- update CHANGES with recent changes

- export esacpe_html() and use it in directory indexing
- update manual to include recent contributors

libexec/httpd/CHANGES

@@ -1,6 +1,10 @@
 $eterna: CHANGES,v 1.78 2011/11/18 01:25:11 mrg Exp $
 
 changes since bozohttpd 20111118:
+	o  properly escape generated HTML
+	o  add authentication for redirections, from martin@netbsd.org
+	o  handle chained ssl certifications, from elric@netbsd.org
+	o  add basic support for gzipped files, from elric@netbsd.org
 	o  properly escape generated URIs
 
 changes since bozohttpd 20100920:

libexec/httpd/bozohttpd.8

@@ -1,8 +1,8 @@
-.\"	$NetBSD: bozohttpd.8,v 1.36 2013/03/02 16:45:31 ryoon Exp $
+.\"	$NetBSD: bozohttpd.8,v 1.37 2013/07/11 07:44:19 mrg Exp $
 .\"
 .\"	$eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
 .\"
-.\" Copyright (c) 1997-2010 Matthew R. Green
+.\" Copyright (c) 1997-2013 Matthew R. Green
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd February 20, 2012
+.Dd June 11, 2013
 .Dt HTTPD 8
 .Os
 .Sh NAME
@@ -485,7 +485,7 @@ The focus has always been simplicity and security, with minimal features
 and regular code audits.
 This manual documents
 .Nm
-version 20100920.
+version 20130711.
 .Sh AUTHORS
 .Nm
 was written by Matthew R. Green
@@ -531,13 +531,17 @@ Alistair G. Crooks
 cleaned up many internal interfaces, made bozohttpd linkable as a
 library and provided the lua binding.
 .It
+Roland Dowdeswell
+.Aq elric@netbsd.org
+added support for serving gzipped files and better SSL handling
+.It
 Jun-ichiro itojun Hagino, KAME
 .Aq itojun@iijlab.net
 provided initial IPv6 support
 .It
 Martin Husemann
 .Aq martin@netbsd.org
-provided .bzabsredirect support
+provided .bzabsredirect support, and fixed various redirection issues
 .It
 Arto Huusko
 .Aq arto.huusko@pp2.inet.fi
@@ -555,6 +559,10 @@ Nicolas Jombart
 .Aq ecu@ipv42.net
 provided fixes for HTTP basic authorisation support
 .It
+Antti Kantee
+.Aq pooka@netbsd.org
+provided fixes for HTTP basic authorisation support
+.It
 Thomas Klausner
 .Aq wiz@danbala.ifoer.tuwien.ac.at
 provided many fixes and enhancements for the man page
@@ -563,6 +571,12 @@ Johnny Lam
 .Aq jlam@netbsd.org
 provided man page fixes
 .It
+Julio Merino
+.Aq jmmv@netbsd.org
+Added the
+.Fl P
+option.
+.It
 Luke Mewburn
 .Aq lukem@netbsd.org
 provided many various fixes, including cgi-bin fixes and enhancements,
@@ -590,6 +604,10 @@ provided the
 .Fl V
 option.
 .It
+Thor Lancelot Simon
+.Aq tls@netbsd.org
+enhanced cgi-bin support.
+.It
 Joerg Sonnenberger
 .Aq joerg@netbsd.org
 implemented If-Modified-Since support

libexec/httpd/bozohttpd.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: bozohttpd.c,v 1.39 2013/06/27 13:11:11 martin Exp $	*/
+/*	$NetBSD: bozohttpd.c,v 1.40 2013/07/11 07:44:19 mrg Exp $	*/
 
 /*	$eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -109,7 +109,7 @@
 #define INDEX_HTML		"index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE		"bozohttpd/20111118"
+#define SERVER_SOFTWARE		"bozohttpd/20130711"
 #endif
 #ifndef DIRECT_ACCESS_FILE
 #define DIRECT_ACCESS_FILE	".bzdirect"
@@ -854,7 +854,7 @@ parse_http_date(const char *val, time_t *timestamp)
  * to be updated for any sort of parallel processing.
  */
 char *
-escape_rfc3986(bozohttpd_t *httpd, const char *url)
+bozo_escape_rfc3986(bozohttpd_t *httpd, const char *url)
 {
 	static char *buf;
 	static size_t buflen = 0;
@@ -965,7 +965,7 @@ handle_redirect(bozo_httpreq_t *request,
 		url = urlbuf;
 	} else
 		urlbuf = NULL;
-	url = escape_rfc3986(request->hr_httpd, url);
+	url = bozo_escape_rfc3986(request->hr_httpd, url);
 
