project/uhttpd.git
4 years agoclient: fix spurious keepalive connection timeouts openwrt-19.07
Jo-Philipp Wich [Thu, 1 Oct 2020 12:59:09 +0000 (14:59 +0200)]
client: fix spurious keepalive connection timeouts

When an uhttpd dispatch_handler provides a data_done callback which is
synchroneously finishing the request through ops->request_done(), the
calling client_poll_post_data() procedure incorrectly resets the resulting
client state from CLIENT_STATE_INIT to CLIENT_STATE_DONE which causes the
next uh_client_read_cb() invocation to bail out since no callback is
available for the CLIENT_STATE_DONE state, effectively discarding the
just received inbound request and sending the persistent connection state
into a deadlock sitation where the http client waits for a response to
its just sent request and uhttpd for further data to read.

Fix this issue by only setting CLIENT_STATE_DONE if the data_done callback
has not modified the state in the meanwhile.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 0f38b0370718518e66dabeaa5522f546cb459393)

4 years agoclient: allow keep-alive for POST requests
Jo-Philipp Wich [Fri, 13 Mar 2020 11:57:44 +0000 (12:57 +0100)]
client: allow keep-alive for POST requests

Allow POST requests via persistent connections to improve performance
especially when using HTTPS on older devices.

After this change, average page load times in LuCI improve significantly
once the TLS connections are initiated.

When testing an ar71xx 19.07.2 build on an ethernet connected TL-WR1043nd
using luci-ssl-openssl and the ustream-openssl backend, the average page
load time for the main status page decreased to 1.3s compared to 4.7s
before, the interface and wireless configuration pages loaded in 1.2s
seconds each compared to the 4.2s and 4.9s respectively before.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 5e9c23c6f40ff26209ef22cfeeda4904a5918f3d)

4 years agofile: poke ustream after starting deferred program
Jo-Philipp Wich [Tue, 11 Feb 2020 07:59:48 +0000 (08:59 +0100)]
file: poke ustream after starting deferred program

When we're starting a deferred request, the related input ustream might
have gone into read_blocked mode because incoming client request data
exhausted the ustreams internal buffer space. When this happens, edge
triggered uloop read events are "lost" and never re-triggered causing
the script input to never complete.

In order to avoid that deadlock situation, manually poke the input
ustream using ustream_poll() after invoking client_poll_post_data()
which should have drained (some) of the buffered input ustream contents.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 2ee323c01079248baa9465969df9e25b5fb68cdf)

4 years agoclient: fix invalid data access through invalid content-length values
Jo-Philipp Wich [Sun, 22 Dec 2019 21:32:00 +0000 (22:32 +0100)]
client: fix invalid data access through invalid content-length values

An invalid data access can be triggered with an HTTP POST request to a CGI
script specifying both `Transfer-Encoding: chunked` and a large negative
`Content-Length`.

The negative content length is assigned to `r->content_length` in
`client_parse_header` and passed as a negative read length to
`ustream_consume` in `client_poll_post_data` which will set the internal
ustream buffer pointer to an invalid address, causing out of bounds memory
reads later on in the code flow.

A similar implicit unsigned to signed conversion happens when parsing
chunk sizes emitted by a CGI program.

Address these issues by rejecting negative values in `r->content_length`
after assigning the `strtoul()` result.

Reported-by: Jan-Niklas Sohn <jan-niklas.sohn@gmx.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agoubus: increase maximum ubus request size to 64KB
Jo-Philipp Wich [Sat, 17 Aug 2019 19:53:38 +0000 (21:53 +0200)]
ubus: increase maximum ubus request size to 64KB

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agouhttpd: Fix multiple format string problems
Hauke Mehrtens [Sun, 16 Jun 2019 20:24:36 +0000 (22:24 +0200)]
uhttpd: Fix multiple format string problems

After format string checks were activated in libubox the compiler
started to complain about multiple missuses in uhttpd. This fixes the
format strings without changing the behavior.

blobmsg_get_string() just checks if the parameter is not NULL and then
calls blobmsg_data() and casts the result.

