bearer and basic requests. This follows from conventional usage of bearer tokens.
bearer authorisation tokens. These are described in RFC 6750. Fix khttp_fcgi_test(3) to work properly when in variable-pool mode.
make regress would spam some systems with erroneous warning messages.
debugging parameter passed into khttp_parse(3).
kutil_date2epoch, kutil_date_check, kutil_datetime2epoch, and kutil_datetime_check in favour of khttp_datetime2epoch(3) and khttp_date2epoch(3).
These variants use portable implementations of gmtime(3) and timegm(3) that are not encumbered by per-system constraints such as FreeBSD not accepting years prior to 1900 and of course the 32-bit problem.
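A date-to-epoch conversion that avoids the constraints described above can be written with 64-bit integer arithmetic only. The following is an added example, not kcgi's implementation: the names datetime2epoch, days_from_civil and is_leap are hypothetical, and the year bound is this example's own choice.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: function names are hypothetical, not kcgi's code. */
static int is_leap(int64_t y)
{
	return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Days since 1970-01-01 in the proleptic Gregorian calendar.
 * Pure integer arithmetic: no struct tm, no time_t, no libc limits. */
static int64_t days_from_civil(int64_t y, int64_t m, int64_t d)
{
	int64_t era, yoe, doy, doe;

	y -= m <= 2;                              /* count years from March */
	era = (y >= 0 ? y : y - 399) / 400;       /* floor division */
	yoe = y - era * 400;                      /* [0, 399] */
	doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
	doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
	return era * 146097 + doe - 719468;
}

/* Returns 1 and sets *res on success, 0 on an invalid date or time. */
int datetime2epoch(int64_t *res, int64_t d, int64_t m, int64_t y,
	int64_t hh, int64_t mm, int64_t ss)
{
	static const int mdays[12] =
		{ 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

	/* Year bound is this example's choice; it keeps the math in range. */
	if (y < -1000000000 || y > 1000000000 || m < 1 || m > 12 || d < 1)
		return 0;
	if (d > mdays[m - 1] + (m == 2 && is_leap(y)))
		return 0;
	if (hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 59)
		return 0;
	*res = days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
	return 1;
}

int main(void)
{
	int64_t t;

	if (datetime2epoch(&t, 31, 12, 1899, 0, 0, 0))
		printf("1899-12-31 -> %lld\n", (long long)t);
	return 0;
}
```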
kutil_epoch2str, kutil_epoch2utcstr, kutil_epoch2tmvals, and KUTIL_EPOCH2TM as khttp_epoch2str, khttp_epoch2ustr, khttp_epoch2tms, and KHTTP_EPOCH2TM, respectively.
The new forms, besides having consistent naming, specifically account for corner cases like negative dates, years with more than four digits, etc.
These no longer use the system strtime(3) due to inconsistencies between implementations (e.g., Oracle Solaris not printing >4 digit years) and the 32-bit problem.
kutil_urlpart functions.
These are for the most part a re-name of the old functions that remove the unused struct kreq argument.
There are some small behaviour changes from the original in corner case usage: they have an empty suffix (not just NULL) inhibit printing the dot-suffix, allow a NULL page, and have an empty or NULL page also inhibit the suffix.
This way, these functions only produce valid URLs, and also allow for some previously-disallowed (but valid) forms such as /?foo=bar.
khttp_vurlpart and khttp_vurlpartx forms, which accept a variable-length type, are also now exposed for use.
kutil_urlabs but significantly more robust and accepts query string arguments.
The earlier kutil_urlabs is retained, but deprecated.
kutil_urlencode and kutil_urldecode. They're identical except in how NULL values are handled, in the first case returning them as empty strings instead of NULL, in the second regarding them as errors.
For the encoder, this allows all URL formatting tools to pass NULL values as query string values without errors.
The earlier functions have been retained with the original behaviour with one exception, in that a NULL destination argument for kutil_urldecode triggers a KCGI_FORM return.
KCGI_ENOMEM.
KCGI_FORM, such as when popping from an empty stack.
To prevent other KCGI_FORM errors from being masked, use KCGI_WRITER to handle these situations.
uint16_t for its entity value.
However, these values can legitimately be 32 bits.
It has been changed to uint32_t.
KCGI_FORM if given a stack position greater than the current stack.
This is inconsistent with other functions, so such values are now simply ignored.
It also masks other problems that cause KCGI_FORM to return.
Furthermore, if this function was invoked at the current depth, it would close all scopes instead of none.
This has also been fixed.
KCGI_FORM if used out-of-context, for example, trying to open a named object in an array context.
To prevent other KCGI_FORM errors from being masked, introduce a new error code KCGI_WRITER to handle these situations.
NULL pointer value to the string writing functions of khttp_puts(3), khttp_write(3), kcgihtml(3) or kcgijson(3) would cause undefined behaviour.
Now these are noops.
a@b) but tighten it to require not starting or ending with a @.
NULL format strings being passed to the logging functions.
href@random.sh for access to a FreeBSD machine for testing and solving this issue!
bmake for the build sequence.
nc value in digest authentication to be hex and adding support for application/xml to the list of supported MIME types.
Thanks!
\@@, allowing for the existence of delimiters as opaque text.
schwarze@) in an audit generously funded by CAPEM Solutions, Inc. Thank you so much!
FastCGI release: when running kcgi's FastCGI mode on nginx, processes were being mysteriously killed under high load. This was due to the end-point closing the connection before all data was being read or written. To wit, I now establish a difference (in FastCGI) between the connection closing (which is a recoverable error) and the manager killing the connection or the control socket exiting, which are not recoverable. Since most of this development was on Linux/ARM with nginx, the sandbox for Linux has also been tooled up. A big thanks to Elouan Pignet, who was kind enough to diagnose the problem and provide access to his system for a fix, including several failed attempts. Thanks, Elouan!
KCGI_EXIT when the system has exited.
The KCGI_HUP is reserved for when the output channel has closed (after parsing) and the current connection is no longer valid.
The documentation has been updated for relevant functions.
KCGI_HUP), the system will still expect headers.
Earlier, it would assert with subsequent khttp_write(3) if the error were not caught and the
In the modified behaviour, it will return KCGI_FORM to indicate that the system is out of state.
NULL request.
This makes it possible to use these functions for consistent logging without a request.
auth-int mode, most often used by CalDAV systems. Thanks to Charles Collicutt for the contribution!
schwarze@) in an audit generously funded by CAPEM Solutions, Inc. Thank you so much!
schwarze@) in an audit generously funded by CAPEM Solutions, Inc. Thank you so much!
kxml_open().
This must be manually printed with kxml_prologue().
khtml_text function has been removed (it was deprecated).
NULL on memory failure.
Earlier, this was inconsistent.
enum kcgi_err to indicate a failure condition.
enum kcgi_err to indicate a failure condition instead of whether compression was enabled.
enum kcgi_err to indicate a failure condition instead of whether compression was enabled.
Furthermore, the comp argument simply dictates whether compression should be enabled or not, preventing confusion.
enum kcgi_err to indicate a failure condition.
Furthermore, this function now dynamically allocates header lengths, removing prior bounds on header length.
schwarze@) in an extensive audit generously funded by CAPEM Solutions, Inc. None of these change application behaviour except that standalone query parts are let through. For example, localhost/foo?bar=baz&xyzzy now passes xyzzy as a key-pair with a zero-length pair.
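The standalone-key behaviour described above, sketched as an in-place query-string splitter. This is an added example, not kcgi's parser: struct pair, urldecode and parse_query are hypothetical names, and skipping empty segments and rejecting %00 are choices made for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct pair { char *key, *val; };   /* hypothetical type for this example */

/* Decode %XX and '+' in place. Returns 0 on a malformed or NUL escape. */
static int urldecode(char *s)
{
	char *out = s, hex[3] = { 0 };

	for (; *s != '\0'; s++, out++) {
		if (*s != '%') {
			*out = *s == '+' ? ' ' : *s;
			continue;
		}
		if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
			return 0;
		hex[0] = s[1], hex[1] = s[2];
		if ((*out = (char)strtoul(hex, NULL, 16)) == '\0')
			return 0;               /* %00 would truncate the value */
		s += 2;
	}
	*out = '\0';
	return 1;
}

/* Split a writable query string in place into at most max pairs.
 * Returns the pair count, or -1 on a bad escape or too many pairs. */
int parse_query(char *qs, struct pair *out, int max)
{
	int n = 0;

	for (char *next; qs != NULL && *qs != '\0'; qs = next) {
		if ((next = strchr(qs, '&')) != NULL)
			*next++ = '\0';
		if (*qs == '\0')
			continue;               /* skip empty "&&" segments */
		char *eq = strchr(qs, '=');
		/* No '=': a standalone key, passed with a zero-length value. */
		char *val = eq != NULL ? eq + 1 : qs + strlen(qs);
		if (eq != NULL)
			*eq = '\0';
		if (n == max || !urldecode(qs) || !urldecode(val))
			return -1;
		out[n].key = qs;
		out[n++].val = val;
	}
	return n;
}
```

Callers that test for the presence of a key need to treat a zero-length value as present, not as missing.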
text/plain enctypes is now deprecated, as I'm yet to see this ever used.
uint32_t size for the HTTP digest authorisation nonce count. This follows RFC 7616, sec. 3.4. Also add the kutil_err(3) family of functions, which report an error and exit. Split that into kutil_openlog(3) as well.
Lastly, commit considerable improvements to the khttp_parse(3) and other manpages, as well as some extra warning messages due to RFC violations during HTTP parse. Most of these were found and patched by Ingo Schwarze (schwarze@) in an extensive audit generously funded by CAPEM Solutions, Inc. Thank you!
schwarze@) in an extensive audit generously funded by CAPEM Solutions, Inc. Thank you!
uninstall rule to the GNUmakefile for those not using a package-managed version of the library. No code changes.
foo[bar] and foo[baz], which would be parsed for a type foo that's passed a dynamic value bar or baz.
xmalloc-style internal functions so as not to override weak symbols in any interfacing applications.
This was noted by Okan Demirmen—thanks!
feature for the FastCGI implementation: it now has the same protection as the CGI implementation for all child processes. Add sandbox for OpenBSD's tame(2), although this technically isn't supported yet (in snapshots, anyway) and returns ENOSYS.
On OpenBSD machines with both sandboxes, this is tried first.
This effort derives from a patch submitted by Reyk Floeter—thanks!
khttp_fcgi_parsex() function has been removed: all of the logic has been moved to the initialisation function, making the parse function much simpler.
Cement this by adding several new regression tests that exercise the FastCGI functionality.
These, of course, required that FastCGI functionality be added to the regression suite.
This is documented in kcgiregress(3) (the manpage was renamed from kcgi_regress).
STDIN_FILENO to the FastCGI application.
kcgi will then wait on this socket for incoming connections, which are acted upon with khttp_fcgi_parse(3).
In this release, this logic has been moved into its own process instead of being managed by the web application itself during calls to khttp_fcgi_parse(3).
While here, I cleaned up and simplified a lot of the sandbox and inter-process socket logic.
The control socket is not yet sandboxed: that will come with later releases.
Again, the FastCGI implementation is experimental!
argfree function to khttp_parse(3) wasn't being invoked if the arg was itself NULL.
(This is clearly bad behaviour—not all functions need that argument!)
This has been fixed as well.
txt and xml suffixes to the suffix table.
Fix that the request port number was erroneously disallowed to be >80.
uname -m, as the sandbox (ridiculously) needs to know the system architecture.
(Better yet: also send me the relevant AUDIT_ARCH_xxx from /usr/include/linux/audit.h.)
While here, allow for compilation on musl.
I've also moved the tutorial into a separate file and fleshed it out a little.
I'll probably add more tutorials in time.
Content-Encoding parameter themselves), and no compression (for applications taking full control of output themselves). While there, make the test for requested compression be sensitive to the RFC 2616 qvalue. Both functions now return whether compression has been enabled. This functionality augments existing behaviour: it does not change it.
khtml_close to khtml_closeelem in kcgihtml(3), then re-add the close function and an open function to harmonise with kcgijson(3) and kcgixml(3).
In the process, allow the closing functions in all libraries to unwind any remaining context, and have the closing functions return whether the request was out of bounds.
Prevent some bogus calls to kcgihtml(3) from aborting.
Bug-fix for detecting zlib on FreeBSD, found by Baptiste Daroussin. (Thanks!)
struct kreq.
Have validation for document body correctly set the ctypepos prior to validation. While there, properly decode the content-type field (i.e., discarding parameters) when looking up the type in the known types.
Authentication header, implementing RFC 2617. This was originally developed in kcaldav, but makes more sense to be run here inside of the untrusted child. Values are stored in the struct khttpauth field documented in khttp_parse(3).
application/x-www-form-urlencoded, multipart/form-data, or text/plain (during a POST only), then accept the HTTP body as a single object and validate it against the empty-key validator. Add HTTP methods and headers stipulated by HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) and Calendaring Extensions to WebDAV (CalDAV). Allow for the HTTP request headers to be exported to the struct kreq object as both a list and, for common HTTP headers, an indexed map.
Added kcgixml(3) bits for some simple XML support and added khtml_putc() and khtml_puts() to kcgihtml(3) for consistency.
Specify that a NULL template passed to the khttp_template(3) functions simply causes the named file or buffer to be outputted without any processing. Lastly, recognise getentropy(2) as a white-listed system call in the systrace(4) sandbox.
make regress.