--- lighttpd-1.4.11.orig/debian/lighttpd.examples
+++ lighttpd-1.4.11/debian/lighttpd.examples
@@ -0,0 +1 @@
+doc/lighttpd.conf
--- lighttpd-1.4.11.orig/debian/TODO.Debian
+++ lighttpd-1.4.11/debian/TODO.Debian
@@ -0,0 +1,7 @@
+urgent:
+* better package descriptions
+* tweak Recommends: and Suggests:
+
+not-so-urgent:
+* create a dirlisting template that slightly advertises Debian
+
--- lighttpd-1.4.11.orig/debian/create-mime.assign.pl
+++ lighttpd-1.4.11/debian/create-mime.assign.pl
@@ -0,0 +1,20 @@
+#!/usr/bin/perl -w
+use strict;
+open MIMETYPES, "/etc/mime.types";
+print "mimetype.assign = (\n";
+my %extensions;
+while() {
+ chomp;
+ s/\#.*//;
+ next if /^\w*$/;
+ if(/^([a-z0-9\/+-.]+)\s+((?:[a-z0-9.+-]+[ ]?)+)$/) {
+ foreach(split / /, $2) {
+ # mime.types can have same extension for different
+ # mime types
+ next if $extensions{$_};
+ $extensions{$_} = 1;
+ print "\".$_\" => \"$1\",\n";
+ }
+ }
+}
+print ")\n";
--- lighttpd-1.4.11.orig/debian/lighty-enable-mod
+++ lighttpd-1.4.11/debian/lighty-enable-mod
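Review bot: `open MIMETYPES, "/etc/mime.types";` in create-mime.assign.pl is an unchecked two-argument open on a bareword handle, so when /etc/mime.types is missing or unreadable the script prints an empty `mimetype.assign = ( )` block and exits 0, and lighttpd silently serves everything without a MIME mapping. Use the three-argument form with a lexical handle and fail loudly: `open my $mime_fh, '<', '/etc/mime.types' or die "open /etc/mime.types: $!";` and read from that handle in the `while` loop. The character class `[a-z0-9\/+-.]` also contains the range `+-.`, which admits `,` as well as `-`; if the dash is meant literally write `[a-z0-9\/+\-.]`.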
@@ -0,0 +1,108 @@
+#!/usr/bin/perl -w
+#
+# Copyright (c) 2006 Krzysztof Krzyzaniak
+#
+# Contains changes from:
+# - Tobias Gruetzmacher
+#
+# You may distribute under the terms of either the GNU General Public
+# License[1] or the Artistic License[2].
+#
+# [1] http://www.gnu.org/licenses/gpl.html
+# [2] http://www.perl.com/pub/a/language/misc/Artistic.html
+#
+
+use strict;
+use Term::ReadLine;
+use File::Basename;
+use File::Glob ':glob';
+use File::stat;
+
+#--- some initializations
+my $confdir = "/etc/lighttpd/";
+my %available = ();
+my %enabled = ();
+my @todo = ();
+
+my %moduledeps = ();
+
+my $enabling = 1;
+
+
+#--- first check if we enabling or disabling
+if ($0 =~ /disable-mod$/) {
+ #--- disabling mode
+ $enabling = 0;
+}
+
+
+#--- list of available modules
+my @files = bsd_glob($confdir.'conf-available/*.conf');
+print "Available modules: ";
+foreach my $file (@files) {
+ if (basename($file) =~ /^\d+\-([\w\-]+)\.conf$/) {
+ $available{$1} = $file;
+ print qq{$1 };
+ }
+}
+print "\n";
+
+#--- list of already enabled modules
+@files = bsd_glob($confdir.'conf-enabled/*.conf');
+print "Already enabled modules: ";
+foreach my $file (@files) {
+ if (basename($file) =~ /^\d+\-([\w\-]+)\.conf$/) {
+ $enabled{$1} = $file;
+ print qq{$1 };
+ }
+}
+print "\n";
+
+unless (defined($ARGV[0])) {
+ my $prompt = $enabling ?
'Enable module: ' : 'Disable module: ';
+ my $term = new Term::ReadLine $prompt;
+ my $OUT = $term->OUT || \*STDOUT;
+ my $var = lc($term->readline($prompt));
+ @todo = split(/ /, $var);
+}
+else {
+ @todo = @ARGV;
+}
+
+
+#--- activate (link) or deactivate (remove) module
+foreach my $do (@todo) {
+
+ my $target = sprintf("%s/conf-enabled/%s", $confdir,basename($available{$do}));
+ if ($enabling) {
+ print qq{Enabling $do: };
+
+ my $st = stat($target);
+ unless ( -f $target ) {
+ if (symlink($available{$do}, $target)) {
+ print "ok\n";
+ }
+ else {
+ print "failure: $!\n";
+ }
+ }
+ else {
+ print "already enabled\n";
+ }
+
+ #--- check dependencies
+ for my $module (@{$moduledeps{$do}})
+ {
+ unless ( -f $target && -l $target )
+ {
+ print qq{Module $do depends on module $module which is not activated.\n};
+ }
+ }
+ }
+ else {
+ print qq{Disabling $do\n};
+ unlink($target);
+ }
+}
+
+print "Run /etc/init.d/lighttpd force-reload to enable changes\n";
--- lighttpd-1.4.11.orig/debian/init.d
+++ lighttpd-1.4.11/debian/init.d
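Review bot: `$available{$do}` is used in the `sprintf` target and in `symlink` without checking that `$do` names a module found in conf-available, so a mistyped or unknown name reaches `basename(undef)` and `symlink(undef, ...)`: the user gets uninitialized-value warnings and a misleading `failure:` message, and in disable mode an unchecked `unlink` is attempted on the bare `/etc/lighttpd//conf-enabled/` path. Guard the loop body first: `unless (exists $available{$do}) { print qq{Module $do is not available\n}; next; }`. The dependency loop tests `-f $target && -l $target` on the link just created rather than on the dependency's own link, `%moduledeps` is never populated so it cannot run, and `my $st = stat($target);` is unused. `new Term::ReadLine $prompt` is indirect-object syntax; `Term::ReadLine->new($prompt)` is the conventional form.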
@@ -0,0 +1,73 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: lighttpd
+# Required-Start: networking
+# Required-Stop: networking
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start the lighttpd web server.
+### END INIT INFO
+
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/lighttpd
+NAME=lighttpd
+DESC="web server"
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+DAEMON_OPTS="-f /etc/lighttpd/lighttpd.conf"
+
+test -x $DAEMON || exit 0
+
+set -e
+
+. /lib/lsb/init-functions
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC" $NAME
+ if ! start-stop-daemon --start --quiet\
+ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS ; then
+ log_end_msg 1
+ else
+ log_end_msg 0
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" $NAME
+ if start-stop-daemon --quiet --stop --oknodo --retry 30\
+ --pidfile $PIDFILE --exec $DAEMON; then
+ rm -f $PIDFILE
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ reload)
+ log_daemon_msg "Reloading $DESC configuration" $NAME
+ if start-stop-daemon --stop --signal 2 --oknodo --retry 30\
+ --quiet --pidfile $PIDFILE --exec $DAEMON; then
+ if start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS ; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ else
+ log_end_msg 1
+ fi
+ ;;
+ restart|force-reload)
+ $0 stop
+ [ -r $PIDFILE ] && while pidof lighttpd |\
+ grep -q `cat $PIDFILE 2>/dev/null` 2>/dev/null ; do sleep 1; done
+ $0 start
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- lighttpd-1.4.11.orig/debian/lighttpd-mod-mysql-vhost.install
+++ lighttpd-1.4.11/debian/lighttpd-mod-mysql-vhost.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/lighttpd/mod_mysql_vhost.so
--- lighttpd-1.4.11.orig/debian/include-conf-enabled.pl
+++ lighttpd-1.4.11/debian/include-conf-enabled.pl
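Review bot: Every failure branch in `start`, `stop` and `reload` only calls `log_end_msg 1` and then falls through to the trailing `exit 0`, so the script reports success to its caller (and to anything automating it) even when start-stop-daemon failed; LSB expects a non-zero status there, e.g. `log_end_msg 1; exit 1`. In the `restart|force-reload` wait loop the backtick `cat $PIDFILE` substitution hands grep an empty pattern list when the pidfile is empty and an unanchored regex otherwise, so pid 12 also matches 123; `grep -qx "$(cat $PIDFILE 2>/dev/null)"` with the empty case excluded is safer. With `set -e` active, fixing the exit codes means `$0 stop` will abort restart on a stop failure, so decide explicitly whether restart should continue with `$0 stop || true`.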
@@ -0,0 +1,23 @@
+#!/usr/bin/perl -wl
+
+use strict;
+use File::Glob ':glob';
+
+my $confdir = "/etc/lighttpd/conf-enabled/";
+
+#--- read filenames in $confdir, only with .conf extension counts
+chdir($confdir);
+my @files = bsd_glob('*.conf');
+
+@files = sort grep {/\.conf$/} @files;
+
+for my $file (@files)
+{
+ open( FILE, "<", $file ) or die "Can't open file $file: $!";
+ print "## content of $file";
+ while ()
+ {
+ chomp $_; print $_;
+ }
+}
+
--- lighttpd-1.4.11.orig/debian/rules
+++ lighttpd-1.4.11/debian/rules
@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/autotools.mk
+include /usr/share/cdbs/1/rules/dpatch.mk
+
+include /usr/share/dpatch/dpatch.make
+
+DEB_CONFIGURE_EXTRA_FLAGS += --libdir=/usr/lib/lighttpd \
+ --with-openssl --with-pcre --with-bz2 --with-ldap \
+ --with-mysql --with-lua --with-gdbm
+
+configure/lighttpd::
+ -mkdir debian/conf-enabled
+ chmod a+x debian/create-mime.assign.pl
+ chmod a+x debian/include-conf-enabled.pl
+ chmod a+x debian/lighty-enable-mod
--- lighttpd-1.4.11.orig/debian/index.html
+++ lighttpd-1.4.11/debian/index.html
@@ -0,0 +1,57 @@
+
+
+
+
+Welcome page
+
+
+
+
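Review bot: `chdir($confdir);` in include-conf-enabled.pl is unchecked, so if /etc/lighttpd/conf-enabled/ is missing or unreadable the following `bsd_glob('*.conf')` runs in whatever directory the caller happened to be in and every `*.conf` found there is emitted as server configuration; write `chdir($confdir) or die "chdir $confdir: $!";` so a broken install fails instead of including stray files. The `open( FILE, ...)` bareword handle is reopened on every iteration and never closed; a lexical `open my $fh, '<', $file or die ...` read with `while (my $line = <$fh>)` and closed after the loop is the conventional form. Since the script's output is presumably spliced into lighttpd.conf (the include directive is not visible here), a one-line comment stating that contract at the top would help the next maintainer.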
+ +
+

You should replace this page with your own web pages as soon as possible.

+ Unless you changed its configuration, your new server is configured as follows: +
    +
  • Configuration files can be found in /etc/lighttpd. Please read /etc/lighttpd/conf-available/README file.
  • +
  • The DocumentRoot, which is the directory under which all your HTML files should exist, is set to /var/www.
  • +
  • CGI scripts are looked for in /usr/lib/cgi-bin, which is where Debian packages will place their scripts. You can enable cgi module by using command "lighty-enable-mod cgi".
  • +
  • Log files are placed in /var/log/lighttpd, and will be rotated weekly. The frequency of rotation can be easily changed by editing /etc/logrotate.d/lighttpd.
  • +
  • The default directory index is index.html, meaning that requests for a directory /foo/bar/ will give the contents of the file /var/www/foo/bar/index.html if it exists (assuming that /var/www is your DocumentRoot).
  • +
  • You can enable user directories by using command "lighty-enable-mod userdir"
  • +
+

About this page

+

+ This is a placeholder page installed by the Debian release of the Lighttpd server package. +

+

+ This computer has installed the Debian GNU/Linux operating system, but it has nothing to do with the Debian Project. Please do not contact the Debian Project about it. +

+

+ If you find a bug in this Lighttpd package, or in Lighttpd itself, please file a bug report on it. Instructions on doing this, and the list of known bugs of this package, can be found in the + Debian Bug Tracking System. +

+

+ Valid XHTML 1.0 Transitional +

+
+
+ + + --- lighttpd-1.4.11.orig/debian/control +++ lighttpd-1.4.11/debian/control 
@@ -0,0 +1,70 @@
+Source: lighttpd
+Section: web
+Priority: optional
+Maintainer: Debian lighttpd maintainers
+Uploaders: Krzysztof Krzyzaniak (eloy) , Torsten Marek
+Build-Depends: debhelper (>= 5.0.0), cdbs, libssl-dev, zlib1g-dev, libbz2-dev, libpcre3-dev, libmysqlclient15-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, liblua50-dev, liblualib50-dev, dpatch, patchutils
+Standards-Version: 3.6.2.0
+
+Package: lighttpd
+Architecture: any
+Depends: ${shlibs:Depends}, lsb-base (>= 3.0-3), mime-support, libterm-readline-perl-perl
+Provides: httpd, httpd-cgi
+Suggests: openssl, rrdtool, apache2-utils
+Recommends: php4-cgi, php5-cgi
+Description: A fast webserver with minimal memory footprint
+ lighttpd is a small webserver and fast webserver developed with
+ security in mind and a lot of features.
+ It has support for
+ * CGI, FastCGI and SSI
+ * virtual hosts
+ * URL rewriting
+ * authentication (plain files, htpasswd, ldap)
+ * transparent content compression
+ * conditional configuration
+ and configuration is straight-forward and easy.
+ .
+ Homepage: http://www.lighttpd.net
+
+Package: lighttpd-doc
+Architecture: all
+Section: doc
+Suggests: lighttpd
+Description: Documentation for lighttpd
+ This package contains all documentation files for lighttpd.
+ .
+ Homepage: http://www.lighttpd.net
+
+Package: lighttpd-mod-mysql-vhost
+Architecture: any
+Depends: lighttpd (= ${Source-Version}), ${shlibs:Depends}
+Description: MySQL-based virtual host configuration for lighttpd
+ This package contains the myqsl_vhost module for lighttpd. With
+ this module, it is possible to write the configuration for virtual
+ hosts into a MySQL table instead of including it in the lighttpd
+ configuration file.
+ .
+ Homepage: http://www.lighttpd.net
+
+Package: lighttpd-mod-trigger-b4-dl
+Architecture: any
+Depends: lighttpd (= ${Source-Version}), ${shlibs:Depends}
+Replaces: lighttpd (<< 1.4.10-5)
+Recommends: memcached
+Description: Anti-deep-linking module for lighttpd
+ The trigger-b4-dl module for lighttpd can prevent deep linking
+ from other sites by requiring users to visit a trigger URL to
+ be able to download certain files.
+ .
+ Homepage: http://www.lighttpd.net
+
+Package: lighttpd-mod-cml
+Architecture: any
+Depends: lighttpd (= ${Source-Version}), ${shlibs:Depends}
+Recommends: memcached
+Description: Cache meta language module for lighttpd
+ With the cache meta language, it is possible to describe to the
+ dependencies of a cached file to its source files/scripts. For the
+ cache files, the scripting language LUA is used.
+ .
+ Homepage: http://www.lighttpd.net
--- lighttpd-1.4.11.orig/debian/lighttpd.postinst
+++ lighttpd-1.4.11/debian/lighttpd.postinst
@@ -0,0 +1,22 @@
+#! /bin/sh
+# postinst script for lighttpd
+
+set -e
+
+if [ "$1" = "configure" ]; then
+ if [ ! -r /var/www/index.html ];
+ then
+ cp /usr/share/lighttpd/index.html /var/www/index.html
+ else
+ if grep -s '853e9a42efca88ae0dd1a83aeb215047' /var/www/index.html
+ then
+ cp /usr/share/lighttpd/index.html /var/www/index.html
+ fi
+ fi
+ chown www-data:www-data /var/log/lighttpd
+ chown www-data:www-data /var/www
+fi
+
+#DEBHELPER#
+
+exit 0
--- lighttpd-1.4.11.orig/debian/lighttpd-doc.install
+++ lighttpd-1.4.11/debian/lighttpd-doc.install
@@ -0,0 +1 @@
+doc/*.txt usr/share/doc/lighttpd-doc
--- lighttpd-1.4.11.orig/debian/changelog
+++ lighttpd-1.4.11/debian/changelog
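Review bot: The lighttpd-mod-mysql-vhost description misspells the module as `myqsl_vhost`; it should read `mod_mysql_vhost` to match the shared object listed in lighttpd-mod-mysql-vhost.install. The lighttpd synopsis `A fast webserver with minimal memory footprint` starts with an article and the long description repeats "webserver" (`a small webserver and fast webserver`); `Description: fast webserver with minimal memory footprint` and `lighttpd is a small, fast webserver developed with` read cleaner.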
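Review bot: `chown www-data:www-data /var/www` makes the whole document root writable by the account the server runs as, so any CGI/FastCGI program or a compromised worker running as www-data can replace every file it serves; nothing in this script needs that ownership, since the `cp` of index.html runs as root. Drop that line and keep /var/www root-owned; the `chown` of /var/log/lighttpd is the one the daemon plausibly requires, assuming it writes its logs there (its configuration is not in this diff). The `grep -s '853e9a42efca88ae0dd1a83aeb215047'` branch deserves a one-line comment such as `# only overwrite a placeholder that still carries the marker we shipped` so the next maintainer knows why an existing index.html is sometimes replaced.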
@@ -0,0 +1,267 @@ +lighttpd (1.4.11-3ubuntu3.6) dapper-security; urgency=low + + * SECURITY UPDATE: + + debian/patches/90_maxfds_crash_fix.dpatch: + - added patch from upstream to fix the maxfds issue (LP: #195380) + * References + + http://trac.lighttpd.net/trac/ticket/1562 + + -- Emanuele Gentili Mon, 25 Feb 2008 16:58:32 +0100 + +lighttpd (1.4.11-3ubuntu3.5) dapper-security; urgency=low + + * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c + (backported from upstream 1.4.17) + * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes + possible dereferencing a NULL pointer in buffer.c (both backported from + upstream 1.4.17) + * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to + improper handling of content length in HTTP headers. Patch from upstream + * References + https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309 + https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310 + http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt + CVE-2007-4727 + + -- Jamie Strandboge Sat, 08 Sep 2007 17:09:41 -0400 + +lighttpd (1.4.11-3ubuntu3.4) dapper-security; urgency=low + + * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping, + various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug + (LP:#127718) + * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch: + - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947) + - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt + - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch + * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch: + - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946) + - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt, + http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt, + 
http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt, + http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt + - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch + * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch: + - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949) + - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt + - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch + * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch: + - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948) + - Description: http://secunia.com/cve_reference/CVE-2007-3948/ + - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873 + * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch + - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950) + - Description: http://secunia.com/cve_reference/CVE-2007-3950/ + - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882 + * References: + - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it + - External references: http://secunia.com/advisories/26130/ + + -- Aron Sisak Wed, 08 Aug 2007 22:32:43 +0200 + +lighttpd (1.4.11-3ubuntu3.3) dapper-updates; urgency=low + + * Push SRU to dapper-updates + + -- Scott Kitterman Sat, 04 Aug 2007 16:14:27 -0400 + +lighttpd (1.4.11-3ubuntu3.2) dapper-proposed; urgency=low + + * Added relevant security fix from 1.4.14 (Closes LP: #107628) + - DOS with files with mtime 0 (CVE-2007-1870) + security_zero_mtime_crash + + -- Scott Kitterman Tue, 24 Apr 2007 12:04:01 -0400 + +lighttpd (1.4.11-3ubuntu3.1) dapper-proposed; urgency=low + + * debian/init.d: Update to current Debian script + (Closes: Malone #59269, Malone #68401) + + -- Lukas Fittl Sat, 4 Nov 2006 15:57:26 +0100 + +lighttpd (1.4.11-3ubuntu3) dapper; urgency=low + + * debian/control + + Added depends on 
libterm-readline-perl-perl. (Closes: Malone #43895) + + -- Chuck Short Wed, 10 May 2006 18:11:24 -0400 + +lighttpd (1.4.11-3ubuntu2) dapper; urgency=low + + * Rebuild against the new libmysqlclient15off with correct symbols. + + -- Adam Conrad Thu, 6 Apr 2006 15:10:02 +1000 + +lighttpd (1.4.11-3ubuntu1) dapper; urgency=low + + * Sync with Debian: + + Removed B-D on libmemcache-dev as we don't have it in dapper, needs to be + re-enabled for dapper+1 + + -- Sebastian Dröge Mon, 27 Mar 2006 13:52:44 +0200 + +lighttpd (1.4.11-3) unstable; urgency=low + + * debian/lighttpd.conf - added dir-listing.encoding = "utf-8", suggested + by Silvestre Zabala (closes: #359100) + * debian/lighttpd.install - fix bug with installing *.conf files + + -- Krzysztof Krzyzaniak (eloy) Mon, 27 Mar 2006 09:50:55 +0200 + +lighttpd (1.4.11-2) unstable; urgency=low + + * Provide debian/conf-available/10-ssl.conf, (closes: #355868) + + -- Krzysztof Krzyzaniak (eloy) Fri, 24 Mar 2006 13:53:54 +0100 + +lighttpd (1.4.11-1) unstable; urgency=low + + * New upstream release (closes: #356496) + * init.d script - added --background to "start" (thanks goes to + Marcello Nuccio ) (closes: #355865) + + -- Krzysztof Krzyzaniak (eloy) Fri, 10 Mar 2006 09:51:10 +0100 + +lighttpd (1.4.10-6) unstable; urgency=low + + * Patch from on lighty-enable-mod + (closes: #355773) + + -- Krzysztof Krzyzaniak (eloy) Wed, 8 Mar 2006 11:17:07 +0100 + +lighttpd (1.4.10-5) unstable; urgency=low + + [ Krzysztof Krzyzaniak (eloy) ] + * debian/control - libmysqlclient14-dev have to be removede because is not + available in debian/sid + + [ Torsten Marek ] + * debian/rules - build with support for LUA, libmemcache and GDBM + * debian/lighttpd.install - install mod_evasive into lighttpd package + * debian/control - own packages for mod_trigger_b4_dl and mod_cml + * debian/control - small fixes + * debian/conf-available/10-ssi.conf - comment out link to web documentation + + -- Torsten Marek Mon, 6 Mar 2006 12:07:29 +0100 + 
+lighttpd (1.4.10-4) unstable; urgency=low + + * bugfix release + * Fixed bug with 10-fastcgi.conf, (closes: #353964) + + -- Krzysztof Krzyzaniak (eloy) Thu, 23 Feb 2006 16:14:42 +0100 + +lighttpd (1.4.10-3) unstable; urgency=low + + * lighttpd.conf - changed configuration for /images/ & /doc/ handling + + -- Krzysztof Krzyzaniak (eloy) Tue, 14 Feb 2006 09:57:15 +0100 + +lighttpd (1.4.10-2) unstable; urgency=low + + * debian/control - libmysqlclient14-dev added as alternative (will be easier for + backports.org) + * lighty-enable-mod script fixed - files with dash were skipped, thanks + to Silvester Zabala for patch (closes: #352577) + * install doc/lighttpd.conf as example (closes: #344961) + + -- Krzysztof Krzyzaniak (eloy) Mon, 13 Feb 2006 12:58:54 +0100 + +lighttpd (1.4.10-1) unstable; urgency=low + + * New upstream release + + -- Krzysztof Krzyzaniak (eloy) Wed, 8 Feb 2006 16:02:16 +0100 + +lighttpd (1.4.9-5) unstable; urgency=low + + * Properly fixed bug with overwritting index.html (closes: #349676) + + -- Krzysztof Krzyzaniak (eloy) Mon, 30 Jan 2006 10:17:57 +0100 + +lighttpd (1.4.9-4) unstable; urgency=low + + [ Krzysztof Krzyzaniak (eloy) ] + * Fixed bug with 10-userdir.conf, (closes: #349821) + * index.html is not replaced when md5 string desn't match (closes: #349676) + + -- Krzysztof Krzyzaniak (eloy) Wed, 25 Jan 2006 16:33:34 +0100 + +lighttpd (1.4.9-3) unstable; urgency=low + + [ Torsten Marek ] + * Added some configuration examples from upstream sample + configuration + * Implement "reload" init.d action with graceful restart, + taken from http://trac.lighttpd.net/trac/ticket/267 (Closes: #346038) + * ssi, auth, fastcgi, proxy and simple-vhost are now in separte + config files + * Put path to plugin documentation into every config snippet + * Build against libmysqlclient15 + + -- Torsten Marek Sat, 21 Jan 2006 15:16:01 +0100 + +lighttpd (1.4.9-2) unstable; urgency=low + + [ Krzysztof Krzyzaniak (eloy) ] + * mod_alias enabled by default - removed 
conf-avaiable/00-alias.conf + * Added handling of http://localhost/doc/ & http://localhost/images/ + (closes: #348823) + + -- Krzysztof Krzyzaniak (eloy) Thu, 19 Jan 2006 12:39:04 +0100 + +lighttpd (1.4.9-1) unstable; urgency=low + + * New upstream release + * Closing bug from not uploaded release 1.4.8-5, (closes: #347737) + + -- Krzysztof Krzyzaniak (eloy) Mon, 16 Jan 2006 20:06:39 +0100 + +lighttpd (1.4.8-5) unstable; urgency=low + + * create /var/www directory (closes: #347737), default /var/www/index.html + added (based on apache2 index.html file). + + -- Krzysztof Krzyzaniak (eloy) Thu, 12 Jan 2006 16:54:32 +0100 + +lighttpd (1.4.8-4) unstable; urgency=low + + * fixed permissions and directories (closes: #347565) + + -- Krzysztof Krzyzaniak (eloy) Wed, 11 Jan 2006 17:15:12 +0100 + +lighttpd (1.4.8-3) unstable; urgency=low + + * New configuration layout (closes: #345554) (closes: #344959), + read /etc/lighttpd/conf-available/README + - conf-available directory for all templates + - conf-enabled directory for enabled modules + + -- Krzysztof Krzyzaniak (eloy) Mon, 9 Jan 2006 13:49:34 +0100 + +lighttpd (1.4.8-2) unstable; urgency=low + + [ Krzysztof Krzyzaniak (eloy) ] + * debian/control: lsb-base dependency narrowed to (>= 3.0-3) + * create-mime.assign.pl set as executable (closes: #344938) + + -- Krzysztof Krzyzaniak (eloy) Wed, 28 Dec 2005 12:40:55 +0100 + +lighttpd (1.4.8-1) unstable; urgency=low + + * New upstream version (closes: #304271) + * Does not rely on $SHELL to execute external commands + + -- Torsten Marek Sat, 26 Nov 2005 11:48:51 +0100 + +lighttpd (1.4.7-1) unstable; urgency=low + + * New upstream version, Initial debian version + * Better debian/rules file + * Split mysql vhost module into separate package + * Create separate package for documentation + * Create a better init script + + -- Torsten Marek Sat, 5 Nov 2005 18:56:53 +0100 + --- lighttpd-1.4.11.orig/debian/copyright +++ lighttpd-1.4.11/debian/copyright 
@@ -0,0 +1,70 @@ +This package was debianized by Vincent Wagelaar on +Wed, 24 Mar 2004 08:20:58 +0100. + +It was downloaded from http://www.incremental.de/products/lighttpd/download/ + +Upstream Author: Jan Kneschke + +Copyright: + +Copyright (c) 2004, Jan Kneschke, incremental + All rights reserved. + +You are free to distribute this software under the terms of the BSD License. +On Debian systems, the complete text of the BSD License can be found in +/usr/share/common-licenses/BSD. + +src/fastcgi.h +Copyright (c) 1995-1996 Open Market, Inc + +This FastCGI application library source and object code (the +"Software") and its documentation (the "Documentation") are +copyrighted by Open Market, Inc ("Open Market"). The following terms +apply to all files associated with the Software and Documentation +unless explicitly disclaimed in individual files. + +Open Market permits you to use, copy, modify, distribute, and license +this Software and the Documentation for any purpose, provided that +existing copyright notices are retained in all copies and that this +notice is included verbatim in any distributions. No written +agreement, license, or royalty fee is required for any of the +authorized uses. Modifications to this Software and Documentation may +be copyrighted by their authors and need not follow the licensing +terms described here. If modifications to this Software and +Documentation have new licensing terms, the new terms must be clearly +indicated on the first page of each file where they apply. + +OPEN MARKET MAKES NO EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE +SOFTWARE OR THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY +WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
IN +NO EVENT SHALL OPEN MARKET BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY +DAMAGES ARISING FROM OR RELATING TO THIS SOFTWARE OR THE +DOCUMENTATION, INCLUDING, WITHOUT LIMITATION, ANY INDIRECT, SPECIAL OR +CONSEQUENTIAL DAMAGES OR SIMILAR DAMAGES, INCLUDING LOST PROFITS OR +LOST DATA, EVEN IF OPEN MARKET HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. THE SOFTWARE AND DOCUMENTATION ARE PROVIDED "AS IS". +OPEN MARKET HAS NO LIABILITY IN CONTRACT, TORT, NEGLIGENCE OR +OTHERWISE ARISING OUT OF THIS SOFTWARE OR THE DOCUMENTATION. + + +src/md5.h, src/md5.c +Copyright (c) 1991-2, RSA Data Security , Inc. + All rights reserved. + +License to copy and use this software is granted provided that it +is identified as the "RSA Data Security, Inc. MD5 Message-Digest +Algorithm" in all material mentioning or referencing this software +or this function. + +License is also granted to make and use derivative works provided +that such works are identified as "derived from the RSA Data +Security, Inc. MD5 Message-Digest Algorithm" in all material +mentioning or referencing the derived work. + +RSA Data Security, Inc. makes no representations concerning either +the merchantability of this software or the suitability of this +software for any particular purpose. It is provided "as is" +without express or implied warranty of any kind. + +These notices must be retained in any copies of any part of this +documentation and/or software. --- lighttpd-1.4.11.orig/debian/lighttpd-mod-cml.install +++ lighttpd-1.4.11/debian/lighttpd-mod-cml.install @@ -0,0 +1,2 @@ +debian/tmp/usr/lib/lighttpd/mod_cml.so +debian/conf-available/10-cml.conf etc/lighttpd/conf-available --- lighttpd-1.4.11.orig/debian/lighttpd.dirs +++ lighttpd-1.4.11/debian/lighttpd.dirs 
@@ -0,0 +1,10 @@
+var
+var/www
+var/log
+var/log/lighttpd
+etc
+etc/lighttpd/
+etc/lighttpd/conf-available
+etc/lighttpd/conf-enabled
+usr
+usr/sbin
--- lighttpd-1.4.11.orig/debian/lighttpd-mod-trigger-b4-dl.install
+++ lighttpd-1.4.11/debian/lighttpd-mod-trigger-b4-dl.install
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/lighttpd/mod_trigger_b4_dl.so
+debian/conf-available/10-trigger-b4-dl.conf etc/lighttpd/conf-available
--- lighttpd-1.4.11.orig/debian/lighttpd.manpages
+++ lighttpd-1.4.11/debian/lighttpd.manpages
@@ -0,0 +1 @@
+debian/lighty-enable-mod.1
--- lighttpd-1.4.11.orig/debian/lighttpd.postrm
+++ lighttpd-1.4.11/debian/lighttpd.postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+# postrm script for lighttpd
+
+set -e
+
+if [ "$1" = "purge" ]; then
+ rm -rf /var/log/lighttpd
+fi
+
+#DEBHELPER#
+
+exit 0
--- lighttpd-1.4.11.orig/debian/lighttpd.links
+++ lighttpd-1.4.11/debian/lighttpd.links
@@ -0,0 +1,2 @@
+usr/sbin/lighty-enable-mod usr/sbin/lighty-disable-mod
+usr/share/man/man1/lighty-enable-mod.1.gz usr/share/man/man1/lighty-disable-mod.1.gz
--- lighttpd-1.4.11.orig/debian/lighttpd.install
+++ lighttpd-1.4.11/debian/lighttpd.install
@@ -0,0 +1,38 @@
+debian/tmp/usr/bin/*
+debian/tmp/usr/sbin/*
+debian/tmp/usr/share/man/*
+debian/tmp/usr/lib/lighttpd/mod_access.so
+debian/tmp/usr/lib/lighttpd/mod_accesslog.so
+debian/tmp/usr/lib/lighttpd/mod_alias.so
+debian/tmp/usr/lib/lighttpd/mod_auth.so
+debian/tmp/usr/lib/lighttpd/mod_cgi.so
+debian/tmp/usr/lib/lighttpd/mod_compress.so
+debian/tmp/usr/lib/lighttpd/mod_dirlisting.so
+debian/tmp/usr/lib/lighttpd/mod_evasive.so
+debian/tmp/usr/lib/lighttpd/mod_evhost.so
+debian/tmp/usr/lib/lighttpd/mod_expire.so
+debian/tmp/usr/lib/lighttpd/mod_fastcgi.so
+debian/tmp/usr/lib/lighttpd/mod_flv_streaming.so
+debian/tmp/usr/lib/lighttpd/mod_indexfile.so
+debian/tmp/usr/lib/lighttpd/mod_proxy.so
+debian/tmp/usr/lib/lighttpd/mod_redirect.so
+debian/tmp/usr/lib/lighttpd/mod_rewrite.so
+debian/tmp/usr/lib/lighttpd/mod_rrdtool.so
+debian/tmp/usr/lib/lighttpd/mod_scgi.so
+debian/tmp/usr/lib/lighttpd/mod_secdownload.so
+debian/tmp/usr/lib/lighttpd/mod_setenv.so
+debian/tmp/usr/lib/lighttpd/mod_simple_vhost.so
+debian/tmp/usr/lib/lighttpd/mod_ssi.so
+debian/tmp/usr/lib/lighttpd/mod_staticfile.so
+debian/tmp/usr/lib/lighttpd/mod_status.so
+debian/tmp/usr/lib/lighttpd/mod_userdir.so
+debian/tmp/usr/lib/lighttpd/mod_usertrack.so
+debian/tmp/usr/lib/lighttpd/mod_webdav.so
+debian/lighttpd.conf /etc/lighttpd
+debian/conf-enabled /etc/lighttpd
+debian/conf-available/*.conf /etc/lighttpd/conf-available
+debian/conf-available/README /etc/lighttpd/conf-available
+debian/create-mime.assign.pl /usr/share/lighttpd/
+debian/include-conf-enabled.pl /usr/share/lighttpd/
+debian/lighty-enable-mod /usr/sbin/
+debian/index.html /usr/share/lighttpd/
--- lighttpd-1.4.11.orig/debian/lighty-enable-mod.1
+++ lighttpd-1.4.11/debian/lighty-enable-mod.1
@@ -0,0 +1,17 @@
+.TH LIGHTYENABLEMOD 1 2006-01-11
+.SH NAME
+lighty-enable-mod, lighty-disable-mod \- enable or disable configuration in lighttpd server
+.SH SYNOPSIS
+lighty-enable-mod [module]
+lighty-disable-mod [module]
+.SH DESCRIPTION
+This manual page documents briefly the lighty-enable-mod and
+lighty-disable-mod commands.
+
+lighty-enable-mod and lighty-disable-mod are programs that enable
+(and respectively disable) the specified configuration file within
+lighttpd configuration.
+.SH SEE ALSO
+lighttpd(1)
+.SH AUTHOR
+eloy@debian.org
--- lighttpd-1.4.11.orig/debian/compat
+++ lighttpd-1.4.11/debian/compat
@@ -0,0 +1 @@
+5
--- lighttpd-1.4.11.orig/debian/watch
+++ lighttpd-1.4.11/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://www.lighttpd.net/download/lighttpd-(.*)\.tar\.gz
--- lighttpd-1.4.11.orig/debian/patches/00list
+++ lighttpd-1.4.11/debian/patches/00list
@@ -0,0 +1,11 @@
+01_use_bin_sh
+05_security_zero_mtime_crash
+06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch
+07_security_lighttpd-1.4.x_mod_auth_sec.dpatch
+08_security_lighttpd-1.4.x_mod_access_bypass.dpatch
+09_security_lighttpd-1.4.x_connections.dpatch
+10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
+11_security_lighttpd-1.4.x_etags.dpatch
+12_security_lighttpd-1.4.x_eol.dpatch
+13_CVE-2007-4727.dpatch
+90_maxfds_crash_fix.dpatch
--- lighttpd-1.4.11.orig/debian/patches/05_security_zero_mtime_crash.dpatch
+++ lighttpd-1.4.11/debian/patches/05_security_zero_mtime_crash.dpatch
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_security_zero_mtime_crash.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad lighttpd-1.4.11~/src/server.c lighttpd-1.4.11/src/server.c
+--- lighttpd-1.4.11~/src/server.c 2006-03-04 12:12:17.000000000 -0500
++++ lighttpd-1.4.11/src/server.c 2007-04-24 12:06:32.000000000 -0400
+@@ -159,6 +159,7 @@
+ #undef CLEAN
+
+ for (i = 0; i < FILE_CACHE_MAX; i++) {
++ srv->mtime_cache[i].mtime = (time_t)-1;
+ srv->mtime_cache[i].str = buffer_init();
+ }
+
--- lighttpd-1.4.11.orig/debian/patches/11_security_lighttpd-1.4.x_etags.dpatch
+++ lighttpd-1.4.11/debian/patches/11_security_lighttpd-1.4.x_etags.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 11_security_lighttpd-1.4.x_etags.dpatch.dpatch by Jamie Strandboge
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: etags dereference NULL pointer fix
+
+@DPATCH@
+
+diff -Nru lighttpd-1.4.11.orig/src/buffer.c lighttpd-1.4.11/src/buffer.c
+--- lighttpd-1.4.11.orig/src/buffer.c 2006-01-12 17:00:45.000000000 -0500
++++ lighttpd-1.4.11/src/buffer.c 2007-09-08 17:57:18.000000000 -0400
+@@ -503,6 +503,7 @@
+ }
+
+ int buffer_is_empty(buffer *b) {
++ if (!b) return 1;
+ return (b->used == 0);
+ }
+
+diff -Nru lighttpd-1.4.11.orig/src/etag.c lighttpd-1.4.11/src/etag.c
+--- lighttpd-1.4.11.orig/src/etag.c 2005-08-10 18:26:40.000000000 -0400
++++ lighttpd-1.4.11/src/etag.c 2007-09-08 17:57:18.000000000 -0400
+@@ -4,7 +4,7 @@
+ #include "etag.h"
+
+ int etag_is_equal(buffer *etag, const char *matches) {
+- if (0 == strcmp(etag->ptr, matches)) return 1;
++ if (etag && !buffer_is_empty(etag) && 0 == strcmp(etag->ptr, matches)) return 1;
+ return 0;
+ }
+
--- lighttpd-1.4.11.orig/debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch
+++ lighttpd-1.4.11/debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch
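Review bot: The dpatch header of 05_security_zero_mtime_crash still reads `## DP: No description.` although debian/changelog ties this file to the zero-mtime denial of service (CVE-2007-1870, backported from 1.4.14), and the `by` field is empty (possibly an address dropped by this rendering). Describe what the one-line change does and why it matters, e.g. `## DP: Initialise mtime_cache[].mtime to (time_t)-1 instead of 0 so a file with mtime 0 does not hit an unset cache slot (CVE-2007-1870, backported from 1.4.14)`, so the security provenance travels with the patch rather than only with the changelog.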
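Review bot: In 11_security_lighttpd-1.4.x_etags the `etag &&` in the new `etag_is_equal` condition is redundant once `buffer_is_empty` returns 1 for a NULL pointer, so `if (!buffer_is_empty(etag) && 0 == strcmp(etag->ptr, matches)) return 1;` expresses the same guard without the double check. The widened contract of `buffer_is_empty` is the part future readers will trip over; a comment on the added line such as `/* a NULL buffer counts as empty so callers need no separate NULL check */` records the intent.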
@@ -0,0 +1,117 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 07_lighttpd-1.4.x_mod_auth_sec.dpatch by Aron Sisak +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fixes various mod_auth bugs (Lighttpd SA 2007:04-07) +## DP: * http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt, +## DP: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt, +## DP: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt, +## DP: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt +## DP: * http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch + +@DPATCH@ +diff -urNad lighttpd-1.4.11~/src/http_auth.c lighttpd-1.4.11/src/http_auth.c +--- lighttpd-1.4.11~/src/http_auth.c 2006-02-01 12:02:52.000000000 +0100 ++++ lighttpd-1.4.11/src/http_auth.c 2007-08-09 00:46:17.492393905 +0200 +@@ -672,7 +672,13 @@ + username = buffer_init(); + password = buffer_init(); + +- base64_decode(username, realm_str); ++ if (!base64_decode(username, realm_str)) { ++ buffer_free(username); ++ ++ log_error_write(srv, __FILE__, __LINE__, "sb", "decodeing base64-string failed", username); ++ ++ return 0; ++ } + + /* r2 == user:password */ + if (NULL == (pw = strchr(username->ptr, ':'))) { +@@ -808,7 +814,7 @@ + for (c = b->ptr; *c; c++) { + /* skip whitespaces */ + while (*c == ' ' || *c == '\t') c++; +- if (!c) break; ++ if (!*c) break; + + for (i = 0; dkv[i].key; i++) { + if ((0 == strncmp(c, dkv[i].key, dkv[i].key_len))) { +@@ -857,6 +863,21 @@ + + log_error_write(srv, __FILE__, __LINE__, "s", + "digest: missing field"); ++ ++ buffer_free(b); ++ return -1; ++ } ++ ++ /** ++ * protect the md5-sess against missing cnonce and nonce ++ */ ++ if (algorithm && ++ 0 == strcasecmp(algorithm, "md5-sess") && ++ (!nonce || !cnonce)) { ++ log_error_write(srv, __FILE__, __LINE__, "s", ++ "digest: (md5-sess: missing field"); ++ ++ buffer_free(b); + return -1; + } + +diff -urNad lighttpd-1.4.11~/tests/mod-auth.t 
lighttpd-1.4.11/tests/mod-auth.t +--- lighttpd-1.4.11~/tests/mod-auth.t 2006-02-01 12:05:22.000000000 +0100 ++++ lighttpd-1.4.11/tests/mod-auth.t 2007-08-08 23:32:30.094935530 +0200 +@@ -8,7 +8,7 @@ + + use strict; + use IO::Socket; +-use Test::More tests => 10; ++use Test::More tests => 13; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -93,6 +93,43 @@ + $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ]; + ok($tf->handle_http($t) == 0, 'Digest-Auth: missing nc (noncecount instead), no crash'); + ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; ++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid Base64'); ++ ++ ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; ++ok($tf->handle_http($t) == 0, 'Digest-Auth: md5-sess + missing cnonce'); ++ ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; ++ok($tf->handle_http($t) == 0, 'Digest-Auth: trailing WS'); ++ + + + ok($tf->stop_proc == 0, "Stopping lighttpd"); --- lighttpd-1.4.11.orig/debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch +++ lighttpd-1.4.11/debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch 
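Review bot: The new base64 failure branch in http_auth.c frees `username` and then passes it to `log_error_write(..., "sb", ..., username)`, so the log call reads a just-freed buffer; it also never frees `password`, which was `buffer_init()`ed on the line above and so leaks on every malformed Authorization header. Reorder to `log_error_write(srv, __FILE__, __LINE__, "sb", "decoding base64-string failed", username);` followed by `buffer_free(username); buffer_free(password);` before `return 0;` (fixing the "decodeing" typo at the same time), and consider whether a partially decoded, attacker-supplied string belongs in the error log at all. The `!c` → `!*c` correction in the digest parser and the md5-sess nonce/cnonce check look right; the enclosing functions begin outside these inner hunks.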
@@ -0,0 +1,63 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch by Aron Sisak
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-3950
+## DP: * http://secunia.com/cve_reference/CVE-2007-3950/
+## DP: * http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1873
+
+@DPATCH@
+diff -urNad lighttpd-1.4.11~/src/mod_fastcgi.c lighttpd-1.4.11/src/mod_fastcgi.c
+--- lighttpd-1.4.11~/src/mod_fastcgi.c 2006-03-09 12:18:39.000000000 +0100
++++ lighttpd-1.4.11/src/mod_fastcgi.c 2007-08-09 02:03:51.459291577 +0200
+@@ -2949,7 +2949,7 @@
+ *
+ */
+ 
+- log_error_write(srv, __FILE__, __LINE__, "ssdsd",
++ log_error_write(srv, __FILE__, __LINE__, "ssosd",
+ "[REPORT ME] connection was dropped after accept(). reconnect() denied:",
+ "write-offset:", hctx->wb->bytes_out,
+ "reconnect attempts:", hctx->reconnects);
+diff -urNad lighttpd-1.4.11~/src/mod_scgi.c lighttpd-1.4.11/src/mod_scgi.c
+--- lighttpd-1.4.11~/src/mod_scgi.c 2006-03-04 16:15:26.000000000 +0100
++++ lighttpd-1.4.11/src/mod_scgi.c 2007-08-09 02:03:51.459291577 +0200
+@@ -2286,7 +2286,7 @@
+ *
+ */
+ 
+- log_error_write(srv, __FILE__, __LINE__, "ssdsd",
++ log_error_write(srv, __FILE__, __LINE__, "ssosd",
+ "[REPORT ME] connection was dropped after accept(). reconnect() denied:",
+ "write-offset:", hctx->wb->bytes_out,
+ "reconnect attempts:", hctx->reconnects);
+@@ -2536,7 +2536,7 @@
+ return HANDLER_WAIT_FOR_FD;
+ }
+ 
+- log_error_write(srv, __FILE__, __LINE__, "sdsdsd",
++ log_error_write(srv, __FILE__, __LINE__, "sosdsd",
+ "response not sent, request sent:", hctx->wb->bytes_out,
+ "connection-fd:", con->fd,
+ "fcgi-fd:", hctx->fd);
+diff -urNad lighttpd-1.4.11~/src/mod_webdav.c lighttpd-1.4.11/src/mod_webdav.c
+--- lighttpd-1.4.11~/src/mod_webdav.c 2006-03-03 00:28:58.000000000 +0100
++++ lighttpd-1.4.11/src/mod_webdav.c 2007-08-09 02:03:51.459291577 +0200
+@@ -936,7 +936,7 @@
+ }
+ 
+ if (XML_ERR_OK != (err = xmlParseChunk(ctxt, c->file.mmap.start + c->offset, weHave, 0))) {
+- log_error_write(srv, __FILE__, __LINE__, "sddd", "xmlParseChunk failed at:", cq->bytes_out, weHave, err);
++ log_error_write(srv, __FILE__, __LINE__, "sodd", "xmlParseChunk failed at:", cq->bytes_out, weHave, err);
+ }
+ 
+ c->offset += weHave;
+@@ -954,7 +954,7 @@
+ }
+ 
+ if (XML_ERR_OK != (err = xmlParseChunk(ctxt, c->mem->ptr + c->offset, weHave, 0))) {
+- log_error_write(srv, __FILE__, __LINE__, "sddd", "xmlParseChunk failed at:", cq->bytes_out, weHave, err);
++ log_error_write(srv, __FILE__, __LINE__, "sodd", "xmlParseChunk failed at:", cq->bytes_out, weHave, err);
+ }
+ 
+ c->offset += weHave;
--- lighttpd-1.4.11.orig/debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch
+++ lighttpd-1.4.11/debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch
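Review bot: Switching the `log_error_write` conversions from `d` to `o` for `hctx->wb->bytes_out` and `cq->bytes_out` only fixes the varargs mismatch if 1.4.11's log.c actually implements an `o` (off_t) conversion; this patch adds no such handler, so if the backported log.c lacks it the formatter will still walk the argument list with the wrong widths — please confirm in src/log.c, which is outside this patch. The DP header cites CVE-2007-3950 for mod_scgi, but the same change is applied to mod_fastcgi and mod_webdav; a one-line note that all three are the same off_t-passed-as-int bug would make the scope of the backport clear, e.g. `## DP: also covers the identical off_t/int mismatch in mod_fastcgi and mod_webdav`.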
@@ -0,0 +1,135 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_lighttpd-1.4.x_mod_access_bypass.dpatch by Aron Sisak +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fixes mod_access bug (Lighttpd SA 2007:08) +## DP: * http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt +## DP: * http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch + +@DPATCH@ +diff -urNad lighttpd-1.4.11~/src/mod_access.c lighttpd-1.4.11/src/mod_access.c +--- lighttpd-1.4.11~/src/mod_access.c 2006-01-14 18:44:54.000000000 +0100 ++++ lighttpd-1.4.11/src/mod_access.c 2007-08-09 01:58:07.928006878 +0200 +@@ -111,6 +111,15 @@ + } + #undef PATCH + ++/** ++ * URI handler ++ * ++ * we will get called twice: ++ * - after the clean up of the URL and ++ * - after the pathinfo checks are done ++ * ++ * this handles the issue of trailing slashes ++ */ + URIHANDLER_FUNC(mod_access_uri_handler) { + plugin_data *p = p_d; + int s_len; +@@ -126,25 +135,38 @@ + data_string *ds = (data_string *)p->conf.access_deny->data[k]; + int ct_len = ds->value->used - 1; + +- if (ct_len > s_len) continue; ++ if (con->conf.log_request_handling) { ++ log_error_write(srv, __FILE__, __LINE__, "s", ++ "-- mod_access_uri_handler called"); ++ } ++ ++ int denied = 0; ++ + ++ if (ct_len > s_len) continue; + if (ds->value->used == 0) continue; + + /* if we have a case-insensitive FS we have to lower-case the URI here too */ + + if (con->conf.force_lowercase_filenames) { + if (0 == strncasecmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) { +- con->http_status = 403; +- +- return HANDLER_FINISHED; ++ denied = 1; + } + } else { + if (0 == strncmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) { +- con->http_status = 403; +- +- return HANDLER_FINISHED; ++ denied = 1; + } + } ++ if (denied) { ++ con->http_status = 403; ++ ++ if (con->conf.log_request_handling) { ++ log_error_write(srv, __FILE__, __LINE__, "sb", ++ "url denied as we 
match:", ds->value); ++ } ++ ++ return HANDLER_FINISHED; ++ } + } + + /* not found */ +@@ -158,7 +180,8 @@ + + p->init = mod_access_init; + p->set_defaults = mod_access_set_defaults; +- p->handle_uri_clean = mod_access_uri_handler; ++ p->handle_uri_clean = mod_access_uri_handler; ++ p->handle_subrequest_start = mod_access_uri_handler; + p->cleanup = mod_access_free; + + p->data = NULL; +diff -urNad lighttpd-1.4.11~/tests/docroot/www/Makefile.am lighttpd-1.4.11/tests/docroot/www/Makefile.am +--- lighttpd-1.4.11~/tests/docroot/www/Makefile.am 2005-09-21 18:03:28.000000000 +0200 ++++ lighttpd-1.4.11/tests/docroot/www/Makefile.am 2007-08-09 01:58:07.928006878 +0200 +@@ -1,5 +1,5 @@ + EXTRA_DIST=cgi.php cgi.pl dummydir index.html index.txt phpinfo.php \ + redirect.php cgi-pathinfo.pl get-env.php get-server-env.php \ + nph-status.pl prefix.fcgi get-header.pl ssi.shtml get-post-len.pl \ +- exec-date.shtml ++ exec-date.shtml index.html~ + SUBDIRS=go indexfile expire +diff -urNad lighttpd-1.4.11~/tests/docroot/www/index.html~ lighttpd-1.4.11/tests/docroot/www/index.html~ +--- lighttpd-1.4.11~/tests/docroot/www/index.html~ 1970-01-01 01:00:00.000000000 +0100 ++++ lighttpd-1.4.11/tests/docroot/www/index.html~ 2007-08-09 01:58:07.928006878 +0200 +@@ -0,0 +1 @@ ++ +diff -urNad lighttpd-1.4.11~/tests/mod-access.t lighttpd-1.4.11/tests/mod-access.t +--- lighttpd-1.4.11~/tests/mod-access.t 2005-09-01 13:43:05.000000000 +0200 ++++ lighttpd-1.4.11/tests/mod-access.t 2007-08-09 01:58:07.928006878 +0200 +@@ -8,7 +8,7 @@ + + use strict; + use IO::Socket; +-use Test::More tests => 3; ++use Test::More tests => 4; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -23,5 +23,12 @@ + $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; + ok($tf->handle_http($t) == 0, 'forbid access to ...~'); + ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ]; ++ok($tf->handle_http($t) == 0, '#1230 - forbid access to ...~ - trailing 
slash');
++
+ 
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+ 
+diff -urNad lighttpd-1.4.11~/tests/prepare.sh lighttpd-1.4.11/tests/prepare.sh
+--- lighttpd-1.4.11~/tests/prepare.sh 2005-10-05 10:55:29.000000000 +0200
++++ lighttpd-1.4.11/tests/prepare.sh 2007-08-09 01:58:07.928006878 +0200
+@@ -25,6 +25,7 @@
+ # copy everything into the right places
+ cp $srcdir/docroot/www/*.html \
+ $srcdir/docroot/www/*.php \
++ $srcdir/docroot/www/*.html~ \
+ $srcdir/docroot/www/*.pl \
+ $srcdir/docroot/www/*.fcgi \
+ $srcdir/docroot/www/*.shtml \
--- lighttpd-1.4.11.orig/debian/patches/01_use_bin_sh.dpatch
+++ lighttpd-1.4.11/debian/patches/01_use_bin_sh.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 01_use_bin_sh.dpatch by Torsten Marek
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Use /bin/sh to execute external programs instead of getting
+## DP: the shell from $SHELL (See ticket #388)
+
+@DPATCH@
+diff -urNad lighttpd-1.4.8~/src/proc_open.c lighttpd-1.4.8/src/proc_open.c
+--- lighttpd-1.4.8~/src/proc_open.c 2005-08-11 00:26:39.000000000 +0200
++++ lighttpd-1.4.8/src/proc_open.c 2005-11-26 12:12:02.000000000 +0100
+@@ -223,12 +223,13 @@
+ /* {{{ proc_open */
+ int proc_open(proc_handler_t *proc, const char *command) {
+ pid_t child;
+- const char *shell;
++ const char *shell = "/bin/sh";
+ 
+- if (NULL == (shell = getenv(SHELLENV))) {
++/* if (NULL == (shell = getenv(SHELLENV))) {
+ fprintf(stderr, "env %s is required", SHELLENV);
+ return -1;
+ }
++*/
+ 
+ if (proc_open_pipes(proc) != 0) {
+ return -1;
--- lighttpd-1.4.11.orig/debian/patches/09_security_lighttpd-1.4.x_connections.dpatch
+++ lighttpd-1.4.11/debian/patches/09_security_lighttpd-1.4.x_connections.dpatch
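Review bot: The `-- mod_access_uri_handler called` trace in mod_access.c is emitted inside the `for` over `p->conf.access_deny`, so with `log_request_handling` enabled it is written once per deny entry per invocation — and the handler is now invoked twice per request — which is misleading and noisy; move that `if (con->conf.log_request_handling)` block above the loop. The `int denied = 0;` declared after a statement is a mixed-declaration construct the surrounding 1.4.11 code does not otherwise use; declare it at the top of the loop body instead. Registering the same handler at `handle_subrequest_start` is what actually closes the trailing-slash bypass and reads fine; `mod_access_uri_handler` itself starts inside the hunk but its tail ("not found") is cut by the next hunk.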
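Review bot: Rather than commenting out the `getenv(SHELLENV)` block in `proc_open`, delete it: hard-coding `/bin/sh` is the right call (the server's environment must not choose the interpreter for external commands), but the commented-out `fprintf`/`return -1` will drift out of date and still reads like a live code path. If `SHELLENV` has no remaining users after this, its definition can go with it (not visible here). A one-line comment on the new initialiser, `/* always use /bin/sh; never trust $SHELL from the environment (#388) */`, would preserve the rationale without keeping dead code.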
@@ -0,0 +1,65 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 09_security_lighttpd-1.4.x_connections.dpatch by Aron Sisak
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-3948
+## DP: * http://secunia.com/cve_reference/CVE-2007-3948/
+## DP: * http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
+
+@DPATCH@
+diff -urNad lighttpd-1.4.11~/src/connections.c lighttpd-1.4.11/src/connections.c
+--- lighttpd-1.4.11~/src/connections.c 2006-03-05 21:14:53.000000000 +0100
++++ lighttpd-1.4.11/src/connections.c 2007-08-09 01:05:56.616431188 +0200
+@@ -1230,6 +1230,16 @@
+ socklen_t cnt_len;
+ /* accept it and register the fd */
+ 
++ /**
++ * check if we can still open a new connections
++ *
++ * see #1216
++ */
++
++ if (srv->conns->used >= srv->max_conns) {
++ return NULL;
++ }
++
+ cnt_len = sizeof(cnt_addr);
+ 
+ if (-1 == (cnt = accept(srv_socket->fd, (struct sockaddr *) &cnt_addr, &cnt_len))) {
+@@ -1661,6 +1671,9 @@
+ srv->con_closed++;
+ 
+ break;
++ case EMFILE:
++ /* out of fds */
++ break;
+ default:
+ log_error_write(srv, __FILE__, __LINE__, "sdd",
+ "unknown state:", con->fd, con->state);
+diff -urNad lighttpd-1.4.11~/src/server.c lighttpd-1.4.11/src/server.c
+--- lighttpd-1.4.11~/src/server.c 2007-08-09 01:02:44.593589525 +0200
++++ lighttpd-1.4.11/src/server.c 2007-08-09 01:02:45.093643008 +0200
+@@ -761,6 +761,22 @@
+ return -1;
+ }
+ 
++ /**
++ * we are not root can can't increase the fd-limit, but we can reduce it
++ */
++ if (srv->srvconf.max_fds && srv->srvconf.max_fds < rlim.rlim_cur) {
++ /* set rlimits */
++
++ rlim.rlim_cur = srv->srvconf.max_fds;
++
++ if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
++ log_error_write(srv, __FILE__, __LINE__,
++ "ss", "couldn't set 'max filedescriptors'",
++ strerror(errno));
++ return -1;
++ }
++ }
++
+ if (srv->event_handler == FDEVENT_HANDLER_SELECT) {
+ srv->max_fds = rlim.rlim_cur < FD_SETSIZE - 200 ? rlim.rlim_cur : FD_SETSIZE - 200;
+ } else {
--- lighttpd-1.4.11.orig/debian/patches/13_CVE-2007-4727.dpatch
+++ lighttpd-1.4.11/debian/patches/13_CVE-2007-4727.dpatch
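Review bot: The new `if (srv->conns->used >= srv->max_conns) return NULL;` in connection_accept refuses before calling `accept()`, so the pending connection stays queued and the listening fd stays readable; with a level-triggered event backend the main loop will wake and re-enter this path continuously until a slot frees, turning connection exhaustion into a busy loop unless the listen sockets are also taken out of the event set — the upstream change presumably does that elsewhere, but nothing here does. The `case EMFILE:` added beside `"unknown state:", con->fd, con->state` appears to sit in the connection-state switch rather than in the errno switch after a failed `accept()`; a state enum never equals EMFILE, so that case is dead and the out-of-fds handling belongs next to the accept error path. The setrlimit block correctly only ever lowers the soft limit; its comment's "we are not root can can't" should read "we are not root and can't".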
@@ -0,0 +1,256 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 13_CVE-2007-4727.dpatch.dpatch by Jamie Strandboge +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: backported patch from 1.4.18 to fix CVE-2007-4727 + +@DPATCH@ + +diff -Nru lighttpd-1.4.11.orig/src/mod_fastcgi.c lighttpd-1.4.11/src/mod_fastcgi.c +--- lighttpd-1.4.11.orig/src/mod_fastcgi.c 2006-03-09 11:18:39.000000000 +0000 ++++ lighttpd-1.4.11/src/mod_fastcgi.c 2007-09-10 21:02:41.000000000 +0000 +@@ -45,6 +45,13 @@ + #include + #endif + ++#define FCGI_ENV_ADD_CHECK(ret, con) \ ++ if (ret == -1) { \ ++ con->http_status = 400; \ ++ con->file_finished = 1; \ ++ return -1; \ ++ }; ++ + + /* + * +@@ -1601,6 +1608,21 @@ + + len += key_len > 127 ? 4 : 1; + len += val_len > 127 ? 4 : 1; ++ ++ if (env->used + len >= FCGI_MAX_LENGTH) { ++ /** ++ * we can't append more headers, ignore it ++ */ ++ return -1; ++ } ++ ++ /** ++ * field length can be 31bit max ++ * ++ * HINT: this can't happen as FCGI_MAX_LENGTH is only 16bit ++ */ ++ if (key_len > 0x7fffffff) key_len = 0x7fffffff; ++ if (val_len > 0x7fffffff) val_len = 0x7fffffff; + + buffer_prepare_append(env, len); + +@@ -1631,6 +1653,8 @@ + } + + static int fcgi_header(FCGI_Header * header, unsigned char type, size_t request_id, int contentLength, unsigned char paddingLength) { ++ assert(contentLength <= FCGI_MAX_LENGTH); ++ + header->version = FCGI_VERSION_1; + header->type = type; + header->requestIdB0 = request_id & 0xff; +@@ -1785,7 +1809,7 @@ + } + srv->tmp_buf->ptr[srv->tmp_buf->used++] = '\0'; + +- fcgi_env_add(p->fcgi_env, CONST_BUF_LEN(srv->tmp_buf), CONST_BUF_LEN(ds->value)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_BUF_LEN(srv->tmp_buf), CONST_BUF_LEN(ds->value)),con); + } + } + +@@ -1812,7 +1836,7 @@ + } + srv->tmp_buf->ptr[srv->tmp_buf->used++] = '\0'; + +- fcgi_env_add(p->fcgi_env, CONST_BUF_LEN(srv->tmp_buf), CONST_BUF_LEN(ds->value)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, 
CONST_BUF_LEN(srv->tmp_buf), CONST_BUF_LEN(ds->value)), con); + } + } + +@@ -1856,10 +1880,10 @@ + buffer_prepare_copy(p->fcgi_env, 1024); + + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_SOFTWARE"), CONST_STR_LEN(PACKAGE_NAME"/"PACKAGE_VERSION)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_SOFTWARE"), CONST_STR_LEN(PACKAGE_NAME"/"PACKAGE_VERSION)),con) + + if (con->server_name->used) { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_NAME"), CONST_BUF_LEN(con->server_name)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_NAME"), CONST_BUF_LEN(con->server_name)),con) + } else { + #ifdef HAVE_IPV6 + s = inet_ntop(srv_sock->addr.plain.sa_family, +@@ -1870,10 +1894,10 @@ + #else + s = inet_ntoa(srv_sock->addr.ipv4.sin_addr); + #endif +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_NAME"), s, strlen(s)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_NAME"), s, strlen(s)),con) + } + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("GATEWAY_INTERFACE"), CONST_STR_LEN("CGI/1.1")); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("GATEWAY_INTERFACE"), CONST_STR_LEN("CGI/1.1")),con) + + ltostr(buf, + #ifdef HAVE_IPV6 +@@ -1883,7 +1907,7 @@ + #endif + ); + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_PORT"), buf, strlen(buf)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_PORT"), buf, strlen(buf)),con) + + /* get the server-side of the connection to the client */ + our_addr_len = sizeof(our_addr); +@@ -1893,7 +1917,7 @@ + } else { + s = inet_ntop_cache_get_ip(srv, &(our_addr)); + } +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_ADDR"), s, strlen(s)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_ADDR"), s, strlen(s)),con) + + ltostr(buf, + #ifdef HAVE_IPV6 +@@ -1903,14 +1927,13 @@ + #endif + ); + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_PORT"), buf, strlen(buf)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, 
CONST_STR_LEN("REMOTE_PORT"), buf, strlen(buf)),con) + + s = inet_ntop_cache_get_ip(srv, &(con->dst_addr)); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s)),con) + + if (!buffer_is_empty(con->authed_user)) { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_USER"), +- CONST_BUF_LEN(con->authed_user)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_USER"), CONST_BUF_LEN(con->authed_user)),con) + } + + if (con->request.content_length > 0 && host->mode != FCGI_AUTHORIZER) { +@@ -1918,7 +1941,7 @@ + + /* request.content_length < SSIZE_MAX, see request.c */ + ltostr(buf, con->request.content_length); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf)),con) + } + + if (host->mode != FCGI_AUTHORIZER) { +@@ -1929,10 +1952,10 @@ + * For AUTHORIZER mode these headers should be omitted. 
+ */ + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SCRIPT_NAME"), CONST_BUF_LEN(con->uri.path)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SCRIPT_NAME"), CONST_BUF_LEN(con->uri.path)),con) + + if (!buffer_is_empty(con->request.pathinfo)) { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_INFO"), CONST_BUF_LEN(con->request.pathinfo)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_INFO"), CONST_BUF_LEN(con->request.pathinfo)),con) + + /* PATH_TRANSLATED is only defined if PATH_INFO is set */ + +@@ -1942,9 +1965,9 @@ + buffer_copy_string_buffer(p->path, con->physical.doc_root); + } + buffer_append_string_buffer(p->path, con->request.pathinfo); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_TRANSLATED"), CONST_BUF_LEN(p->path)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_TRANSLATED"), CONST_BUF_LEN(p->path)),con) + } else { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_INFO"), CONST_STR_LEN("")); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_INFO"), CONST_STR_LEN("")),con) + } + } + +@@ -1965,8 +1988,8 @@ + buffer_copy_string_buffer(p->path, host->docroot); + buffer_append_string_buffer(p->path, con->uri.path); + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(p->path)); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("DOCUMENT_ROOT"), CONST_BUF_LEN(host->docroot)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(p->path)),con) ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("DOCUMENT_ROOT"), CONST_BUF_LEN(host->docroot)),con) + } else { + buffer_copy_string_buffer(p->path, con->physical.path); + +@@ -1978,8 +2001,8 @@ + buffer_append_string_buffer(p->path, con->request.pathinfo); + } + +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(p->path)); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("DOCUMENT_ROOT"), CONST_BUF_LEN(con->physical.doc_root)); ++ 
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(p->path)),con) ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("DOCUMENT_ROOT"), CONST_BUF_LEN(con->physical.doc_root)),con) + } + + if (host->strip_request_uri->used > 1) { +@@ -2005,34 +2028,34 @@ + con->request.orig_uri->ptr + (host->strip_request_uri->used - 2), + con->request.orig_uri->used - (host->strip_request_uri->used - 2)); + } else { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri)),con) + } + } else { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri)),con) + } + if (!buffer_is_equal(con->request.uri, con->request.orig_uri)) { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.uri)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.uri)),con) + } + if (!buffer_is_empty(con->uri.query)) { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query)),con) + } else { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("QUERY_STRING"), CONST_STR_LEN("")); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("QUERY_STRING"), CONST_STR_LEN("")),con) + } + + s = get_http_method_name(con->request.http_method); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_METHOD"), s, strlen(s)); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200")); /* if php is compiled with --force-redirect */ ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_METHOD"), s, 
strlen(s)),con) ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200")),con) /* if php is compiled with --force-redirect */ + s = get_http_version_name(con->request.http_version); +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_PROTOCOL"), s, strlen(s)); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("SERVER_PROTOCOL"), s, strlen(s)),con) + + #ifdef USE_OPENSSL + if (srv_sock->is_ssl) { +- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on")); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on")),con) + } + #endif + + +- fcgi_env_add_request_headers(srv, con, p); ++ FCGI_ENV_ADD_CHECK(fcgi_env_add_request_headers(srv, con, p), con); + + fcgi_header(&(header), FCGI_PARAMS, request_id, p->fcgi_env->used, 0); + buffer_append_memory(b, (const char *)&header, sizeof(header)); +@@ -2913,8 +2936,7 @@ + } + + /* fall through */ +- fcgi_create_env(srv, hctx, hctx->request_id); +- ++ if (-1 == fcgi_create_env(srv, hctx, hctx->request_id)) return HANDLER_ERROR; + fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); + + /* fall through */ +@@ -3091,7 +3113,7 @@ + + buffer_reset(con->physical.path); + con->mode = DIRECT; +- con->http_status = 503; ++ if (con->http_status != 400) con->http_status = 503; + joblist_append(srv, con); /* really ? */ + + return HANDLER_FINISHED; --- lighttpd-1.4.11.orig/debian/patches/90_maxfds_crash_fix.dpatch +++ lighttpd-1.4.11/debian/patches/90_maxfds_crash_fix.dpatch 
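Review bot: The `assert(contentLength <= FCGI_MAX_LENGTH)` added to `fcgi_header()` turns any future size-accounting slip into a whole-server abort reachable from request handling, and disappears entirely under `NDEBUG`; since `fcgi_env_add` now returns -1 when `env->used + len >= FCGI_MAX_LENGTH`, the header builder should fail the same way (return an error and let the caller answer 400/503) rather than assert. `FCGI_ENV_ADD_CHECK` should be written as `do { ... } while (0)` without the trailing `;` after the closing brace: the current form leaves an empty statement at every call site and would break if anyone ever writes it before an `else`. The `if (con->http_status != 400) con->http_status = 503;` change that preserves the 400 is correct, and the `0x7fffffff` clamps are dead given FCGI_MAX_LENGTH, as the patch's own comment admits; `fcgi_create_env` begins and ends outside these inner hunks.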
@@ -0,0 +1,32 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 90_maxfds_crash_fix.dpatch by Emanuele Gentili
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad lighttpd-1.4.11~/src/fdevent_solaris_devpoll.c lighttpd-1.4.11/src/fdevent_solaris_devpoll.c
+--- lighttpd-1.4.11~/src/fdevent_solaris_devpoll.c 2005-09-01 09:45:26.000000000 +0200
++++ lighttpd-1.4.11/src/fdevent_solaris_devpoll.c 2008-02-25 16:57:34.000000000 +0100
+@@ -67,7 +67,7 @@
+ int ret;
+ 
+ dopoll.dp_timeout = timeout_ms;
+- dopoll.dp_nfds = ev->maxfds;
++ dopoll.dp_nfds = ev->maxfds - 1;
+ dopoll.dp_fds = ev->devpollfds;
+ 
+ ret = ioctl(ev->devpoll_fd, DP_POLL, &dopoll);
+diff -urNad lighttpd-1.4.11~/src/server.c lighttpd-1.4.11/src/server.c
+--- lighttpd-1.4.11~/src/server.c 2008-02-25 16:56:38.000000000 +0100
++++ lighttpd-1.4.11/src/server.c 2008-02-25 16:57:56.000000000 +0100
+@@ -660,9 +660,6 @@
+ }
+ }
+ 
+- /* #372: solaris need some fds extra for devpoll */
+- if (rlim.rlim_cur > 10) rlim.rlim_cur -= 10;
+-
+ if (srv->event_handler == FDEVENT_HANDLER_SELECT) {
+ srv->max_fds = rlim.rlim_cur < FD_SETSIZE - 200 ? rlim.rlim_cur : FD_SETSIZE - 200;
+ } else {
--- lighttpd-1.4.11.orig/debian/patches/12_security_lighttpd-1.4.x_eol.dpatch
+++ lighttpd-1.4.11/debian/patches/12_security_lighttpd-1.4.x_eol.dpatch
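Review bot: `## DP: No description.` leaves both changes unexplained: `dp_nfds` drops to `ev->maxfds - 1` in the devpoll backend while the `#372` 10-fd reserve in server.c is removed, and the relationship between them (presumably `ev->devpollfds` is sized `maxfds` and DP_POLL was being offered one slot too many) is recorded nowhere. Please add a DP line along the lines of `## DP: Pass maxfds-1 to DP_POLL so the devpoll result array cannot be overrun, and drop the old 10-fd reserve hack (#372).` This hunk also edits the same rlimit region of server.c that 09_security_lighttpd-1.4.x_connections.dpatch extends, so the 00list ordering between the two is load-bearing and worth a note.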
@@ -0,0 +1,225 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 12_security_lighttpd-1.4.x_eol.dpatch.dpatch by Jamie Strandboge +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: mod_cgi improper EOL handling fix + +@DPATCH@ + +diff -Nru lighttpd-1.4.11.orig/src/mod_cgi.c lighttpd-1.4.11/src/mod_cgi.c +--- lighttpd-1.4.11.orig/src/mod_cgi.c 2006-02-22 08:15:10.000000000 -0500 ++++ lighttpd-1.4.11/src/mod_cgi.c 2007-09-08 17:58:35.000000000 -0400 +@@ -222,7 +222,7 @@ + return 0; + } + +-static int cgi_response_parse(server *srv, connection *con, plugin_data *p, buffer *in, int eol) { ++static int cgi_response_parse(server *srv, connection *con, plugin_data *p, buffer *in) { + char *ns; + const char *s; + int line = 0; +@@ -232,14 +232,17 @@ + buffer_copy_string_buffer(p->parse_response, in); + + for (s = p->parse_response->ptr; +- NULL != (ns = (eol == EOL_RN ? strstr(s, "\r\n") : strchr(s, '\n'))); +- s = ns + (eol == EOL_RN ? 2 : 1), line++) { ++ NULL != (ns = strchr(s, '\n')); ++ s = ns + 1, line++) { + const char *key, *value; + int key_len; + data_string *ds; + ++ /* strip the \n */ + ns[0] = '\0'; + ++ if (ns > s && ns[-1] == '\r') ns[-1] = '\0'; ++ + if (line == 0 && + 0 == strncmp(s, "HTTP/1.", 7)) { + /* non-parsed header ... 
we parse them anyway */ +@@ -260,7 +263,7 @@ + } + } + } else { +- ++ /* parse the headers */ + key = s; + if (NULL == (value = strchr(s, ':'))) { + /* we expect: ": \r\n" */ +@@ -362,63 +365,81 @@ + /* split header from body */ + + if (con->file_started == 0) { +- char *c; +- int in_header = 0; +- int header_end = 0; +- int cp, eol = EOL_UNSET; +- size_t used = 0; ++ int is_header = 0; ++ int is_header_end = 0; ++ size_t last_eol = 0; ++ size_t i; + + buffer_append_string_buffer(hctx->response_header, hctx->response); + ++ /** ++ * we have to handle a few cases: ++ * ++ * nph: ++ * ++ * HTTP/1.0 200 Ok\n ++ * Header: Value\n ++ * \n ++ * ++ * CGI: ++ * Header: Value\n ++ * Status: 200\n ++ * \n ++ * ++ * and different mixes of \n and \r\n combinations ++ * ++ * Some users also forget about CGI and just send a response and hope ++ * we handle it. No headers, no header-content seperator ++ * ++ */ ++ + /* nph (non-parsed headers) */ +- if (0 == strncmp(hctx->response_header->ptr, "HTTP/1.", 7)) in_header = 1; +- +- /* search for the \r\n\r\n or \n\n in the string */ +- for (c = hctx->response_header->ptr, cp = 0, used = hctx->response_header->used - 1; used; c++, cp++, used--) { +- if (*c == ':') in_header = 1; +- else if (*c == '\n') { +- if (in_header == 0) { +- /* got a response without a response header */ +- +- c = NULL; +- header_end = 1; +- break; +- } +- +- if (eol == EOL_UNSET) eol = EOL_N; +- +- if (*(c+1) == '\n') { +- header_end = 1; +- break; +- } +- +- } else if (used > 1 && *c == '\r' && *(c+1) == '\n') { +- if (in_header == 0) { +- /* got a response without a response header */ +- +- c = NULL; +- header_end = 1; ++ if (0 == strncmp(hctx->response_header->ptr, "HTTP/1.", 7)) is_header = 1; ++ ++ for (i = 0; !is_header_end && i < hctx->response_header->used - 1; i++) { ++ char c = hctx->response_header->ptr[i]; ++ ++ switch (c) { ++ case ':': ++ /* we found a colon ++ * ++ * looks like we have a normal header ++ */ ++ is_header = 1; ++ break; ++ case 
'\n': ++ /* EOL */ ++ if (is_header == 0) { ++ /* we got a EOL but we don't seem to got a HTTP header */ ++ ++ is_header_end = 1; ++ + break; + } + +- if (eol == EOL_UNSET) eol = EOL_RN; +- +- if (used > 3 && +- *(c+2) == '\r' && +- *(c+3) == '\n') { +- header_end = 1; ++ /** ++ * check if we saw a \n(\r)?\n sequence ++ */ ++ if (last_eol > 0 && ++ ((i - last_eol == 1) || ++ (i - last_eol == 2 && hctx->response_header->ptr[i - 1] == '\r'))) { ++ log_error_write(srv, __FILE__, __LINE__, ++ "sdd", ++ "EOL at", ++ i, last_eol ++ ); ++ is_header_end = 1; + break; + } + +- /* skip the \n */ +- c++; +- cp++; +- used--; ++ last_eol = i; ++ ++ break; + } + } + +- if (header_end) { +- if (c == NULL) { ++ if (is_header_end) { ++ if (!is_header) { + /* no header, but a body */ + + if (con->request.http_version == HTTP_VERSION_1_1) { +@@ -428,15 +449,30 @@ + http_chunk_append_mem(srv, con, hctx->response_header->ptr, hctx->response_header->used); + joblist_append(srv, con); + } else { +- size_t hlen = c - hctx->response_header->ptr + (eol == EOL_RN ? 4 : 2); +- size_t blen = hctx->response_header->used - hlen - 1; +- +- /* a small hack: terminate after at the second \r */ +- hctx->response_header->used = hlen + 1 - (eol == EOL_RN ? 2 : 1); +- hctx->response_header->ptr[hlen - (eol == EOL_RN ? 
2 : 1)] = '\0'; +- ++ const char *bstart; ++ size_t blen; ++ ++ /** ++ * i still points to the char after the terminating EOL EOL ++ * ++ * put it on the last \n again ++ */ ++ i--; ++ ++ /* the body starts after the EOL */ ++ bstart = hctx->response_header->ptr + (i + 1); ++ blen = (hctx->response_header->used - 1) - (i + 1); ++ ++ /* string the last \r?\n */ ++ if (i > 0 && (hctx->response_header->ptr[i - 1] == '\r')) { ++ i--; ++ } ++ ++ hctx->response_header->ptr[i] = '\0'; ++ hctx->response_header->used = i + 1; /* the string + \0 */ ++ + /* parse the response header */ +- cgi_response_parse(srv, con, p, hctx->response_header, eol); ++ cgi_response_parse(srv, con, p, hctx->response_header); + + /* enable chunked-transfer-encoding */ + if (con->request.http_version == HTTP_VERSION_1_1 && +@@ -444,8 +480,8 @@ + con->response.transfer_encoding = HTTP_TRANSFER_ENCODING_CHUNKED; + } + +- if ((hctx->response->used != hlen) && blen > 0) { +- http_chunk_append_mem(srv, con, c + (eol == EOL_RN ? 4: 2), blen + 1); ++ if (blen > 0) { ++ http_chunk_append_mem(srv, con, bstart, blen + 1); + joblist_append(srv, con); + } + } --- lighttpd-1.4.11.orig/debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch +++ lighttpd-1.4.11/debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch 
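Review bot: The header/body split loop in mod_cgi.c calls `log_error_write(srv, __FILE__, __LINE__, "sdd", "EOL at", i, last_eol)` unconditionally every time a header terminator is found, i.e. once per CGI response that carries headers; that is debug output left in, and it will flood the error log on a busy CGI site. Remove it, or guard it with `if (con->conf.log_request_handling)` like the other request-tracing messages in the tree. The rest of the rewrite — scanning for `\n` with an optional preceding `\r`, and stepping `i--` back onto the last `\n` before computing `bstart`/`blen` — reads correctly; the enclosing function starts outside this hunk.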
@@ -0,0 +1,130 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch by Aron Sisak
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes header parsing bug (Lighttpd SA 2007:03)
+## DP: * http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
+## DP: * http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
+
+@DPATCH@
+diff -urNad lighttpd-1.4.11~/src/request.c lighttpd-1.4.11/src/request.c
+--- lighttpd-1.4.11~/src/request.c 2006-03-05 10:58:09.000000000 +0100
++++ lighttpd-1.4.11/src/request.c 2007-08-09 02:03:31.457494016 +0200
+@@ -281,8 +281,6 @@
+
+ int done = 0;
+
+- data_string *ds = NULL;
+-
+ /*
+ * Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$"
+ * Option : "^([-a-zA-Z]+): (.+)$"
+@@ -712,12 +710,25 @@
+ switch(*cur) {
+ case '\r':
+ if (con->parse_request->ptr[i+1] == '\n') {
++ data_string *ds = NULL;
++
+ /* End of Headerline */
+ con->parse_request->ptr[i] = '\0';
+ con->parse_request->ptr[i+1] = '\0';
+
+ if (in_folding) {
+- if (!ds) {
++ buffer *key_b;
++ /**
++ * we use a evil hack to handle the line-folding
++ *
++ * As array_insert_unique() deletes 'ds' in the case of a duplicate
++ * ds points somewhere and we get a evil crash.
As a solution we keep the old ++ * "key" and get the current value from the hash and append us ++ * ++ * */ ++ ++ if (!key || !key_len) { ++ + /* 400 */ + + if (srv->srvconf.log_request_header_on_error) { +@@ -734,7 +745,15 @@ + con->response.keep_alive = 0; + return 0; + } +- buffer_append_string(ds->value, value); ++ ++ key_b = buffer_init(); ++ buffer_copy_string_len(key_b, key, key_len); ++ ++ if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr))) { ++ buffer_append_string(ds->value, value); ++ } ++ ++ buffer_free(key_b); + } else { + int s_len; + key = con->parse_request->ptr + first; +@@ -959,7 +978,12 @@ + first = i+1; + is_key = 1; + value = 0; +- key_len = 0; ++#if 0 ++ /** ++ * for Bug 1230 keep the key_len a live ++ */ ++ key_len = 0; ++#endif + in_folding = 0; + } else { + if (srv->srvconf.log_request_header_on_error) { +diff -urNad lighttpd-1.4.11~/tests/core-request.t lighttpd-1.4.11/tests/core-request.t +--- lighttpd-1.4.11~/tests/core-request.t 2005-10-02 23:44:00.000000000 +0200 ++++ lighttpd-1.4.11/tests/core-request.t 2007-08-09 02:03:31.457494016 +0200 +@@ -8,7 +8,7 @@ + + use strict; + use IO::Socket; +-use Test::More tests => 33; ++use Test::More tests => 36; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -273,6 +273,38 @@ + $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; + ok($tf->handle_http($t) == 0, 'uppercase filenames'); + ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; ++ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping'); ++ ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; ++ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 2'); ++ ++$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; ++ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 3'); ++ ++ 
++
+
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+
--- lighttpd-1.4.11.orig/debian/conf-available/10-auth.conf
+++ lighttpd-1.4.11/debian/conf-available/10-auth.conf
@@ -0,0 +1,28 @@
+## Authentication for lighttpd
+##
+## Documentation: /usr/share/doc/lighttpd-doc/authentication.txt.gz
+## http://www.lighttpd.net/documentation/authentication.html
+
+server.modules += ( "mod_auth" )
+
+# auth.backend = "plain"
+# auth.backend.plain.userfile = "lighttpd.user"
+# auth.backend.plain.groupfile = "lighttpd.group"
+
+# auth.backend.ldap.hostname = "localhost"
+# auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
+# auth.backend.ldap.filter = "(uid=$)"
+
+# auth.require = ( "/server-status" =>
+# (
+# "method" => "digest",
+# "realm" => "download archiv",
+# "require" => "group=www|user=jan|host=192.168.2.10"
+# ),
+# "/server-info" =>
+# (
+# "method" => "digest",
+# "realm" => "download archiv",
+# "require" => "group=www|user=jan|host=192.168.2.10"
+# )
+# )
--- lighttpd-1.4.11.orig/debian/conf-available/10-fastcgi.conf
+++ lighttpd-1.4.11/debian/conf-available/10-fastcgi.conf
@@ -0,0 +1,18 @@
+## FastCGI programs have the same functionality as CGI programs,
+## but are considerably faster through lower interpreter startup
+## time and socketed communication
+##
+## Documentation: /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+## http://www.lighttpd.net/documentation/fastcgi.html
+
+server.modules += ( "mod_fastcgi" )
+
+## Start an FastCGI server for php4 (needs the php4-cgi package)
+fastcgi.server = ( ".php" =>
+ ( "localhost" =>
+ (
+ "bin-path" => "/usr/bin/php4-cgi",
+ "port" => 9000
+ )
+ )
+ )
--- lighttpd-1.4.11.orig/debian/conf-available/10-userdir.conf
+++ lighttpd-1.4.11/debian/conf-available/10-userdir.conf
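Review bot: In the rewritten `in_folding` branch a continuation line whose header cannot be found is silently discarded: `if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr)))` has no else, so on a miss only `buffer_free(key_b)` runs and parsing carries on as if the folded text had been consumed, whereas the `!key || !key_len` case directly above logs, answers 400 and returns. Whether the lookup can miss depends on whether every header the parser accepts is actually inserted into `con->request.headers`, which is outside this hunk; if it can, the NULL case should take the same 400/`return 0` path rather than lose part of a header value. Allocating `key_b` with `buffer_init()`/`buffer_free()` on every folded line works but is needless churn; a scratch buffer owned by the connection would do. The enclosing parser function starts and ends outside this hunk.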
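Review bot: The plain-backend example names the password file by a bare relative path, `# auth.backend.plain.userfile = "lighttpd.user"`; where that resolves depends on the server's working directory, and a file of that name dropped under `server.document-root` (`/var/www/` in this package's lighttpd.conf) would presumably be served as a static file, since only `~` and `.inc` are in `url.access-deny`. Prefer an absolute path outside the web root, e.g. `# auth.backend.plain.userfile = "/etc/lighttpd/lighttpd.user"`, and say in the comment that it must be readable only by root and `server.username`. The LDAP example interpolates the login name into the filter via `"(uid=$)"`; whether mod_auth escapes LDAP filter metacharacters in that substitution is not visible here and is worth confirming before this example is copied into a real deployment.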
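Review bot: The shipped example spawns `php4-cgi` on a TCP port (`"port" => 9000`) even though lighttpd itself launches it via `bin-path`; a TCP listener is reachable by any local user who can connect to it, while a unix-domain socket gets filesystem permissions. Unless a remote backend is intended, switch the example to `"socket" => "/var/run/lighttpd/php-fastcgi.socket"` (directory owned by `server.username`), or at least add a comment explaining why a port is used. Which address the spawned listener binds to is decided by mod_fastcgi defaults and is not visible in this file — confirm it is loopback-only if TCP is kept.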
@@ -0,0 +1,14 @@
+## The userdir module provides a simple way to link user-based directories into
+## the global namespace of the webserver.
+##
+## Documentation: /usr/share/doc/lighttpd-doc/userdir.txt
+## http://www.lighttpd.net/documentation/userdir.html
+
+server.modules += ( "mod_userdir" )
+
+## the subdirectory of a user's home dir which should be accessible
+## under http://$host/~$user
+userdir.path = "public_html"
+
+## The users whose home directories should not be accessible
+userdir.exclude-user = ( "root", "postmaster" )
--- lighttpd-1.4.11.orig/debian/conf-available/10-cgi.conf
+++ lighttpd-1.4.11/debian/conf-available/10-cgi.conf
@@ -0,0 +1,20 @@
+## CGI programs allow you to enhance the functionality of the server in a very
+## straight and simple way..
+##
+## Documentation: /usr/share/doc/lighttpd-doc/cgi.txt
+## http://www.lighttpd.net/documentation/cgi.html
+
+server.modules += ( "mod_cgi" )
+
+$HTTP["url"] =~ "/cgi-bin/" {
+ cgi.assign = ( "" => "" )
+}
+
+alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )
+
+
+cgi.assign = (
+ ".pl" => "/usr/bin/perl",
+ ".php" => "/usr/bin/php-cgi",
+ ".py" => "/usr/bin/python",
+ )
--- lighttpd-1.4.11.orig/debian/conf-available/10-proxy.conf
+++ lighttpd-1.4.11/debian/conf-available/10-proxy.conf
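Review bot: `userdir.exclude-user = ( "root", "postmaster" )` is a deny-list, so every other account with a home directory — including Debian system accounts whose home is not under /home — becomes reachable as `http://$host/~name/` once this module is enabled. An allow-list of real users (lighttpd's `userdir.include-user`, if this version supports it) or an exclude list that covers the system accounts is the safer default; at minimum the comment should say that the list must be extended for each local system user. Whether responses for existing and non-existing accounts differ (which would let a client enumerate user names via `~name`) is not visible here and is worth checking.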
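Review bot: The conditional `$HTTP["url"] =~ "/cgi-bin/"` is unanchored, so any request whose URL contains `/cgi-bin/` at any position — `/uploads/cgi-bin/x` under the document root, say — picks up `cgi.assign = ( "" => "" )`, which executes the matched file itself regardless of extension; the `alias.url` entry only covers the leading `/cgi-bin/`. Anchor it: `$HTTP["url"] =~ "^/cgi-bin/" {`. Separately, the global `cgi.assign` runs every `.pl`, `.php` and `.py` file anywhere under `server.document-root` through an interpreter, so a writable upload directory becomes code execution; a comment stating that assumption, e.g. `## NOTE: these interpreters run any matching file under the document root — nothing untrusted may be written there`, belongs next to it.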
@@ -0,0 +1,28 @@
+## Let lighttpd act as a proxy server for special file types, hosts etc
+##
+## Documentation: /usr/share/doc/lighttpd-doc/proxy.txt
+## http://www.lighttpd.net/documentation/proxy.html
+
+server.modules += ( "mod_proxy" )
+
+## Balance algorithm, possible values are: "hash", "round-robin" or "fair" (default)
+# proxy.balance = "hash"
+
+
+## Redirect all queries to files ending with ".php" to 192.168.0.101:80
+#proxy.server = ( ".php" =>
+# (
+# ( "host" => "192.168.0.101",
+# "port" => 80
+# )
+# )
+# )
+
+## Redirect all connections on www.example.com to 10.0.0.1{0,1,2,3}
+#$HTTP["host"] == "www.example.com" {
+# proxy.balance = "hash"
+# proxy.server = ( "" => ( ( "host" => "10.0.0.10" ),
+# ( "host" => "10.0.0.11" ),
+# ( "host" => "10.0.0.12" ),
+# ( "host" => "10.0.0.13" ) ) )
+#}
--- lighttpd-1.4.11.orig/debian/conf-available/README
+++ lighttpd-1.4.11/debian/conf-available/README
@@ -0,0 +1,22 @@
+ligghttpd Configuration under Debian GNU/Linux
+==============================================
+
+Files and Directories in /etc/lighttpd:
+---------------------------------------
+
+lighttpd.conf:
+ main configuration file
+
+conf-available/
+ This directory contains a series of .conf files. These files contain
+ configuration directives necessary to load and run webserver modules.
+ If you want to create your own files they names should be
+ build as nn-name.conf where "nn" is two digit number (number
+ is used to find order for loading files)
+
+conf-enabled/
+ To actually enable a module for lighttpd, it is necessary to create a
+ symlink in this directory to the .conf file in conf-available/.
+
+Enabling and disabling modules could be done by provided
+/usr/sbin/lighty-enable-mod and /usr/sbin/lighty-disable-mod scripts.
--- lighttpd-1.4.11.orig/debian/conf-available/10-cml.conf
+++ lighttpd-1.4.11/debian/conf-available/10-cml.conf
@@ -0,0 +1,22 @@
+## CML is a Meta language to describe the dependencies of a page
+## at one side and building a page from its fragments on the
+## other side using LUA.
+##
+## Documentation: /usr/share/doc/lighttpd-doc/cml.txt
+## http://www.lighttpd.net/documentation/cml.html
+
+server.modules += ( "mod_cml" )
+
+## the extension for file with cache information. With .cml,
+## the cache info file for index.html is index.cml
+cml.extension = ".cml"
+
+index-file.names += ( "index" + cml.extension )
+
+## the memcached used by mod_cml
+# cml.memcache-hosts = ( "127.0.0.1:11211" )
+
+## a cml file that is executed for each request
+# cml.power-magnet = "/var/www/power-magnet.cml"
+
+
--- lighttpd-1.4.11.orig/debian/conf-available/10-ssi.conf
+++ lighttpd-1.4.11/debian/conf-available/10-ssi.conf
@@ -0,0 +1,10 @@
+## Server-Side Include implements simple preprocessing of
+## HTML files compatible to Apache SSI.
+##
+## Documentation: /usr/share/doc/lighttpd-doc/ssi.txt
+## http://www.lighttpd.net/documentation/ssi.html
+
+server.modules += ( "mod_ssi" )
+
+## The extension of the files which should be preprocessed (mostly .shtml)
+ssi.extension = ( ".shtml" )
--- lighttpd-1.4.11.orig/debian/conf-available/10-simple-vhost.conf
+++ lighttpd-1.4.11/debian/conf-available/10-simple-vhost.conf
@@ -0,0 +1,14 @@
+## Simple name-based virtual hosting
+##
+## Documentation: /usr/share/doc/lighttpd-doc/simple-vhost.txt
+## http://www.lighttpd.net/documentation/simple-vhost.html
+
+server.modules += ( "mod_simple_vhost" )
+
+## The document root of a virtual host isdocument-root =
+## simple-vhost.server-root + $HTTP["host"] + simple-vhost.document-root
+simple-vhost.server-root = "/var/www"
+simple-vhost.document-root = "/html/"
+
+## the default host if no host is sent
+simple-vhost.default-host = "www.example.com"
--- lighttpd-1.4.11.orig/debian/conf-available/10-ssl.conf
+++ lighttpd-1.4.11/debian/conf-available/10-ssl.conf
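Review bot: Enabling mod_ssi for every `.shtml` under the document root means whoever can write such a file decides what the server embeds in responses; whether mod_ssi in this version also honours `<!--#exec cmd="…" -->` (which would turn that into command execution as `server.username`) is not visible in this diff and should be confirmed before the file ships enabled. A comment stating the trust assumption, e.g. `## NOTE: .shtml files are executed by the server; only trusted users may create them under the document root`, would make the risk explicit to whoever enables it.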
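Review bot: The document root here is assembled from the client-supplied Host header (`simple-vhost.server-root + $HTTP["host"] + simple-vhost.document-root`), so the only thing between an arbitrary Host value and a filesystem path is lighttpd's own validation of the host name in the request parser, which is not part of this diff; a comment recording that dependency, e.g. `## relies on lighttpd rejecting Host values containing "/" or ".."`, would help the next maintainer. `simple-vhost.server-root = "/var/www"` also coincides with `server.document-root = "/var/www/"` in this package's lighttpd.conf, so per-host trees and the static root share one directory, and `/var/www/www.example.com/html/` for the `default-host` does not exist on a fresh install — what the module serves in that case is not visible here and should be documented.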
@@ -0,0 +1,10 @@
+## lighttpd support for SSLv2 and SSLv3
+##
+## Documentation: /usr/share/doc/lighttpd-doc/ssl.txt
+## http://www.lighttpd.net/documentation/ssl.html
+
+#### SSL engine
+$SERVER["socket"] == "0.0.0.0:443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/lighttpd/server.pem"
+}
--- lighttpd-1.4.11.orig/debian/conf-available/10-trigger-b4-dl.conf
+++ lighttpd-1.4.11/debian/conf-available/10-trigger-b4-dl.conf
@@ -0,0 +1,23 @@
+## A module to prevent deep-linking from other sites.
+##
+## Documentation: /usr/share/doc/lighttpd-doc/trigger-b4-dl.html
+## http://www.lighttpd.net/documentation/trigger-b4-dl.txt
+
+server.modules += ( "mod_trigger_b4_dl" )
+
+## guarded download URL, direct access is denied
+#trigger-before-download.download-url = "^/download/"
+
+## trigger URL to allow downloads from
+#trigger-before-download.trigger-url = "^/trigger/"
+
+## if access to a file is denied, the user is redirected to this URL
+#trigger-before-download.deny-url = "/var/www/deny.html"
+
+## access to granted for seconds after the trigger
+#trigger-before-download.trigger-timeout = 10
+
+## storage of trigger information. If both destinations are provided,
+## the GDBM file takes precedence.
+#trigger-before-download.gdbm-filename = "/var/www/data/trigger.db"
+#trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
--- lighttpd-1.4.11.orig/debian/lighttpd.logrotate
+++ lighttpd-1.4.11/debian/lighttpd.logrotate
@@ -0,0 +1,18 @@
+/var/log/lighttpd/*.log {
+ daily
+ missingok
+ copytruncate
+ rotate 7
+ compress
+ notifempty
+ sharedscripts
+ postrotate
+ if [ -f /var/run/lighttpd.pid ]; then \
+ if [ -x /usr/sbin/invoke-rc.d ]; then \
+ invoke-rc.d lighttpd reload > /dev/null; \
+ else \
+ /etc/init.d/lighttpd reload > /dev/null; \
+ fi; \
+ fi;
+ endscript
+}
--- lighttpd-1.4.11.orig/debian/lighttpd.conf
+++ lighttpd-1.4.11/debian/lighttpd.conf
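Review bot: `$SERVER["socket"] == "0.0.0.0:443"` adds a listener on every IPv4 interface, while this package's lighttpd.conf deliberately sets `server.bind = "localhost"` ("bind to localhost only"); enabling this module therefore exposes the TLS port far more widely than the plain-HTTP one, so either ship `$SERVER["socket"] == "127.0.0.1:443" {` to match, or add a prominent comment that this line overrides the localhost default. The header comment advertises "support for SSLv2 and SSLv3", both broken protocols; the comment should not present them as the point of the module, and whether this lighttpd version exposes a switch to turn SSLv2 off is not visible here. `ssl.pemfile` holds the private key together with the certificate, so a comment that `/etc/lighttpd/server.pem` must be root-owned and mode 0600 (it is presumably read before privileges drop to `server.username` — verify) belongs next to it.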
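Review bot: The commented example keeps the trigger database at `/var/www/data/trigger.db`, which is inside `server.document-root` (`/var/www/` in this package's lighttpd.conf), so once uncommented the GDBM file — client addresses and trigger timestamps — would be fetchable as `/data/trigger.db` unless something else denies it. Move the example out of the web root, e.g. `#trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db"`. The `deny-url` comment says "the user is redirected to this URL" but the example value is a filesystem path, `/var/www/deny.html`; it should be a URL such as `"/deny.html"` so that copying the example does not produce a broken redirect.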
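Review bot: `copytruncate` and the `postrotate` reload are two competing rotation strategies: with `copytruncate`, any access-log line lighttpd writes between the copy and the truncate is lost, and the reload (which presumably makes the server reopen its logs) then reopens an already-truncated file for no gain. Since the reload path is already here, drop `copytruncate` and let logrotate create the successor with the right ownership, e.g. `create 640 www-data adm`, so no audit lines vanish during rotation. If `copytruncate` is kept on purpose (say, because the reload is unreliable on this init script), the `postrotate` block should go and the loss window should be documented in a comment.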
@@ -0,0 +1,160 @@
+# Debian lighttpd configuration file
+#
+
+############ Options you really have to take care of ####################
+
+## modules to load
+# mod_access, mod_accesslog and mod_alias are loaded by default
+# all other module should only be loaded if neccesary
+# - saves some time
+# - saves memory
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_accesslog",
+# "mod_rewrite",
+# "mod_redirect",
+# "mod_status",
+# "mod_evhost",
+# "mod_compress",
+# "mod_usertrack",
+# "mod_rrdtool",
+# "mod_webdav",
+# "mod_expire",
+# "mod_flv_streaming",
+# "mod_evasive"
+ )
+
+## a static document-root, for virtual-hosting take look at the
+## server.virtual-* options
+server.document-root = "/var/www/"
+
+## where to send error-messages to
+server.errorlog = "/var/log/lighttpd/error.log"
+
+## files to check for if .../ is requested
+index-file.names = ( "index.php", "index.html",
+ "index.htm", "default.htm" )
+
+
+## Use the "Content-Type" extended attribute to obtain mime type if possible
+# mimetype.use-xattr = "enable"
+
+#### accesslog module
+accesslog.filename = "/var/log/lighttpd/access.log"
+
+## deny access the file-extensions
+#
+# ~ is for backupfiles from vi, emacs, joe, ...
+# .inc is often used for code includes which should in general not be part
+# of the document-root
+url.access-deny = ( "~", ".inc" )
+
+
+
+######### Options that are good to be but not neccesary to be changed #######
+
+## bind to port (default: 80)
+#server.port = 81
+
+## bind to localhost only (default: all interfaces)
+server.bind = "localhost"
+
+## error-handler for status 404
+#server.error-handler-404 = "/error-handler.html"
+#server.error-handler-404 = "/error-handler.php"
+
+## to help the rc.scripts
+server.pid-file = "/var/run/lighttpd.pid"
+
+##
+## Format: .html
+## -> ..../status-404.html for 'File not found'
+#server.errorfile-prefix = "/var/www/"
+
+## virtual directory listings
+dir-listing.encoding = "utf-8"
+server.dir-listing = "enable"
+
+## send unhandled HTTP-header headers to error-log
+#debug.dump-unknown-headers = "enable"
+
+### only root can use these options
+#
+# chroot() to directory (default: no chroot() )
+#server.chroot = "/"
+
+## change uid to (default: don't care)
+server.username = "www-data"
+
+## change uid to (default: don't care)
+server.groupname = "www-data"
+
+#### compress module
+#compress.cache-dir = "/var/tmp/lighttpd/cache/compress/"
+#compress.filetype = ("text/plain", "text/html")
+
+#### status module
+# status.status-url = "/server-status"
+# status.config-url = "/server-config"
+
+#### url handling modules (rewrite, redirect, access)
+# url.rewrite = ( "^/$" => "/server-status" )
+# url.redirect = ( "^/wishlist/(.+)" => "http://www.123.org/$1" )
+
+#
+# define a pattern for the host url finding
+# %% => % sign
+# %0 => domain name + tld
+# %1 => tld
+# %2 => domain name without tld
+# %3 => subdomain 1 name
+# %4 => subdomain 2 name
+#
+# evhost.path-pattern = "/home/storage/dev/www/%3/htdocs/"
+
+#### expire module
+# expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds 2 minutes")
+
+#### rrdtool
+# rrdtool.binary = "/usr/bin/rrdtool"
+# rrdtool.db-name = "/var/www/lighttpd.rrd"
+
+## this is a hack
+alias.url = ("___invalid___" => "___invalid___")
+
+#### handle Debian Policy Manual, Section 11.5. urls
+#### and by default allow them only from localhost
+
+$HTTP["host"] == "localhost" {
+ global {
+ alias.url += (
+ "/doc/" => "/usr/share/doc/",
+ "/images/" => "/usr/share/images/"
+ )
+ }
+ dir-listing.activate = "enable"
+}
+
+#### variable usage:
+## variable name without "." is auto prefixed by "var." and becomes "var.bar"
+#bar = 1
+#var.mystring = "foo"
+
+## integer add
+#bar += 1
+## string concat, with integer cast as string, result: "www.foo1.com"
+#server.name = "www." + mystring + var.bar + ".com"
+## array merge
+#index-file.names = (foo + ".php") + index-file.names
+#index-file.names += (foo + ".php")
+
+
+#### external configuration files
+## mimetype mapping
+include_shell "/usr/share/lighttpd/create-mime.assign.pl"
+
+## load enabled configuration files,
+## read /etc/lighttpd/conf-available/README first
+include_shell "/usr/share/lighttpd/include-conf-enabled.pl"