2016-10-05
17:13 rzalamena usr.sbin/httpd/proc.c 1.30
Check if oldd == newd before dup2(), if that is the case we need to remove the CLOEXEC flag ourselves.
ok bluhm@, deraadt@
17:09 reyk usr.sbin/httpd/proc.c 1.29
Call setsid() to create a new session for the executed processes.
From deraadt@ OK rzalamena@
16:58 reyk usr.sbin/httpd/httpd.h 1.121
usr.sbin/httpd/proc.c 1.28
sync proc.c with vmd: add p_pw to specify a non-standard user for a process.
OK rzalamena@
2016-09-28
12:02 reyk usr.sbin/httpd/Makefile 1.29
Add -Wcast-qual after syncing proc.c fix
12:01 reyk usr.sbin/httpd/httpd.c 1.62
usr.sbin/httpd/httpd.h 1.120
usr.sbin/httpd/proc.c 1.27
sync proc.c from switchd, includes minor cast qual fix and removal of p_env.
2016-09-15
20:57 jmc usr.sbin/httpd/httpd.8 1.53
add some Xr for acme-client(1);
2016-09-03
14:44 reyk usr.sbin/httpd/httpd.h 1.119
usr.sbin/httpd/parse.y 1.82
usr.sbin/httpd/proc.c 1.26
Replace [RELAY|SERVER]_MAXPROC with the new PROC_MAX_INSTANCES variable and limit it from 128 to 32 instances (the old value). While here, move a few PROC_ defines around.
OK rzalamena@
10:02 reyk usr.sbin/httpd/proc.c 1.25
Use DPRINTF instead of #ifdef DEBUG + log_debug().
Pointed out by benno@
2016-09-02
11:25 reyk usr.sbin/httpd/httpd.c 1.61
usr.sbin/httpd/httpd.h 1.118
usr.sbin/httpd/proc.c 1.24
proc.c tweaks: Rename proc_listento() to proc_accept() as it is the receiving side of proc_connect(). Move some code from main into proc_init(), the function is now called by parent and children, not just the parent and it is less copy + paste for other daemons.
OK florian@
2016-09-01
16:07 reyk usr.sbin/httpd/config.c 1.48
The fork+exec diff broke "what?!", the ps_what field determines the configuration that has to be initialized in each process and was inherited from the parent instead of setting it everywhere. I'm surprised that it worked.
OK florian
14:50 reyk usr.sbin/httpd/proc.c 1.23
Don't print "lost child" if the child process exited okay. This is the old behaviour and unbreaks the regress tests.
11:13 florian usr.sbin/httpd/httpd.h 1.117
usr.sbin/httpd/server_fcgi.c 1.71
struct client starts to become the kitchen sink. Move fastcgi data to its own struct. Requested by and OK reyk@
10:59 reyk usr.sbin/httpd/control.c 1.11
usr.sbin/httpd/httpd.h 1.116
usr.sbin/httpd/logger.c 1.20
usr.sbin/httpd/proc.c 1.22
usr.sbin/httpd/server_fcgi.c 1.70
spacing
10:57 reyk usr.sbin/httpd/proc.c 1.21
Adjust log message, use process title now that it works again
09:47 rzalamena usr.sbin/httpd/httpd.c 1.60
usr.sbin/httpd/httpd.h 1.115
usr.sbin/httpd/proc.c 1.20
Teach httpd/proc.c how to fork+exec.
This commit implemented the basic functions to proc.c to make it not rely on global variables, malloc()ed memory and CLOEXEC pipes.
Fix child proc titles from reyk@ ok reyk@, florian@
2016-08-30
14:31 rzalamena usr.sbin/httpd/httpd.h 1.114
usr.sbin/httpd/logger.c 1.19
usr.sbin/httpd/proc.c 1.19
usr.sbin/httpd/server.c 1.95
Kill (remove) the ps_pid from privsep struct since it is not being used anymore. Also fix the process initialization prototypes.
ok reyk@
13:46 rzalamena usr.sbin/httpd/httpd.c 1.59
usr.sbin/httpd/proc.c 1.18
Terminate daemon using the socket status instead of watching SIGCHLD or kill()ing child process.
"Looks good to me" millert@ ok benno@
13:37 rzalamena usr.sbin/httpd/httpd.h 1.113
Remove duplicated prototypes from header.
"Looks good to me" natano@
10:54 florian usr.sbin/httpd/httpd.h 1.112
usr.sbin/httpd/server_fcgi.c 1.69
Do not assume that the full http response header is in the first fastcgi stdout record. Keep processing stdout records until we found the header / body separator and only then generate the header response. Problem reported by many.
OK jung@
2016-08-27
11:13 rzalamena usr.sbin/httpd/control.c 1.10
usr.sbin/httpd/httpd.h 1.111
usr.sbin/httpd/logger.c 1.18
usr.sbin/httpd/proc.c 1.17
usr.sbin/httpd/server.c 1.94
Kill p_instance from proc.c and remove static proc_id unused variables.
To keep the debug functionality intact and correct we'll use the pid field in the imsg header to pass the instance number. Remember to always pass 'ps_instance + 1' otherwise libutil will fill imsg header pid field with the imsgbuf pid (which is the current process pid).
ok reyk@
2016-08-26
12:24 rzalamena usr.sbin/httpd/httpd.c 1.58
usr.sbin/httpd/httpd.h 1.110
usr.sbin/httpd/proc.c 1.16
Kill the ps_ninstances from proc.c.
We got the same information in ps_instances[proc] (more accurate) and we avoid allocating unnecessary memory for pipe storage.
ok reyk@
10:46 rzalamena usr.sbin/httpd/httpd.h 1.109
usr.sbin/httpd/logger.c 1.17
usr.sbin/httpd/server.c 1.93
usr.sbin/httpd/server_http.c 1.110
Replace the static env variables with a single global variable.
ok reyk@
2016-08-22
15:02 jsing usr.sbin/httpd/httpd.h 1.108
usr.sbin/httpd/parse.y 1.81
usr.sbin/httpd/server.c 1.92
Enable SNI support in httpd(8).
ok reyk@
2016-08-16
18:41 tedu usr.sbin/httpd/httpd.c 1.57
usr.sbin/httpd/httpd.h 1.107
usr.sbin/httpd/logger.c 1.16
usr.sbin/httpd/server.c 1.91
stop including sys/param.h for nitems. define locally as needed. ok natano reyk
17:10 reyk usr.sbin/httpd/server.c 1.90
Turn "TLS handshake failed -" log message into a debug message - it happens way too often and does not provide much information.
OK jung@
08:36 reyk usr.sbin/httpd/server.c 1.89
Rename server_handshake_tls() to server_tls_handshake() to align with the other server_tls_* functions (and I like the prefix notation better). No functional change.
2016-08-15
16:12 jsing usr.sbin/httpd/httpd.h 1.106
usr.sbin/httpd/parse.y 1.80
usr.sbin/httpd/server.c 1.88
Move server_match() from parse.y to server.c; use env instead of conf, which is actually the same thing (cluebat from reyk@).
14:14 jsing usr.sbin/httpd/config.c 1.47
usr.sbin/httpd/server.c 1.87
Use lowercase 'tls' in debug and log messages for consistency.
Requested by reyk@
13:48 jsing usr.sbin/httpd/httpd.h 1.105
usr.sbin/httpd/parse.y 1.79
usr.sbin/httpd/server.c 1.86
Make httpd stricter with respect to TLS configuration - in particular, do not allow TLS and non-TLS to be configured on the same port, do not allow TLS options to be specified without a TLS listener and ensure that the TLS options are the same when a server is specified on the same address/port. Currently, these configurations are permitted but do not work as intended.
Also factor out and reuse the server matching code, which was previously duplicated.
ok reyk@
2016-08-01
21:15 benno usr.sbin/httpd/http.h 1.14
sync http.h with relayd ok reyk@
2016-07-27
11:02 reyk usr.sbin/httpd/server_http.c 1.109
According to RFC 7231 4.3.7, OPTIONS may have body. "Although this specification does not define any use for such a payload, future extensions to HTTP might use the OPTIONS body to make more detailed queries about the target resource." The future has arrived.
Found and tested by Michael Lechtermann OK benno@
16:35 tag OPENBSD_6_0_BASE added
2016-07-13
16:35 jsing usr.sbin/httpd/httpd.h 1.104
Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release.
Discussed with beck@
2016-06-21
21:35 benno usr.sbin/httpd/parse.y 1.78
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
2016-06-10
18:32 jmc usr.sbin/httpd/httpd.8 1.52
grammar fix; from nick permyakov
12:09 florian usr.sbin/httpd/httpd.c 1.56
& expands to the maximum amount of needed space; fix comment. Pointed out by Frank Schoep, thanks!
2016-05-31
15:28 jsing usr.sbin/httpd/config.c 1.46
Unbreak compilation with -DDEBUG.
From Fabian Raetz <fabian dot raetz at gmail dot com>
2016-05-27
11:24 krw usr.sbin/httpd/server_http.c 1.108
Return "400 Bad Request" instead of "500 Server Internal Error" for requests lacking "HTTP/<version>".
This makes it more obvious that httpd(8) does not attempt to support HTTP v0.9 (circa 1991), when "GET <url>\r\n" was valid.
ok millert@ florian@
2016-05-22
19:20 jung usr.sbin/httpd/server_http.c 1.107
makes sure the value of the asprintf buffer is zeroed on error
from Hiltjo Posthuma
"do." deraadt
19:19 jung usr.sbin/httpd/httpd.c 1.55
fix unbalanced va_start and va_end macros
from Hiltjo Posthuma
"do." deraadt
2016-05-17
03:12 deraadt usr.sbin/httpd/server_file.c 1.62
Repair some file descriptor leaks. ok beck krw millert
2016-05-09
19:36 tj usr.sbin/httpd/httpd.conf.5 1.73
in the http redirect example, also include the requested url instead of just going to the home page.
requested by and ok beck
2016-04-28
22:16 schwarze usr.sbin/httpd/httpd.conf.5 1.72
Avoid unusual Content-Type: even in an example; people might get hurt when doing copy & paste. Patch from Hiltjo Posthuma <hiltjo at codemadness dot org>. OK florian@ jmc@
17:18 jsing usr.sbin/httpd/server.c 1.85
Include the TLS configuration errors in log messages. Also set the certificate and private key at the same time.
14:20 jsing usr.sbin/httpd/config.c 1.45
usr.sbin/httpd/httpd.h 1.103
Simplify TLS configuration handling. Instead of matching by address/port, match by configuration ID. This also prevents a memory leak when there are multiple certificates specified for the same server.
ok beck@
2016-04-24
21:06 jmc usr.sbin/httpd/httpd.conf.5 1.71
new sentence, new line;
20:12 chrisz usr.sbin/httpd/httpd.conf.5 1.70
Document CGI variables. Work done by Tim Baumgard <openbsd@bmgrd.com> I clarified DOCUMENT_URI and SCRIPT_NAME.
ok florian@
20:09 chrisz usr.sbin/httpd/server_fcgi.c 1.68
Always pass QUERY_STRING variable. According to the RFC it is empty when no query string was found. From Tim Baumgard <openbsd@bmgrd.com>o
ok florian@
2016-04-20
12:48 jmc usr.sbin/httpd/httpd.conf.5 1.69
from tim baumgard: a location section may not include hsts; to that, i've added alias and tls
no feedback on this diff, so let's hope i'm right/.
2016-04-19
16:22 jsing usr.sbin/httpd/server.c 1.84
Use log_warnx() instead of log_warn() when the failure will not have resulted in errno being set.
ok reyk@
2016-03-08
09:33 florian usr.sbin/httpd/server_file.c 1.61
usr.sbin/httpd/server_http.c 1.106
Set content charset for auto index generated page. Pointed out and diff by dhill, thanks! Tweaks and same change for error documents by me.
18:20 tag OPENBSD_5_9_BASE added
2016-02-14
18:20 semarie usr.sbin/httpd/patterns.c 1.5
httpd patterns double free
issue and diff from Alexander Schrijver alex at flupzor nl
ok reyk@
2016-02-11
19:30 tim usr.sbin/httpd/server_http.c 1.105
Back out previous; requested by jung@
16:14 tim usr.sbin/httpd/server_http.c 1.104
Include the server port number in the common and combined logs. This is useful to distinguish between http and https requests.
