
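--- a/lighttpd.new/Makefile
+++ b/lighttpd.new/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	lighttpd
-PORTVERSION=	1.4.19
-PORTREVISION=	3
+PORTVERSION=	1.4.20
 CATEGORIES=	www
 MASTER_SITES=	http://www.lighttpd.net/download/ \
 		http://mirrors.cat.pdx.edu/lighttpd/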
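--- a/lighttpd.new/distinfo
+++ b/lighttpd.new/distinfo
@@ -1,3 +1,3 @@
-MD5 (lighttpd-1.4.19.tar.bz2) = d787374e4e4aaa09d5cfa9ab9d23ad40
-SHA256 (lighttpd-1.4.19.tar.bz2) = a239323239c3735a04290f7c063a14ed2c4560a88c15181c253fcd68c6c2f1d7
-SIZE (lighttpd-1.4.19.tar.bz2) = 610347
+MD5 (lighttpd-1.4.20.tar.bz2) = ed6ee0bb714f393219a32768d86984d8
+SHA256 (lighttpd-1.4.20.tar.bz2) = 3cda2ce779f24948062f765f2630b5865e483f5fab7149681a2a25422fd61176
+SIZE (lighttpd-1.4.20.tar.bz2) = 618018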
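--- a/lighttpd.new/files/patch-CVE-2008-1531
+++ b/lighttpd.new/files/patch-CVE-2008-1531
@@ -1,119 +0,0 @@
-Index: src/connections.c
-===================================================================
---- src/connections.c (revision 2103)
-+++ src/connections.c (revision 2136)
-@@ -200,4 +200,5 @@
- 	/* don't resize the buffer if we were in SSL_ERROR_WANT_* */
- 
-+	ERR_clear_error();
- 	do {
- 		if (!con->ssl_error_want_reuse_buffer) {
-@@ -1670,4 +1671,5 @@
- 			if (srv_sock->is_ssl) {
- 				int ret;
-+				ERR_clear_error();
- 				switch ((ret = SSL_shutdown(con->ssl))) {
- 				case 1:
-@@ -1675,6 +1677,8 @@
- 					break;
- 				case 0:
--					SSL_shutdown(con->ssl);
--					break;
-+					ERR_clear_error();
-+					if ((ret = SSL_shutdown(con->ssl)) == 1) break;
-+
-+					// fall through
- 				default:
- 					log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
-Index: src/network_openssl.c
-===================================================================
---- src/network_openssl.c (revision 2084)
-+++ src/network_openssl.c (revision 2136)
-@@ -86,4 +86,5 @@
- 			 */
- 
-+			ERR_clear_error();
- 			if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
- 				unsigned long err;
-@@ -188,4 +189,5 @@
- 				close(ifd);
- 
-+				ERR_clear_error();
- 				if ((r = SSL_write(ssl, s, toSend)) <= 0) {
- 					unsigned long err;
-Index: src/connections.c
-===================================================================
---- src/connections.c (revision 2136)
-+++ src/connections.c (revision 2139)
-@@ -1670,5 +1670,6 @@
- #ifdef USE_OPENSSL
- 			if (srv_sock->is_ssl) {
--				int ret;
-+				int ret, ssl_r;
-+				unsigned long err;
- 				ERR_clear_error();
- 				switch ((ret = SSL_shutdown(con->ssl))) {
-@@ -1678,14 +1679,40 @@
- 				case 0:
- 					ERR_clear_error();
--					if ((ret = SSL_shutdown(con->ssl)) == 1) break;
-+					if (-1 != (ret = SSL_shutdown(con->ssl))) break;
- 
- 					// fall through
- 				default:
--					log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
--							SSL_get_error(con->ssl, ret),
--							ERR_error_string(ERR_get_error(), NULL));
--					return -1;
-+
-+					switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
-+					case SSL_ERROR_WANT_WRITE:
-+					case SSL_ERROR_WANT_READ:
-+						break;
-+					case SSL_ERROR_SYSCALL:
-+						/* perhaps we have error waiting in our error-queue */
-+						if (0 != (err = ERR_get_error())) {
-+							do {
-+								log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
-+										ssl_r, ret,
-+										ERR_error_string(err, NULL));
-+							} while((err = ERR_get_error()));
-+						} else {
-+							log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
-+									ssl_r, r, errno,
-+									strerror(errno));
-+						}
-+	
-+						break;
-+					default:
-+						while((err = ERR_get_error())) {
-+							log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
-+									ssl_r, ret,
-+									ERR_error_string(err, NULL));
-+						}
-+	
-+						break;
-+					}
- 				}
- 			}
-+			ERR_clear_error();
- #endif
- 
-Index: src/connections.c
-===================================================================
---- src/connections.c (revision 2139)
-+++ src/connections.c (revision 2144)
-@@ -1681,5 +1681,5 @@
- 					if (-1 != (ret = SSL_shutdown(con->ssl))) break;
- 
--					// fall through
-+					/* fall through */
- 				default:
- 
-@@ -1698,5 +1698,5 @@
- 						} else {
- 							log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
--									ssl_r, r, errno,
-+									ssl_r, ret, errno,
- 									strerror(errno));
- 						}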
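Review bot: Deleting this patch leaves the port without the `ERR_clear_error();` calls ahead of `SSL_shutdown(con->ssl)` and `SSL_write(...)` unless the 1.4.20 distfile already contains upstream revisions 2136, 2139 and 2144, and nothing on this page shows that it does. The sa_2008_05, sa_2008_06 and sa_2008_07 patches at least carry NEWS hunks that place their entries above the `- 1.4.19 - 2008-03-10` heading, which suggests they belong to the following release; this patch has no such marker, and patch-src__network_freebsd_sendfile.c appears to be a local patch (`.orig` timestamps rather than upstream revision numbers), so the version bump may not cover it. Before committing, extract the new distfile and confirm that src/connections.c calls `ERR_clear_error();` before `switch ((ret = SSL_shutdown(con->ssl)))` and that src/network_freebsd_sendfile.c handles `case EINTR:`; keep any patch whose change is absent from the new source.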
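--- a/lighttpd.new/files/patch-sa_2008_05
+++ b/lighttpd.new/files/patch-sa_2008_05
@@ -1,91 +0,0 @@
-#
-# http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
-#
-Index: src/mod_rewrite.c
-===================================================================
---- src/mod_rewrite.c (revision 2148)
-+++ src/mod_rewrite.c (revision 2278)
-@@ -351,5 +351,9 @@
- 	if (!p->conf.rewrite) return HANDLER_GO_ON;
- 
--	buffer_copy_string_buffer(p->match_buf, con->request.uri);
-+	buffer_copy_string_buffer(p->match_buf, con->uri.path);
-+	if (con->uri.query->used > 0) {
-+		buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
-+		buffer_append_string_buffer(p->match_buf, con->uri.query);
-+	}
- 
- 	for (i = 0; i < p->conf.rewrite->used; i++) {
-Index: src/response.c
-===================================================================
---- src/response.c (revision 2250)
-+++ src/response.c (revision 2278)
-@@ -233,25 +233,4 @@
- 
- 
--		/**
--		 *
--		 * call plugins
--		 *
--		 * - based on the raw URL
--		 *
--		 */
--
--		switch(r = plugins_call_handle_uri_raw(srv, con)) {
--		case HANDLER_GO_ON:
--			break;
--		case HANDLER_FINISHED:
--		case HANDLER_COMEBACK:
--		case HANDLER_WAIT_FOR_EVENT:
--		case HANDLER_ERROR:
--			return r;
--		default:
--			log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
--			break;
--		}
--
- 		/* build filename
- 		 *
-@@ -259,5 +238,4 @@
- 		 * - remove path-modifiers (e.g. /../)
- 		 */
--
- 
- 
-@@ -275,4 +253,26 @@
- 			log_error_write(srv, __FILE__, __LINE__,  "s",  "-- sanatising URI");
- 			log_error_write(srv, __FILE__, __LINE__,  "sb", "URI-path     : ", con->uri.path);
-+		}
-+
-+
-+		/**
-+		 *
-+		 * call plugins
-+		 *
-+		 * - based on the raw URL
-+		 *
-+		 */
-+
-+		switch(r = plugins_call_handle_uri_raw(srv, con)) {
-+		case HANDLER_GO_ON:
-+			break;
-+		case HANDLER_FINISHED:
-+		case HANDLER_COMEBACK:
-+		case HANDLER_WAIT_FOR_EVENT:
-+		case HANDLER_ERROR:
-+			return r;
-+		default:
-+			log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
-+			break;
- 		}
- 
-Index: NEWS
-===================================================================
---- NEWS (revision 2277)
-+++ NEWS (revision 2278)
-@@ -50,4 +50,5 @@
-   * fixed dropping last character of evhost pattern (#161)
-   * print helpful error message on conditionals in global block (#1550)
-+  * decode url before matching in mod_rewrite (#1720)
- 
- - 1.4.19 - 2008-03-10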
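--- a/lighttpd.new/files/patch-sa_2008_06
+++ b/lighttpd.new/files/patch-sa_2008_06
@@ -1,49 +0,0 @@
-#
-# http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
-#
-Index: src/mod_userdir.c
-===================================================================
---- src/mod_userdir.c (revision 2120)
-+++ src/mod_userdir.c (revision 2283)
-@@ -263,4 +263,7 @@
- 			}
- 		}
-+		if (con->conf.force_lowercase_filenames) {
-+			buffer_to_lower(p->username);
-+		}
- 
- 		buffer_copy_string_buffer(p->temp_path, p->conf.basepath);
-@@ -285,6 +288,22 @@
- 	}
- 
-+	/* the physical rel_path is basically the same as uri.path;
-+	 * but it is converted to lowercase in case of force_lowercase_filenames and some special handling
-+	 * for trailing '.', ' ' and '/' on windows
-+	 * we assume that no docroot/physical handler changed this
-+	 * (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path;
-+	 *  the exception mod_secure_download doesn't work with userdir anyway)
-+	 */
- 	BUFFER_APPEND_SLASH(p->temp_path);
--	buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
-+	/* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling
-+	 * on windows.
-+	 * we do not care about the trailing slash here on windows, as we already ensured it is a directory
-+	 *
-+	 * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
-+	 *       as a username without them.
-+	 */
-+	if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
-+		buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
-+	}
- 	buffer_copy_string_buffer(con->physical.path, p->temp_path);
- 
-Index: NEWS
-===================================================================
---- NEWS (revision 2281)
-+++ NEWS (revision 2283)
-@@ -53,4 +53,5 @@
-   * fixed conditional patching of ldap filter (#1564)
-   * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
-+  * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
- 
- - 1.4.19 - 2008-03-10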
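--- a/lighttpd.new/files/patch-sa_2008_07
+++ b/lighttpd.new/files/patch-sa_2008_07
@@ -1,53 +0,0 @@
-#
-# http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
-#
-Index: src/request.c
-===================================================================
---- src/request.c (revision 1947)
-+++ src/request.c (revision 2305)
-@@ -826,4 +826,5 @@
- 												con->request.request);
- 									}
-+									array_insert_unique(con->request.headers, (data_unset *)ds);
- 									return 0;
- 								}
-@@ -875,4 +876,5 @@
- 												con->request.request);
- 									}
-+									array_insert_unique(con->request.headers, (data_unset *)ds);
- 									return 0;
- 								}
-@@ -912,4 +914,5 @@
- 												con->request.request);
- 									}
-+									array_insert_unique(con->request.headers, (data_unset *)ds);
- 									return 0;
- 								}
-@@ -937,4 +940,5 @@
- 												con->request.request);
- 									}
-+									array_insert_unique(con->request.headers, (data_unset *)ds);
- 									return 0;
- 								}
-@@ -954,4 +958,5 @@
- 												con->request.request);
- 									}
-+									array_insert_unique(con->request.headers, (data_unset *)ds);
- 									return 0;
- 								}
-@@ -977,4 +982,5 @@
- 												con->request.request);
- 									}
-+									array_insert_unique(con->request.headers, (data_unset *)ds);
- 									return 0;
- 								}
-Index: NEWS
-===================================================================
---- NEWS (revision 2304)
-+++ NEWS (revision 2305)
-@@ -63,4 +63,5 @@
-   * workaround ldap connection leak if a ldap connection failed (restarting ldap)
-   * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
-+  * fix memleak in request header parsing (#1774, thx qhy)
- 
- - 1.4.19 - 2008-03-10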
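--- a/lighttpd.new/files/patch-src__mod_fastcgi.c
+++ b/lighttpd.new/files/patch-src__mod_fastcgi.c
@@ -1,18 +0,0 @@
-#
-# http://trac.lighttpd.net/trac/changeset/2143
-#
-Index: /branches/lighttpd-1.4.x/src/mod_fastcgi.c
-===================================================================
---- src/mod_fastcgi.c (revision 2119)
-+++ src/mod_fastcgi.c (revision 2143)
-@@ -2545,5 +2545,8 @@
- 
- 					if (HANDLER_ERROR != stat_cache_get_entry(srv, con, ds->value, &sce)) {
--						data_string *dcls = data_string_init();
-+						data_string *dcls;
-+						if (NULL == (dcls = (data_string *)array_get_unused_element(con->response.headers, TYPE_STRING))) {
-+							dcls = data_response_init();
-+						}
- 						/* found */
- 						http_chunk_append_file(srv, con, ds->value, 0, sce->st.st_size);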
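--- a/lighttpd.new/files/patch-src__network_freebsd_sendfile.c
+++ b/lighttpd.new/files/patch-src__network_freebsd_sendfile.c
@@ -1,47 +0,0 @@
-#
-# Respect EAGAIN and retry sendfile() instead close connection.
-# Remove empty lines and add two more cases to switch(errno)
-#
---- src/network_freebsd_sendfile.c.orig	2007-09-22 19:55:26.000000000 -0300
-+++ src/network_freebsd_sendfile.c	2007-09-22 19:43:28.000000000 -0300
-@@ -151,23 +151,23 @@
- 			if (-1 == c->file.fd) {
- 				if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
- 					log_error_write(srv, __FILE__, __LINE__, "ss", "open failed: ", strerror(errno));
--
- 					return -1;
- 				}
--
- #ifdef FD_CLOEXEC
- 				fcntl(c->file.fd, F_SETFD, FD_CLOEXEC);
- #endif
- 			}
- 
--			r = 0;
--
-+eagain:
- 			/* FreeBSD sendfile() */
-+			r = 0;
- 			if (-1 == sendfile(c->file.fd, fd, offset, toSend, NULL, &r, 0)) {
- 				switch(errno) {
- 				case EAGAIN:
-+				case EINTR:
- 					break;
- 				case ENOTCONN:
-+				case ENOTSOCK:
- 					return -2;
- 				default:
- 					log_error_write(srv, __FILE__, __LINE__, "ssd", "sendfile: ", strerror(errno), errno);
-@@ -190,12 +190,10 @@
- 				if (offset >= sce->st.st_size) {
- 					/* file shrinked, close the connection */
- 					errno = oerrno;
--
- 					return -1;
- 				}
- 
- 				errno = oerrno;
--				return -2;
- 			}
- 
- 			c->offset += r;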
