[core] remove extra HTTP/2 HEADERS frame len check

remove extra HTTP/2 HEADERS frame len check
(now that the check has been added to proper place in prior commit)

[core] fix HTTP/2 HEADERS frame parsing bug

(thx Sig Run for reproduction cases, ASAN logs, valgrind logs)

credit: sig.run https://hackerone.com/sigrun

2023.02.10 edit:
CVE ID assignment requested

[core] fix HTTP/2 HEADERS frame parsing bug

(thx Sig Run for reproduction cases, ASAN logs, valgrind logs)

credit: sig.run https://hackerone.com/sigrun

2023.02.10 edit:
CVE ID assignment requested a few days ago, but id not yet assigned

show more ...

[core] add missed h2 state transition (fixes #3186)

transition to h2 state half closed local if END_STREAM sent with HEADERS

(thx gjoe)

x-ref:
HTTP 2 connections not properly closed
https://re

[core] add missed h2 state transition (fixes #3186)

transition to h2 state half closed local if END_STREAM sent with HEADERS

(thx gjoe)

x-ref:
HTTP 2 connections not properly closed
https://redmine.lighttpd.net/issues/3186

show more ...

[multiple] codespell: correct spelling in comments

[multiple] employ ck_calloc, ck_malloc shared code

employ ck_calloc(), ck_malloc() shared code to slightly reduce code size
(centralize the ck_assert() to check that memory allocation succeeded)

[core] fix HTTP/2 downloads >= 4GiB (fixes #3166)

(thx flynn)

regression in lighttpd 1.4.60 - lighttpd 1.4.65

x-ref:
"GET requests hangs on big files after 10% using HTTP/2"
https://redmine.li

[core] fix HTTP/2 downloads >= 4GiB (fixes #3166)

(thx flynn)

regression in lighttpd 1.4.60 - lighttpd 1.4.65

x-ref:
"GET requests hangs on big files after 10% using HTTP/2"
https://redmine.lighttpd.net/issues/3166

show more ...

[core] h2: optim: send window update in 16k units

h2: optim: send window update in 16k units for both sessions and streams

[core] update cached tables with Priority header

(thx jens-maus)

[core] h2: avoid sending tiny DATA frames

h2: avoid sending tiny DATA frames when h2 window is tiny
and a larger amount of data is pending to be sent;
wait for slightly larger window to be available

[core] h2: avoid sending tiny DATA frames

h2: avoid sending tiny DATA frames when h2 window is tiny
and a larger amount of data is pending to be sent;
wait for slightly larger window to be available

note: must temporarily disable this when running h2spec since some
h2spec tests expect 1-byte DATA frame, not a deferred response

show more ...

[core] h2: avoid sending small WINDOW_UPDATE frames

Note this may slow down uploads due to delay in sending WINDOW_UPDATE
smaller than the default max frame size (16384), but as a trade-off
this aim

[core] h2: avoid sending small WINDOW_UPDATE frames

Note this may slow down uploads due to delay in sending WINDOW_UPDATE
smaller than the default max frame size (16384), but as a trade-off
this aims to reduce degenerative behavior from clients sending an
increasing number of tiny DATA frames. The default 65535 value for
SETTINGS_INITIAL_WINDOW_SIZE (which lighttpd immediately increases to
65536) is larger than 16384, so deferring small updates should not
exhaust the window (from lighttpd's perspective).

x-ref:
"Slow upload / Increase CPU/Memory usage with HTTP/2 enabled"
https://redmine.lighttpd.net/issues/3089
"libnghttp2 degenerative behavior possible when HTTP/2 window size exhausted"
https://github.com/nghttp2/nghttp2/issues/1722

show more ...

[core] increase session window size to 256k

(adjust the HTTP/2 frame value to match the comment;
previous value was actually adjusting only to 128k)

[core] h2 SETTINGS_INITIAL_WINDOW_SIZE 64k (fixes #3089)

Increase stream window size to 64k (from default 64k-1)
Increase session window size to 256k (from default 64k-1)
(multiple of SETTINGS_MAX

[core] h2 SETTINGS_INITIAL_WINDOW_SIZE 64k (fixes #3089)

Increase stream window size to 64k (from default 64k-1)
Increase session window size to 256k (from default 64k-1)
(multiple of SETTINGS_MAX_FRAME_SIZE (default 16k))
(rely on TCP window scaling and TCP congestion control
to manage client sending too much data)

Window size as multiple of SETTINGS_MAX_FRAME_SIZE (default 16k) may be
friendlier to client buffer management and more efficient for uploading.
Window sizes are not increased to arbitrarily large numbers as the
HTTP/2 flow control may be useful to help simplistic/naive clients
avoid symptoms of buffer bloat.

Bandwidth delay product on high bandwidth, high latency links may be
large, so increasing window sizes may increase performance. However,
lighttpd code does not check actual per-connection RTT or kernel
socket buffer sizes. 256k chosen as session window size, and 192k as
stream window size.

Above changes avoid degenerative behavior from the widely deployed
libnghttp2 which may devolve to sending 1 byte at a time in some cases.
https://redmine.lighttpd.net/issues/3089

x-ref:
"Slow upload / Increase CPU/Memory usage with HTTP/2 enabled"
https://redmine.lighttpd.net/issues/3089
Delivering HTTP/2 upload speed improvements
https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/

show more ...