OK florian@ reyk@ a while ago
2016-02-02
17:51 sthen usr.sbin/httpd/httpd.c 1.54
Remove setproctitle() for the parent process. Because rc.d(8) uses process titles (including flags) to distinguish between daemons, this makes it possible to manage multiple copies of a daemon using the normal infrastructure by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@
2015-12-12
19:59 mmcc usr.sbin/httpd/patterns.h 1.3
Remove a needless inclusion of sys/cdefs.h. Inspired by reyk's recent commit doing the same.
2015-12-07
20:30 mmcc usr.sbin/httpd/server_http.c 1.103
No need to check for NULL before free().
16:05 reyk usr.sbin/httpd/proc.c 1.15
Add imsg "peerid" to debug messages (only within -DDEBUG).
12:13 reyk usr.sbin/httpd/log.c 1.10
sync with vmd
2015-12-05
13:15 claudio usr.sbin/httpd/control.c 1.9
usr.sbin/httpd/proc.c 1.14
EAGAIN handling for imsg_read. OK henning@ benno@
2015-12-03
11:46 reyk usr.sbin/httpd/httpd.c 1.53
usr.sbin/httpd/server_http.c 1.102
Remove unnecessary NULL checks before free().
From Jan Schreiber
07:01 deraadt usr.sbin/httpd/httpd.c 1.52
the grammar can prompt DNS lookups, so pledge "dns" also. from Gregor Best, discussed with florian
2015-12-02
15:13 reyk usr.sbin/httpd/config.c 1.44
usr.sbin/httpd/httpd.c 1.51
usr.sbin/httpd/httpd.h 1.102
usr.sbin/httpd/logger.c 1.15
usr.sbin/httpd/proc.c 1.13
usr.sbin/httpd/server.c 1.83
sync with relayd, use proc_compose()
2015-11-23
20:56 reyk usr.sbin/httpd/control.c 1.8
usr.sbin/httpd/httpd.c 1.50
usr.sbin/httpd/httpd.h 1.101
usr.sbin/httpd/proc.c 1.12
usr.sbin/httpd/server.c 1.82
usr.sbin/httpd/server_fcgi.c 1.67
Retire socket_set_blockmode() in favor of the SOCK_NONBLOCK type flag. As done in iked and snmpd.
OK jung@
16:43 reyk usr.sbin/httpd/proc.c 1.11
Sync proc.c with iked.
2015-11-22
13:27 reyk usr.sbin/httpd/httpd.c 1.49
usr.sbin/httpd/httpd.h 1.100
usr.sbin/httpd/log.c 1.9
usr.sbin/httpd/parse.y 1.77
usr.sbin/httpd/proc.c 1.10
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
2015-11-21
13:46 reyk usr.sbin/httpd/log.c 1.8
Once again, fix the license text. After many years, we just cannot get rid of the "LOSS OF MIND" joke. Haha. We keep on removing it and it shows up again because it accidentally gets synced from somewhere else. bgpd and ospfd don't have it anymore, but their offsprings still carry it. If you see it, remove it, and, in the OpenBSD ISC case, use the original text from /usr/share/misc/license.template. All authors agree.
12:40 reyk usr.sbin/httpd/httpd.c 1.48
usr.sbin/httpd/httpd.h 1.99
usr.sbin/httpd/log.c 1.7
Move local logging functions into httpd.c, and sync log.c with relayd - both daemons are now sharing the same file. No functional changes.
2015-11-19
21:32 mmcc usr.sbin/httpd/httpd.c 1.47
Simplify all instances of get_string() and get_data() using malloc() and strndup().
ok millert@
2015-11-05
18:00 florian usr.sbin/httpd/httpd.c 1.46
usr.sbin/httpd/logger.c 1.14
usr.sbin/httpd/server.c 1.81
pledge(2) for httpd.
1) The main process listens on sockets and accepts connections. It creates and opens log files, creates and kills child processes. On start up and on receiving a HUP signal it parses the configuration. It passes on file descriptors for logging or requests to it's children. 2) The logger process writes log messages to a file descriptor passed in from the main process. 3) The server process reads the request from a file descriptor passed in from the main process. It reads a file or creates a directory index to send a response. Additionally this process handles fastcgi requests. It connects to AF_UNIX, AF_INET or AF_INET6 sockets. A re-factoring might make it possible to drop the additional fastcgi privileges when only static files are served.
with deraadt@ some time ago prodding & OK deraadt@ tweaks and OK reyk@
2015-10-31
10:10 jung usr.sbin/httpd/httpd.c 1.45
revert -r1.42 as it breaks slowcgi and php-fpm setups as reported by jturner
2015-10-28
15:50 mmcc usr.sbin/httpd/httpd.c 1.44
Remove a few more NULL-checks before free.
15:45 mmcc usr.sbin/httpd/httpd.c 1.43
While I'm in here, drop a NULL-check before free.
2015-10-26
11:03 jung usr.sbin/httpd/httpd.c 1.42
fix PATH_INFO for / requests
diff from Denis Fondras
ok reyk
2015-10-14
08:02 reyk usr.sbin/httpd/httpd.c 1.41
Two more char -> unsigned char in ctype functions.
2015-10-13
08:33 sunil usr.sbin/httpd/server_http.c 1.101
Plug a leak.
Ok gilles@, reyk@
07:57 reyk usr.sbin/httpd/httpd.c 1.40
usr.sbin/httpd/server_http.c 1.100
Pass unsigned chars to ctype functions.
From Michael McConville
2015-10-08
09:40 jsg usr.sbin/httpd/server_fcgi.c 1.66
fix an fd leak if socket connection fails; from Carlin Bingham ok reyk@
09:32 jsg usr.sbin/httpd/server_fcgi.c 1.65
fix a typo; from Carlin Bingham
2015-09-11
13:21 jsing usr.sbin/httpd/server.c 1.80
Fix server_handshake_tls() - we should only call server_input() in the case where the handshake has successfully completed.
ok beck@
2015-09-10
13:53 beck usr.sbin/httpd/server.c 1.79
fix return type for tls_read/write jointly with jsing@
10:42 beck usr.sbin/httpd/server.c 1.78
fix after libtls api changes ok jsing@
10:15 jsing usr.sbin/httpd/server.c 1.77
Update httpd to call tls_handshake() after tls_accept_socket().
ok beck@
2015-09-07
14:46 reyk usr.sbin/httpd/httpd.h 1.98
usr.sbin/httpd/server.c 1.76
usr.sbin/httpd/server_http.c 1.99
Fix a regression that was introduced with server.c r1.64: Do NOT free srv_conf->auth in serverconfig_free() because it was not allocated in config_getserver() but assigned as a reference by id from a global list that is maintained independently. This fixes a potential double-free. This fix also makes srv_conf->auth "const" to emphasize that the read-only auth pointer was not allocated here.
OK jsing@
2015-08-21
07:30 reyk usr.sbin/httpd/server_http.c 1.98
The WebDAV MOVE method was not included in the switch statement handling the HTTP methods in server_http.c which resulted in a 405 method not allowed error when trying to use it.
Fix by jaminh on github
2015-08-20
22:39 deraadt usr.sbin/httpd/parse.y 1.76
stdlib.h is in scope; do not cast malloc/calloc/realloc* ok millert krw
13:00 reyk usr.sbin/httpd/config.c 1.43
usr.sbin/httpd/httpd.c 1.39
usr.sbin/httpd/httpd.h 1.97
usr.sbin/httpd/log.c 1.6
usr.sbin/httpd/logger.c 1.13
usr.sbin/httpd/parse.y 1.75
usr.sbin/httpd/proc.c 1.9
usr.sbin/httpd/server.c 1.75
usr.sbin/httpd/server_fcgi.c 1.64
usr.sbin/httpd/server_http.c 1.97
Change httpd(8) to use C99-style fixed-width integers (uintN_t instead of u_intN_t) and replace u_int with unsigned int. Mixing both variants is a bad style and most contributors seem to prefer this style; it also helps us to get used to it, portability, and standardization.
Theoretically no binary change, except one in practice: httpd.o has a different checksum because gcc with -O2 pads/optimizes "struct privsep" differently when using "unsigned int" instead "u_int" for the affected members. "u_int" is just a typedef of "unsigned int", -O0 doesn't build the difference and clang with -O2 doesn't do it either - it is just another curiosity from gcc-land.
OK semarie@
2015-08-19
21:26 reyk usr.sbin/httpd/parse.y 1.74
spacing
2015-08-18
08:26 reyk usr.sbin/httpd/patterns.c 1.4
str_match() checked the return value of str_find_aux() incorrectly: it might return a negative number; the return value of match_error() which returns (-1). This was technically a bug, and it exists in 5.8, but there is no impact because the error is correctly catched with the returned non-NULL error string.
Found by Leandro Pereira
11:45 tag OPENBSD_5_8_BASE added
2015-08-03
11:45 florian usr.sbin/httpd/httpd.h 1.96
usr.sbin/httpd/server.c 1.74
usr.sbin/httpd/server_fcgi.c 1.63
usr.sbin/httpd/server_file.c 1.60
Fix rev 1.70 of server.c by only re-enabling the bufferevent if we previously disabled it because we were reading to fast (from disk). Problem noted and tracked down to that commit by weerd@ and independently by stsp@. Tested by weerd@, stsp@, reyk@ OK bluhm@, reyk@
2015-07-31
00:10 benno usr.sbin/httpd/httpd.h 1.95
usr.sbin/httpd/server_fcgi.c 1.62
usr.sbin/httpd/server_http.c 1.96
repair hsts header output, wrong format strings caused broken Strict-Transport-Security headers. Add __format__ attribute to kv_set() and kv_setkey() to make it easier to spot such problems.
Found by and fix from Donovan Watteau <tsoomi -AT- gmail -DOT- com>, thanks for your help.
ok deraadt@
2015-07-29
22:03 reyk usr.sbin/httpd/httpd.h 1.94
usr.sbin/httpd/server.c 1.73
usr.sbin/httpd/server_fcgi.c 1.61
usr.sbin/httpd/server_http.c 1.95
backout the previous: it broke wordpress somehow. we need more care to find a proper fix for the fastcgi headers.
acknowledged by deraadt@
20:03 florian usr.sbin/httpd/httpd.h 1.93
usr.sbin/httpd/server.c 1.72
usr.sbin/httpd/server_fcgi.c 1.60
usr.sbin/httpd/server_http.c 1.94
Read fcgi response records until we have the whole http header and can parse it. Otherwise http headers can leak into the body. Pointed out by Jean-Philippe Ouellet on bugs@ Thanks! OK reyk, commit ASAP deraadt@
2015-07-28
10:13 florian usr.sbin/httpd/server_fcgi.c 1.59
add HSTS to fcgi responses OK reyk
2015-07-23
09:36 semarie usr.sbin/httpd/server_http.c 1.93
The realm in authenticate directive of config file isn't escaped for '"' char. The diff corrects this problem by using VIS_DQ.
ok reyk@ florian@
2015-07-20
11:38 semarie usr.sbin/httpd/server_file.c 1.59
ensure http_path is escaped before using it in Location redirection.
OK reyk@
2015-07-19
16:34 blambert usr.sbin/httpd/server_fcgi.c 1.58
handle error returns from bufferevent_write()
ok florian@
05:17 reyk usr.sbin/httpd/config.c 1.42
usr.sbin/httpd/httpd.conf.5 1.68
usr.sbin/httpd/httpd.h 1.92
usr.sbin/httpd/parse.y 1.73
usr.sbin/httpd/server_http.c 1.92
For the completeness of HSTS, add the non-standard preload option.
OK florian@
2015-07-18
22:42 blambert usr.sbin/httpd/server_fcgi.c 1.57
remove XXX and handle error return from evbuffer_add()
ok florian@
22:19 reyk usr.sbin/httpd/httpd.h 1.91
usr.sbin/httpd/server.c 1.71
libtls has been changed to set SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default. This gives tls_write() a similar short write semantics as write(2) and a workaround in httpd to cope with the previous differences can be removed. Specifically, httpd can stop copying data into a local buffer that was used to keep it around for repeated writes.
