diff options
author | Jose dos Santos Junior <j.s.junior@live.com> | 2015-09-03 14:59:53 -0300 |
---|---|---|
committer | Dmitry Bogatov <KAction@debian.org> | 2018-11-15 15:59:23 +0000 |
commit | 61ea5949cff07ab7d48370718eca7b9afa32b19f (patch) | |
tree | 16445cb2c1595678a5e80c79f1ad76fa9938e395 /debian | |
parent | c3c061430d85cda66505a98ab62919acce4349d7 (diff) | |
parent | ef18215493fbf5180b9a9b016ac70e0f3766f59c (diff) |
Import Debian changes 1.21-1
mini-httpd (1.21-1) unstable; urgency=medium
* New upstream release.
* New maintainer. (Closes: #780194)
* Fix CVE-2015-1548
- Patch fix-add_to_response-buffer-overflow. (Closes: #778925)
* d/control:
- Bump Standard-Version to 3.9.6.
- Bump debhelper to 9.
- Remove deprecated dpatch.
- Upgrade packaging format "3.0 (quilt)". (Closes: #664363)
- Remove article in description synopsis.
- Add ${misc:Depends}.
* d/copyright
- Update to DEP5 format.
- Formatting copyright.
* d/rules:
- Upgrade to dh sequencer.
- Added upstream changelog extracted from mini-httpd website.
* d/mini-httpd.init.d:
- Fix restart error. (Closes: #510905, #755892)
* d/patches:
- Fix and add SCRIPT_FILENAME in patch 03-cgi-php. (Closes: #569599)
- Ensure hardening is enabled for mini_httpd.c.
- Don't install htpasswd.1.
- Add index.mini-httpd.html to the list of index names.
* d/mini-httpd.init.d
- Source /lib/lsb/init-functions.
- Add "status" command.
* d/mini-httpd.postinst
- Copy index.mini-httpd.html. (Closes: #730373)
- Use "set -e" and don't install htpasswd. (Closes: #520941)
Diffstat (limited to 'debian')
25 files changed, 603 insertions, 176 deletions
diff --git a/debian/changelog b/debian/changelog index ecdb514..653a42e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,38 @@ +mini-httpd (1.21-1) unstable; urgency=medium + + * New upstream release. + * New maintainer. (Closes: #780194) + * Fix CVE-2015-1548 + - Patch fix-add_to_response-buffer-overflow. (Closes: #778925) + * d/control: + - Bump Standard-Version to 3.9.6. + - Bump debhelper to 9. + - Remove deprecated dpatch. + - Upgrade packaging format "3.0 (quilt)". (Closes: #664363) + - Remove article in description synopsis. + - Add ${misc:Depends}. + * d/copyright + - Update to DEP5 format. + - Formatting copyright. + * d/rules: + - Upgrade to dh sequencer. + - Added upstream changelog extracted from mini-httpd website. + * d/mini-httpd.init.d: + - Fix restart error. (Closes: #510905, #755892) + * d/patches: + - Fix and add SCRIPT_FILENAME in patch 03-cgi-php. (Closes: #569599) + - Ensure hardening is enabled for mini_httpd.c. + - Don't install htpasswd.1. + - Add index.mini-httpd.html to the list of index names. + * d/mini-httpd.init.d + - Source /lib/lsb/init-functions. + - Add "status" command. + * d/mini-httpd.postinst + - Copy index.mini-httpd.html. (Closes: #730373) + - Use "set -e" and don't install htpasswd. (Closes: #520941) + + -- Jose dos Santos Junior <j.s.junior@live.com> Thu, 03 Sep 2015 14:59:53 -0300 + mini-httpd (1.19-9.3) unstable; urgency=low * Non-maintainer upload. diff --git a/debian/compat b/debian/compat index b8626c4..ec63514 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -4 +9 diff --git a/debian/config/mini-httpd.conf b/debian/config/mini-httpd.conf index 087ca5c..5388717 100644 --- a/debian/config/mini-httpd.conf +++ b/debian/config/mini-httpd.conf @@ -1,5 +1,8 @@ # Example config for mini_httpd. # Author: Marvin Stark <marv@der-marv.de> +# Author-Update: 2015 Jose dos Santos Junior <j.s.junior@live.com> +# Description Update: Changed the default document root (data_dir)/var/www/html +# Last-Update: 2015-09-05 # Uncomment this line for turning on ssl