o reduce default timeouts, and add expand timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling responses
old timeouts:
60 seconds for initial request like, 60 seconds per header line,
and no whole timeout (though the recent total header size changes
do introduce one that would be about 11 hours.)
new timeouts:
30 seconds for initial request like, 10 seconds per header line,
and a total request time of 600 seconds.
the new global timeout is implemented using CLOCK_MONOTONIC, with
a fallback to CLOCK_REALTIME if monotonic time is unavailable.
reject multiple Host: headers. besides being protocol standard,
this closes one additional memory leak found by JP. add a simple
test to check this.
clean up option and usage handling some.
o add search-word support for CGI
o fix a security issue in CGI suffix handler support which would
allow remote code execution, from shm@netbsd.org
o -C option supports now CGI scripts only
will be included in the HTTP reply. We define this as we are about to
add an authentication method that may need to have a conversation with
the client.
- don't call getpwuid(0) if we don't need to, or fail it it fails,
and remove the 'username' member of bozohttpd_t since it is not
used outside of bozo_setup().
- bozostrdup() gains a request parameter, and uses it to determine
what sort of error handling is required
- bozo_strdup() dies
- size_arrays() reduced slightly, pushing error handling into the caller
- convert to size_t for some array indices
- bozo_set_pref() and bozo_init_prefs() gain httpd parameters
- apply a bunch of manual CSE to vastly reduce the number of times the
string "request->hr_httpd" appears.
- CGI parse_header() takes a request not httpd now
XXX: lua glue updated to call bozo_init_prefs() with htttpd parameter,
but i'm only guessing here.
code duplication.
Note that bozo_strdup is different that bozostrdup; the _ routines exit
loging error to syslog or stderr, whereas the non _ routines send error
responses to the http client.
* add redirects to ~user translation
* fix bugs around ~user translation
* add schema detection for absolute redirects
* fixed few memory leaks
* bunch of minor tweaks
* removed -r support
* smarter redirects
OK mrg@
- handle errors in many places they weren't properly
- make SSL_accept() an error the main code notices
- expand bozo_ssl_err() to include bozo_ssl_warn(), bozo_clear_ssl_queue()
- remove empty bozo_ssl_flush()
- memory leaks in virtual host plugged
- ensure hr_host is only the host/port part when the request
contains the hostname in the URI not Host: header.
also update the references to the old http/1.1 draft rev 06
to RFC 2616 (fortunately, most sections hadn't moved.)
virtual server support - in daemonized mode mixed virtual and "main"
server usage would alter the virtual hostname depending on order of
requests.
To fix, move the effective virtual hostname into the request structure
and leave the httpd server description static.
CGI handling, including bin/40355 . There are two main changes here:
1) call process_cgi() after transform_request(), not before. Now it is
possible to have a default cgi handler catch a request for a path that
was produced by transformation, e.g. by index generation -- so now the
index can be "generated" by a CGI if that is what the user desires.
2) More clearly distinguish "file" from "query" portions of the request
URL, so we do not feed ?-suffixed "arguments" to plain files, fail to
match filename extensions due to ?-suffixes, etc.
After this change, there are only two cases which use the "query"
portion of the request (the portion after the ?):
a) A redirect issued by HTTPD will redirect to the new file, but
with the same query string.
b) process_cgi() will, of course continue to use the query string.