I think non of these problem is security relevant.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
6 years agocgi: escape url in 403 error output
Jo-Philipp Wich [Wed, 28 Nov 2018 11:36:35 +0000 (12:36 +0100)]
cgi: escape url in 403 error output

Escape the untrusted request URL input in the permission denied HTML output.

This fixes certain XSS vulnerabilities which can be leveraged to further
exploit the system.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agouhttpd: fix building without TLS and Lua support
Paul Willoughby [Wed, 26 Sep 2018 17:53:14 +0000 (11:53 -0600)]
uhttpd: fix building without TLS and Lua support

Adds ifdefs to fix building without TLS and Lua support

Signed-off-by: Paul Willoughby <paulw@spacemonkey.com>
6 years agohelp: document -A option
Karl Pálsson [Thu, 1 Nov 2018 12:50:32 +0000 (12:50 +0000)]
help: document -A option

It's one of the parameters used by default in LuCI, so it should be
included in the help output.

Signed-off-by: Karl Palsson <karlp@etactica.com>
6 years agofile: fix CPP syntax error
Jo-Philipp Wich [Mon, 24 Sep 2018 05:25:55 +0000 (07:25 +0200)]
file: fix CPP syntax error

Fixes: 77b774b ("build: avoid redefining _DEFAULT_SOURCE")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agobuild: avoid redefining _DEFAULT_SOURCE
Jo-Philipp Wich [Thu, 23 Aug 2018 07:36:06 +0000 (09:36 +0200)]
build: avoid redefining _DEFAULT_SOURCE

Work around further glibc toolchain annoyances.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agolua: support multiple Lua prefixes
Jo-Philipp Wich [Thu, 23 Aug 2018 05:51:56 +0000 (07:51 +0200)]
lua: support multiple Lua prefixes

Allow -l / -L arguments to be repeated to register multiple Lua prefix
handlers in the same process.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agobuild: use _DEFAULT_SOURCE
Jo-Philipp Wich [Tue, 21 Aug 2018 12:24:48 +0000 (14:24 +0200)]
build: use _DEFAULT_SOURCE

Add _DEFAULT_SOURCE FTM in order to avoid warnings with recent glibc.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agouhttpd: recognize PATCH, PUT and DELETE HTTP methods
Jo-Philipp Wich [Tue, 21 Aug 2018 09:39:15 +0000 (11:39 +0200)]
uhttpd: recognize PATCH, PUT and DELETE HTTP methods

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoclient: flush buffered SSL output when tearing down client ustream
Jo-Philipp Wich [Tue, 26 Jun 2018 06:35:06 +0000 (08:35 +0200)]
client: flush buffered SSL output when tearing down client ustream

When the outer SSL ustream triggers a change notification due to
encountering EOF, the inner connection ustream might still have
pending data buffered.

Previously, such a condition led to truncated files delivered by
uhttpd via HTTPS and could be triggered by requesting large resources
via slow network links.

Mitigate the problem by propagating the EOF status indicator from
the outer ustream to the inner one and by deferring the client
connection shutdown until the inner ustream output buffer has been
completely drained.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoproc: expose HTTP Origin header in process environment
Jo-Philipp Wich [Tue, 24 Apr 2018 18:03:19 +0000 (20:03 +0200)]
proc: expose HTTP Origin header in process environment

Map the "Origin:" header as $HTTP_ORIGIN environment variable for use by
request handling processes.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agofile: escape strings in HTML output
Jo-Philipp Wich [Wed, 4 Apr 2018 14:58:11 +0000 (16:58 +0200)]
file: escape strings in HTML output

Escape untrusted input like the request URL or filesystem paths in HTML
outputs such as the directory listing or 404 error messages.

This fixes certain XSS vulnerabilities which can be leveraged to further
exploit the system.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoutils: add uh_htmlescape() helper
Jo-Philipp Wich [Wed, 4 Apr 2018 14:56:49 +0000 (16:56 +0200)]
utils: add uh_htmlescape() helper

The uh_htmlescape() function returns a copy of the given string with the
HTML special characters `<`, `>`, `"` and `'` replaced by HTML entities in
hexadecimal notation.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoRevert "proc: avoid stdio deadlocks"
Jo-Philipp Wich [Wed, 4 Apr 2018 13:56:21 +0000 (15:56 +0200)]
Revert "proc: avoid stdio deadlocks"

This reverts commit ccd9717ba5d501b45fda957f0ea41c4660ef414c.

