History log of /lighttpd1.4/src/mod_alias.c (Results 1 – 25 of 47)
Revision tags: lighttpd-1.4.69, lighttpd-1.4.68
# 5e14db43 10-Dec-2022 Glenn Strauss

[multiple] employ ck_calloc, ck_malloc shared code

employ ck_calloc(), ck_malloc() shared code to slightly reduce code size
(centralize the ck_assert() to check that memory allocation succeeded)


# b82d7b8a 06-Dec-2022 Glenn Strauss

[multiple] mark mod_*_plugin_init() funcs cold


# 6d9d2cab 16-Oct-2022 Glenn Strauss

[mod_alias] fix typo in config error message


Revision tags: lighttpd-1.4.67, lighttpd-1.4.66, lighttpd-1.4.65, lighttpd-1.4.64, lighttpd-1.4.63, lighttpd-1.4.62
# 584a69c4 29-Oct-2021 Glenn Strauss

[mod_alias] fix use-after-free bug (fixes #3114)

(thx LoneFox)

bug introduced in 62a874df in lighttpd 1.4.59

x-ref:
"Use-after-free bug in mod_alias"
https://redmine.lighttpd.net/issues/3114


Revision tags: lighttpd-1.4.61, lighttpd-1.4.60
# af3df29a 09-Jun-2021 Glenn Strauss

[multiple] reduce redundant NULL buffer checks

This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.

Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.

In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.

- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend

Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)

internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg


# 81ef66ea 15-Mar-2021 Glenn Strauss

[multiple] buffer_has_slash_suffix()

buffer_has_slash_suffix()
buffer_has_pathsep_suffix()


Revision tags: lighttpd-1.4.59
# 62a874df 17-Jan-2021 Glenn Strauss

[mod_alias] modify r->physical.path in place

(reduce string copying)

split out func mod_alias_remap() from handler func for unit testing


Revision tags: lighttpd-1.4.58, lighttpd-1.4.57, lighttpd-1.4.56
# c16c6a8f 12-Nov-2020 Glenn Strauss

[mod_alias] validate given order, not sorted order

(bug on master branch)

x-ref:
"Debian Bullseye/sid arm64 - lighttp broken after update"
https://discussions.flightaware.com/t/debian-bullseye-sid-arm64-lighttp-broken-after-update/70756/20


Revision tags: lighttpd-1.4.56-rc7, lighttpd-1.4.56-rc6, lighttpd-1.4.56-rc5, lighttpd-1.4.56-rc4, lighttpd-1.4.56-rc3, lighttpd-1.4.56-rc2, lighttpd-1.4.56-rc1, lighttpd-1.4.55
# 7c7f8c46 13-Jan-2020 Glenn Strauss

[multiple] split con, request (very large change)

NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

NB: request read and write chunkqueues currently point to connection
chunkqueues; per-request and per-connection chunkqueues are
not distinct from one another
con->read_queue == r->read_queue
con->write_queue == r->write_queue

NB: in the future, a separate connection config may be needed for
connection-level module hooks. Similarly, might need to have
per-request chunkqueues separate from per-connection chunkqueues.
Should probably also have a request_reset() which is distinct from
connection_reset().


# cc2134c8 11-Jan-2020 Glenn Strauss

[multiple] copy small struct instead of memcpy()

when patching config


# 03b4c993 08-Dec-2019 Glenn Strauss

[multiple] generic config array type checking


# 50bdb55d 26-Nov-2019 Glenn Strauss

[multiple] connection hooks no longer get (srv *)

(explicit (server *) not passed; available in con->srv)


# b73949e0 19-Nov-2019 Glenn Strauss

[multiple] plugin.c handles common FREE_FUNC code

(simpler for modules; less boilerplate to cut-n-paste)


# d5782eba 26-Oct-2019 Glenn Strauss

[mod_alias] use config_plugin_values_init()


# e2de4e58 19-Oct-2019 Glenn Strauss

[core] const char *name in struct plugin

put void *data (always used) as first member of struct plugin

add int nconfig member to PLUGIN_DATA

calloc() inits p->data to NULL


# 36f64b26 17-Oct-2019 Glenn Strauss

[core] simpler config_check_cond()

optimize for common case where condition has been evaluated for
the request and a cached result exists

(also: begin isolating data_config)


# e3dc34d1 16-Oct-2019 Glenn Strauss

[core] array a->sorted[] as ptrs rather than pos

While slightly more memory use in 64-bit (though same memory use as
prior versions of lighttpd), avoids bouncing through second array
when searching in sorted list. Most use of arrays in lighttpd is to
build a list once, and elements are not removed from the list.


# a762402d 14-Oct-2019 Glenn Strauss

[core] keep a->data[] sorted (REVERT)

This reverts commit 2260a8062ee599ecf28d9b52b981603fd2084aff.

original ordering of array elements is significant
e.g. in lighttpd.conf lists where first match to request is applied


# 601c572c 13-Oct-2019 Glenn Strauss

[core] inline buffer as part of data_string value

(instead of value being (buffer *))


# 47a758f9 13-Oct-2019 Glenn Strauss

[core] inline buffer key for *_patch_connection()

handle buffer key as part of DATA_UNSET in *_patch_connection()
(instead of key being (buffer *))


# ad9b7e00 13-Oct-2019 Glenn Strauss

[core] inline buffer as part of DATA_UNSET key

(instead of key being (buffer *))


# c9f1b612 06-Oct-2019 Glenn Strauss

[core] keep a->data[] sorted; remove a->sorted[]


Revision tags: lighttpd-1.4.54
# 6a988bb0 27-Feb-2019 Mohammed Sadiq

[multiple] cleaner calloc use in SETDEFAULTS_FUNC

github: closes #99

x-ref:
"cleaner calloc use in SETDEFAULTS_FUNC"
https://github.com/lighttpd/lighttpd1.4/pull/99


Revision tags: lighttpd-1.4.53, lighttpd-1.4.52, lighttpd-1.4.51
# d61f3381 16-Sep-2018 Glenn Strauss

[multiple] code reuse: employ array_match_*()


Revision tags: lighttpd-1.4.50
# 2105dae0 01-Jul-2018 Glenn Strauss

[mod_alias] security: potential path traversal with specific configs

Security: potential path traversal of a single directory above the alias
target with a specific mod_alias config where the alias which is matched
does not end in '/', but alias target filesystem path does end in '/'.

e.g. server.docroot = "/srv/www/host/HOSTNAME/docroot"
alias.url = ( "/img" => "/srv/www/hosts/HOSTNAME/images/" )

If a malicious URL "/img../" were passed, the request would be
for directory "/srv/www/hosts/HOSTNAME/images/../" which would resolve
to "/srv/www/hosts/HOSTNAME/". If mod_dirlisting were enabled, which
is not the default, this would result in listing the contents of the
directory above the alias. An attacker might also try to directly
access files anywhere under that path, which is one level above the
intended aliased path.

credit: Orange Tsai(@orange_8361) from DEVCORE
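
The trailing-slash mismatch described in commit 2105dae0 above, as an added example that is not lighttpd's code and not taken from the commit: a config-time audit for the risky key/target shape, plus a request-time guard that refuses a "." or ".." segment glued onto the alias prefix. The function names `alias_pair_is_risky()` and `alias_remap_checked()`, the return codes, and the choice to answer 403 are assumptions made for illustration; the inputs are constructed from the commit message's example config.

```c
#include <stdio.h>
#include <string.h>

/* Config-time audit (hypothetical helper): flag an alias whose key lacks a
 * trailing '/' while its filesystem target ends in '/'. */
static int alias_pair_is_risky(const char *key, const char *target) {
    size_t klen = strlen(key), tlen = strlen(target);
    return klen && tlen && key[klen - 1] != '/' && target[tlen - 1] == '/';
}

/* Request-time remap sketch (hypothetical, not lighttpd's mod_alias_remap()).
 * Returns 0 and writes target + remainder into out on success,
 * -1 if the alias does not match or out is too small,
 * 403 if a risky pair is followed directly by a "." or ".." segment. */
static int alias_remap_checked(const char *key, const char *target,
                               const char *uri, char *out, size_t outsz) {
    size_t klen = strlen(key);
    if (0 != strncmp(uri, key, klen)) return -1;
    const char *rest = uri + klen;          /* url-path after the alias prefix */
    if (rest[0] == '.' && alias_pair_is_risky(key, target)) {
        const char *s = rest + 1;
        if (*s == '.') ++s;                 /* accept "." or ".." */
        if (*s == '/' || *s == '\0') return 403;
    }
    int n = snprintf(out, outsz, "%s%s", target, rest);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void) {
    /* Constructed inputs based on the example config in the commit message. */
    const char *key = "/img", *target = "/srv/www/hosts/HOSTNAME/images/";
    const char *uris[] = { "/img/logo.png", "/img../", "/img.png", "/img." };
    char path[256];
    printf("risky pair: %d\n", alias_pair_is_risky(key, target));
    for (size_t i = 0; i < sizeof(uris) / sizeof(uris[0]); ++i) {
        int rc = alias_remap_checked(key, target, uris[i], path, sizeof(path));
        printf("%-14s -> %s\n", uris[i],
               rc == 0 ? path : rc == 403 ? "403" : "no match");
    }
    return 0;
}
```

Making the key and target agree on the trailing slash (both with, or both without) removes the mismatch at the config level, so the audit function no longer flags the pair.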
