[core] behavior change: stricter URL normalization
behavior change: stricter URL normalization
Prior behavior can be obtained by configuring lighttpd.conf with:
server.http-parseopts = ( "url-normalize" => "disable" )
although this is not recommended.
This behavior change was pre-announced with the releases of
lighttpd 1.4.52 (2018.11.28)
lighttpd 1.4.53 (2019.01.27)
The recommended settings are:
server.http-parseopts = (
  "header-strict"            => "enable",
  "host-strict"              => "enable",
  "host-normalize"           => "enable",
  "url-normalize"            => "enable",
  "url-normalize-unreserved" => "enable",
  "url-normalize-required"   => "enable",
  "url-ctrls-reject"         => "enable",
  "url-path-2f-decode"       => "enable",
  "url-path-backslash-trans" => "enable",
  "url-path-dotseg-remove"   => "enable",
  "url-query-20-plus"        => "enable"
)
The lighttpd defaults with this commit are slightly less strict:
server.http-parseopts = (
  "header-strict"            => "enable",
  "host-strict"              => "enable",
  "host-normalize"           => "enable",
  "url-normalize"            => "enable",
  "url-normalize-unreserved" => "enable",
  #"url-normalize-required"   => "enable",
  "url-ctrls-reject"         => "enable",
  "url-path-2f-decode"       => "enable",
  #"url-path-backslash-trans" => "enable",
  "url-path-dotseg-remove"   => "enable",
  #"url-query-20-plus"        => "enable"
)