6 years agoproc: avoid stdio deadlocks
Jo-Philipp Wich [Wed, 24 Jan 2018 20:02:46 +0000 (21:02 +0100)]
proc: avoid stdio deadlocks

When a request handler accepting post data is too slow in consuming stdin,
uhttpd might deadlock with the master process stuck in a blocking write()
to the child and the child stuck with a blocking write() to the master.

Avoid this issue by putting the master side write end of the child pipe
into nonblocking mode right away and by raising the data_blocked flag
when attempts to write to the child yield EAGAIN.

Setting the flag ensures that client_poll_post_data() does not immediately
trigger a write attempt again, which effectively yields the master write
cycle so that the relay ustream has a chance to consume output of the
client process, thus solving the deadlock.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agolua: honour size argument in recv() function
Jo-Philipp Wich [Wed, 24 Jan 2018 18:45:00 +0000 (19:45 +0100)]
lua: honour size argument in recv() function

The existing implementation incorrectly attempted to read the entire stdin
instead of fetching at most the given amount of bytes.

While we're at it, also make the size argument optional and let it default
to Luas internal buffer size.

Suggested-by: Bryan Mayland <bmayland+lede@capnbry.net>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agofile: fix query string handling
Jo-Philipp Wich [Sat, 4 Nov 2017 13:31:40 +0000 (14:31 +0100)]
file: fix query string handling

Instead of storing a pointer to the beginning of the query string within the
request url, store a copy in a static buffer instead. This aligns handling
the query string portion of the url with other elements like physical path
or path info information.

Since the URL is usually kept in the per-client blob buffer which might
change its memory location due to reallocations triggered by blobmsg_add_*,
it is not safe to point to it early in the request life cycle.

This fixes invalid memory access usually manifesting itself as corrupted
query string data in CGI scripts.

Reported-by: P. Wassi <p.wassi@gmx.at>
Suggested-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agouhttpd: add manifest support
Adrian Panella [Fri, 21 Jul 2017 19:17:36 +0000 (14:17 -0500)]
uhttpd: add manifest support

Add "text/cache-manifest" mimetype support to enable the possibility of
using Application Cache.

Signed-off-by: Adrian Panella <ianchi74@outlook.com>
7 years agofile: fix basic auth regression
Jo-Philipp Wich [Sun, 9 Jul 2017 18:43:36 +0000 (20:43 +0200)]
file: fix basic auth regression

Previous refactoring of the basic auth handling code broke the logic in
such a way that basic auth was only performed if a client sent an
Authorization header in its request, but it was never prompted for by
the server.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agofile: remove unused "auth" member from struct path_info
Jo-Philipp Wich [Sun, 2 Jul 2017 14:24:07 +0000 (16:24 +0200)]
file: remove unused "auth" member from struct path_info

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoproc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
Jo-Philipp Wich [Sun, 2 Jul 2017 14:20:45 +0000 (16:20 +0200)]
proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS

Mimic other web servers like Nginx or Apache and expose the parsed basic
auth information as HTTP_AUTH_USER and HTTP_AUTH_PASS environment variables
to CGI processes.

This also restores login-from-basic-auth functionality in LuCI.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoauth: store parsed username and password
Jo-Philipp Wich [Sun, 2 Jul 2017 14:19:16 +0000 (16:19 +0200)]
auth: store parsed username and password

Store the parsed username and password information as HTTP headers in the
clients header blob buffer for later use by proc.c

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoproc: do not declare empty process variables
Jo-Philipp Wich [Sun, 2 Jul 2017 14:06:46 +0000 (16:06 +0200)]
proc: do not declare empty process variables

If a HTTP header variable has no corresponding value, then do not set it
to the empty string but to NULL, so that cgi.c will later skip it when
setting up the process environment.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agouhttpd: Add TCP_FASTOPEN support
Rosen Penev [Thu, 26 Jan 2017 01:14:23 +0000 (17:14 -0800)]
uhttpd: Add TCP_FASTOPEN support

Provides a small speedup when resuming the connection.