[multiple] simplify bytes_in/bytes_out accounting

encapsulate accounting calculations in
http_request_stats_bytes_in()
http_request_stats_bytes_out()

more accurate accounting for HTTP/1.1 bytes_i

[multiple] simplify bytes_in/bytes_out accounting

encapsulate accounting calculations in
http_request_stats_bytes_in()
http_request_stats_bytes_out()

more accurate accounting for HTTP/1.1 bytes_in on keep-alive requests
(affects case where client pipelines HTTP/1.1 requests)

remove con->bytes_read and con->bytes_written
(no longer needed since request_st was split from connection struct
and request bytes_read_ckpt and bytes_written_ckpt are maintained
for HTTP/1.x bytes_in and bytes_out accounting. Also, further back,
chunkqueue internal accounting was simplified to maintain bytes_in
and bytes_out to always match chunkqueue length)

show more ...

[core] send Priority resp hdr w/ .css, .js re-prio

send Priority response header with .css, .js re-prioriziation

[core] h2 prio sort urgency, incr, then stream id

h2 priority sort based on urgency, incremental, then stream id

[core] stricter check of HTTP/2 GOAWAY frame size

[core] send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES

send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES=1 with server connection
preface

RFC9218 Extensible Prioritization Scheme for HTTP
2.1 Disabling RFC 7

[core] send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES

send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES=1 with server connection
preface

RFC9218 Extensible Prioritization Scheme for HTTP
2.1 Disabling RFC 7540 Priorities
If endpoints use SETTINGS_NO_RFC7540_PRIORITIES they MUST send it in
the first SETTINGS frame.

RFC7540 Hypertext Transfer Protocol Version 2 (HTTP/2)
6.5.3. Settings Synchronization
Unsupported parameters MUST be ignored.

x-ref:
https://datatracker.ietf.org/doc/html/rfc9218
https://datatracker.ietf.org/doc/html/rfc7540

show more ...

[core] HTTP/2 PRIORITY_UPDATE frame (experimental)

*experimental* support for HTTP/2 PRIORITY_UPDATE frame

x-ref:
"Extensible Prioritization Scheme for HTTP"
https://datatracker.ietf.org/doc/ht

[core] HTTP/2 PRIORITY_UPDATE frame (experimental)

*experimental* support for HTTP/2 PRIORITY_UPDATE frame

x-ref:
"Extensible Prioritization Scheme for HTTP"
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-priority-12
https://datatracker.ietf.org/doc/html/rfc9218

show more ...

[core] short-circuit earlier parsing h2 trailers

[multiple] WebSockets over HTTP/2 (fixes #3151)

Add support for WebSockets over HTTP/2 to lighttpd core and to
mod_cgi w/ config: cgi.upgrade = "enable"
mod_proxy w/ config: proxy.head

[multiple] WebSockets over HTTP/2 (fixes #3151)

Add support for WebSockets over HTTP/2 to lighttpd core and to
mod_cgi w/ config: cgi.upgrade = "enable"
mod_proxy w/ config: proxy.header += ("upgrade" => "enable")
mod_wstunnel

HTTP/2 CONNECT extension defined in RFC8441 is translated to HTTP/1.1
'Upgrade: websocket' requests to mod_cgi or mod_proxy, and is handled
directly in mod_wstunnel.

x-ref:
WebSockets over HTTP/2
https://redmine.lighttpd.net/issues/3151
Bootstrapping WebSockets with HTTP/2
https://datatracker.ietf.org/doc/html/rfc8441

show more ...

[core] discard DATA from REFUSED_STREAM at h2 init

discard DATA from REFUSED_STREAM at h2 connection init
while waiting for SETTINGS ackn from client

This is not a bugfix in lighttpd, but rather is

[core] discard DATA from REFUSED_STREAM at h2 init

discard DATA from REFUSED_STREAM at h2 connection init
while waiting for SETTINGS ackn from client

This is not a bugfix in lighttpd, but rather is a workaround for
impolite/aggressive/dumb/lazy (take your picks) client behavior.

x-ref:
"POST request DATA part for non-existing URI closes HTTP/2 connection prematurely"
https://redmine.lighttpd.net/issues/3078
"HTTP/2 Error"
https://redmine.lighttpd.net/issues/3148
"Possible HTTP/2 error - GOAWAY sent"
https://redmine.lighttpd.net/issues/3149
"[WAD] HTTP/2 GOAWAY with excessive PUT requests exceeding stream concurrency limit"
https://redmine.lighttpd.net/boards/2/topics/10351

show more ...

[core] isolate plugins_*() funcs to main server

(future: might rename plugin.c -> plugins.c since the functions
contained within are all plugins_*())

[core] prep server_tag at startup for h2 resp hdr

[core] connection_handle_read_state() tweak

no need to set transient state CON_STATE_REQUEST_END

[core] fix reqpool mem corruption in 1.4.62 (fixes #3118)

x-ref:
"Segfault after updating to version 1.4.62"
https://redmine.lighttpd.net/issues/3118
"Segfault on closing connections"
https:

[core] fix reqpool mem corruption in 1.4.62 (fixes #3118)

x-ref:
"Segfault after updating to version 1.4.62"
https://redmine.lighttpd.net/issues/3118
"Segfault on closing connections"
https://redmine.lighttpd.net/issues/3119

show more ...