 	if (request->hr_query && strlen(request->hr_query))
 		query = 1;
@@ -1083,7 +1083,7 @@ check_virtual(bozo_httpreq_t *request)
 					/* found it, punch it */
 					debug((httpd, DEBUG_OBESE, "found it punch it"));
 					request->hr_virthostname =
-					    bozostrdup(httpd,d->d_name);
+					    bozostrdup(httpd, d->d_name);
 					if (asprintf(&s, "%s/%s", httpd->virtbase,
 					    request->hr_virthostname) < 0)
 						bozo_err(httpd, 1, "asprintf");
@@ -1739,12 +1739,20 @@ bozo_err(bozohttpd_t *httpd, int code, const char *fmt, ...)
 	exit(code);
 }
 
-/* this escape HTML tags */
-static void
-escape_html(bozo_httpreq_t *request)
+/*
+ * this escapes HTML tags.  returns allocated escaped
+ * string if needed, or NULL on allocation failure or
+ * lack of escape need.
+ * call with NULL httpd in error paths, to avoid recursive
+ * malloc failure.  call with valid httpd in normal paths
+ * to get automatic allocation failure handling.
+ */
+char *
+bozo_escape_html(bozohttpd_t *httpd, const char *url)
 {
 	int	i, j;
-	char	*url = request->hr_file, *tmp;
+	char	*tmp;
+	size_t	len;
 
 	for (i = 0, j = 0; url[i]; i++) {
 		switch (url[i]) {
@@ -1759,16 +1767,17 @@ escape_html(bozo_httpreq_t *request)
 	}
 
 	if (j == 0)
-		return;
+		return NULL;
 
-	if ((tmp = (char *) malloc(strlen(url) + j)) == 0)
-		/*
-		 * ouch, but we are only called from an error context, and
-		 * most paths here come from malloc(3) failures anyway...
-		 * we could completely punt and just exit, but isn't returning
-		 * an not-quite-correct error better than nothing at all?
-		 */
-		return;
+	/*
+	 * we need to handle being called from different
+	 * pathnames.
+	 */
+	len = strlen(url) + j;
+	if (httpd)
+		tmp = bozomalloc(httpd, len);
+	else if ((tmp = malloc(len)) == 0)
+			return NULL;
 
 	for (i = 0, j = 0; url[i]; i++) {
 		switch (url[i]) {
@@ -1790,8 +1799,7 @@ escape_html(bozo_httpreq_t *request)
 	}
 	tmp[j] = 0;
 
-	free(request->hr_file);
-	request->hr_file = tmp;
+	return tmp;
 }
 
 /* short map between error code, and short/long messages */
@@ -1865,14 +1873,19 @@ bozo_http_error(bozohttpd_t *httpd, int code, bozo_httpreq_t *request,
 		portbuf[0] = '\0';
 
 	if (request && request->hr_file) {
-		escape_html(request);
+		char *file = NULL;
+
+		/* bozo_escape_html() failure here is just too bad. */
+		file = bozo_escape_html(NULL, request->hr_file);
+		if (file == NULL)
+			file = request->hr_file;
 		size = snprintf(httpd->errorbuf, BUFSIZ,
 		    "<html><head><title>%s</title></head>\n"
 		    "<body><h1>%s</h1>\n"
 		    "%s: <pre>%s</pre>\n"
  		    "<hr><address><a href=\"http://%s%s/\">%s%s</a></address>\n"
 		    "</body></html>\n",
-		    header, header, request->hr_file, reason,
+		    header, header, file, reason,
 		    hostname, portbuf, hostname, portbuf);
 		if (size >= (int)BUFSIZ) {
 			bozo_warn(httpd,

libexec/httpd/bozohttpd.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: bozohttpd.h,v 1.24 2013/06/27 10:01:31 martin Exp $	*/
+/*	$NetBSD: bozohttpd.h,v 1.25 2013/07/11 07:44:19 mrg Exp $	*/
 