OK bluhm@
16:42 blambert usr.sbin/httpd/server_fcgi.c 1.56
treat asprintf failure in REQUEST_URI case as a fatal error
ok florian@
14:36 kili usr.sbin/httpd/server_file.c 1.58
Fix check against NULL which was reverted by accident in r1.56.
ok reyk@
09:29 jmc usr.sbin/httpd/httpd.conf.5 1.67
tweak previous;
06:00 reyk usr.sbin/httpd/config.c 1.41
usr.sbin/httpd/httpd.c 1.38
usr.sbin/httpd/httpd.conf.5 1.66
usr.sbin/httpd/httpd.h 1.90
usr.sbin/httpd/parse.y 1.72
usr.sbin/httpd/server_file.c 1.57
usr.sbin/httpd/server_http.c 1.91
Allow to change the default media type globally or per-location, eg. default type text/html.
OK florian@
05:41 florian usr.sbin/httpd/config.c 1.40
usr.sbin/httpd/httpd.conf.5 1.65
usr.sbin/httpd/httpd.h 1.89
usr.sbin/httpd/parse.y 1.71
usr.sbin/httpd/server_http.c 1.90
Implement HTTP Strict Transport Security (HSTS). Input & OK reyk
2015-07-17
21:53 reyk usr.sbin/httpd/server_file.c 1.56
Adjust server_file_modified_since() to our style. Please keep httpd clean.
20:44 reyk usr.sbin/httpd/server_fcgi.c 1.55
According to RFC 3875 PATH_INFO should either contain a full path or be empty (""). It was not set at all when there is nothing to set which caused problems with some FastCGI applications (like Flask/Python through uWSGI).
From hrkfdn via github
2015-07-16
19:05 reyk usr.sbin/httpd/parse.y 1.70
usr.sbin/httpd/server_file.c 1.55
usr.sbin/httpd/server_http.c 1.89
spacing
16:29 florian usr.sbin/httpd/httpd.h 1.88
usr.sbin/httpd/server.c 1.70
If we can read faster from disk than send data to the client stop reading from disk when we hold a certain amount of data in RAM. Re-enable reading once we send enough data to the client. Otherwise we might end up with the whole file (which can be huge) in RAM. Reported by Matthew Martin ( matt.a.martin AT gmail ) on bugs@, thanks! OK reyk@, benno@
04:46 reyk usr.sbin/httpd/httpd.h 1.87
VIS_QUOTE is not there yet, unbreak the tree. Noticed by semarie@
2015-07-15
23:16 reyk usr.sbin/httpd/httpd.h 1.86
usr.sbin/httpd/server.c 1.69
usr.sbin/httpd/server_http.c 1.88
Escape the message in server_log() as well.
OK benno@
22:23 reyk usr.sbin/httpd/server_http.c 1.87
For some values like the User-Agent, use vis(3) instead of url_encode(). This makes the output more readable and matches Apache's log encoding.
OK sthen@ brynet@
17:52 reyk usr.sbin/httpd/server_http.c 1.86
Simplify the error path of the previous commit: by using ret = -1 by default and only setting it to 0 on success, we don't have to set it in each error case. While here, also remove two superfluous NULL checks (as pointed out by semarie).
OK semarie@
17:29 jsing usr.sbin/httpd/server.c 1.68
Close connections that fail to complete a TLS handshake.
Based on a diff from Jack Burton <jack at saosce dot com dot au>.
ok reyk@
17:14 jsing usr.sbin/httpd/parse.y 1.69
Unbreak configurations that have a non-TLS listen statement followed by a TLS listen statement. A bug was introduced in r1.68 of parse.y, which results in flags being directly copied from the parent, meaning that the TLS flag for the second server gets lost.
ok reyk@
17:11 jsing usr.sbin/httpd/server.c 1.67
Fix typo in comment.
17:10 jsing usr.sbin/httpd/httpd.conf.5 1.64
Document default locations for TLS certificate and key.
ok reyk@
16:02 semarie usr.sbin/httpd/server_http.c 1.85
httpd don't sanitize variables before putting them in logs. It is possible for an attacker to push arbitaries characters in logs (newline for forging entries, or some control escaping interpreted by terminal emulator).
OK reyk@
16:00 jsing usr.sbin/httpd/config.c 1.39
usr.sbin/httpd/httpd.h 1.85
usr.sbin/httpd/server.c 1.66
Send the TLS certificate and key via separate imsgs, rather than including them in the IMSG_CFG_SERVER imsg. This allows the certificate and key to each be almost 16KB (the maximum size for an imsg), rather than having a combined total of less than 16KB (which can be reached with large keys, certificate bundles or by including text versions of certificates).
ok reyk@
14:49 jsing usr.sbin/httpd/server.c 1.65
Explicitly check for and handle EOF on a TLS connection.
ok reyk@
14:39 jsing usr.sbin/httpd/config.c 1.38
usr.sbin/httpd/server.c 1.64
Fix memory leaks that can occur when config_getserver() fails.
config.c r1.34 and r1.30 introduced potential memory leaks for auth and return_uri when config_getserver fails. Fix this by switching to serverconfig_free() and adding the missing free for srv_conf->auth. While here, make serverconfig_free() a little more bulletproof by explicit_bzero()ing key material.
ok reyk@
2015-06-30
19:01 jmc usr.sbin/httpd/patterns.7 1.5
new sentence, new line; my apologies to semarie for not pointing this out when he asked for an ok...
08:28 semarie usr.sbin/httpd/patterns.7 1.4
Add a small paragraph about some difference with Lua implementation. Suggestion from Theo Buehler.
OK jmc@ reyk@
2015-06-27
04:22 semarie usr.sbin/httpd/patterns.7 1.3
Corrects the manpage for patterns(7): the indexing for empty capture follow C-style (starting from 0) and not the Lua-style (starting from 1).
Patch from Theo Buehler.
OK reyk@
2015-06-26
17:26 semarie usr.sbin/httpd/patterns.h 1.2
move #include inside #ifndef PATTERNS_H
OK reyk@
10:07 semarie usr.sbin/httpd/patterns.c 1.3
Corrects some minors nits. Patch from Theo Buehler.
- cleanup in included headers (removing unsed assert.h, and reorder) - one remaining '%%' in an error string corrected in '%'
while here, add sys/types.h for off_t type.
OK reyk@
2015-06-23
17:29 jmc usr.sbin/httpd/httpd.conf.5 1.63
usr.sbin/httpd/patterns.7 1.2
various tweaks;
17:25 semarie usr.sbin/httpd/server_http.c 1.84
escape the matched substrings before using it in expansion.
ok reyk@
15:35 semarie usr.sbin/httpd/patterns.c 1.2
remove a deprecated character class.
it was deprecated in lua code, but here the code is new. The documentation don't mention it either.
ok reyk@
15:23 reyk usr.sbin/httpd/Makefile 1.28
usr.sbin/httpd/httpd.conf.5 1.62
usr.sbin/httpd/httpd.h 1.84
usr.sbin/httpd/parse.y 1.68
usr.sbin/httpd/patterns.7 1.1
usr.sbin/httpd/patterns.c 1.1
usr.sbin/httpd/patterns.h 1.1
usr.sbin/httpd/server_http.c 1.83
Add initial support for pattern matching using Lua's pattern matching code.
With important help on the pattern matcher from semarie@
OK semarie@
2015-06-22
11:46 reyk usr.sbin/httpd/server_http.c 1.82
After the last change, we also have to url_encode $SERVER_NAME and $REMOTE_USER before using them in the Location.
From Sebastien Marie (semarie)
2015-06-21
13:08 reyk usr.sbin/httpd/server_http.c 1.81
When encoding the Location url, only encode the query and path elements from the user input and not the constants from the configuration. This makes it possible to specify chars like '?' in the uri.
OK Sebastien Marie
2015-06-11
18:49 reyk usr.sbin/httpd/http.h 1.13
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
2015-06-09
08:50 jung usr.sbin/httpd/server_fcgi.c 1.54
plug fd leak found by Todd Mortimer
ok claudio deraadt florian
2015-06-03
02:24 millert usr.sbin/httpd/httpd.c 1.37
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
2015-05-28
19:29 jmc usr.sbin/httpd/httpd.conf.5 1.61
use "uri"; from yegor timoschenko
17:08 florian usr.sbin/httpd/control.c 1.7
usr.sbin/httpd/httpd.c 1.36
Do not try to unlink the control socket in an unprivileged child process on shutdown. Found while working on tame(2). OK benno@
2015-05-20
09:28 kettenis usr.sbin/httpd/httpd.h 1.83
usr.sbin/httpd/server_http.c 1.80
Use off_t instead of size_t to pass file size and print it using %lld when constructing the Content-Length header field. Should fix some, but probably not all, problems with serving files bigger than 2G on 32-bit architectures.
ok reyk@, florian@
2015-05-19
18:16 sobrado usr.sbin/httpd/httpd.conf.5 1.60
better spacing in media types.
ok reyk@
18:12 sobrado usr.sbin/httpd/httpd.conf.5 1.59
sort media type extensions for text/html and image/jpeg as given in /usr/share/misc/mime.types; do not include shtml as it is for Server Side Includes (SSI) -- we will never do SSI.
joint work with reyk@
ok reyk@
18:03 sobrado usr.sbin/httpd/httpd.conf.5 1.58
drop comment about being possible to include /etc/nginx/mime.types, we do not have to care about nginx anymore.
ok jmc@ (who thinks previously suggested removing it), and reyk@
2015-05-05
11:10 florian usr.sbin/httpd/server_file.c 1.54
Implement If-Modified-Since. From Kyle Thompson <jmp AT giga DOT moe>. Tweaks by me. OK benno@
2015-05-03
18:39 florian usr.sbin/httpd/server_file.c 1.53
usr.sbin/httpd/server_http.c 1.79
Implement byte ranges. From Sunil Nimmagadda <sunil At nimmagadda DOT net> OK benno@
2015-04-30
22:18 sthen usr.sbin/httpd/server.c 1.60.2.1
usr.sbin/httpd/server.c 1.39.2.2
MFC usr.sbin/httpd/server.c:1.62->1.63, req by florian@
We cannot log errors with server_close() before allocating clt_log evbuffer. server_close() calls server_log() which uses ctl_log. Crash reported by Daniel Jakots <vigdis AT chown DOT me>, thanks! OK benno
2015-04-25
14:40 florian usr.sbin/httpd/server_file.c 1.52
Prepend files or directories containing ":" with "./" in directory indexes as per RFC 3986: A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative- path reference.
While here add a "/" to the end of directory names, this saves us one redirect round trip.
Found the hard way & "functionality wise, OK" ajacoutot@ RFC pointer & OK benno@
2015-04-23
16:59 florian usr.sbin/httpd/server.c 1.63
We cannot log errors with server_close() before allocating clt_log evbuffer. server_close() calls server_log() which uses ctl_log. Crash reported by Daniel Jakots <vigdis AT chown DOT me>, thanks! OK benno
2015-04-18
09:27 jsg usr.sbin/httpd/server_http.c 1.78
Regis Leroy reported that httpd does not strictly accept CRLF for newlines which could lead to http response splitting/smuggling if a badly behaved proxy is in front of httpd.
Switch from evbuffer_readline() to evbuffer_readln() with EVBUFFER_EOL_CRLF_STRICT to avoid this.
ok florian@
2015-04-11
14:52 jsing usr.sbin/httpd/config.c 1.37
usr.sbin/httpd/logger.c 1.12
usr.sbin/httpd/server.c 1.62
Always check the return value of proc_composev_imsg() and handle failures appropriately. Otherwise imsg construction can silently fail, resulting in non-obvious problems.
Found the hard way by Theodore Wynnychenko.
ok doug@ florian@
2015-04-09
16:48 florian usr.sbin/httpd/server_http.c 1.77
Revert previous as this breaks stuff. I fscked up the testing, sorry! Found the hard way by jsg@
2015-04-08
19:39 florian usr.sbin/httpd/server_http.c 1.76
Do not silently accept multiple Content-Length headers. Pointed out by Regis Leroy (regis.leroy AT makina-corpus DOT com), thanks! Tweak and OK reyk@
2015-04-01
04:51 jsg usr.sbin/httpd/parse.y 1.67
Zero the tls cert/key length variables when inheriting a server configuration for multiple listen statements in a server block. Otherwise httpd will crash when a listen statement with tls is followed by a listen statement without tls.
