diff --git a/libexec/httpd/CHANGES b/libexec/httpd/CHANGES index 3ba7e1268d17..6cd188314a96 100644 --- a/libexec/httpd/CHANGES +++ b/libexec/httpd/CHANGES @@ -1,4 +1,11 @@ -$NetBSD: CHANGES,v 1.42 2020/09/12 12:39:28 rhialto Exp $ +$NetBSD: CHANGES,v 1.43 2020/10/15 02:19:23 mrg Exp $ + +changes in bozohttpd 20201014: + o also set -D_GNU_SOURCE in Makefile.boot. from + hadrien.lacour@posteo.net. + o fix array size botch (assertion, not exploitable.) from + martin@netbsd.org. + o also match %2F as well as %2f. from leah@vuxu.org. changes in bozohttpd 20200912: o add .m4a and .m4v file extensions. diff --git a/libexec/httpd/auth-bozo.c b/libexec/httpd/auth-bozo.c index 3d58d7a44194..a2f2ee4304c1 100644 --- a/libexec/httpd/auth-bozo.c +++ b/libexec/httpd/auth-bozo.c @@ -1,9 +1,9 @@ -/* $NetBSD: auth-bozo.c,v 1.25 2020/07/11 08:10:52 jruoho Exp $ */ +/* $NetBSD: auth-bozo.c,v 1.26 2020/10/15 02:19:23 mrg Exp $ */ /* $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */ /* - * Copyright (c) 1997-2019 Matthew R. Green + * Copyright (c) 1997-2020 Matthew R. Green * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/libexec/httpd/bozohttpd.8 b/libexec/httpd/bozohttpd.8 index c2a20de8c5bd..58ea324e3145 100644 --- a/libexec/httpd/bozohttpd.8 +++ b/libexec/httpd/bozohttpd.8 @@ -1,8 +1,8 @@ -.\" $NetBSD: bozohttpd.8,v 1.84 2020/08/20 07:55:10 mrg Exp $ +.\" $NetBSD: bozohttpd.8,v 1.85 2020/10/15 02:19:23 mrg Exp $ .\" .\" $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $ .\" -.\" Copyright (c) 1997-2019 Matthew R. Green +.\" Copyright (c) 1997-2020 Matthew R. Green .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 11, 2020 +.Dd October 14, 2020 .Dt BOZOHTTPD 8 .Os .Sh NAME 
@@ -642,7 +642,7 @@ The focus has always been simplicity and security, with minimal features and regular code audits. This manual documents .Nm -version 20190116. +version 20201014. .Sh AUTHORS .An -nosplit .Nm diff --git a/libexec/httpd/bozohttpd.c b/libexec/httpd/bozohttpd.c index 71561e728491..1b4873bab9bc 100644 --- a/libexec/httpd/bozohttpd.c +++ b/libexec/httpd/bozohttpd.c @@ -1,4 +1,4 @@ -/* $NetBSD: bozohttpd.c,v 1.121 2020/09/05 13:38:24 mrg Exp $ */ +/* $NetBSD: bozohttpd.c,v 1.122 2020/10/15 02:19:23 mrg Exp $ */ /* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */ @@ -109,7 +109,7 @@ #define INDEX_HTML "index.html" #endif #ifndef SERVER_SOFTWARE -#define SERVER_SOFTWARE "bozohttpd/20200820" +#define SERVER_SOFTWARE "bozohttpd/20201014" #endif #ifndef PUBLIC_HTML #define PUBLIC_HTML "public_html" @@ -651,7 +651,7 @@ bozo_read_request(bozohttpd_t *httpd) * if passed through a proxy that doesn't rewrite the port. */ if (httpd->bindport) { - if (strcmp(httpd->bindport, "80") != 0) + if (strcmp(httpd->bindport, BOZO_HTTP_PORT) != 0) port = httpd->bindport; else port = NULL; @@ -1099,7 +1099,7 @@ handle_redirect(bozo_httpreq_t *request, const char *url, int absolute) hostname = ""; portbuf[0] = '\0'; } else { - const char *defport = httpd->sslinfo ? "443" : "80"; + const char *defport = httpd->sslinfo ? BOZO_HTTPS_PORT : BOZO_HTTP_PORT; if (request->hr_serverport && strcmp(request->hr_serverport, defport) != 0) @@ -1335,7 +1335,8 @@ check_virtual(bozo_httpreq_t *request) * canonicalise hr_host - that is, remove any :80. */ len = strlen(request->hr_host); - if (len > 3 && strcmp(request->hr_host + len - 3, ":80") == 0) { + if (len > 3 && + strcmp(request->hr_host + len - 3, ":" BOZO_HTTP_PORT) == 0) { request->hr_host[len - 3] = '\0'; len = strlen(request->hr_host); } 
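Review bot: In check_virtual the suffix is now spelled `":" BOZO_HTTP_PORT`, but the `len > 3` guard and both `len - 3` offsets still hard-code the length of ":80", so the macro and the arithmetic can drift apart without any compiler diagnostic. Deriving the length from the literal keeps them tied: `const size_t sfx = sizeof(":" BOZO_HTTP_PORT) - 1;`, then `if (len > sfx && strcmp(request->hr_host + len - sfx, ":" BOZO_HTTP_PORT) == 0) {` and `request->hr_host[len - sfx] = '\0';`. Separately, this test and the one in bozo_http_error (the hunk at -2213) treat only the HTTP port as the default, while handle_redirect in this same commit picks BOZO_HTTPS_PORT when `httpd->sslinfo` is set. If virtual-host lookup also runs for TLS requests, a Host value ending in `:443` would presumably not be canonicalised and the error page would print the port. The function starts and ends outside the hunk, and so does the declaration of `len`.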
@@ -1554,7 +1555,7 @@ bozo_decode_url_percent(bozo_httpreq_t *request, char *str) if (s[1] == '0' && s[2] == '0') return bozo_http_error(httpd, 404, request, "percent hack was %00"); - if (s[1] == '2' && s[2] == 'f') + if (s[1] == '2' && (s[2] == 'f' || s[2] == 'F')) return bozo_http_error(httpd, 404, request, "percent hack was %2f (/)"); @@ -2213,7 +2214,7 @@ bozo_http_error(bozohttpd_t *httpd, int code, bozo_httpreq_t *request, } if (request && request->hr_serverport && - strcmp(request->hr_serverport, "80") != 0) + strcmp(request->hr_serverport, BOZO_HTTP_PORT) != 0) snprintf(portbuf, sizeof(portbuf), ":%s", request->hr_serverport); else diff --git a/libexec/httpd/bozohttpd.h b/libexec/httpd/bozohttpd.h index f0c6d1d398a9..c278e302ded7 100644 --- a/libexec/httpd/bozohttpd.h +++ b/libexec/httpd/bozohttpd.h @@ -1,4 +1,4 @@ -/* $NetBSD: bozohttpd.h,v 1.63 2020/08/20 05:46:31 spz Exp $ */ +/* $NetBSD: bozohttpd.h,v 1.64 2020/10/15 02:19:23 mrg Exp $ */ /* $eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $ */ @@ -253,6 +253,9 @@ void debug__(bozohttpd_t *, int, const char *, ...) BOZO_PRINTFLIKE(3, 4); #define have_debug (1) #endif /* NO_DEBUG */ +#define BOZO_HTTP_PORT "80" +#define BOZO_HTTPS_PORT "443" + /* * bozohttpd special files. avoid serving these out. * diff --git a/libexec/httpd/dir-index-bozo.c b/libexec/httpd/dir-index-bozo.c index 77f4455a63ee..7afa0836059f 100644 --- a/libexec/httpd/dir-index-bozo.c +++ b/libexec/httpd/dir-index-bozo.c @@ -1,9 +1,9 @@ -/* $NetBSD: dir-index-bozo.c,v 1.33 2020/07/06 23:31:36 jmcneill Exp $ */ +/* $NetBSD: dir-index-bozo.c,v 1.34 2020/10/15 02:19:23 mrg Exp $ */ /* $eterna: dir-index-bozo.c,v 1.20 2011/11/18 09:21:15 mrg Exp $ */ /* - * Copyright (c) 1997-2019 Matthew R. Green + * Copyright (c) 1997-2020 Matthew R. Green * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/libexec/httpd/main.c b/libexec/httpd/main.c index 04e0312777f1..121e50b6e8bf 100644 
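Review bot: The slash test in bozo_decode_url_percent now covers both hex cases, but the log string on the unchanged line below it still reads `percent hack was %2f (/)`, so a request refused for the upper-case form is recorded as if it had sent the lower-case one. That matters to anyone matching error logs against the exact bytes a client sent. A short comment above the test would also record the intent, for example `/* refuse an encoded '/' in either hex case; decoding it would add a path separator */`. None of the files in this commit adds a regression case for the upper-case form, so one request per case would pin the behaviour down. The decode loop around this test starts and ends outside the hunk.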
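Review bot: The two port macros added to bozohttpd.h after the debug block carry no comment, and their form is a hidden constraint. They have to stay string literals, because check_virtual pastes one into `":" BOZO_HTTP_PORT` and the other call sites pass them to strcmp(). A line such as `/* default ports; string literals because they are compared with strcmp() and concatenated */` above the definitions would keep a later change to integers from breaking those uses.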
--- a/libexec/httpd/main.c +++ b/libexec/httpd/main.c @@ -1,10 +1,10 @@ -/* $NetBSD: main.c,v 1.23 2020/07/06 23:31:36 jmcneill Exp $ */ +/* $NetBSD: main.c,v 1.24 2020/10/15 02:19:23 mrg Exp $ */ /* $eterna: main.c,v 1.6 2011/11/18 09:21:15 mrg Exp $ */ /* from: eterna: bozohttpd.c,v 1.159 2009/05/23 02:14:30 mrg Exp */ /* - * Copyright (c) 1997-2018 Matthew R. Green + * Copyright (c) 1997-2020 Matthew R. Green * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/libexec/httpd/ssl-bozo.c b/libexec/httpd/ssl-bozo.c index 2e6ce4c2b23e..1b4fd0f88672 100644 --- a/libexec/httpd/ssl-bozo.c +++ b/libexec/httpd/ssl-bozo.c @@ -1,4 +1,4 @@ -/* $NetBSD: ssl-bozo.c,v 1.27 2020/08/20 05:46:31 spz Exp $ */ +/* $NetBSD: ssl-bozo.c,v 1.28 2020/10/15 02:19:23 mrg Exp $ */ /* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */ @@ -328,7 +328,7 @@ bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv) sslinfo->certificate_file, sslinfo->privatekey_file)); if (!httpd->bindport) - httpd->bindport = bozostrdup(httpd, NULL, "https"); + httpd->bindport = bozostrdup(httpd, NULL, BOZO_HTTPS_PORT); } void
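Review bot: The default in bozo_ssl_set_opts changes from the service name `https` to the numeric string in BOZO_HTTPS_PORT, a behaviour change that neither a comment here nor the CHANGES entry in this commit mentions. The numeric form appears to be what lets the strcmp() against `defport` in handle_redirect match, since bozo_read_request copies `httpd->bindport` into `port`. A bind port supplied as a service name would presumably still miss those comparisons. A comment such as `/* numeric, so it compares equal to BOZO_HTTPS_PORT elsewhere */` would capture the intent. The function starts outside the hunk.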