History log of /lighttpd1.4/src/mod_extforward.c (Results 1 – 25 of 125)
Revision Date Author Comments
# e0817646 26-Feb-2023 Glenn Strauss <[email protected]>

[mod_extforward] manage remote addr per request (fixes #3192)

manage remote addr per request for HTTP/2 requests,
rather than remote addr per connection.

Modern load balancers often provide options to reuse connections for
*different* clients, and therefore mod_extforward might change the
remote addr per request.

x-ref:
"RFE: mod_extforward and multiplexed requests via HTTP/2"
https://redmine.lighttpd.net/issues/3192
"Evaluation of remote_addr for mod_maxminddb for multiplexed connections"
https://redmine.lighttpd.net/issues/3191


Revision tags: lighttpd-1.4.69
# e5f9e94d 07-Jan-2023 Glenn Strauss <[email protected]>

[multiple] codespell: correct spelling in comments


Revision tags: lighttpd-1.4.68
# 5e14db43 10-Dec-2022 Glenn Strauss <[email protected]>

[multiple] employ ck_calloc, ck_malloc shared code

employ ck_calloc(), ck_malloc() shared code to slightly reduce code size
(centralize the ck_assert() to check that memory allocation succeeded)


# b82d7b8a 06-Dec-2022 Glenn Strauss <[email protected]>

[multiple] mark mod_*_plugin_init() funcs cold


Revision tags: lighttpd-1.4.67, lighttpd-1.4.66, lighttpd-1.4.65
# 609f9209 27-Apr-2022 Glenn Strauss <[email protected]>

[mod_extforward] unix domain socket pedantic chks

unix domain socket pedantic checks when received via HAProxy PROXY
protocol (and should already be enabled only from trusted upstreams)

UNIX_PATH_MAX might be different sizes in some OS, and might not be
defined. It is 108 on Linux, but might be 104 on BSD, MacOS, so be
a bit more pedantic about checking structure sizes and assigning
the path to the sock_addr.


# e298e868 30-Mar-2022 Glenn Strauss <[email protected]>

[mod_extforward] support addtl IPv6 syntax w/ "[]"

support addtl IPv6 syntax w/ "[...]" in extforward.forwarder
when used with CIDR masks (n.b. only support "[]" with CIDR masks)


# 18c5f3eb 08-Mar-2022 Glenn Strauss <[email protected]>

[mod_extforward] adjust trust check for HTTP/2

adjust trust check for HTTP/2 streams, as trust is cached at the
connection level, but headers and scheme may need to be overwritten
per-request


Revision tags: lighttpd-1.4.64
# 8c62a890 05-Jan-2022 povcfe <[email protected]>

[mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)

(thx povcfe)

(edited: gstrauss)

There is a potential remote denial of service in lighttpd mod_extforward
under specific, non-default and uncommon 32-bit lighttpd mod_extforward
configurations.

Under specific, non-default and uncommon lighttpd mod_extforward
configurations, a remote attacker can trigger a 4-byte out-of-bounds
write of value '-1' to the stack. This is not believed to be exploitable
in any way beyond triggering a crash of the lighttpd server on systems
where the lighttpd server has been built 32-bit and with compiler flags
which enable a stack canary -- gcc/clang -fstack-protector-strong or
-fstack-protector-all, but bug not visible with only -fstack-protector.

With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
this bug has not been observed to cause adverse behavior, even with
gcc/clang -fstack-protector-strong.

For the bug to be reachable, the user must be using a non-default
lighttpd configuration which enables mod_extforward and configures
mod_extforward to accept and parse the "Forwarded" header from a trusted
proxy. At this time, support for RFC7239 Forwarded is not common in CDN
providers or popular web server reverse proxies. It bears repeating that
for the user to desire to configure lighttpd mod_extforward to accept
"Forwarded", the user must also be using a trusted proxy (in front of
lighttpd) which understands and actively modifies the "Forwarded" header
sent to lighttpd.

lighttpd natively supports RFC7239 "Forwarded"
hiawatha natively supports RFC7239 "Forwarded"

nginx can be manually configured to add a "Forwarded" header
https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
in front of another 32-bit lighttpd will detect and reject a malicious
"Forwarded" request header, thereby thwarting an attempt to trigger
this bug in an upstream 32-bit lighttpd.

The following servers currently do not natively support RFC7239 Forwarded:
nginx
apache2
caddy
node.js
haproxy
squid
varnish-cache
litespeed

Given the general dearth of support for RFC7239 Forwarded in popular
CDNs and web server reverse proxies, and given the prerequisites in
lighttpd mod_extforward needed to reach this bug, the number of lighttpd
servers vulnerable to this bug is estimated to be vanishingly small.
Large systems using reverse proxies are likely running 64-bit lighttpd,
which is not known to be adversely affected by this bug.

