj file test-simple was added on branch netbsd-6-1 on 2017-03-07 07:21:54 +0000
 1.4.2.2  07-Mar-2017  snj Pull up following revision(s) (requested by mrg in ticket #1437):
libexec/httpd/CHANGES: up to 1.25
libexec/httpd/bozohttpd.8: up to 1.65
libexec/httpd/bozohttpd.c: up to 1.86
libexec/httpd/bozohttpd.h: up to 1.47
libexec/httpd/cgi-bozo.c: up to 1.37
libexec/httpd/content-bozo.c: up to 1.14
libexec/httpd/libbozohttpd/libbozohttpd.3: up to 1.4
libexec/httpd/main.c: up to 1.16
libexec/httpd/small/Makefile: up to 1.3
libexec/httpd/testsuite/Makefile: up to 1.7
libexec/httpd/testsuite/cgi-bin/empty: up to 1.1
libexec/httpd/testsuite/html_cmp: up to 1.5
libexec/httpd/testsuite/t11.in: up to 1.1
libexec/httpd/testsuite/t11.out: up to 1.1
libexec/httpd/testsuite/test-bigfile: up to 1.4
libexec/httpd/testsuite/test-simple: up to 1.4
Update bozohttpd to 20170201. Changes:
- fix an infinite loop in cgi processing
- fixes and clean up for the testsuite
- no longer sends encoding header for compressed formats
- add a bozo_get_version() function which returns the version number
 1.4.2.1  31-Jan-2017  snj file test-simple was added on branch netbsd-6-0 on 2017-03-07 07:16:08 +0000

RSS XML Feed