Created attachment 179563 www___obhttpd.diff

There was a recent OpenBSD 6.0 errata for httpd (see below). Since www/obhttpd seems to be based on the 6.0 version it's probably affected too.

---------
From: Bob Beck <beck@openbsd.org>
Date: Wed, 1 Feb 2017 23:07:12 -0700
Subject: OpenBSD errata, Jan 31, 2017
To: announce@openbsd.org, tech <tech@openbsd.org>

An issue has been identified whereby httpd(8) could be subject to a denial of service attack. Repeated crafted requests could be made from a client using file-range requests, making the server consume excessive amounts of memory.

This issue has been fixed in current. For 5.9 and 6.0 the following errata will disable range header processing in httpd(8) to prevent the problem.

Thanks to Pierre Kim <pierre.kim.sec@gmail.com> for reporting the issue.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig
Created attachment 179564 www___obhttpd.diff

Sorry, for some reason the patch comment was missing from the diff.
Should the default configuration file include something like chroot "/usr/local/www" and logs/ under it? Should they be set owned by www:www? The obhttpd.conf man page says if a chroot is not specified, then the home directory of the www user is used (/var/www on OpenBSD, but nonexistent on FreeBSD). Does it make sense to replace references to httpd with obhttpd in the man pages?
At the end of the first sentence I meant to ask if the chroot directory should be created and a logs/ directory created under it? What about a default HTML root directory to match the default configuration file so things work by default without requiring users to tinker?
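The layout discussed in the two comments above (a chroot directory with logs/ under it owned by www:www, a document root so the default configuration works out of the box, and a configuration file that names the chroot), as an added shell example that is not part of the port or of the review. The chroot path /usr/local/www, the /usr/local/etc/obhttpd.conf location, the htdocs/ directory name and the configuration body are assumptions modelled on the thread and on httpd.conf(5) syntax; the logs directory is left at httpd's default of logs/ inside the chroot.

```shell
#!/bin/sh
# Added example (not the port's own files): create a chroot tree for
# www/obhttpd and write a minimal configuration that uses it.
# Assumed defaults: chroot /usr/local/www, config /usr/local/etc/obhttpd.conf.
set -eu

# Create <chroot>/logs and <chroot>/htdocs. Prints the chroot directory used.
setup_obhttpd_chroot() {
    chroot_dir="${1:-/usr/local/www}"
    mkdir -p "$chroot_dir/logs" "$chroot_dir/htdocs"
    # The daemon writes its logs as the www user from inside the chroot, so
    # logs/ must be owned by www:www. Only chown when a www user exists and
    # we are root; otherwise ownership is left for the administrator.
    if id www >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        chown www:www "$chroot_dir/logs"
    fi
    # Content directories are readable by everyone but writable only by root,
    # so a compromised www process cannot modify what it serves.
    chmod 755 "$chroot_dir" "$chroot_dir/htdocs"
    printf '%s\n' "$chroot_dir"
}

# Write a minimal obhttpd.conf. "root" is relative to the chroot; with no
# "logdir" directive httpd logs to logs/ inside the chroot.
write_obhttpd_conf() {
    conf="$1"
    chroot_dir="$2"
    cat > "$conf" <<EOF
# Directory the server chroots into (assumed default for this example).
chroot "$chroot_dir"

server "default" {
	listen on * port 80
	# Document root, relative to the chroot above.
	root "/htdocs"
}
EOF
}

# Pre-start sanity check: the chroot, its logs/ and htdocs/ directories exist
# and the configuration file names that chroot. Non-zero exit on failure.
obhttpd_layout_ok() {
    chroot_dir="$1"
    conf="$2"
    [ -d "$chroot_dir/logs" ] && [ -d "$chroot_dir/htdocs" ] &&
        grep -qF "chroot \"$chroot_dir\"" "$conf"
}

# Usage: sh setup-obhttpd.sh [chroot-dir [conf-path]]
# Only acts when a chroot directory is given, so sourcing this file to reuse
# the functions has no side effects.
if [ $# -gt 0 ]; then
    dir=$(setup_obhttpd_chroot "$1")
    write_obhttpd_conf "${2:-/usr/local/etc/obhttpd.conf}" "$dir"
    obhttpd_layout_ok "$dir" "${2:-/usr/local/etc/obhttpd.conf}"
fi
```

Run as root with `sh setup-obhttpd.sh /usr/local/www` to create the tree and configuration; the chown step is skipped silently on a host without a www user, which is why `obhttpd_layout_ok` checks only the directory layout and the chroot directive, not ownership.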
Hi Joseph, Yep, I agree with your recommendations and will include them in the next version of the port. Regards, Nikola
Nikola and Tobias, I have created a review at https://reviews.freebsd.org/D9574. Could you comment/test? Nikola, if you are satisfied with these changes, could you let me know you approve? For the next version, I can either submit a pull request or you can incorporate the changes yourself if that makes things easier for you in the future.
I updated the patch so that a default chroot directory need not be specified in the configuration file, as Tobias suggested. https://reviews.freebsd.org/D9574 Nikola, we await your feedback and/or approval.
A commit references this bug:

Author: jrm
Date: Thu Feb 16 21:43:12 UTC 2017
New revision: 434257
URL: https://svnweb.freebsd.org/changeset/ports/434257

Log:
  www/obhttpd: Apply OpenBSD errata from January 31st, 2017.

  Errata text: https://marc.info/?l=openbsd-announce&m=148604065924319&w=2

  PR:           216752
  Submitted by: t@tobik.me
  Approved by:  swills (mentor, implicit) koue@chaosophia.net (maintainer)

Changes:
  head/www/obhttpd/Makefile
  head/www/obhttpd/files/patch-usr.sbin_httpd_server__file.c