Package: lighttpd Version: 1.69-1 Severity: normal I noticed the following regresion after upgrading to Debian 12 today:
When mod_dirindex is configured to include a header and/or readme into the directory index (using the dir-listing.show-header or dir-listing.show-readme options), said header/readme files are not included reliably into the HTTP response. Specifically, it looks as if the first request after a pause (or restart) gets the header/readme included, but any subsequent requests inside a certain period are rendered without the header/readme. I tried different stat-cache implementations: "disable", "inotify" and "simple" - they all could reproduce the same behaviour. When strace()ing lighttpd, one can clearly see that the README.txt file (I use dir-listing.show-readme = "README.txt") access pattern changes: Working case: newfstatat(AT_FDCWD, "/data/www/user_dir/HEADER.txt"... openat(AT_FDCWD, "/data/www/user_dir/HEADER.txt"... non-working case: newfstatat(AT_FDCWD, "/data/www/user_dir/HEADER.txt"... so somehow the file is not opened on the second request. Some debugging and instrumentation later, it seems that the file is opened on first access, and then kept open by the stat_cache (even when "disable" is used, which probably is a separate bug). However, the mod_dirlisting.c code read()s the file *without rewinding back after reading it*. This explains why on first read after open it succeeds, and subsequent reads then return no data as the read cursor is already at EOF. I've so far looked only at debians 1.69-1 sources. Will check upstream next and see if there's a fix already available. -- System Information: Debian Release: 12.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages lighttpd depends on: ii init-system-helpers 1.65.2 ii libc6 2.36-9 ii libcrypt1 1:4.4.33-2 ii libnettle8 3.8.1-2 ii libpcre2-8-0 10.42-1 ii libxxhash0 0.8.1-1 ii lsb-base 11.6 ii media-types 10.0.0 ii mime-support 3.66 ii systemd-sysv 252.6-1 ii sysvinit-utils [lsb-base] 3.06-4 Versions of packages lighttpd recommends: pn lighttpd-mod-deflate <none> pn lighttpd-mod-openssl <none> ii perl 5.36.0-7 pn spawn-fcgi <none> Versions of packages lighttpd suggests: ii apache2-utils 2.4.57-2 pn lighttpd-doc <none> pn lighttpd-mod-webdav <none> pn lighttpd-modules-dbi <none> pn lighttpd-modules-lua <none> ii openssl 3.0.9-1 pn php-cgi <none> pn php-fpm <none>