Signed-off by: Rosen Penev <rosenp@gmail.com>

8 years agolua: ensure that PATH_INFO starts with a slash
Jo-Philipp Wich [Tue, 25 Oct 2016 15:10:14 +0000 (17:10 +0200)]
lua: ensure that PATH_INFO starts with a slash

When calculating the matching prefix length, make sure to not take the trailing
slash into account in order to ensure that the resulting PATH_INFO string
always starts with a slash.

This ensures that an url like "/foo" against the matching prefix "/" or
"/foo/bar" against "/foo/" result in "/foo" and "/bar" respectively.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoutils: add proper handling of "/" special case in uh_path_match()
Jo-Philipp Wich [Tue, 25 Oct 2016 14:23:05 +0000 (16:23 +0200)]
utils: add proper handling of "/" special case in uh_path_match()

The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.

Add some extra code to handle this special case to implemented the expected
behaviour.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agocgi: allow conf.cgi_docroot_path to be NULL
Jo-Philipp Wich [Thu, 8 Oct 2015 17:45:00 +0000 (19:45 +0200)]
cgi: allow conf.cgi_docroot_path to be NULL

The check_cgi_path() function would segfault if we ever support running
uhttpd without any CGI prefix.

Add a check to prevent running uh_patch_match() when the prefix is unset.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
8 years agofile: re-run json handler script after file fallback redirect
Felix Fietkau [Thu, 6 Oct 2016 13:16:20 +0000 (15:16 +0200)]
file: re-run json handler script after file fallback redirect

This allows the request handler to add extra headers to the response
even in the redirect case.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
8 years agocmake: Find libubox/usock.h
Florian Fainelli [Mon, 11 Jul 2016 21:01:15 +0000 (14:01 -0700)]
cmake: Find libubox/usock.h

Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for libubox/usock.h.
Some external toolchains which do not include standard locations would fail to
find the header otherwise.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
8 years agofile: add support for disabling cache related precondition checks via handlers
Felix Fietkau [Thu, 16 Jun 2016 16:29:59 +0000 (18:29 +0200)]
file: add support for disabling cache related precondition checks via handlers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
8 years agouhttpd: add support for adding arbitrary headers via handler scripts
Felix Fietkau [Thu, 16 Jun 2016 16:26:18 +0000 (18:26 +0200)]
uhttpd: add support for adding arbitrary headers via handler scripts

Signed-off-by: Felix Fietkau <nbd@nbd.name>
9 years agofile: on redirect, only send content-length header when not using chunked transfer
Felix Fietkau [Sun, 8 Nov 2015 19:23:31 +0000 (20:23 +0100)]
file: on redirect, only send content-length header when not using chunked transfer

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agohandler: only send content-length header when not using chunked transfer
Felix Fietkau [Sun, 8 Nov 2015 19:22:18 +0000 (20:22 +0100)]
handler: only send content-length header when not using chunked transfer

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agohandler: add support for overriding redirect status code + message
Felix Fietkau [Sun, 8 Nov 2015 19:21:07 +0000 (20:21 +0100)]
handler: add support for overriding redirect status code + message

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agohandler: rename set_uri to rewrite
Felix Fietkau [Sun, 8 Nov 2015 19:10:02 +0000 (20:10 +0100)]
handler: rename set_uri to rewrite

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agoadd support for handling redirects via a script
Felix Fietkau [Sun, 8 Nov 2015 10:41:42 +0000 (11:41 +0100)]
add support for handling redirects via a script

In a json_script file you can specify rules for rewriting the URL or
redirecting the browser either unconditionally, or as a fallback where
it would otherwise print a 404 error

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agomain: sort getopt characters
Felix Fietkau [Fri, 6 Nov 2015 15:50:13 +0000 (16:50 +0100)]
main: sort getopt characters

