diff options
-rw-r--r-- | www/lighttpd/Makefile | 2 | ||||
-rw-r--r-- | www/lighttpd/files/patch-sa_2008_05 | 91 | ||||
-rw-r--r-- | www/lighttpd/files/patch-sa_2008_06 | 49 | ||||
-rw-r--r-- | www/lighttpd/files/patch-sa_2008_07 | 53 |
4 files changed, 194 insertions, 1 deletions
diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile index affd957b697e..dcd085b7a286 100644 --- a/www/lighttpd/Makefile +++ b/www/lighttpd/Makefile @@ -7,7 +7,7 @@ PORTNAME= lighttpd PORTVERSION= 1.4.19 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= www MASTER_SITES= http://www.lighttpd.net/download/ \ http://mirrors.cat.pdx.edu/lighttpd/ diff --git a/www/lighttpd/files/patch-sa_2008_05 b/www/lighttpd/files/patch-sa_2008_05 new file mode 100644 index 000000000000..df64c197fa63 --- /dev/null +++ b/www/lighttpd/files/patch-sa_2008_05 @@ -0,0 +1,91 @@ +# +# http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt +# +Index: src/mod_rewrite.c +=================================================================== +--- src/mod_rewrite.c (revision 2148) ++++ src/mod_rewrite.c (revision 2278) +@@ -351,5 +351,9 @@ + if (!p->conf.rewrite) return HANDLER_GO_ON; + +- buffer_copy_string_buffer(p->match_buf, con->request.uri); ++ buffer_copy_string_buffer(p->match_buf, con->uri.path); ++ if (con->uri.query->used > 0) { ++ buffer_append_string_len(p->match_buf, CONST_STR_LEN("?")); ++ buffer_append_string_buffer(p->match_buf, con->uri.query); ++ } + + for (i = 0; i < p->conf.rewrite->used; i++) { +Index: src/response.c +=================================================================== +--- src/response.c (revision 2250) ++++ src/response.c (revision 2278) +@@ -233,25 +233,4 @@ + + +- /** +- * +- * call plugins +- * +- * - based on the raw URL +- * +- */ +- +- switch(r = plugins_call_handle_uri_raw(srv, con)) { +- case HANDLER_GO_ON: +- break; +- case HANDLER_FINISHED: +- case HANDLER_COMEBACK: +- case HANDLER_WAIT_FOR_EVENT: +- case HANDLER_ERROR: +- return r; +- default: +- log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r); +- break; +- } +- + /* build filename + * +@@ -259,5 +238,4 @@ + * - remove path-modifiers (e.g. /../) + */ +- + + +@@ -275,4 +253,26 @@ + log_error_write(srv, __FILE__, __LINE__, "s", "-- sanatising URI"); + log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path : ", con->uri.path); ++ } ++ ++ ++ /** ++ * ++ * call plugins ++ * ++ * - based on the raw URL ++ * ++ */ ++ ++ switch(r = plugins_call_handle_uri_raw(srv, con)) { ++ case HANDLER_GO_ON: ++ break; ++ case HANDLER_FINISHED: ++ case HANDLER_COMEBACK: ++ case HANDLER_WAIT_FOR_EVENT: ++ case HANDLER_ERROR: ++ return r; ++ default: ++ log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r); ++ break; + } + +Index: NEWS +=================================================================== +--- NEWS (revision 2277) ++++ NEWS (revision 2278) +@@ -50,4 +50,5 @@ + * fixed dropping last character of evhost pattern (#161) + * print helpful error message on conditionals in global block (#1550) ++ * decode url before matching in mod_rewrite (#1720) + + - 1.4.19 - 2008-03-10 diff --git a/www/lighttpd/files/patch-sa_2008_06 b/www/lighttpd/files/patch-sa_2008_06 new file mode 100644 index 000000000000..e6cfa897b4d3 --- /dev/null +++ b/www/lighttpd/files/patch-sa_2008_06 @@ -0,0 +1,49 @@ +# +# http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt +# +Index: src/mod_userdir.c +=================================================================== +--- src/mod_userdir.c (revision 2120) ++++ src/mod_userdir.c (revision 2283) +@@ -263,4 +263,7 @@ + } + } ++ if (con->conf.force_lowercase_filenames) { ++ buffer_to_lower(p->username); ++ } + + buffer_copy_string_buffer(p->temp_path, p->conf.basepath); +@@ -285,6 +288,22 @@ + } + ++ /* the physical rel_path is basically the same as uri.path; ++ * but it is converted to lowercase in case of force_lowercase_filenames and some special handling ++ * for trailing '.', ' ' and '/' on windows ++ * we assume that no docroot/physical handler changed this ++ * (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path; ++ * the exception mod_secure_download doesn't work with userdir anyway) ++ */ + BUFFER_APPEND_SLASH(p->temp_path); +- buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */ ++ /* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling ++ * on windows. ++ * we do not care about the trailing slash here on windows, as we already ensured it is a directory ++ * ++ * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory ++ * as a username without them. ++ */ ++ if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) { ++ buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */ ++ } + buffer_copy_string_buffer(con->physical.path, p->temp_path); + +Index: NEWS +=================================================================== +--- NEWS (revision 2281) ++++ NEWS (revision 2283) +@@ -53,4 +53,5 @@ + * fixed conditional patching of ldap filter (#1564) + * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server) ++ * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1" + + - 1.4.19 - 2008-03-10 diff --git a/www/lighttpd/files/patch-sa_2008_07 b/www/lighttpd/files/patch-sa_2008_07 new file mode 100644 index 000000000000..1af4865f5497 --- /dev/null +++ b/www/lighttpd/files/patch-sa_2008_07 @@ -0,0 +1,53 @@ +# +# http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt +# +Index: src/request.c +=================================================================== +--- src/request.c (revision 1947) ++++ src/request.c (revision 2305) +@@ -826,4 +826,5 @@ + con->request.request); + } ++ array_insert_unique(con->request.headers, (data_unset *)ds); + return 0; + } +@@ -875,4 +876,5 @@ + con->request.request); + } ++ array_insert_unique(con->request.headers, (data_unset *)ds); + return 0; + } +@@ -912,4 +914,5 @@ + con->request.request); + } ++ array_insert_unique(con->request.headers, (data_unset *)ds); + return 0; + } +@@ -937,4 +940,5 @@ + con->request.request); + } ++ array_insert_unique(con->request.headers, (data_unset *)ds); + return 0; + } +@@ -954,4 +958,5 @@ + con->request.request); + } ++ array_insert_unique(con->request.headers, (data_unset *)ds); + return 0; + } +@@ -977,4 +982,5 @@ + con->request.request); + } ++ array_insert_unique(con->request.headers, (data_unset *)ds); + return 0; + } +Index: NEWS +=================================================================== +--- NEWS (revision 2304) ++++ NEWS (revision 2305) +@@ -63,4 +63,5 @@ + * workaround ldap connection leak if a ldap connection failed (restarting ldap) + * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie) ++ * fix memleak in request header parsing (#1774, thx qhy) + + - 1.4.19 - 2008-03-10 |