set -D_GNU_SOURCE in Makefile.boot. from hadrien.lacour@posteo.net.

also match %2F as well as %2f.  from leah@vuxu.org.
introduce defines for "80" and "443".  copyright maint.

libexec/httpd/CHANGES

@@ -1,4 +1,11 @@
-$NetBSD: CHANGES,v 1.42 2020/09/12 12:39:28 rhialto Exp $
+$NetBSD: CHANGES,v 1.43 2020/10/15 02:19:23 mrg Exp $
+
+changes in bozohttpd 20201014:
+	o  also set -D_GNU_SOURCE in Makefile.boot.  from
+	   hadrien.lacour@posteo.net.
+	o  fix array size botch (assertion, not exploitable.)  from
+	   martin@netbsd.org.
+	o  also match %2F as well as %2f.  from leah@vuxu.org.
 
 changes in bozohttpd 20200912:
 	o  add .m4a and .m4v file extensions.

libexec/httpd/auth-bozo.c

@@ -1,9 +1,9 @@
-/*	$NetBSD: auth-bozo.c,v 1.25 2020/07/11 08:10:52 jruoho Exp $	*/
+/*	$NetBSD: auth-bozo.c,v 1.26 2020/10/15 02:19:23 mrg Exp $	*/
 
 /*	$eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $	*/
 
 /*
- * Copyright (c) 1997-2019 Matthew R. Green
+ * Copyright (c) 1997-2020 Matthew R. Green
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

libexec/httpd/bozohttpd.8

@@ -1,8 +1,8 @@
-.\"	$NetBSD: bozohttpd.8,v 1.84 2020/08/20 07:55:10 mrg Exp $
+.\"	$NetBSD: bozohttpd.8,v 1.85 2020/10/15 02:19:23 mrg Exp $
 .\"
 .\"	$eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
 .\"
-.\" Copyright (c) 1997-2019 Matthew R. Green
+.\" Copyright (c) 1997-2020 Matthew R. Green
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd July 11, 2020
+.Dd October 14, 2020
 .Dt BOZOHTTPD 8
 .Os
 .Sh NAME
@@ -642,7 +642,7 @@ The focus has always been simplicity and security, with minimal features
 and regular code audits.
 This manual documents
 .Nm
-version 20190116.
+version 20201014.
 .Sh AUTHORS
 .An -nosplit
 .Nm

libexec/httpd/bozohttpd.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: bozohttpd.c,v 1.121 2020/09/05 13:38:24 mrg Exp $	*/
+/*	$NetBSD: bozohttpd.c,v 1.122 2020/10/15 02:19:23 mrg Exp $	*/
 
 /*	$eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -109,7 +109,7 @@
 #define INDEX_HTML		"index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE		"bozohttpd/20200820"
+#define SERVER_SOFTWARE		"bozohttpd/20201014"
 #endif
 #ifndef PUBLIC_HTML
 #define PUBLIC_HTML		"public_html"
@@ -651,7 +651,7 @@ bozo_read_request(bozohttpd_t *httpd)
 	 * if passed through a proxy that doesn't rewrite the port.
 	 */
 	if (httpd->bindport) {
-		if (strcmp(httpd->bindport, "80") != 0)
+		if (strcmp(httpd->bindport, BOZO_HTTP_PORT) != 0)
 			port = httpd->bindport;
 		else
 			port = NULL;
@@ -1099,7 +1099,7 @@ handle_redirect(bozo_httpreq_t *request, const char *url, int absolute)
 		hostname = "";
 		portbuf[0] = '\0';
 	} else {
-		const char *defport = httpd->sslinfo ? "443" : "80";
+		const char *defport = httpd->sslinfo ? BOZO_HTTPS_PORT : BOZO_HTTP_PORT;
 