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agofix the alias support
John Crispin [Tue, 20 Oct 2015 18:12:24 +0000 (20:12 +0200)]
fix the alias support

the path compare return code was not honoured properly

Signed-off-by: John Crispin <blogic@openwrt.org>
9 years agoadd a -y parameter for cgi-bin redirects
John Crispin [Wed, 7 Oct 2015 14:21:10 +0000 (16:21 +0200)]
add a -y parameter for cgi-bin redirects

this allows an alias entry inside the root folder point at a cgi-bin script

-y foo=bar will redirect /foo to /cgi-bin/bar

Signed-off-by: John Crispin <blogic@openwrt.org>
9 years agofix chunked transfer encoding in keepalive mode
Jo-Philipp Wich [Wed, 7 Oct 2015 21:57:55 +0000 (23:57 +0200)]
fix chunked transfer encoding in keepalive mode

The two commits

  5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
"allow request handlers to disable chunked reponses"

and

  618493e378e2239f0d30902e47adfa134e649fdc
"file: disable chunked encoding for file responses"

broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.

The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.

Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agouhttpd: fix wrong header file inclusion for PRI* constant definitions
Andrej Krpic [Wed, 23 Sep 2015 21:33:57 +0000 (23:33 +0200)]
uhttpd: fix wrong header file inclusion for PRI* constant definitions

Signed-off-by: Andrej Krpic <ak77@tnode.com>
9 years agofile: fix processing POST data for deferred requests
Felix Fietkau [Mon, 7 Sep 2015 19:18:26 +0000 (21:18 +0200)]
file: fix processing POST data for deferred requests

Fixes https://dev.openwrt.org/ticket/20458

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
9 years agocgi: Support passing X-HTTP-Method-Override header.
Karl Palsson [Mon, 17 Aug 2015 15:19:48 +0000 (15:19 +0000)]
cgi: Support passing X-HTTP-Method-Override header.

As uhttpd doesn't currently support PUT/DELETE/PATCH, allow passing the
commonly used X-HTTP-Method-Override header to CGI scripts.

This is an optional "protocol specific metadata" variable as per rfc
3875 section 4.1.18.

Signed-off-by: Karl Palsson <karlp@remake.is>
9 years agoclient: use 307 instead of 302 for HTTPS redirects
Jo-Philipp Wich [Sat, 30 May 2015 21:13:08 +0000 (23:13 +0200)]
client: use 307 instead of 302 for HTTPS redirects

Use the 307 code to force agents to retain the original request method.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoproc: add HTTPS environment variable
Jo-Philipp Wich [Sat, 30 May 2015 20:48:03 +0000 (22:48 +0200)]
proc: add HTTPS environment variable

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoadd support for enforcing HTTPS
Jo-Philipp Wich [Sat, 30 May 2015 16:25:39 +0000 (18:25 +0200)]
add support for enforcing HTTPS

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agofile: disable chunked encoding for file responses
Jo-Philipp Wich [Sat, 30 May 2015 13:58:24 +0000 (15:58 +0200)]
file: disable chunked encoding for file responses

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoallow request handlers to disable chunked reponses
Jo-Philipp Wich [Sat, 30 May 2015 13:48:42 +0000 (15:48 +0200)]
allow request handlers to disable chunked reponses

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoproperly handle return codes
John Crispin [Sat, 28 Mar 2015 16:25:40 +0000 (17:25 +0100)]
properly handle return codes

Signed-off-by: John Crispin <blogic@openwrt.org>
9 years agofixes for json 0.12
John Crispin [Wed, 11 Mar 2015 08:32:37 +0000 (09:32 +0100)]
fixes for json 0.12
Signed-off-by: John Crispin <blogic@openwrt.org>
9 years agolua: don't make uhttpd_plugin symbol constant
Jo-Philipp Wich [Sun, 25 Jan 2015 20:36:42 +0000 (21:36 +0100)]
lua: don't make uhttpd_plugin symbol constant

uhttpd modifies the list_head member of the uhttpd_plugin struct when
loading a plugin, therefore we cannot make it const, otherwise we
trigger a security violation if uhttpd is built with RelRO support.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agofile: explicitely cast st_mtime to uint64_t when generating ETag
Jo-Philipp Wich [Sun, 25 Jan 2015 17:57:31 +0000 (18:57 +0100)]
file: explicitely cast st_mtime to uint64_t when generating ETag