Problem reported by Kent Fritz on misc.
ok jsing@ looks good deraadt@
2015-03-26
19:16 jmc usr.sbin/httpd/httpd.8 1.51
usr.sbin/httpd/httpd.conf.5 1.57
pointers to slowcgi(8); from alexei malinin
09:01 florian usr.sbin/httpd/server_fcgi.c 1.53
Allow more characters in CGI environment variables as specified by RFC 7230 and RFC 3875. sthen@ suggested to add a comment to explain where the list of characters is coming from. Found the hard way and initial diff from Tim van der Molen (tbvdm at xs4all), thanks! Some more allowed characters added by me. OK sthen@
2015-03-15
22:08 florian usr.sbin/httpd/httpd.h 1.82
usr.sbin/httpd/server.c 1.61
Prevent use after free. While here unconditionally free clt and move declaration of server_inflight_dec() into server.c Found while investigating if (foo != NULL) free(foo) patterns pointed out by Markus Elfring. OK reyk
2015-03-11
21:52 reyk usr.sbin/httpd/httpd.conf.5 1.56
Wrap long line. This is another airplane commit from an 747-8 somewhere over Siberia and I think I'm just getting into minor turbulences.
2015-03-09
15:51 reyk usr.sbin/httpd/httpd.conf.5 1.55
Document the TLSv1.2-only change.
Figured out sthen@
15:46 reyk usr.sbin/httpd/parse.y 1.66
Make httpd TLSv1.2-only by default. Some older browsers, like IE 10, will be incompatible with this change. We do this early in the release cycle, so there is a good chance to get more experience with the impact of it and the upcoming restricted cipher modes.
OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@
05:10 tag OPENBSD_5_7_BASE added
2015-03-06
05:10 reyk usr.sbin/httpd/httpd.conf.5 1.54
Fix minor manpage bug: it is a server, not a relay.
OK deraadt@
2015-02-24
07:56 bentley usr.sbin/httpd/httpd.8 1.50
Mark up filenames with Pa.
ok reyk@
2015-02-23
19:22 chrisz usr.sbin/httpd/server_fcgi.c 1.52
Use the rewritten (index file appended) uri as DOCUMENT_URI.
OK florian@
18:43 reyk usr.sbin/httpd/httpd.c 1.35
usr.sbin/httpd/httpd.conf.5 1.53
usr.sbin/httpd/httpd.h 1.81
usr.sbin/httpd/server_http.c 1.75
Allow to specify CGI variables as macros in redirection strings, eg. block return 301 "http://www.example.com/$REQUEST_URI"
OK tedu@ florian@
11:48 reyk usr.sbin/httpd/config.c 1.36
Fix an issues that was found by halex@: we didn't set the return_uri in non-location virtual hosts. Add comments clarify the variable-length values.
OK halex@
10:39 reyk usr.sbin/httpd/Makefile 1.27
Add -O0 to the DEBUG example. Figured out while analysing core dumps with halex@. No binary change - it is commented out.
09:52 reyk usr.sbin/httpd/server.c 1.60
Add return_uri to serverconfig_reset() to avoid using garbage from the imsg buffer.
Debugging & OK halex@
2015-02-19
09:19 florian usr.sbin/httpd/httpd.conf.5 1.52
Typo. From Navan Carson, thanks!
2015-02-15
13:43 jsing usr.sbin/httpd/httpd.conf.5 1.51
Document the tls protocols option.
2015-02-12
10:05 reyk usr.sbin/httpd/httpd.c 1.34
usr.sbin/httpd/httpd.h 1.80
usr.sbin/httpd/server_file.c 1.51
Rename escape_uri() to url_encode() because it is the opposite of url_decode(). No functional change.
04:40 jsing usr.sbin/httpd/httpd.h 1.79
usr.sbin/httpd/parse.y 1.65
usr.sbin/httpd/server.c 1.59
Allow TLS protocols to be specified via a "tls protocols" configuration option.
ok reyk@
04:23 jsing usr.sbin/httpd/server.c 1.58
Change TLS_PROTOCOLS_DEFAULT to be TLSv1.2 only. Add a TLS_PROTOCOLS_ALL that includes all currently supported protocols (TLSv1.0, TLSv1.1 and TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they maintain existing behaviour.
Discussed with tedu@ and reyk@.
2015-02-11
12:52 florian usr.sbin/httpd/http.h 1.12
More http status codes. OK benno@, reyk@
2015-02-10
08:12 florian usr.sbin/httpd/httpd.c 1.33
usr.sbin/httpd/httpd.h 1.78
usr.sbin/httpd/server_file.c 1.50
Encode directory listings. Problem pointed out by remco AT d-compu.dyndns.org some time ago. Input / OK reyk@
2015-02-08
04:50 reyk usr.sbin/httpd/parse.y 1.64
Use AI_ADDRCONFIG when resolv hosts on startup.
OK henning@
2015-02-07
23:59 reyk usr.sbin/httpd/server_http.c 1.73
usr.sbin/httpd/httpd.c 1.32
usr.sbin/httpd/logger.c 1.11
usr.sbin/httpd/parse.y 1.63
usr.sbin/httpd/server_file.c 1.49
usr.sbin/httpd/server_http.c 1.74
spacing
23:56 reyk usr.sbin/httpd/config.c 1.35
usr.sbin/httpd/httpd.h 1.77
usr.sbin/httpd/server.c 1.57
Remove server_load_file() in favor of tls_load_file(3)
08:12 jmc usr.sbin/httpd/httpd.conf.5 1.50
double word fix;
06:46 jsing usr.sbin/httpd/httpd.conf.5 1.49
Document tls dhe and tls ecdhe options.
06:26 jsing usr.sbin/httpd/httpd.h 1.76
usr.sbin/httpd/parse.y 1.62
usr.sbin/httpd/server.c 1.56
Add httpd configuration options to allow the specification of DHE parameters and the ECDHE curve. This primarily allows for DHE cipher suites to be enabled.
ok reyk@
01:23 reyk usr.sbin/httpd/config.c 1.34
usr.sbin/httpd/httpd.conf.5 1.48
usr.sbin/httpd/httpd.h 1.75
usr.sbin/httpd/parse.y 1.61
usr.sbin/httpd/server.c 1.55
usr.sbin/httpd/server_http.c 1.72
Add support for blocking, dropping, and redirecting requests.
OK florian@
2015-02-06
13:05 reyk usr.sbin/httpd/httpd.h 1.74
usr.sbin/httpd/parse.y 1.60
usr.sbin/httpd/server_http.c 1.71
Fix log options in locations.
Reported and tested by Markus Bergkvist OK florian@
2015-02-05
10:47 reyk usr.sbin/httpd/server_http.c 1.70
Fix potential NULL pointer dereference.
10:46 reyk usr.sbin/httpd/config.c 1.33
Add missing error case to free allocated server_config on failure.
2015-01-29
08:52 reyk usr.sbin/httpd/parse.y 1.59
Fix a regression that removed support for using service names instead of ports. It is now possible to use "listen on * port www" again.
Found by ajacoutot@ OK ajacoutot@ blambert@
2015-01-21
22:23 reyk usr.sbin/httpd/httpd.h 1.73
usr.sbin/httpd/server_fcgi.c 1.51
Ooops, no need to include sys/cdefs.h.
Pointed out by florian@
22:21 reyk usr.sbin/httpd/config.c 1.32
usr.sbin/httpd/control.c 1.6
usr.sbin/httpd/httpd.c 1.31
usr.sbin/httpd/httpd.h 1.72
usr.sbin/httpd/log.c 1.5
usr.sbin/httpd/logger.c 1.10
usr.sbin/httpd/parse.y 1.58
usr.sbin/httpd/proc.c 1.8
usr.sbin/httpd/server.c 1.54
usr.sbin/httpd/server_fcgi.c 1.50
usr.sbin/httpd/server_file.c 1.48
usr.sbin/httpd/server_http.c 1.69
httpd is based on relayd and had included many headers that are only needed by its ancestor. jsg@, include-what-you-use, and some manual review helped to cleanup the headers (take iwyu with a grain of salt). Based on common practice, httpd.h now also includes the necessary headers for itself.
OK florian@
2015-01-19
21:07 reyk usr.sbin/httpd/config.c 1.31
usr.sbin/httpd/parse.y 1.57
No need to include pfvar.h, another leftover from relayd. It was also used for portrange operators which weren't used in httpd.
OK florian@
20:01 florian usr.sbin/httpd/server_http.c 1.68
Log the remote user in the access.log. Pointed out by, tweak & OK reyk@
20:00 florian usr.sbin/httpd/httpd.h 1.71
usr.sbin/httpd/server_fcgi.c 1.49
usr.sbin/httpd/server_http.c 1.67
s/clt_fcgi_remote_user/clt_remote_user/ OK reyk@
19:37 reyk usr.sbin/httpd/config.c 1.30
usr.sbin/httpd/httpd.c 1.30
usr.sbin/httpd/httpd.conf.5 1.47
usr.sbin/httpd/httpd.h 1.70
usr.sbin/httpd/parse.y 1.56
usr.sbin/httpd/server.c 1.53
usr.sbin/httpd/server_fcgi.c 1.48
usr.sbin/httpd/server_http.c 1.66
Decouple auth parameters from struct server_config into struct auth.
OK florian@
2015-01-18
18:39 florian usr.sbin/httpd/httpd.conf.5 1.46
tweak previous with help from jmc@
14:01 florian usr.sbin/httpd/httpd.conf.5 1.45
usr.sbin/httpd/httpd.h 1.69
usr.sbin/httpd/parse.y 1.55
usr.sbin/httpd/server_fcgi.c 1.47
usr.sbin/httpd/server_http.c 1.65
First stab at implementing basic auth. Currently the htpasswd file needs to be in the chroot; will hopefully improved soonish. Based on a diff from Oscar Linderholm many months ago but turned into a complete rewrite. input/OK reyk@
2015-01-16
06:40 deraadt usr.sbin/httpd/httpd.c 1.29
usr.sbin/httpd/httpd.h 1.68
usr.sbin/httpd/logger.c 1.9
usr.sbin/httpd/parse.y 1.54
usr.sbin/httpd/server.c 1.52
usr.sbin/httpd/server_fcgi.c 1.46
usr.sbin/httpd/server_file.c 1.47
usr.sbin/httpd/server_http.c 1.64
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2015-01-13
09:21 reyk usr.sbin/httpd/config.c 1.29
usr.sbin/httpd/http.h 1.11
usr.sbin/httpd/httpd.conf.5 1.44
usr.sbin/httpd/httpd.h 1.67
usr.sbin/httpd/parse.y 1.53
usr.sbin/httpd/server.c 1.51
usr.sbin/httpd/server_file.c 1.46
usr.sbin/httpd/server_http.c 1.63
bump copyright year
08:54 reyk usr.sbin/httpd/server_fcgi.c 1.45
Abort if fcgi_chunked is not true to avoid sending additional garbage after the response.
Found by Erik Lax
ok florian@
2015-01-07
16:57 reyk usr.sbin/httpd/http.h 1.10
SVG is common enough to add it to the default types.
11:04 reyk usr.sbin/httpd/parse.y 1.52
Relax configuration list parsing to allow multi-line blocks for tls, root, tcp etc.
Based on a diff from Nathanael Rensen. OK florian@
2015-01-06
17:55 stsp usr.sbin/httpd/server_file.c 1.45
Make httpd return "404 not found" if an intermediate component of a requested file path does not exist rather than returning "500 internal server error". ok reyk
17:48 reyk usr.sbin/httpd/server_http.c 1.62
I missed one goto abort instead of free(line).
Found by Fabian Raetz at gmail
14:07 reyk usr.sbin/httpd/config.c 1.28
usr.sbin/httpd/parse.y 1.51
usr.sbin/httpd/server.c 1.50
Only open a socket once for each unique "listen on" statement. This prevents running out of file descriptors when loading a configuration with many aliases.