 		if (request->hr_serverport &&
 		    strcmp(request->hr_serverport, defport) != 0)
@@ -1335,7 +1335,8 @@ check_virtual(bozo_httpreq_t *request)
 	 * canonicalise hr_host - that is, remove any :80.
 	 */
 	len = strlen(request->hr_host);
-	if (len > 3 && strcmp(request->hr_host + len - 3, ":80") == 0) {
+	if (len > 3 &&
+	    strcmp(request->hr_host + len - 3, ":" BOZO_HTTP_PORT) == 0) {
 		request->hr_host[len - 3] = '\0';
 		len = strlen(request->hr_host);
 	}
@@ -1554,7 +1555,7 @@ bozo_decode_url_percent(bozo_httpreq_t *request, char *str)
 		if (s[1] == '0' && s[2] == '0')
 			return bozo_http_error(httpd, 404, request,
 			    "percent hack was %00");
-		if (s[1] == '2' && s[2] == 'f')
+		if (s[1] == '2' && (s[2] == 'f' || s[2] == 'F'))
 			return bozo_http_error(httpd, 404, request,
 			    "percent hack was %2f (/)");
 
@@ -2213,7 +2214,7 @@ bozo_http_error(bozohttpd_t *httpd, int code, bozo_httpreq_t *request,
 	}
 
 	if (request && request->hr_serverport &&
-	    strcmp(request->hr_serverport, "80") != 0)
+	    strcmp(request->hr_serverport, BOZO_HTTP_PORT) != 0)
 		snprintf(portbuf, sizeof(portbuf), ":%s",
 				request->hr_serverport);
 	else

libexec/httpd/bozohttpd.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: bozohttpd.h,v 1.63 2020/08/20 05:46:31 spz Exp $	*/
+/*	$NetBSD: bozohttpd.h,v 1.64 2020/10/15 02:19:23 mrg Exp $	*/
 
 /*	$eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -253,6 +253,9 @@ void	debug__(bozohttpd_t *, int, const char *, ...) BOZO_PRINTFLIKE(3, 4);
 #define have_debug	(1)
 #endif /* NO_DEBUG */
 
+#define BOZO_HTTP_PORT	"80"
+#define BOZO_HTTPS_PORT	"443"
+
 /*
  * bozohttpd special files.  avoid serving these out.
  *

libexec/httpd/dir-index-bozo.c

@@ -1,9 +1,9 @@
-/*	$NetBSD: dir-index-bozo.c,v 1.33 2020/07/06 23:31:36 jmcneill Exp $	*/
+/*	$NetBSD: dir-index-bozo.c,v 1.34 2020/10/15 02:19:23 mrg Exp $	*/
 
 /*	$eterna: dir-index-bozo.c,v 1.20 2011/11/18 09:21:15 mrg Exp $	*/
 
 /*
- * Copyright (c) 1997-2019 Matthew R. Green
+ * Copyright (c) 1997-2020 Matthew R. Green
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

libexec/httpd/main.c

@@ -1,10 +1,10 @@
-/*	$NetBSD: main.c,v 1.23 2020/07/06 23:31:36 jmcneill Exp $	*/
+/*	$NetBSD: main.c,v 1.24 2020/10/15 02:19:23 mrg Exp $	*/
 
 /*	$eterna: main.c,v 1.6 2011/11/18 09:21:15 mrg Exp $	*/
 /* from: eterna: bozohttpd.c,v 1.159 2009/05/23 02:14:30 mrg Exp 	*/
 
 /*
- * Copyright (c) 1997-2018 Matthew R. Green
+ * Copyright (c) 1997-2020 Matthew R. Green
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

libexec/httpd/ssl-bozo.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ssl-bozo.c,v 1.27 2020/08/20 05:46:31 spz Exp $	*/
+/*	$NetBSD: ssl-bozo.c,v 1.28 2020/10/15 02:19:23 mrg Exp $	*/
 
 /*	$eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -328,7 +328,7 @@ bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv)
 	    sslinfo->certificate_file,
 	    sslinfo->privatekey_file));
 	if (!httpd->bindport)
-		httpd->bindport = bozostrdup(httpd, NULL, "https");
+		httpd->bindport = bozostrdup(httpd, NULL, BOZO_HTTPS_PORT);
 }
 
 void