support. #ssl @@ -22,7 +25,7 @@ nochroot # no # We are the web files stored? # Please change this to your needs. -data_dir=/usr/share/mini-httpd/html +data_dir=/var/www/html # CGI path cgipat=cgi-bin/* diff --git a/debian/control b/debian/control index de382c8..98e4422 100644 --- a/debian/control +++ b/debian/control @@ -1,17 +1,17 @@ Source: mini-httpd Section: web Priority: optional -Maintainer: Marvin Stark <marv@der-marv.de> -Build-Depends: debhelper (>= 4), dpatch, libssl-dev +Maintainer: Jose dos Santos Junior <j.s.junior@live.com> +Build-Depends: debhelper (>= 9), libssl-dev Homepage: http://www.acme.com/software/mini_httpd -Standards-Version: 3.8.0 +Standards-Version: 3.9.6 Package: mini-httpd Architecture: any -Depends: ${shlibs:Depends} +Depends: ${shlibs:Depends}, ${misc:Depends} Provides: httpd, httpd-cgi Recommends: apache2-utils -Description: a small HTTP server +Description: Small HTTP server mini-httpd implements all basic features of a HTTPD, including: GET,HEAD,POST methods, common MIME types, basic authentication, virtual hosting, CGI, directory listing, trailing-slash redirection, standard logging, custom error diff --git a/debian/copyright b/debian/copyright index 73460d0..5eea48b 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,28 +1,38 @@ -This package was debianized by Marvin Stark <marv@der-marv.de> on -Mon, 3 Jul 2006 20:12:42 +0200. +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: mini-httpd +Source: http://www.acme.com/software/mini_httpd/ -It was downloaded from <http://www.acme.com/software/mini_httpd/>. +Files: * +Copyright: 1999-2000 Jef Poskanzer <jef@acme.com> +License: BSD-2-clause -Copyright Holder: Jef Poskanzer <jef@acme.com> +Files: match.c match.h mini_httpd.c tdate_parse.c tdate_parse.h +Copyright: 1999-2000 Jef Poskanzer <jef@acme.com> +License: BSD-2-clause -License: +Files: debian/* +Copyright: 2006-2015 Marvin Stark <marv@der-marv.de> + 2015 Jose dos Santos Junior <j.s.junior@live.com> +License: BSD-2-clause - Copyright (C) 1999-2000 Jef Poskanzer <jef@acme.com> - - Redistribution and use in source and binary forms, with or without - modification, are permitted under the terms of the BSD License. - - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS - BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF - THE POSSIBILITY OF SUCH DAMAGE. - -On Debian systems, the complete text of the BSD License -can be found in `/usr/share/common-licenses/BSD'. +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HOLDERS OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file diff --git a/debian/mini-httpd.default b/debian/mini-httpd.default index 7d9799f..831e14d 100644 --- a/debian/mini-httpd.default +++ b/debian/mini-httpd.default @@ -1,7 +1,8 @@ -# Defaults for mini_httpd initscript +# Description: Defaults for mini_httpd initscript # Author: Marvin Stark <marv@der-marv.de> # Start daemon? +# Default 1 # 0 = no # 1 = yes START=0 diff --git a/debian/mini-httpd.init.d b/debian/mini-httpd.init.d index 0a7cdae..07db432 100644 --- a/debian/mini-httpd.init.d +++ b/debian/mini-httpd.init.d @@ -9,11 +9,14 @@ # Description: this script starts mini-httpd ### END INIT INFO +. /lib/lsb/init-functions + # Globals PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -DAEMON=/usr/sbin/mini-httpd -NAME=mini-httpd +DAEMON=/usr/sbin/mini_httpd +NAME=mini_httpd DESC="web server" +PIDFILE=/var/run/mini_httpd.pid test -x $DAEMON || exit 0 @@ -35,6 +38,7 @@ start() { echo "$NAME." else printf "You have to edit /etc/mini-httpd.conf and\n/etc/default/mini-httpd before running mini-httpd!