OK florian@
13:48 reyk usr.sbin/httpd/server_http.c 1.61
Instead of calling free(line) in each error case, call it once in fail:.
From Fabian Raetz at gmail
13:38 reyk usr.sbin/httpd/server_http.c 1.60
Return "400 Bad Request" instead of "500 Internal Server Error" for unknown/invalid HTTP requests.
From Fabian Raetz at gmail
2015-01-05
11:03 reyk usr.sbin/httpd/httpd.conf.5 1.43
Be more specific: path is a component of the URI/URL, so use "path" instead of "URI" or "URL" when referring to it.
2015-01-04
22:23 chrisz usr.sbin/httpd/httpd.conf.5 1.42
usr.sbin/httpd/httpd.h 1.66
usr.sbin/httpd/parse.y 1.50
usr.sbin/httpd/server_fcgi.c 1.44
usr.sbin/httpd/server_file.c 1.44
usr.sbin/httpd/server_http.c 1.59
add new url stripping option:
strip number Strip number path components from the beginning of the request URI before looking up the stripped-down URI at the document root.
reviewed with much patience and OK by reyk@
2015-01-03
23:54 reyk usr.sbin/httpd/parse.y 1.49
Reset tls key and cert to NULL when duplicating a server - avoids a possible double free in the error path of the parser.
Found by + OK doug@
16:20 reyk usr.sbin/httpd/parse.y 1.48
Tweak previous - add a missing free in the error path.
15:49 reyk usr.sbin/httpd/config.c 1.27
usr.sbin/httpd/httpd.conf.5 1.41
usr.sbin/httpd/parse.y 1.47
Support alias names and multiple listen statements per server block. The implementation is done in the parser by expanding each alias/listen into an independent server configuration; this makes it easier to handle internally without adding additional loops or conditions.
OK florian@
2015-01-02
19:09 reyk usr.sbin/httpd/httpd.h 1.65
Bump config flags field to 32bits. Makes room for future changes - but no functional change yet.
2015-01-01
14:15 reyk usr.sbin/httpd/server_file.c 1.43
usr.sbin/httpd/server_http.c 1.58
Use the HTML5 doctype for error and auto index pages because it is shorter, newer, and the recommendation. From James Jerkins.
Exclude the charset for now because it is not explicitly handled by httpd.
OK validator.w3.org (This document was successfully checked as HTML5!)
2014-12-28
13:53 reyk usr.sbin/httpd/httpd.conf.5 1.40
Change the default example from "listen on egress" to "listen on *". Listening on the egress group only works if you have a default route; this confused some people.
2014-12-21
00:54 guenther usr.sbin/httpd/config.c 1.26
usr.sbin/httpd/control.c 1.5
usr.sbin/httpd/log.c 1.4
usr.sbin/httpd/logger.c 1.8
usr.sbin/httpd/parse.y 1.46
usr.sbin/httpd/proc.c 1.7
usr.sbin/httpd/server.c 1.49
usr.sbin/httpd/server_fcgi.c 1.43
usr.sbin/httpd/server_file.c 1.42
usr.sbin/httpd/server_http.c 1.57
Stop pulling in <arpa/inet.h> or <arpa/nameser.h> when unnecessary. *Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@
2014-12-18
10:18 reyk usr.sbin/httpd/httpd.conf.5 1.39
Document * and :: to listen on all IPv4 or IPv6 addresses.
10:10 reyk usr.sbin/httpd/parse.y 1.45
Accept * as an alias for the default ipv4 listen address.
OK jsg@
09:00 reyk usr.sbin/httpd/httpd.conf.5 1.38
"tcp nodelay" shouldn't be discussing relaying SSH; this was a remnant from relayd.conf.5.
From Ross L Richardson
2014-12-16
03:35 millert usr.sbin/httpd/proc.c 1.6
Replace setpgrp(0, getpid()) with setpgid(0, 0). OK deraadt@ tedu@
2014-12-12
14:45 reyk usr.sbin/httpd/config.c 1.25
usr.sbin/httpd/httpd.8 1.49
usr.sbin/httpd/httpd.conf.5 1.37
usr.sbin/httpd/httpd.h 1.64
usr.sbin/httpd/parse.y 1.44
usr.sbin/httpd/server.c 1.48
usr.sbin/httpd/server_fcgi.c 1.42
usr.sbin/httpd/server_file.c 1.41
Like previously done in relayd, change the keyword "ssl" to "tls" to reflect reality.
OK benno@
2014-12-11
17:06 schwarze usr.sbin/httpd/httpd.c 1.28
When scanning backwards for the last dot in a filename, stop at the '/' marking the beginning of the filename. This allows to configure a Content-Type for a filename without a dot. OK reyk@
2014-12-08
19:31 florian usr.sbin/httpd/server_http.c 1.56
Do not send an error body in a HEAD request answer. From Bertrand Janin (b at janin dot com), thanks! OK reyk@
2014-12-07
16:05 florian usr.sbin/httpd/config.c 1.24
Avoid NULL deref in error case; found with llvm. OK reyk
2014-12-04
02:44 tedu usr.sbin/httpd/httpd.c 1.27
usr.sbin/httpd/parse.y 1.43
usr.sbin/httpd/server.c 1.47
usr.sbin/httpd/server_fcgi.c 1.41
usr.sbin/httpd/server_file.c 1.40
usr.sbin/httpd/server_http.c 1.55
stop viral header propagation. none of this code uses sys/hash.h from Max Fillinger
2014-11-22
00:24 tedu usr.sbin/httpd/config.c 1.23
usr.sbin/httpd/httpd.c 1.26
use size_t where appropriate. ok deraadt reyk
2014-11-21
17:49 deraadt usr.sbin/httpd/httpd.c 1.25
white space begone
2014-11-20
07:48 jasper usr.sbin/httpd/config.c 1.21.2.1
usr.sbin/httpd/http.h 1.5.2.1
usr.sbin/httpd/httpd.c 1.17.4.1
usr.sbin/httpd/httpd.h 1.51.2.1
usr.sbin/httpd/logger.c 1.5.4.1
usr.sbin/httpd/parse.y 1.34.2.1
usr.sbin/httpd/server.c 1.39.2.1
usr.sbin/httpd/server_fcgi.c 1.29.2.1
usr.sbin/httpd/server_file.c 1.31.4.1
usr.sbin/httpd/server_http.c 1.42.2.1
httpd was developed very rapidly in the weeks before 5.6 release, and it has a few flaws. It would be nice to get these flaws fully remediated before the next release, and that requires the community to want to use it. Therefore here is a "jumbo" patch that brings in the most important fixes.
committing on behalf of reyk@
05:51 jsg usr.sbin/httpd/parse.y 1.42
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
2014-11-12
16:52 jmc usr.sbin/httpd/httpd.conf.5 1.36
tweak previous;
2014-11-11
15:54 beck usr.sbin/httpd/httpd.c 1.24
usr.sbin/httpd/httpd.conf.5 1.35
usr.sbin/httpd/httpd.h 1.63
usr.sbin/httpd/logger.c 1.7
usr.sbin/httpd/parse.y 1.41
Allow the log directory to be configurable in the config file, rather than fixed as /logs within the chroot. As this httpd is properly privesp'ed this has the nice property of allowing us to put the logs outside the chroot if we want to. ok reyk@
2014-11-10
14:16 beck usr.sbin/httpd/logger.c 1.6
Don't attempt to open log files when using syslog, as we are not going to use them. ok reyk@
2014-11-03
18:43 bluhm usr.sbin/httpd/httpd.h 1.62
usr.sbin/httpd/parse.y 1.40
Convert the logic in yyerror(). Instead of creating a temporary format string, create a temporary message. OK deraadt@
03:46 doug usr.sbin/httpd/parse.y 1.39
Add gcc format attributes to yyerror() in httpd.
Fix a few format characters as well. ok bluhm@
2014-10-31
13:49 jsing usr.sbin/httpd/Makefile 1.26
usr.sbin/httpd/httpd.h 1.61
usr.sbin/httpd/server.c 1.46
Update httpd(8) to use libtls instead of libressl.
2014-10-25
03:23 lteo usr.sbin/httpd/log.c 1.3
usr.sbin/httpd/proc.c 1.5
usr.sbin/httpd/server.c 1.45
usr.sbin/httpd/server_fcgi.c 1.40
usr.sbin/httpd/server_file.c 1.39
usr.sbin/httpd/server_http.c 1.54
Remove unnecessary netinet/in_systm.h include.
ok millert@
2014-10-22
09:48 reyk usr.sbin/httpd/httpd.c 1.23
usr.sbin/httpd/httpd.h 1.60
usr.sbin/httpd/server_http.c 1.53
URL-decode the request path.
Tested by ajacoutot@ and others OK doug@
2014-10-21
13:00 reyk usr.sbin/httpd/server_file.c 1.38
usr.sbin/httpd/server_http.c 1.52
Rework the error message a little bit: Do not send details of the error. Traditionally, web servers responsed with the request path on 40x errors which could be abused to inject JavaScript etc. Instead of sanitizing the path, we just don't reprint it. Also modify the style a little bit but keep Comic Sans.
With input from Jonas Lindemann and doug@
2014-10-03
13:41 jsing usr.sbin/httpd/server.c 1.44
Update ressl configuration to handle recent changes in the library.
ok tedu@
2014-10-02
19:22 reyk usr.sbin/httpd/server.c 1.43
usr.sbin/httpd/server_file.c 1.37
Fix an error case that was never handled ending up in an endless event loop that could eat all CPU. I thought that the previous (correct) commit fixed it which wasn't the case. But this one is obvious.
ok florian@
2014-09-29
19:30 deraadt usr.sbin/httpd/http.h 1.9
usr.sbin/httpd/httpd.c 1.22
usr.sbin/httpd/server_fcgi.c 1.39
usr.sbin/httpd/server_http.c 1.51
whitespace spotted while studying the code
2014-09-27
12:49 reyk usr.sbin/httpd/server_file.c 1.36
In addition to READ, disable WRITE events when closing the file descriptor of the file I/O bufferevent. This fixes a potential event flood.
OK florian@
2014-09-15
08:00 reyk usr.sbin/httpd/server_http.c 1.50
Make the HTTP version mandatory and abort if it is missing in the request.
2014-09-10
15:39 reyk usr.sbin/httpd/httpd.h 1.59
usr.sbin/httpd/server_http.c 1.49
Handle different possible variations of the Host header (eg. www.example.com, www.example.com:80, [2001:db8::1], [2001:db8::1]:80). The port is optional and is typically used on non-default ports. If the server name is a plain IPv6 address, it is commonly specified in square brackets.
Makes ajacoutot@ happy OK florian@
2014-09-05
15:06 reyk usr.sbin/httpd/http.h 1.8
usr.sbin/httpd/server_http.c 1.48
Add various RFC-based WebDAV methods to the list of accepted HTTP methods. This fixes (Fast)CGI-based WebDAV and CalDAV (calendar) servers with httpd.
ok benno@ stsp@
10:04 reyk usr.sbin/httpd/config.c 1.22
usr.sbin/httpd/httpd.c 1.21
usr.sbin/httpd/httpd.h 1.58
usr.sbin/httpd/parse.y 1.38
usr.sbin/httpd/server.c 1.42
usr.sbin/httpd/server_http.c 1.47
Remove a limitation that only allowed to specify a server name once. The key has been changed to server name + address + port and now it is possible to use the same server name for multiple servers with different addresses, eg. http://www.example.com and https://www.example.com/.
OK doug@ florian@
2014-09-04
13:45 reyk usr.sbin/httpd/parse.y 1.37
One line change adding the 'include' directive to the valid server options. This allows to include external configuration files from within server and location sections, not just from global context, for example to share common configuration within multiple servers (or virtual hosts).
2014-09-02
16:20 reyk usr.sbin/httpd/httpd.h 1.57
usr.sbin/httpd/server.c 1.41
usr.sbin/httpd/server_fcgi.c 1.38
FastCGI did not support persistent connections. Add initial support for persistent connections with FastCGI by implementing chunked Transfer-Encoding. This only works with HTTP/1.1.
With input and help from florian@ who found some FastCGI edge cases.
OK florian@
2014-09-01
12:28 reyk usr.sbin/httpd/server_fcgi.c 1.37
Don't pass the local buffer array by reference.