 /*	$eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -193,7 +193,8 @@ int	bozo_http_error(bozohttpd_t *, int, bozo_httpreq_t *, const char *);
 int	bozo_check_special_files(bozo_httpreq_t *, const char *);
 char	*bozo_http_date(char *, size_t);
 void	bozo_print_header(bozo_httpreq_t *, struct stat *, const char *, const char *);
-char	*escape_rfc3986(bozohttpd_t *httpd, const char *url);
+char	*bozo_escape_rfc3986(bozohttpd_t *httpd, const char *url);
+char	*bozo_escape_html(bozohttpd_t *httpd, const char *url);
 
 char	*bozodgetln(bozohttpd_t *, int, ssize_t *, ssize_t (*)(bozohttpd_t *, int, void *, size_t));
 char	*bozostrnsep(char **, const char *, ssize_t *);

libexec/httpd/content-bozo.c

@@ -1,9 +1,9 @@
-/*	$NetBSD: content-bozo.c,v 1.7 2011/11/18 09:51:31 mrg Exp $	*/
+/*	$NetBSD: content-bozo.c,v 1.8 2013/07/11 07:44:19 mrg Exp $	*/
 
 /*	$eterna: content-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $	*/
 
 /*
- * Copyright (c) 1997-2011 Matthew R. Green
+ * Copyright (c) 1997-2013 Matthew R. Green
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -73,6 +73,7 @@ static bozo_content_map_t static_content_map[] = {
 	{ ".z",		2, "unknown",			"x-pack",	"x-pack", NULL },
 	{ ".bz2",	4, "application/x-bzip2",	"x-bzip2",	"x-bzip2", NULL },
 	{ ".ogg",	4, "application/x-ogg",		"",		"", NULL },
+	{ ".mkv",	4, "video/x-matroska",		"",		"", NULL },
 	{ ".xbel",	5, "text/xml",			"",		"", NULL },
 	{ ".xml",	4, "text/xml",			"",		"", NULL },
 	{ ".xsl",	4, "text/xml",			"",		"", NULL },

libexec/httpd/dir-index-bozo.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: dir-index-bozo.c,v 1.15 2012/07/19 09:53:06 mrg Exp $	*/
+/*	$NetBSD: dir-index-bozo.c,v 1.16 2013/07/11 07:44:19 mrg Exp $	*/
 
 /*	$eterna: dir-index-bozo.c,v 1.20 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -127,7 +127,7 @@ bozo_dir_index(bozo_httpreq_t *request, const char *dirname, int isindex)
 	    j--; de++) {
 		int nostat = 0;
 		char *name = (*de)->d_name;
-		char *urlname;
+		char *urlname, *htmlname;
 
 		if (strcmp(name, ".") == 0 ||
 		    (strcmp(name, "..") != 0 &&
@@ -140,21 +140,26 @@ bozo_dir_index(bozo_httpreq_t *request, const char *dirname, int isindex)
 
 		l = 0;
 
-		urlname = escape_rfc3986(httpd, name);
+		urlname = bozo_escape_rfc3986(httpd, name);
+		htmlname = bozo_escape_html(httpd, name);
+		if (htmlname == NULL)
+			htmlname = name;
 		if (strcmp(name, "..") == 0) {
 			bozo_printf(httpd, "<a href=\"../\">");
 			l += bozo_printf(httpd, "Parent Directory");
 		} else if (S_ISDIR(sb.st_mode)) {
 			bozo_printf(httpd, "<a href=\"%s/\">", urlname);
-			l += bozo_printf(httpd, "%s/", name);
+			l += bozo_printf(httpd, "%s/", htmlname);
 		} else if (strchr(name, ':') != NULL) {
 			/* RFC 3986 4.2 */
 			bozo_printf(httpd, "<a href=\"./%s\">", urlname);
-			l += bozo_printf(httpd, "%s", name);
+			l += bozo_printf(httpd, "%s", htmlname);
 		} else {
 			bozo_printf(httpd, "<a href=\"%s\">", urlname);
-			l += bozo_printf(httpd, "%s", name);
+			l += bozo_printf(httpd, "%s", htmlname);
 		}
+		if (htmlname != name)
+			free(htmlname);
 		bozo_printf(httpd, "</a>");
 
 		/* NAMELEN spaces */