\n" + printf " " exit 0 fi } @@ -69,7 +73,9 @@ case "$1" in stop) stop ;; - + status) + status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? + ;; restart|force-reload) stop start @@ -77,7 +83,7 @@ case "$1" in *) N=/etc/init.d/$NAME - echo "Usage: $N {start|stop|restart|force-reload}" >&2 + echo "Usage: $N {start|stop|status|restart|force-reload}" >&2 exit 1 ;; esac diff --git a/debian/mini-httpd.install b/debian/mini-httpd.install new file mode 100644 index 0000000..b8e5366 --- /dev/null +++ b/debian/mini-httpd.install @@ -0,0 +1,2 @@ +debian/config/mini-httpd.conf etc/ +debian/html/index.html usr/share/mini-httpd/html/
\ No newline at end of file diff --git a/debian/mini-httpd.manpages b/debian/mini-httpd.manpages new file mode 100644 index 0000000..3562f15 --- /dev/null +++ b/debian/mini-httpd.manpages @@ -0,0 +1 @@ +mini_httpd.8
\ No newline at end of file diff --git a/debian/mini-httpd.postinst b/debian/mini-httpd.postinst index 6623b1d..956bc01 100644 --- a/debian/mini-httpd.postinst +++ b/debian/mini-httpd.postinst @@ -1,9 +1,15 @@ -#!/bin/sh -e +#!/bin/sh +set -e if [ "$1" = "configure" ] && dpkg --compare-versions "1.19-9.3" gt "$2" then - dpkg-divert --package mini-httpd --rename --remove /usr/share/man/man1/htpasswd.1.gz - dpkg-divert --package mini-httpd --rename --remove /usr/bin/htpasswd + dpkg-divert --package mini-httpd --rename --remove /usr/share/man/man1/htpasswd.1.gz + dpkg-divert --package mini-httpd --rename --remove /usr/bin/htpasswd fi -#DEBHELPER# +if [ ! -r /var/www/html/index.mini-httpd.html ]; then + mkdir -p /var/www/html + cp /usr/share/mini-httpd/html/index.html /var/www/html/index.mini-httpd.html +fi + +#DEBHELPER#
\ No newline at end of file diff --git a/debian/patches/00list b/debian/patches/00list deleted file mode 100644 index a3a2cb2..0000000 --- a/debian/patches/00list +++ /dev/null @@ -1,6 +0,0 @@ -01-manpage.dpatch -02-makefile.dpatch -03-cgi-php.dpatch -04-kfreebsd.dpatch -05-manpage-hyphen.dpatch -10-bug-552844-ftbfs-htpasswd.c-onflicting-types.dpatch diff --git a/debian/patches/01-manpage.dpatch b/debian/patches/01-manpage index 0688334..61858df 100644 --- a/debian/patches/01-manpage.dpatch +++ b/debian/patches/01-manpage @@ -5,9 +5,11 @@ @DPATCH@ ---- mini-httpd-1.19/mini_httpd.8.orig 2006-07-05 00:14:37.000000000 +0200 -+++ mini-httpd-1.19/mini_httpd.8 2006-07-05 00:15:30.000000000 +0200 -@@ -432,7 +432,7 @@ +Index: mini-httpd-1.21/mini_httpd.8 +=================================================================== +--- mini-httpd-1.21.orig/mini_httpd.8 ++++ mini-httpd-1.21/mini_httpd.8 +@@ -432,7 +432,7 @@ You don't need cert.csr and privkey.pem, .SH "SEE ALSO" htpasswd(1), weblog_parse(1), http_get(1) .SH AUTHOR diff --git a/debian/patches/02-makefile.dpatch b/debian/patches/02-makefile index 19e3dda..19e3dda 100644 --- a/debian/patches/02-makefile.dpatch +++ b/debian/patches/02-makefile diff --git a/debian/patches/03-cgi-php b/debian/patches/03-cgi-php new file mode 100644 index 0000000..2b3bcc6 --- /dev/null +++ b/debian/patches/03-cgi-php @@ -0,0 +1,34 @@ +Description: mini_httpd does not run php cgi + shows following error: "No input file specified". + Thanks to Thorsten Schmale who has written this patch. +Author: Marvin Stark <marv@der-marv.de> +Last-Update: 2015-09-03 +Index: mini-httpd-1.21/mini_httpd.c +=================================================================== +--- mini-httpd-1.21.orig/mini_httpd.c ++++ mini-httpd-1.21/mini_httpd.c +@@ -1141,7 +1141,7 @@ handle_request( void ) + int r, file_len, i; + const char* index_names[] = { + "index.html", "index.mini-httpd.