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoubus: don't make uhttpd_plugin symbol constant
Jo-Philipp Wich [Sun, 25 Jan 2015 17:13:03 +0000 (18:13 +0100)]
ubus: don't make uhttpd_plugin symbol constant

uhttpd modifies the list_head member of the uhttpd_plugin struct when
loading a plugin, therefore we cannot make it const, otherwise we
trigger a security violation if uhttpd is built with RelRO support.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoBuild with largefile support
Jo-Philipp Wich [Sun, 18 Jan 2015 15:07:04 +0000 (16:07 +0100)]
Build with largefile support

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agouhttpd: Fix possible memory leaks when generating directory listing
Andrej Krpic [Mon, 22 Dec 2014 17:55:11 +0000 (18:55 +0100)]
uhttpd: Fix possible memory leaks when generating directory listing

scandir() call requires free() of each returned dirent structure
and parent list. Code constructing HTML response of directory
listing is missing a call to free in some cases.

Signed-off-by: Andrej Krpic <ak77@tnode.com>
10 years agomimetypes: add json and jsonp (distinct from js)
Karl Palsson [Thu, 23 Oct 2014 13:00:29 +0000 (13:00 +0000)]
mimetypes: add json and jsonp (distinct from js)

.js files are being transferred as text/javascript, which, although
obsolete by RFC 4329 is most backward compatible.

.json and .jsonp are both transferred as application/octet-stream
however, causing warnings on the console for some browsers, even though
it works just fine.

Add the mimetypes for .json as per RFC 4627 and .jsonp as per RFC4329
(As jsonp _is_ javascript)

Signed-off-by: Karl Palsson <karlp@remake.is>
10 years agofile: do not emit Content-Length header for 304/412 responses
Jo-Philipp Wich [Mon, 27 Oct 2014 10:19:07 +0000 (11:19 +0100)]
file: do not emit Content-Length header for 304/412 responses

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoutils: do not emit eof chunk for 204/304 responses
Jo-Philipp Wich [Mon, 27 Oct 2014 10:18:10 +0000 (11:18 +0100)]
utils: do not emit eof chunk for 204/304 responses

According to RFC2616 10.2.5 and 10.3.5, 204 and 304 responses MUST NOT contain any
message body, therfore do not emit an EOF chunk for such responses.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoclient: store http code of last emitted response
Jo-Philipp Wich [Mon, 27 Oct 2014 10:15:35 +0000 (11:15 +0100)]
client: store http code of last emitted response

Certain response types (notably 204 and 304) require a slightly different
handling like emitting the response body entirely, therfore record the last
code to act on it in the appropriate places.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agolua: fix error reporting when Lua handler cannot be compiled
Jo-Philipp Wich [Wed, 3 Sep 2014 13:19:53 +0000 (15:19 +0200)]
lua: fix error reporting when Lua handler cannot be compiled

Reported-by: Sebastian Apel <sebastian.apel@gmx.de>
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agomain: use proper variable when warning about unsupported features
Jo-Philipp Wich [Wed, 3 Sep 2014 13:18:49 +0000 (15:18 +0200)]
main: use proper variable when warning about unsupported features

Reported-by: Sebastian Apel <sebastian.apel@gmx.de>
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agofile: invoke error handler in 403 case as well
Jo-Philipp Wich [Thu, 13 Feb 2014 19:43:43 +0000 (19:43 +0000)]
file: invoke error handler in 403 case as well

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoubus: add CORS header support
Jo-Philipp Wich [Tue, 27 May 2014 12:40:58 +0000 (14:40 +0200)]
ubus: add CORS header support

In order to support cross-domain AJAX requests to the /ubus endpoint
we need to implement the Cross-Origin Resource Sharing (CORS) spec
in the ubus plugin.

- Implement a new option "-X" to enable CORS support in ubus
- Implement rudimentary support for "OPTIONS" HTTP requests
- Implement essential CORS headers the ubus plugin

The current CORS response headers merely reflect the request headers
sent by the client, this way any requesting origin is automatically
allowed. Cross-domain cookies (Access-Control-Allow-Credentials) are
unconditionally enabled.