OK florian@
12:22 jmc usr.sbin/httpd/httpd.conf.5 1.34
remove Xr, but not the reference, to nginx, after some discussion with reyk;
09:32 reyk usr.sbin/httpd/httpd.c 1.20
usr.sbin/httpd/httpd.h 1.56
usr.sbin/httpd/server_fcgi.c 1.36
Replace the code to get the FastCGI Status header with a proper way to parse and write the headers using the http response descriptor. This allows to add other tweaks, like support for chunked encoding, later.
OK florian@
2014-08-29
13:01 reyk usr.sbin/httpd/httpd.h 1.55
usr.sbin/httpd/server_fcgi.c 1.35
usr.sbin/httpd/server_file.c 1.35
usr.sbin/httpd/server_http.c 1.46
Use two instead of one http descriptor for request and response.
OK chrisz@
2014-08-27
09:51 reyk usr.sbin/httpd/server.c 1.40
Write all data before closing the server socket if the output buffer is not empty. This fixes a bug of short responses that could happen with large files or fcgi data on connections with a higher latency.
OK florian@
2014-08-25
14:27 reyk usr.sbin/httpd/httpd.conf.5 1.33
usr.sbin/httpd/parse.y 1.36
Add a generic system-wide /usr/share/misc/mime.types file that can be included in httpd.conf. httpd(8) now supports both mime.types flavours with or without semicolon at the end of the line (nginx- or apache-style).
Discussed with many, with input from halex@ OK halex@
2014-08-21
19:23 chrisz usr.sbin/httpd/httpd.h 1.54
usr.sbin/httpd/server_fcgi.c 1.34
usr.sbin/httpd/server_file.c 1.34
usr.sbin/httpd/server_http.c 1.45
Add Last-Modified: HTTP header.
OK reyk@
2014-08-17
18:46 jmc usr.sbin/httpd/httpd.conf.5 1.32
don;t mark up {};
2014-08-14
09:12 doug usr.sbin/httpd/http.h 1.7
Sync with RFC 7230-7235 phrases and IANA registered status codes.
ok reyk@
07:50 chrisz usr.sbin/httpd/server_file.c 1.33
Remove obsolete struct stat parameters.
ok reyk@
2014-08-13
18:00 chrisz usr.sbin/httpd/server_fcgi.c 1.33
For a non-existent root we don't want the root prefix to show up in PATH_INFO. Therefore put a lower bound of strlen(root) on scriptlen. This makes perfect sense for virtual FastCGI scripts which run chrooted in another directory from httpd.
ok reyk@
16:04 reyk usr.sbin/httpd/httpd.c 1.19
usr.sbin/httpd/httpd.h 1.53
usr.sbin/httpd/server_fcgi.c 1.32
Provide a failsafe version of the path_info() function that doesn't need a temporary path variable. Based on an initial diff from chrisz@.
"Commit any failsafe version and I'm ok with it" chrisz@
08:08 chrisz usr.sbin/httpd/httpd.c 1.18
fix early loop termination in httpd path_info() without this fix httpd always put at least the first path component in SCRIPT_NAME even when it did not exist. Now for completely non-existant paths everything goes into PATH_INFO.
2014-08-11
15:26 deraadt usr.sbin/httpd/server_fcgi.c 1.31
make a few variables more local
2014-08-09
09:07 jmc usr.sbin/httpd/httpd.conf.5 1.31
some minor tweaks;
08:54 jmc usr.sbin/httpd/httpd.conf.5 1.30
sort "prefork", and remove a useless macro;
08:49 jmc usr.sbin/httpd/httpd.8 1.48
basic cleanup;
07:35 reyk usr.sbin/httpd/parse.y 1.35
Allow to inclue the types section anywhere in the configuration file.
Found by chris@ OK doug@
2014-08-08
18:29 reyk usr.sbin/httpd/http.h 1.6
usr.sbin/httpd/httpd.h 1.52
usr.sbin/httpd/server_fcgi.c 1.30
usr.sbin/httpd/server_file.c 1.32
usr.sbin/httpd/server_http.c 1.44
When opening directories, re-match the location after the index file has been appended. This allows to use a fastcgi target as the default index, for example index.php.
OK florian@
15:46 reyk usr.sbin/httpd/server_http.c 1.43
Allow to serve emtpy (0 bytes) files.
Found by jasper@ OK florian@
18:21 tag OPENBSD_5_6_BASE added
2014-08-07
18:21 reyk usr.sbin/httpd/httpd.8 1.47
Fix and simplify the description of httpd(8)'s signal handling. httpd does not re-executed itself on SIGHUP, it simply reload the configuration and sends it to its child processes.
ok deraadt@
12:43 florian usr.sbin/httpd/server_fcgi.c 1.29
Don't try to ouput FCGI_STDERR into error.log if there is no data. Problem noticed by naddy@, OK reyk@
10:52 florian usr.sbin/httpd/server_fcgi.c 1.28
Opportunistically try to parse "Status: $code" in the very first response from the fcgi daemon and use that code as HTTP response code. If it doesn't work out fall back to code 200. This might fix naddy@'s issue with redirects in cvsweb. To be revisited after unlock. Discussed with & grudgingly OK reyk@
06:56 deraadt usr.sbin/httpd/httpd.8 1.46
shorten signal text a bit
2014-08-06
22:33 doug usr.sbin/httpd/httpd.8 1.45
Mention how httpd responds to SIGHUP and SIGUSR1.
Description from reyk@
21:08 reyk usr.sbin/httpd/server_fcgi.c 1.27
Write STDERR from the CGI to the web server error log as intended.
OK florian@
20:56 florian usr.sbin/httpd/server_fcgi.c 1.26
If the very first fcgi STDOUT record has length 0 the cgi script didn't send anything back. This is an internal server error. OK reyk@
20:29 reyk usr.sbin/httpd/httpd.conf.5 1.29
usr.sbin/httpd/parse.y 1.34
Change grammar to remove a shift/reduce conflict that was introduced with the ssl options. "listen on $ip port 443 ssl" turns into "listen on $ip ssl port 443".
ok florian@
18:40 reyk usr.sbin/httpd/server_fcgi.c 1.25
Always zero-out the fcgi record header for STDIN data.
OK florian@
18:38 reyk usr.sbin/httpd/server.c 1.39
usr.sbin/httpd/server_fcgi.c 1.24
Use memset(buf instead of memset(&buf.
Pointed out by deraadt@
18:21 reyk usr.sbin/httpd/config.c 1.21
usr.sbin/httpd/httpd.conf.5 1.28
usr.sbin/httpd/httpd.h 1.51
usr.sbin/httpd/parse.y 1.33
usr.sbin/httpd/server_http.c 1.42
Limit the body size in client requests (eg. POST data) to 1M by default; add a configuration option to change the limit.
ok florian@
16:31 jsing usr.sbin/httpd/httpd.conf.5 1.27
Document the SSL configuration for httpd (partly based on relayd.conf(5)).
16:11 jsing usr.sbin/httpd/parse.y 1.32
Provide configuration options that allow the SSL certificate, key and ciphers to be specified for each server.
ok deraadt@ reyk@
16:10 jsing usr.sbin/httpd/server.c 1.38
Also clean up the public key when it is no longer needed.
ok deraadt@ reyk@
16:09 jsing usr.sbin/httpd/httpd.h 1.50
usr.sbin/httpd/parse.y 1.31
usr.sbin/httpd/server.c 1.37
Configure the default SSL ciphers as HIGH:!aNULL.
ok deraadt@ reyk@
15:08 florian usr.sbin/httpd/httpd.h 1.49
usr.sbin/httpd/server.c 1.36
usr.sbin/httpd/server_fcgi.c 1.23
usr.sbin/httpd/server_http.c 1.41
http POST support with & OK reyk@
13:40 florian usr.sbin/httpd/server_fcgi.c 1.22
Content-Length and Content-Type are transmitted as CONTENT_LENGTH and CONTENT_TYPE environment variables to cgi scripts, without the HTTP_ prefix. OK reyk@
12:56 reyk usr.sbin/httpd/logger.c 1.5
usr.sbin/httpd/parse.y 1.30
usr.sbin/httpd/server.c 1.35
spacing
12:29 jsg usr.sbin/httpd/logger.c 1.4
avoid displaying a NULL pointer ok deraadt@ reyk@
11:24 reyk usr.sbin/httpd/server.c 1.34
usr.sbin/httpd/server_file.c 1.31
The watermark exposed a bug in server_write that broke keep-alive support. Instead of calling server_close from server_write, we have to proceed to the next connection by calling the error handler.
OK jsg@
09:40 reyk usr.sbin/httpd/server.c 1.33
Bring back the last read (done) / last write (done) messages instead of just "done" to simplify connection debugging.
09:36 reyk usr.sbin/httpd/httpd.h 1.48
usr.sbin/httpd/server.c 1.32
usr.sbin/httpd/server_file.c 1.30
Adjust the read/write watermarks according to the TCP send buffer. This fixes sending of large files. Previously, httpd was reading the input file too quickly and could run out of memory when filling the input buffer.
Found by jsg@ OK florian@
09:34 reyk usr.sbin/httpd/server_http.c 1.40
Add braces. Style-only change.
05:47 doug usr.sbin/httpd/httpd.8 1.44
Add an overview of the features for httpd in the description section.
"commit" deraadt@
04:39 jsg usr.sbin/httpd/server.c 1.31
add missing va_start/va_end calls ok deraadt@ guenther@
02:31 doug usr.sbin/httpd/httpd.8 1.43
Explain the options in httpd.8
ok deraadt@
02:04 jsing usr.sbin/httpd/config.c 1.20
usr.sbin/httpd/httpd.8 1.42
usr.sbin/httpd/httpd.h 1.47
usr.sbin/httpd/parse.y 1.29
usr.sbin/httpd/server.c 1.30
Load the SSL public/private keys in the parent process, then provide them to the privsep process via imsg. This allows the keys to be moved out of the chroot (now /etc/ssl/server.crt, /etc/ssl/private/server.key).
ok reyk@
2014-08-05
18:01 reyk usr.sbin/httpd/config.c 1.19
usr.sbin/httpd/httpd.conf.5 1.26
usr.sbin/httpd/httpd.h 1.46
usr.sbin/httpd/parse.y 1.28
usr.sbin/httpd/server_http.c 1.39
Add configuration options for the most-important connection limits: max requests (per connection) and timeout. We don't want to add too many button, and there are good defaults, but these ones are kind of mandatory.
17:13 reyk usr.sbin/httpd/httpd.conf.5 1.25
Tweak the httpd.conf manpage with "sub-lists".
17:03 reyk usr.sbin/httpd/httpd.conf.5 1.24
usr.sbin/httpd/parse.y 1.27
Bring back the tcp/ip configuration options. This code was already there and is from relayd. We can decide later which options should be added or removed, but it shouldn't do any harm.
16:46 reyk usr.sbin/httpd/parse.y 1.26
Add srv_conf helper variable to make the code more readable. No functional change.
16:30 reyk usr.sbin/httpd/httpd.h 1.45
usr.sbin/httpd/server_http.c 1.38
Limit the number of (Keep-Alive) requests per connection to 100. (Same default as in nginx and Apache).
15:36 reyk usr.sbin/httpd/config.c 1.18
usr.sbin/httpd/httpd.c 1.17
usr.sbin/httpd/httpd.conf.5 1.23
usr.sbin/httpd/httpd.h 1.44
usr.sbin/httpd/logger.c 1.3
usr.sbin/httpd/parse.y 1.25
usr.sbin/httpd/server.c 1.29
Improve logging to allow per- server/location log files. The log files can also be owned by root now: they're opened by the parent and send to the logger process with fd passing. This also works with reload.
ok deraadt@
14:36 deraadt usr.sbin/httpd/server_http.c 1.37
retire blink because this is serious software now; ok beck
14:35 deraadt usr.sbin/httpd/config.c 1.17
spaces
09:24 jsg usr.sbin/httpd/httpd.c 1.16
usr.sbin/httpd/httpd.conf.5 1.22
usr.sbin/httpd/httpd.h 1.43
usr.sbin/httpd/parse.y 1.24
add a config option to specify the chroot directory ok reyk@
2014-08-04
18:12 reyk usr.sbin/httpd/httpd.8 1.41
usr.sbin/httpd/httpd.h 1.42
usr.sbin/httpd/server.c 1.28
Temporarily move the default location of the SSL/TLS server key and certificate from /var/www/ to /var/www/conf/. Don't get scared - this will be changed soon! They're currently located in the chroot directory but will be moved outside as soon as we adopted some of the key privsep from relayd in ressl/httpd.
