Module Name: src
Committed By: martin
Date: Mon Jan 12 10:02:30 UTC 2015
Modified Files:
src/libexec/httpd [netbsd-7]: auth-bozo.c bozohttpd.8 bozohttpd.c
bozohttpd.h content-bozo.c dir-index-bozo.c lua-bozo.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #408):
libexec/httpd/content-bozo.c: revision 1.11
libexec/httpd/dir-index-bozo.c: revision 1.20
libexec/httpd/bozohttpd.h: revision 1.34
libexec/httpd/bozohttpd.c: revision 1.57
libexec/httpd/bozohttpd.8: revision 1.47
libexec/httpd/bozohttpd.c: revision 1.58
libexec/httpd/bozohttpd.8: revision 1.48
libexec/httpd/bozohttpd.c: revision 1.59
libexec/httpd/lua-bozo.c: revision 1.11
libexec/httpd/bozohttpd.c: revision 1.60
libexec/httpd/auth-bozo.c: revision 1.14
libexec/httpd/auth-bozo.c: revision 1.15
libexec/httpd/auth-bozo.c: revision 1.16
Update bozohttpd to 20141225:
- NUL terminate a string.
- don't truncate file sizes to 32 bits for directory indexes.
- Fixed off-by-one in virtualhost processing. Previous code was
checking if Host header is a prefix of any existing vhost.
This behaviour might be used to uncover existing virtual hosts
from the remote.
- Fixed memory leak in case of multiple authentication headers sent
by the client.
- Avoid array access out of bounds.
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.2.1 src/libexec/httpd/auth-bozo.c
cvs rdiff -u -r1.46 -r1.46.4.1 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.56 -r1.56.2.1 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.33 -r1.33.2.1 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.10 -r1.10.2.1 src/libexec/httpd/content-bozo.c \
src/libexec/httpd/lua-bozo.c
cvs rdiff -u -r1.19 -r1.19.4.1 src/libexec/httpd/dir-index-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/libexec/httpd/auth-bozo.c
diff -u src/libexec/httpd/auth-bozo.c:1.13 src/libexec/httpd/auth-bozo.c:1.13.2.1
--- src/libexec/httpd/auth-bozo.c:1.13 Tue Jul 8 14:01:21 2014
+++ src/libexec/httpd/auth-bozo.c Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: auth-bozo.c,v 1.13 2014/07/08 14:01:21 mrg Exp $ */
+/* $NetBSD: auth-bozo.c,v 1.13.2.1 2015/01/12 10:02:29 martin Exp $ */
/* $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */
@@ -118,6 +118,13 @@ bozo_auth_check(bozo_httpreq_t *request,
}
void
+bozo_auth_init(bozo_httpreq_t *request)
+{
+ request->hr_authuser = NULL;
+ request->hr_authpass = NULL;
+}
+
+void
bozo_auth_cleanup(bozo_httpreq_t *request)
{
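Review bot: bozo_auth_init() has no comment stating the invariant it establishes, and that invariant is now load-bearing: bozo_auth_check_headers() calls free() on hr_authuser and hr_authpass before assigning them, so both must be NULL or heap pointers on every request. I would add above the function `/* Must run on every new request before header parsing; bozo_auth_check_headers() free()s these fields. */`. Any other code path that creates a bozo_httpreq_t would need the same call; bozo_read_request() is the only one this commit shows doing so.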
@@ -150,6 +157,8 @@ bozo_auth_check_headers(bozo_httpreq_t *
return bozo_http_error(httpd, 400, request,
"bad authorization field");
*pass++ = '\0';
+ free(request->hr_authuser);
+ free(request->hr_authpass);
request->hr_authuser = bozostrdup(httpd, authbuf);
request->hr_authpass = bozostrdup(httpd, pass);
debug((httpd, DEBUG_FAT,
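Review bot: A request carrying several Authorization headers is still accepted here, with the last header silently replacing the earlier credentials; the added free() calls fix the leak but keep that ambiguity. If a front-end proxy and this server were to pick different headers, they would disagree on who is authenticated, so I would reject the repeat rather than overwrite, e.g. `if (request->hr_authuser != NULL) return bozo_http_error(httpd, 400, request, "bad authorization field");` placed before the new values are stored. Separately, hr_authpass holds a clear-text password and is released without being wiped; clearing it with a memset variant the compiler cannot elide before free() would limit how long it lingers in the heap. The function starts and ends outside this hunk.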
@@ -229,6 +238,12 @@ base64_decode(const unsigned char *in, s
unsigned char *cp;
size_t i;
+ if (ilen == 0) {
+ if (olen)
+ *out = '\0';
+ return 0;
+ }
+
cp = out;
for (i = 0; i < ilen; i += 4) {
if (cp + 3 > out + olen)
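Review bot: The new `ilen == 0` guard covers the empty case, but the loop below it still advances in steps of four with only `i < ilen` as its bound, so an ilen that is not a multiple of four lets the final iteration index in[i + 1] through in[i + 3] past the stated input length. Whether that is reachable depends on the caller and on IN_CHECK, neither of which is fully visible here. Rejecting such input next to the new guard would close it: `if (ilen % 4 != 0) return -1;` (assuming -1 is this function's error value, which the hunk does not show). The function starts before and continues after this hunk.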
@@ -250,7 +265,7 @@ base64_decode(const unsigned char *in, s
| decodetable[in[i + 3]];
#undef IN_CHECK
}
- while (in[i - 1] == '=')
+ while (i > 0 && in[i - 1] == '=')
cp--,i--;
return (cp - out);
}
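Review bot: The padding loop is now bounded on i but not on cp, so input ending in more '=' characters than bytes were produced would step cp below out and make `cp - out` negative. Whether a run of '=' can get through IN_CHECK is not visible here, so this may be theoretical, but forming a pointer before the start of the buffer is undefined on its own. I would write the condition as `while (i > 0 && cp > out && in[i - 1] == '=')`. The start of base64_decode() is outside this hunk.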
Index: src/libexec/httpd/bozohttpd.8
diff -u src/libexec/httpd/bozohttpd.8:1.46 src/libexec/httpd/bozohttpd.8:1.46.4.1
--- src/libexec/httpd/bozohttpd.8:1.46 Sun Feb 9 12:32:32 2014
+++ src/libexec/httpd/bozohttpd.8 Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-.\" $NetBSD: bozohttpd.8,v 1.46 2014/02/09 12:32:32 mrg Exp $
+.\" $NetBSD: bozohttpd.8,v 1.46.4.1 2015/01/12 10:02:29 martin Exp $
.\"
.\" $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd February 9, 2014
+.Dd December 25, 2014
.Dt HTTPD 8
.Os
.Sh NAME
@@ -513,7 +513,7 @@ The focus has always been simplicity and
and regular code audits.
This manual documents
.Nm
-version 20140201.
+version 20141225.
.Sh AUTHORS
.An -nosplit
.Nm
Index: src/libexec/httpd/bozohttpd.c
diff -u src/libexec/httpd/bozohttpd.c:1.56 src/libexec/httpd/bozohttpd.c:1.56.2.1
--- src/libexec/httpd/bozohttpd.c:1.56 Thu Jul 17 10:21:51 2014
+++ src/libexec/httpd/bozohttpd.c Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.c,v 1.56 2014/07/17 10:21:51 mrg Exp $ */
+/* $NetBSD: bozohttpd.c,v 1.56.2.1 2015/01/12 10:02:29 martin Exp $ */
/* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */
@@ -109,7 +109,7 @@
#define INDEX_HTML "index.html"
#endif
#ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE "bozohttpd/20140717"
+#define SERVER_SOFTWARE "bozohttpd/20141225"
#endif
#ifndef DIRECT_ACCESS_FILE
#define DIRECT_ACCESS_FILE ".bzdirect"
@@ -541,6 +541,7 @@ bozo_read_request(bozohttpd_t *httpd)
request->hr_virthostname = NULL;
request->hr_file = NULL;
request->hr_oldfile = NULL;
+ bozo_auth_init(request);
slen = sizeof(ss);
if (getpeername(0, (struct sockaddr *)(void *)&ss, &slen) < 0)
@@ -1093,8 +1094,8 @@ check_virtual(bozo_httpreq_t *request)
}
debug((httpd, DEBUG_OBESE, "looking at dir``%s''",
d->d_name));
- if (strncasecmp(d->d_name, request->hr_host,
- len) == 0) {
+ if (d->d_namlen == len && strcmp(d->d_name,
+ request->hr_host) == 0) {
/* found it, punch it */
debug((httpd, DEBUG_OBESE, "found it punch it"));
request->hr_virthostname =
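Review bot: The comparison changed from strncasecmp() to strcmp(), so the exact-length fix also makes virtual-host matching case-sensitive. Host names are case-insensitive, and unless hr_host is lower-cased before this point (not visible in the hunk), a header such as `Host: WWW.Example.org` would no longer select a directory named `www.example.org` and would presumably fall through to the non-virtual handling. Keeping the new length check and using `strcasecmp(d->d_name, request->hr_host) == 0` preserves the previous case handling. d_namlen is also a BSD-specific dirent member; `strlen(d->d_name) == len` is the portable spelling if this file is built on other systems. check_virtual() starts and ends outside the hunk.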
Index: src/libexec/httpd/bozohttpd.h
diff -u src/libexec/httpd/bozohttpd.h:1.33 src/libexec/httpd/bozohttpd.h:1.33.2.1
--- src/libexec/httpd/bozohttpd.h:1.33 Thu Jul 17 06:27:52 2014
+++ src/libexec/httpd/bozohttpd.h Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.h,v 1.33 2014/07/17 06:27:52 mrg Exp $ */
+/* $NetBSD: bozohttpd.h,v 1.33.2.1 2015/01/12 10:02:29 martin Exp $ */
/* $eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $ */
@@ -247,6 +247,7 @@ void bozo_ssl_destroy(bozohttpd_t *);
/* auth-bozo.c */
#ifdef DO_HTPASSWD
+void bozo_auth_init(bozo_httpreq_t *);
int bozo_auth_check(bozo_httpreq_t *, const char *);
void bozo_auth_cleanup(bozo_httpreq_t *);
int bozo_auth_check_headers(bozo_httpreq_t *, char *, char *, ssize_t);
@@ -255,6 +256,7 @@ void bozo_auth_check_401(bozo_httpreq_t
void bozo_auth_cgi_setenv(bozo_httpreq_t *, char ***);
int bozo_auth_cgi_count(bozo_httpreq_t *);
#else
+#define bozo_auth_init(x) do { /* nothing */ } while (0)
#define bozo_auth_check(x, y) 0
#define bozo_auth_cleanup(x) do { /* nothing */ } while (0)
#define bozo_auth_check_headers(y, z, a, b) 0
Index: src/libexec/httpd/content-bozo.c
diff -u src/libexec/httpd/content-bozo.c:1.10 src/libexec/httpd/content-bozo.c:1.10.2.1
--- src/libexec/httpd/content-bozo.c:1.10 Sat May 17 05:50:01 2014
+++ src/libexec/httpd/content-bozo.c Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: content-bozo.c,v 1.10 2014/05/17 05:50:01 mrg Exp $ */
+/* $NetBSD: content-bozo.c,v 1.10.2.1 2015/01/12 10:02:29 martin Exp $ */
/* $eterna: content-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */
@@ -164,6 +164,8 @@ static bozo_content_map_t static_content
{ ".mpeg", 5, "video/mpeg", "", "", NULL },
{ ".mpg", 4, "video/mpeg", "", "", NULL },
{ ".mpe", 4, "video/mpeg", "", "", NULL },
+ { ".ts", 4, "video/mpeg", "", "", NULL },
+ { ".vob", 4, "video/mpeg", "", "", NULL },
{ ".mp4", 4, "video/mp4", "", "", NULL },
{ ".qt", 3, "video/quicktime", "", "", NULL },
{ ".mov", 4, "video/quicktime", "", "", NULL },
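Review bot: The new `.ts` entry carries a length of 4, but the suffix is three characters long; in every neighbouring entry the second field equals the strlen() of the suffix (`.mpeg` 5, `.qt` 3, `.mov` 4). If the lookup compares that many trailing bytes of the file name, which the table layout suggests but the hunk does not show, `.ts` files would either never match or be compared one byte too far. The line should read `{ ".ts", 3, "video/mpeg", "", "", NULL },`.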
Index: src/libexec/httpd/lua-bozo.c
diff -u src/libexec/httpd/lua-bozo.c:1.10 src/libexec/httpd/lua-bozo.c:1.10.2.1
--- src/libexec/httpd/lua-bozo.c:1.10 Sat Jul 19 18:38:34 2014
+++ src/libexec/httpd/lua-bozo.c Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: lua-bozo.c,v 1.10 2014/07/19 18:38:34 lneto Exp $ */
+/* $NetBSD: lua-bozo.c,v 1.10.2.1 2015/01/12 10:02:29 martin Exp $ */
/*
* Copyright (c) 2013 Marc Balmer <[email protected]>
@@ -276,6 +276,7 @@ lua_url_decode(lua_State *L, char *s)
*q++ = *p;
}
}
+ *q = '\0';
lua_pushstring(L, val);
lua_setfield(L, -2, s);
free(val);
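Review bot: The added `*q = '\0';` stores one byte beyond the decoded data, so it is only in bounds if val was allocated with room for the terminator; the allocation is above the hunk and should be confirmed to be at least the encoded length plus one. lua_pushstring() also stops at the first NUL, so if the decoder above turns `%00` into a zero byte the value handed to the script is silently truncated. Passing the real length with `lua_pushlstring(L, val, (size_t)(q - val));` would avoid both the truncation and the dependence on the terminator. lua_url_decode() starts outside the hunk.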
Index: src/libexec/httpd/dir-index-bozo.c
diff -u src/libexec/httpd/dir-index-bozo.c:1.19 src/libexec/httpd/dir-index-bozo.c:1.19.4.1
--- src/libexec/httpd/dir-index-bozo.c:1.19 Thu Jan 2 08:21:38 2014
+++ src/libexec/httpd/dir-index-bozo.c Mon Jan 12 10:02:29 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: dir-index-bozo.c,v 1.19 2014/01/02 08:21:38 mrg Exp $ */
+/* $NetBSD: dir-index-bozo.c,v 1.19.4.1 2015/01/12 10:02:29 martin Exp $ */
/* $eterna: dir-index-bozo.c,v 1.20 2011/11/18 09:21:15 mrg Exp $ */
@@ -189,8 +189,8 @@ bozo_dir_index(bozo_httpreq_t *request,
spacebuf[i] = '\0';
bozo_printf(httpd, "%s", spacebuf);
- bozo_printf(httpd, "%7ukB",
- ((unsigned)((unsigned)(sb.st_size) >> 10)));
+ bozo_printf(httpd, "%12llukB",
+ (unsigned long long)sb.st_size >> 10);
}
bozo_printf(httpd, "\r\n");
}