Restricting permitted origins and toggle the credential accepting can
be made configurable in a future commit to allow more fine grained
control over permitted AJAX clients.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agocgi: add _GNU_SOURCE define to fix build error on musl
Felix Fietkau [Sun, 8 Jun 2014 11:50:53 +0000 (13:50 +0200)]
cgi: add _GNU_SOURCE define to fix build error on musl

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agofix handling of / as cgi prefix
Felix Fietkau [Mon, 7 Apr 2014 22:42:04 +0000 (00:42 +0200)]
fix handling of / as cgi prefix

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agomain: strdup command line arguments that are modified
Felix Fietkau [Sat, 22 Mar 2014 19:28:17 +0000 (20:28 +0100)]
main: strdup command line arguments that are modified

This ensures that the process will show the correct command line in ps

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agocgi: compare the physical path instead of the url to detect quirky urls
Felix Fietkau [Sat, 22 Mar 2014 19:31:35 +0000 (20:31 +0100)]
cgi: compare the physical path instead of the url to detect quirky urls

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agorelay: do forward data if the http request type was HEAD
Felix Fietkau [Fri, 21 Mar 2014 20:27:30 +0000 (21:27 +0100)]
relay: do forward data if the http request type was HEAD

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoubus: remove indentation and whitespace from JSON responses to conserve a bit of...
Jo-Philipp Wich [Wed, 27 Nov 2013 18:30:17 +0000 (18:30 +0000)]
ubus: remove indentation and whitespace from JSON responses to conserve a bit of bandwidth

11 years agouhttpd: fix crashes in the ubus plugin
Felix Fietkau [Thu, 21 Nov 2013 21:50:30 +0000 (22:50 +0100)]
uhttpd: fix crashes in the ubus plugin

The ubus plugin calls blocking ubus functions that loop back into
uloop_run. Protect the client data structure with refcounting to ensure
that the outer uloop_run call does not clean up the data that the inner
uloop_run call is still processing.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agolua: fix lua 5.2 compatibility
Felix Fietkau [Sun, 29 Sep 2013 13:38:34 +0000 (15:38 +0200)]
lua: fix lua 5.2 compatibility

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agomain: return after processing -d switch
Jo-Philipp Wich [Mon, 11 Nov 2013 20:12:12 +0000 (20:12 +0000)]
main: return after processing -d switch

11 years agoubus: use "ubus_rpc_session" instead of "sid" attribute name when querying session...
Jo-Philipp Wich [Fri, 13 Sep 2013 13:01:52 +0000 (15:01 +0200)]
ubus: use "ubus_rpc_session" instead of "sid" attribute name when querying session.access

11 years agoubus: fix session example script to conform to new rpc protocol
Jo-Philipp Wich [Fri, 13 Sep 2013 12:51:44 +0000 (14:51 +0200)]
ubus: fix session example script to conform to new rpc protocol

11 years agoubus: deny requests with a "ubus_rpc_session" toplevel attribute to prevent injecting...
Jo-Philipp Wich [Fri, 13 Sep 2013 12:44:57 +0000 (14:44 +0200)]
ubus: deny requests with a "ubus_rpc_session" toplevel attribute to prevent injecting different SIDs

11 years agoubus: pass current session id as ubus_rpc_session attribute to any called procedure
Jo-Philipp Wich [Thu, 8 Aug 2013 11:40:40 +0000 (13:40 +0200)]
ubus: pass current session id as ubus_rpc_session attribute to any called procedure

11 years agoubus: move sid into the params array of the json-rpc request to avoid information...
Jo-Philipp Wich [Wed, 7 Aug 2013 14:46:13 +0000 (16:46 +0200)]
ubus: move sid into the params array of the json-rpc request to avoid information leakage via the post url

11 years agoubus: use per-request blob buffer to fetch list results, fixes global buffer corrupti...
Jo-Philipp Wich [Sat, 8 Jun 2013 17:39:19 +0000 (19:39 +0200)]
ubus: use per-request blob buffer to fetch list results, fixes global buffer corruption with concurrent requests