18:00 reyk usr.sbin/httpd/config.c 1.16
usr.sbin/httpd/server_fcgi.c 1.21
Add HTTPS = on CGI variable.
17:43 reyk usr.sbin/httpd/server_file.c 1.29
Redirect to https:// if SSL/TLS is enabled.
17:38 reyk usr.sbin/httpd/Makefile 1.25
usr.sbin/httpd/config.c 1.15
usr.sbin/httpd/httpd.conf.5 1.21
usr.sbin/httpd/httpd.h 1.41
usr.sbin/httpd/parse.y 1.23
usr.sbin/httpd/server.c 1.27
Proxy commit for jsing@: "Add TLS/SSL support to httpd, based on the recent ressl commits."
From jsing@ ok reyk@
17:12 reyk usr.sbin/httpd/httpd.8 1.40
usr.sbin/httpd/httpd.conf.5 1.20
manpage tweaks about logging
16:07 reyk usr.sbin/httpd/parse.y 1.22
Change grammar from "log [style]" to "log style [style]".
15:57 reyk usr.sbin/httpd/logger.c 1.2
Print error message if the log files cannot be opened.
15:49 reyk usr.sbin/httpd/Makefile 1.24
usr.sbin/httpd/config.c 1.14
usr.sbin/httpd/control.c 1.4
usr.sbin/httpd/httpd.c 1.15
usr.sbin/httpd/httpd.conf.5 1.19
usr.sbin/httpd/httpd.h 1.40
usr.sbin/httpd/logger.c 1.1
usr.sbin/httpd/parse.y 1.21
usr.sbin/httpd/proc.c 1.4
usr.sbin/httpd/server.c 1.26
Add initial support for log files in /var/www/logs/. Logging with syslog is still supported but disabled by default.
ok deraadt@
14:49 reyk usr.sbin/httpd/httpd.c 1.14
usr.sbin/httpd/httpd.h 1.39
usr.sbin/httpd/server_fcgi.c 1.20
Implement PATH_INFO and add DOCUMENT_ROOT. PATH_INFO was requested by naddy@ who successfully tested it with "cvsweb".
ok naddy@
11:09 reyk usr.sbin/httpd/Makefile 1.23
usr.sbin/httpd/config.c 1.13
usr.sbin/httpd/control.c 1.3
usr.sbin/httpd/httpd.c 1.13
usr.sbin/httpd/log.c 1.2
usr.sbin/httpd/parse.y 1.20
usr.sbin/httpd/proc.c 1.3
usr.sbin/httpd/server.c 1.25
usr.sbin/httpd/server_fcgi.c 1.19
usr.sbin/httpd/server_file.c 1.28
usr.sbin/httpd/server_http.c 1.36
httpd doesn't support SSL/TLS yet, remove the remaining bits. The secrect plan is to add it later using the ressl wrapper library.
06:35 deraadt usr.sbin/httpd/control.c 1.2
no need for param.h
06:35 deraadt usr.sbin/httpd/httpd.h 1.38
usr.sbin/httpd/proc.c 1.2
usr.sbin/httpd/server_http.c 1.35
whitespace
2014-08-03
22:47 reyk usr.sbin/httpd/server_file.c 1.27
Only allow GET and HEAD for static files or return 405.
ok florian@
22:38 reyk usr.sbin/httpd/server_file.c 1.26
usr.sbin/httpd/server_http.c 1.34
Also write log messages, like 404 Not Found, on error. This is a bit tricky because we couldn't guarantee a sane state after server_response_http() so fail hard afterwards and close the connection.
ok doug@
22:06 florian usr.sbin/httpd/server_fcgi.c 1.18
c-type functions / makros need a cast to unsigned char, not int "feel free to commit" reyk@
21:33 reyk usr.sbin/httpd/http.h 1.5
usr.sbin/httpd/server_http.c 1.33
Allocate http_host instead of carrying a buffer in the descriptor.
20:43 reyk usr.sbin/httpd/parse.y 1.19
usr.sbin/httpd/server.c 1.24
usr.sbin/httpd/server_fcgi.c 1.17
spacing
20:39 reyk usr.sbin/httpd/httpd.h 1.37
usr.sbin/httpd/server_fcgi.c 1.16
usr.sbin/httpd/server_http.c 1.32
Dynamically pass HTTP request headers as protocol-specific HTTP_* CGI meta-variables.
ok florian@
12:26 reyk usr.sbin/httpd/httpd.h 1.36
usr.sbin/httpd/server_fcgi.c 1.15
usr.sbin/httpd/server_http.c 1.31
Add function to iterate all headers. No functional change.
11:16 reyk usr.sbin/httpd/config.c 1.12
usr.sbin/httpd/httpd.h 1.35
usr.sbin/httpd/parse.y 1.18
usr.sbin/httpd/server_fcgi.c 1.14
usr.sbin/httpd/server_file.c 1.25
Split fastcgi socket path and document root option and add the SCRIPT_FILENAME CGI param with a prepended root. This fixes php-fpm that expects SCRIPT_FILENAME and also works with slowcgi if you configure the root correctly. For example, if SCRIPT_NAME and REQUEST_URI are /php/index.php, root is /htdocs, SCRIPT_FILENAME will be /htdocs/php/index.php. As tested and discussed with florian@
10:38 reyk usr.sbin/httpd/server_fcgi.c 1.13
Add missing log call for FastCGI requests.
10:26 reyk usr.sbin/httpd/httpd.conf.5 1.18
usr.sbin/httpd/httpd.h 1.34
usr.sbin/httpd/parse.y 1.17
usr.sbin/httpd/server.c 1.23
usr.sbin/httpd/server_http.c 1.30
Add another log mode "connection" for a relayd(8)-style log entry after each connection, not every request. The code was already there and enabled on debug, I just turned it into an alternative log format.
10:22 reyk usr.sbin/httpd/server_http.c 1.29
Prefer getnameinfo() with NI_NUMERICHOST over inet_ntop because it is also aware of the IPv6 scope Id. We already have a function print_host() that uses getnameinfo, so no need for the inet_ntop cases. Confirmed by florian@
2014-08-02
21:21 doug usr.sbin/httpd/config.c 1.11
usr.sbin/httpd/httpd.conf.5 1.17
usr.sbin/httpd/httpd.h 1.33
usr.sbin/httpd/parse.y 1.16
usr.sbin/httpd/server_http.c 1.28
Locations now inherit access log settings from the server.
Add log to the server flags.
input/"Looks ok" reyk@
17:42 florian usr.sbin/httpd/server_fcgi.c 1.12
don't leak fcgi fd
17:05 florian usr.sbin/httpd/httpd.h 1.32
usr.sbin/httpd/server_fcgi.c 1.11
Padding of fcgi records is optional, but if we receive padding data we should read it.
11:59 florian usr.sbin/httpd/server_fcgi.c 1.10
We need to read from the fcgi bufferevent until it's empty because the event handler will not be called again if no new data arrives. Debugged with and OK reyk@
11:52 reyk usr.sbin/httpd/httpd.h 1.31
usr.sbin/httpd/server.c 1.22
usr.sbin/httpd/server_fcgi.c 1.9
Allow to specify a FastCGI TCP socket on localhost (eg. :9000). Used for debugging, you should prefer local UNIX sockets, but it helped to find an issue that will be fixed with the next commit.
OK florian@
10:24 reyk usr.sbin/httpd/httpd.conf.5 1.16
'fastcgi socket "path"' is the correct syntax; update the manpage. Found by jsg@
09:54 reyk usr.sbin/httpd/httpd.c 1.12
usr.sbin/httpd/server_fcgi.c 1.8
usr.sbin/httpd/server_file.c 1.24
spacing
09:46 reyk usr.sbin/httpd/server_file.c 1.23
scandir(3)-based directory auto index didn't work on NFS because the file system is not filling in d_type properly. Using st_mode from the stat call fixes the problem, eg. S_ISDIR(st.st_mode) instead of dp->d_type == DT_DIR. Pointed out by pelikan@
08:07 jmc usr.sbin/httpd/httpd.conf.5 1.15
remove nasty unclosed Xo in previous; ok reyk
2014-08-01
22:24 reyk usr.sbin/httpd/httpd.h 1.30
usr.sbin/httpd/server.c 1.21
usr.sbin/httpd/server_http.c 1.27
Use the log buffer to defer the logging until the connection is closed or the request completed. Turn the old log message into a debug message.
ok doug@
21:59 reyk usr.sbin/httpd/httpd.c 1.11
usr.sbin/httpd/httpd.conf.5 1.14
usr.sbin/httpd/httpd.h 1.29
usr.sbin/httpd/parse.y 1.15
usr.sbin/httpd/server.c 1.20
remove the global "log updates/all" option that came from relayd.
21:51 doug usr.sbin/httpd/httpd.conf.5 1.13
usr.sbin/httpd/httpd.h 1.28
usr.sbin/httpd/parse.y 1.14
usr.sbin/httpd/server_http.c 1.26
Add common and combined access logging to httpd.
ok reyk@
18:26 florian usr.sbin/httpd/server_fcgi.c 1.7
Rewrite fcgi_add_param and hand over a lot more http headers etc. to the cgi script. OK reyk@ "blanket OK" for changes in httpd for the time beeing from deraadt@
08:34 florian usr.sbin/httpd/httpd.h 1.27
usr.sbin/httpd/server.c 1.19
usr.sbin/httpd/server_fcgi.c 1.6
Correctly parse fcgi records if we don't get the whole record in one bufferevent_read(). Input/OK reyk@
2014-07-31
18:07 reyk usr.sbin/httpd/httpd.h 1.26
usr.sbin/httpd/server_fcgi.c 1.5
usr.sbin/httpd/server_http.c 1.25
Only write the HTTP header for the first fastcgi chunk.
17:55 reyk usr.sbin/httpd/httpd.h 1.25
usr.sbin/httpd/server_fcgi.c 1.4
usr.sbin/httpd/server_file.c 1.22
usr.sbin/httpd/server_http.c 1.24
some fastcgi improvements: - DPRINTF instead of log_info for internal debugging. - submit QUERY_STRING, if it exists - use a proper function to create an HTTP header. - use server_file_error() to detect EOF and fastcgi stream errors. - disable keep-alive/persist for now until we have a reliable way to get the content length from the cgi response or support chunked encoding.
"Cool, jep" florian@
14:25 reyk usr.sbin/httpd/httpd.h 1.24
usr.sbin/httpd/server.c 1.18
usr.sbin/httpd/server_fcgi.c 1.3
usr.sbin/httpd/server_file.c 1.21
One bufferevent can be shared by file and fcgi.
14:18 reyk usr.sbin/httpd/config.c 1.10
usr.sbin/httpd/httpd.conf.5 1.12
usr.sbin/httpd/httpd.h 1.23
usr.sbin/httpd/parse.y 1.13
usr.sbin/httpd/server_fcgi.c 1.2
Allow to specify a non-default fastcgi socket.
13:28 reyk usr.sbin/httpd/config.c 1.9
usr.sbin/httpd/httpd.h 1.22
usr.sbin/httpd/parse.y 1.12
usr.sbin/httpd/server_file.c 1.20
Rename the "docroot" variable to "path" because it will be used for either files or the fastcgi socket (and there's no need to use a union yet).
09:34 reyk usr.sbin/httpd/config.c 1.8
usr.sbin/httpd/httpd.conf.5 1.11
usr.sbin/httpd/httpd.h 1.21
usr.sbin/httpd/parse.y 1.11
usr.sbin/httpd/server_http.c 1.23
Add a configuration variable "fastcgi" to enable it per server or location.
