Created attachment 179563
There was a recent OpenBSD 6.0 errata for httpd (see below).
Since www/obhttpd seems to be based on the 6.0 version it's
probably affected too.
From: Bob Beck <firstname.lastname@example.org>
Date: Wed, 1 Feb 2017 23:07:12 -0700
Subject: OpenBSD errata, Jan 31, 2017
To: email@example.com, tech <firstname.lastname@example.org>
An issue has been identified whereby httpd(8) could be subject to a denial
of service attack. Repeated crafted requests could be made from a client
using file-range requests, making the server consume excessive amounts of
This issue has been fixed in current. For 5.9 and 6.0 the following errata
will disable range header processing in httpd(8) to prevent the problem.
Thanks to Pierre Kim <email@example.com> for reporting
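One way to confirm on your own patched host that range header processing is off, as an added example that is not part of this bug thread, the port, or the OpenBSD errata. The function names, host, port and path are assumptions, and it assumes a server that ignores `Range` answers 200 with the full body, which the HTTP specification permits.

```python
import http.client
import sys

def classify_range_response(status, headers):
    """Say how a server treated a Range request.

    headers: dict of lower-cased response header names to values.
    """
    if status == 206 or "content-range" in headers:
        return "range-honored"    # partial content: range processing is active
    if status == 416:
        return "range-evaluated"  # range was parsed, then rejected
    if status == 200:
        return "range-ignored"    # full body: header was not acted on
    return "inconclusive"         # redirect, 404, etc.: pick another path

def probe(host, port, path="/", timeout=5):
    """Send one GET for the first byte of path and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Range": "bytes=0-0"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify_range_response(resp.status, headers)
    finally:
        conn.close()

if __name__ == "__main__":
    # Assumed usage: python3 check_range.py 127.0.0.1 80 /index.html
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    result = probe(host, port, path)
    print(f"{host}:{port}{path}: {result}")
    sys.exit(0 if result == "range-ignored" else 1)
```

Point it at a static file that exists on the server; a result of `range-honored` on a 5.9 or 6.0 based build means the errata patch is not in effect.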
Created attachment 179564
Sorry, for some reason the patch comment was missing from the diff.
Should the default configuration file include something like
and logs/ under it? Should they be set owned by www:www?
The obhttpd.conf man page says if a chroot is not specified, then the home directory of the www user is used (/var/www on OpenBSD, but nonexistent on FreeBSD).
Does it make sense to replace references to httpd with obhttpd in the man pages?
At the end of the first sentence I meant to ask if the chroot directory should be created and a logs/ directory created under it? What about a default HTML root directory to match the default configuration file so things work by default without requiring users to tinker?
Yep, I agree with your recommendations and will include them in the next version of the port.
Nikola and Tobias,
I have created a review at https://reviews.freebsd.org/D9574. Could you comment/test? Nikola, if you are satisfied with these changes, could you let me know you approve? For the next version, I can either submit a pull request or you can incorporate the changes yourself if that makes things easier for you in the future.
I updated the patch so that a default chroot directory need not be specified in the configuration file, as Tobias suggested.
Nikola, we await your feedback and/or approval.
A commit references this bug:
Date: Thu Feb 16 21:43:12 UTC 2017
New revision: 434257
www/obhttpd: Apply OpenBSD errata from January 31st, 2017.
Errata text: https://marc.info/?l=openbsd-announce&m=148604065924319&w=2
Submitted by: firstname.lastname@example.org
Approved by: swills (mentor, implicit) email@example.com (maintainer)