In the future, it is desirable for more servers to implement RFC7239
Forwarded. lighttpd developers would like to thank povcfe for reporting
this bug so that it can be fixed before more CDNs and web servers
implement RFC7239 Forwarded.

x-ref:
"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
https://redmine.lighttpd.net/issues/3134
(not yet written or published)
CVE-2022-22707


# 5b310b36 01-Jan-2022 Glenn Strauss <[email protected]>

[mod_extforward] support longer PROXY v2 TLV vec

support longer HAProxy PROXY protocol v2 TLV vector
(allow up to 2k total for header + TLVs, saved on stack,
and expecting <= MTU size (typically 1536 bytes))


Revision tags: lighttpd-1.4.63, lighttpd-1.4.62, lighttpd-1.4.61
# 0e093d66 13-Oct-2021 Glenn Strauss <[email protected]>

[mod_extforward] keep remote IP thru request reset

preserve remote IP until request reset

(historical IP restore in request_done hook was obsoleted by
commit fea5bdc8 in which request plugin context was split from
connection plugin context, and by much older commits which
ensured that request_reset hook was always run)

x-ref:
"Remote address behind reverse proxy not logged"
https://redmine.lighttpd.net/boards/2/topics/10041


Revision tags: lighttpd-1.4.60
# 77ea7d8a 02-Aug-2021 Glenn Strauss <[email protected]>

[mod_extforward] HAProxy PROXY env PP2_UNIQUE_ID

propagate PP2_TYPE_UNIQUE_ID into request env as PP2_UNIQUE_ID


# 9a2404ce 13-Jul-2021 Glenn Strauss <[email protected]>

[core] quiet compiler warnings

cast away signedness warning in request_check_hostname()
mod_gnutls https_add_ssl_client_entries crts allocated if crt_size != 0
(which is already checked earlier in routine)

report from Facebook Infer static analysis tool (https://fbinfer.com/)
- quiet dead store warnings
- check return != NULL from allocation funcs


# f1e8a82f 16-Jun-2021 Glenn Strauss <[email protected]>

[multiple] inline struct in con->dst_addr_buf

(mod_extforward recently changed to use buffer_move() to save addr
instead of swapping pointers)


# 2d9bf806 16-Jun-2021 Glenn Strauss <[email protected]>

[mod_extforward] inline some more data structures


# f490078d 15-Jun-2021 Glenn Strauss <[email protected]>

[multiple] buffer_copy_string_len_lc()

convenience wrapper combining
buffer_copy_string_len()
buffer_to_lower()
and making a single pass over string


# 8c5acaae 14-Jun-2021 Glenn Strauss <[email protected]>

[core] lowercase r->http_host, r->uri.authority

always lowercase r->http_host, r->uri.authority for consistency


# af3df29a 09-Jun-2021 Glenn Strauss <[email protected]>

[multiple] reduce redundant NULL buffer checks

This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.

Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.

In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.

- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend

Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)

internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg


# 3a9a3716 11-May-2021 Glenn Strauss <[email protected]>

[core] adjust r->http_host ptr caching

faster to use http_header_request_set_ptr() and buffer_copy_string_len()
than to use http_header_request_set() and http_header_request_get()

check r->http_host for NULL instead of relying on buffer_copy_* to do so


# 2097fe44 05-May-2021 Glenn Strauss <[email protected]>

[mod_extforward] shared mod_extforward_bad_request


# 26f354cb 21-Mar-2021 Glenn Strauss <[email protected]>

[multiple] http_header APIs to reduce str copies


# 19bc8885 15-Mar-2021 Glenn Strauss <[email protected]>

[multiple] add attrs from gcc -Wsuggest-attribute=


Revision tags: lighttpd-1.4.59
# 21f0dabe 07-Jan-2021 Glenn Strauss <[email protected]>

[multiple] replace buffer_is_equal_caseless_string

buffer_is_equal_caseless_string() -> buffer_eq_icase_slen()


# 891007fb 07-Jan-2021 Glenn Strauss <[email protected]>

[multiple] use HTTP_HEADER_* enum before strcmp

When known, use HTTP_HEADER_* enum before string comparisons


# b6892fb2 07-Jan-2021 Glenn Strauss <[email protected]>

[mod_extforward] fix extforward.headers defaults (fixes #3051)

(thx glen)

Regression in lighttpd 1.4.56 - 1.4.58 when extforward.headers is
not set in lighttpd.conf.

Workaround: extforward.headers = ("X-Forwarded-For")
(or appropriate value depending on header sent by upstream proxy)

x-ref:
"mod_extforward regression 1.4.56"
https://redmine.lighttpd.net/issues/3051


# a99550d7 06-Jan-2021 Glenn Strauss <[email protected]>

[mod_extforward] config warning for module order

expand config warning for module load order to include other TLS modules