09:23 florian usr.sbin/httpd/Makefile 1.22
usr.sbin/httpd/httpd.h 1.20
usr.sbin/httpd/server_fcgi.c 1.1
usr.sbin/httpd/server_http.c 1.22
Put in first stab at fastcgi. Very early work in progress. Putting it in now so that we can quickly work on it in tree. Requested by reyk@. deraadt@ is OK with this according to reyk@.
2014-07-30
13:49 reyk usr.sbin/httpd/config.c 1.7
usr.sbin/httpd/httpd.h 1.19
usr.sbin/httpd/parse.y 1.10
usr.sbin/httpd/server.c 1.17
usr.sbin/httpd/server_http.c 1.21
Make "location" work with name-based virtual servers.
10:05 reyk usr.sbin/httpd/config.c 1.6
usr.sbin/httpd/httpd.conf.5 1.10
usr.sbin/httpd/httpd.h 1.18
usr.sbin/httpd/parse.y 1.9
usr.sbin/httpd/server.c 1.16
usr.sbin/httpd/server_http.c 1.20
Add "location" keyword to specify path-specific configuration in servers, for example auto index for a sub-directory only. Internally, a "location" is just a special type of a "virtual" server.
09:51 reyk usr.sbin/httpd/httpd.conf.5 1.9
Small fix and clarification
07:09 reyk usr.sbin/httpd/server_file.c 1.19
Reserve an extra file descriptor per connection instead of per request. This fixes fd accounting with persistent connections and reduces the complexity of the implementation.
ok benno@
2014-07-29
16:38 reyk usr.sbin/httpd/server.c 1.15
The inflight decremented message should only be printed with DEBUG.
16:17 reyk usr.sbin/httpd/httpd.conf.5 1.8
usr.sbin/httpd/httpd.h 1.17
usr.sbin/httpd/parse.y 1.8
usr.sbin/httpd/server_file.c 1.18
Add extended directory index options: "[no] index" and "[no] auto index". The option "directory auto index" implements basic directory listing and is turned off by default.
ok deraadt@
12:16 reyk usr.sbin/httpd/httpd.h 1.16
usr.sbin/httpd/server.c 1.14
Move configurable TCP options into struct server_config.
2014-07-27
23:52 deraadt usr.sbin/httpd/Makefile 1.21
turn of -Werror, unless you are sure both gcc work...
2014-07-26
22:38 reyk usr.sbin/httpd/server_file.c 1.17
Remove redundant slash
09:59 reyk usr.sbin/httpd/httpd.c 1.10
bzero is over, memset is cool. pointed out by halex@
2014-07-25
23:30 reyk usr.sbin/httpd/config.c 1.5
usr.sbin/httpd/httpd.h 1.15
usr.sbin/httpd/server.c 1.13
Differentiate servers by address and port, not just by address.
23:25 reyk usr.sbin/httpd/server_http.c 1.19
Reset the default Host for each request
23:23 reyk usr.sbin/httpd/http.h 1.4
usr.sbin/httpd/httpd.h 1.14
usr.sbin/httpd/server.c 1.12
usr.sbin/httpd/server_file.c 1.16
usr.sbin/httpd/server_http.c 1.18
It is recommended to use a URL in the Location header of 3xx responses. To accomplish this, add some semantics to retrieve the server host name of a connection: either IP, IP:PORT (if not 80) or [IP6]:PORT, or Host value (if valid).
21:48 reyk usr.sbin/httpd/server_http.c 1.17
Append mandatory Date header to each response.
21:36 reyk usr.sbin/httpd/server_http.c 1.16
New HTTP/1.1 RFC 7231 prefers IMF-fixdate from RFC 5322.
21:29 reyk usr.sbin/httpd/httpd.c 1.9
usr.sbin/httpd/httpd.h 1.13
usr.sbin/httpd/server_file.c 1.15
usr.sbin/httpd/server_http.c 1.15
Canonicalize the request path once without the docroot and prepend the docroot only only when it's needed. Suggested by deraadt@.
20:13 reyk usr.sbin/httpd/server_file.c 1.14
Don't leak docroot in the error message if the default index file is missing.
OK florian@
17:49 reyk usr.sbin/httpd/httpd.conf.5 1.7
Add multiple-servers "virtual hosts" example.
17:04 reyk usr.sbin/httpd/parse.y 1.7
Add a single line to fix the address matching of multiple server blocks with non-virtual hosts. I had this line in a previous diff.
16:23 reyk usr.sbin/httpd/config.c 1.4
usr.sbin/httpd/httpd.c 1.8
usr.sbin/httpd/httpd.h 1.12
usr.sbin/httpd/parse.y 1.6
usr.sbin/httpd/server.c 1.11
usr.sbin/httpd/server_http.c 1.14
Add support for "virtual hosts" aka. server blocks aka. multiple servers with the same or "overlapping" IP address but a different name.
ok beck@
15:47 reyk usr.sbin/httpd/httpd.conf.5 1.6
usr.sbin/httpd/parse.y 1.5
Add and document 'root' configuration option for the docroot.
13:10 reyk usr.sbin/httpd/httpd.h 1.11
usr.sbin/httpd/server.c 1.10
usr.sbin/httpd/server_file.c 1.13
usr.sbin/httpd/server_http.c 1.13
Split server and server_config.
12:46 reyk usr.sbin/httpd/httpd.h 1.10
usr.sbin/httpd/server.c 1.9
usr.sbin/httpd/server_file.c 1.12
usr.sbin/httpd/server_http.c 1.12
Rename a field, needed later, no functional change.
12:42 reyk usr.sbin/httpd/httpd.h 1.9
usr.sbin/httpd/parse.y 1.4
usr.sbin/httpd/server_file.c 1.11
Move the docroot into the server block.
2014-07-24
08:32 reyk usr.sbin/httpd/httpd.c 1.7
usr.sbin/httpd/server.c 1.8
usr.sbin/httpd/server_http.c 1.11
Plug a memleak by correctly free'ing the HTTP descriptor that contains all the headers etc. of a connection.
08:11 reyk usr.sbin/httpd/httpd.h 1.8
Remove unused fields from structure
2014-07-23
23:10 reyk usr.sbin/httpd/httpd.c 1.6
When canonicalizing the path, it is better to fail on truncation.
Pointed out by Doug Hogan.
22:56 reyk usr.sbin/httpd/httpd.c 1.5
I wanted to know if people pay attention.
Doug Hogan found an off-by-one. More improvements will follow.
22:20 reyk usr.sbin/httpd/server_file.c 1.10
The default index page shouldn't be a directory. It's a 500.
22:18 reyk usr.sbin/httpd/server_file.c 1.9
Don't expose the docroot on error.
22:02 reyk usr.sbin/httpd/httpd.c 1.4
usr.sbin/httpd/parse.y 1.3
The media_encoding is not used in parse.y but stack garbage could lead to a double free; set it to NULL.
This should fix a problem that was found by deraadt@
21:43 reyk usr.sbin/httpd/server_file.c 1.8
usr.sbin/httpd/server_http.c 1.10
First attempt at verifying the request path and the access permissions. We also have to redirect with 301 if a directory name was requested without the trailing slash.
19:03 reyk usr.sbin/httpd/httpd.c 1.3
usr.sbin/httpd/httpd.h 1.7
usr.sbin/httpd/server_file.c 1.7
Add canonicalize_path() to canonicalize the requested URL path.
13:26 reyk usr.sbin/httpd/config.c 1.3
usr.sbin/httpd/httpd.h 1.6
usr.sbin/httpd/server.c 1.7
Correctly shutdown the servers when the process is terminating; prevents a crash on exit. With debugging help from blambert@.
12:01 reyk usr.sbin/httpd/httpd.h 1.5
always enable DPRINTF with compiled with DEBUG
2014-07-22
19:03 jmc usr.sbin/httpd/httpd.8 1.39
usr.sbin/httpd/httpd.conf.5 1.5
some minor fixes;
18:31 ajacoutot usr.sbin/httpd/httpd.conf.5 1.4
Typo.
no ok needed miod@ guenther@
17:54 reyk usr.sbin/httpd/httpd.8 1.38
There is no httpctl yet.
Found by jturner
17:49 deraadt usr.sbin/httpd/httpd.8 1.37
floating ,
2014-07-17
11:35 stsp usr.sbin/httpd/server_http.c 1.9
Move comment about strcasecmp() to a more suitable spot. ok reyk benno
11:32 stsp usr.sbin/httpd/httpd.conf.5 1.3
Fix typo in example httpd config which caused error on startup. /etc/httpd.conf:8: failed to add media type ok reyk
2014-07-16
10:25 reyk usr.sbin/httpd/httpd.h 1.4
usr.sbin/httpd/server.c 1.6
usr.sbin/httpd/server_file.c 1.6
usr.sbin/httpd/server_http.c 1.8
Implement file descriptor accounting. The concept was taken from relayd but had to be adjusted for httpd. It now handles single-pass HTTP connections, persistent connections with multiple requests, and body-less HEAD requests. With input from benno@
2014-07-15
09:51 reyk usr.sbin/httpd/server_file.c 1.5
don't diplay the full path in error messages
2014-07-14
09:03 reyk usr.sbin/httpd/server_http.c 1.7
Track Connection: Keep-Alive
00:19 reyk usr.sbin/httpd/httpd.h 1.3
usr.sbin/httpd/server.c 1.5
usr.sbin/httpd/server_file.c 1.4
usr.sbin/httpd/server_http.c 1.6
first step towards keep-alive/persistent connections support
2014-07-13
15:39 reyk usr.sbin/httpd/server_http.c 1.5
Remove a debug message
15:11 reyk usr.sbin/httpd/http.h 1.3
Sync file to be identical in relayd(8) and httpd(8).
15:07 reyk usr.sbin/httpd/server.c 1.4
usr.sbin/httpd/server_file.c 1.3
Finish writing the output before closing the connection (adopted from relayd).
14:46 reyk usr.sbin/httpd/server.c 1.3
Close the connection after the response is completed (no Keepalive yet).
14:17 reyk usr.sbin/httpd/config.c 1.2
usr.sbin/httpd/http.h 1.2
usr.sbin/httpd/httpd.c 1.2
usr.sbin/httpd/httpd.conf.5 1.2
usr.sbin/httpd/httpd.h 1.2
usr.sbin/httpd/parse.y 1.2
usr.sbin/httpd/server.c 1.2
usr.sbin/httpd/server_file.c 1.2
usr.sbin/httpd/server_http.c 1.4
Add support for media types (aka. MIME types): the types section is compatible to nginx' mime.types file which can be included directly. If not present, use a few built-in defaults for html, css, txt, jpeg, gif, png, and js.
09:46 beck usr.sbin/httpd/server_http.c 1.3
Make error messages more obvious to the user. ok reyk@ florian@
2014-07-12
23:55 reyk usr.sbin/httpd/server_http.c 1.2
Use Comic Sans (or Chalkboard) as the default font for HTTP error messages because we love web hipsters.
ok beck@
23:34 reyk usr.sbin/httpd/Makefile 1.20
usr.sbin/httpd/config.c 1.1
usr.sbin/httpd/control.c 1.1
usr.sbin/httpd/http.h 1.1
usr.sbin/httpd/httpd.8 1.36
usr.sbin/httpd/httpd.c 1.1
usr.sbin/httpd/httpd.conf.5 1.1
usr.sbin/httpd/httpd.h 1.1
usr.sbin/httpd/log.c 1.1
usr.sbin/httpd/parse.y 1.1
usr.sbin/httpd/proc.c 1.1
usr.sbin/httpd/server.c 1.1
usr.sbin/httpd/server_file.c 1.1
usr.sbin/httpd/server_http.c 1.1
Add httpd(8), an attempt to turn the relayd(8) codebase into a simple web server. It is not finished yet and I just started it today, but the goal is to provide an HTTP server that a) provides minimal features, b) serves static files, c) provides FastCGI support, and d) follows common coding practices of OpenBSD.
It will neither support plugins, nor custom memory allocators, EBCDIC support, PCRE or any other things that can be found elsewhere. httpd(8) is not intended to provide a fully-featured replacement for nginx(8) or the Apache, but it will provide enough functionality that is needed in the OpenBSD base system.
ok deraadt@

This page was created on Tue Dec 20 15:03:23 2016 using cl2html written by Simon Josefsson.