11 years agoclient: prevent further read calls after a client has been freed
Felix Fietkau [Wed, 31 Jul 2013 16:29:03 +0000 (18:29 +0200)]
client: prevent further read calls after a client has been freed

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoproc: consume all data after the pipe dies, instead of looping with 100% cpu usage
Felix Fietkau [Tue, 30 Jul 2013 22:32:40 +0000 (00:32 +0200)]
proc: consume all data after the pipe dies, instead of looping with 100% cpu usage

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agodetect chrome before safari, chrome includes Safari/ in the UA header
Felix Fietkau [Fri, 26 Jul 2013 11:25:06 +0000 (13:25 +0200)]
detect chrome before safari, chrome includes Safari/ in the UA header

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agodisable connection_close override if a keep-alive header is found
Felix Fietkau [Fri, 26 Jul 2013 09:36:45 +0000 (11:36 +0200)]
disable connection_close override if a keep-alive header is found

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agodisable keep-alive for POST requests to improve compatibility
Felix Fietkau [Fri, 26 Jul 2013 09:36:18 +0000 (11:36 +0200)]
disable keep-alive for POST requests to improve compatibility

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoubus: fix handling of empty JSON-RPC batches
Felix Fietkau [Fri, 21 Jun 2013 09:25:29 +0000 (11:25 +0200)]
ubus: fix handling of empty JSON-RPC batches

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoubus: duplicate request buffer to avoid memory corruption with multiple requests
Jo-Philipp Wich [Sat, 8 Jun 2013 10:10:52 +0000 (12:10 +0200)]
ubus: duplicate request buffer to avoid memory corruption with multiple requests

11 years agoubus: use half of the script timeout as timeout for acl lookup call
Jo-Philipp Wich [Sat, 8 Jun 2013 07:48:35 +0000 (09:48 +0200)]
ubus: use half of the script timeout as timeout for acl lookup call

11 years agoubus: implement list method to enumerate objects and signatures
Jo-Philipp Wich [Tue, 4 Jun 2013 14:43:43 +0000 (16:43 +0200)]
ubus: implement list method to enumerate objects and signatures

11 years agorelay: cancel the timeout on free
Felix Fietkau [Sat, 1 Jun 2013 21:43:04 +0000 (23:43 +0200)]
relay: cancel the timeout on free

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoubus: clear the right timeout on rpc connection teardowns
Felix Fietkau [Thu, 30 May 2013 13:05:00 +0000 (15:05 +0200)]
ubus: clear the right timeout on rpc connection teardowns

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agoubus: fix script timeout unit (seconds, not milliseconds)
Felix Fietkau [Thu, 30 May 2013 10:38:25 +0000 (12:38 +0200)]
ubus: fix script timeout unit (seconds, not milliseconds)

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agorelay: do not process headers after the first error
Felix Fietkau [Thu, 23 May 2013 10:50:08 +0000 (12:50 +0200)]
relay: do not process headers after the first error

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agorelay: fix close handling
Felix Fietkau [Thu, 23 May 2013 10:41:03 +0000 (12:41 +0200)]
relay: fix close handling

When the relay process has exited, close the connection as soon as no
data can immediately be read from the socket anymore, and the read
buffer has been emptied.
This fixes timeouts with scripts that leave processes lingering around
without closing their fds.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agofix infinite loop when the initial two characters in a connection are \r\n
Felix Fietkau [Thu, 23 May 2013 10:35:44 +0000 (12:35 +0200)]
fix infinite loop when the initial two characters in a connection are \r\n

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agouhttpd: allow the config to override the default index file
Felix Fietkau [Thu, 16 May 2013 11:17:10 +0000 (13:17 +0200)]
uhttpd: allow the config to override the default index file

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
11 years agouhttpd: mark a TLS connections internally to clean up their state
Felix Fietkau [Tue, 14 May 2013 17:40:27 +0000 (19:40 +0200)]
uhttpd: mark a TLS connections internally to clean up their state

Fixes a per-SSL-connection memory leak

Signed-off-by: Felix Fietkau <nbd@openwrt.org>