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", +- "index.cgi" }; ++ "index.cgi", "index.php" }; + + /* Set up the timeout for reading. */ + #ifdef HAVE_SIGSET +@@ -2147,6 +2147,7 @@ make_envp( void ) + int envn; + char* cp; + char buf[256]; ++ char rp[MAXPATHLEN]; + + envn = 0; + envp[envn++] = build_env( "PATH=%s", CGI_PATH ); +@@ -2167,6 +2168,7 @@ make_envp( void ) + envp[envn++] = build_env( + "REQUEST_METHOD=%s", get_method_str( method ) ); + envp[envn++] = build_env( "SCRIPT_NAME=%s", path ); ++ envp[envn++] = build_env( "SCRIPT_FILENAME=%s", realpath(file, rp) ); + if ( pathinfo != (char*) 0 ) + { + envp[envn++] = build_env( "PATH_INFO=/%s", pathinfo ); diff --git a/debian/patches/03-cgi-php.dpatch b/debian/patches/03-cgi-php.dpatch deleted file mode 100644 index c4c8a7e..0000000 --- a/debian/patches/03-cgi-php.dpatch +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/sh /usr/share/dpatch/dpatch-run -## 03-cgi-php.dpatch by Marvin Stark <marv@der-marv.de> -## Thanks to Thorsten Schmale who has written this patch. -## -## DP: mini_httpd does not run php cgi's. -## DP: mini_httpd shows following error: "No input file specified". - -@DPATCH@ - ---- mini-httpd-1.19/mini_httpd.c.orig 2008-02-05 08:40:28.000000000 +0000 -+++ mini-httpd-1.19/mini_httpd.c 2008-02-05 08:50:35.000000000 +0000 -@@ -1129,7 +1129,7 @@ - int r, file_len, i; - const char* index_names[] = { - "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", -- "index.cgi" }; -+ "index.cgi", "index.php" }; - - /* Set up the timeout for reading. */ - #ifdef HAVE_SIGSET -@@ -2117,6 +2117,7 @@ - int envn; - char* cp; - char buf[256]; -+ char rp[MAXPATHLEN]; - - envn = 0; - envp[envn++] = build_env( "PATH=%s", CGI_PATH ); -@@ -2134,7 +2135,7 @@ - envp[envn++] = build_env( "SERVER_PORT=%s", buf ); - envp[envn++] = build_env( - "REQUEST_METHOD=%s", get_method_str( method ) ); -- envp[envn++] = build_env( "SCRIPT_NAME=%s", path ); -+ envp[envn++] = build_env( "SCRIPT_FILENAME=%s", realpath(file, rp) ); - if ( pathinfo != (char*) 0 ) - { - envp[envn++] = build_env( "PATH_INFO=/%s", pathinfo ); diff --git a/debian/patches/05-manpage-hyphen.dpatch b/debian/patches/05-manpage-hyphen index 9178f2a..3bf27ad 100644 --- a/debian/patches/05-manpage-hyphen.dpatch +++ b/debian/patches/05-manpage-hyphen @@ -1,13 +1,12 @@ -#!/bin/sh /usr/share/dpatch/dpatch-run -## 05-manpage-hyphen.dpatch by Raphael Geissert <geissert@debian.org> -## -## DP: Escape minus signs as needed. +Description: Escape minus signs as needed. +Author: Raphael Geissert <geissert@debian.org> +Last-Update: 2015-09-05 -@DPATCH@ - ---- mini-httpd-1.19.orig/mini_httpd.8 2009-07-05 19:45:04.000000000 -0500 -+++ mini-httpd-1.19/mini_httpd.8 2009-07-05 19:50:45.000000000 -0500 -@@ -107,7 +107,7 @@ +Index: mini-httpd-1.21/mini_httpd.8 +=================================================================== +--- mini-httpd-1.21.orig/mini_httpd.8 ++++ mini-httpd-1.21/mini_httpd.8 +@@ -107,7 +107,7 @@ The config-file option name for this fla .B -dd Specifies a directory to chdir() to after chrooting. If you're not chrooting, you might as well do a single chdir() with @@ -16,7 +15,7 @@ If you are chrooting, this lets you put the web files in a subdirectory of the chroot tree, instead of in the top level mixed in with the chroot files. -@@ -172,7 +172,7 @@ +@@ -172,7 +172,7 @@ which is just fine for most sites. The config-file option name for this flag is "maxage". .TP .B -S @@ -25,7 +24,7 @@ to enable this feature. The config-file option name for this flag is "ssl". .TP -@@ -207,7 +207,7 @@ +@@ -207,7 +207,7 @@ Shows mini_httpd's version and then exit mini_httpd supports the CGI 1.1 spec. .PP In order for a CGI program to be run, its name must match the pattern @@ -34,7 +33,7 @@ This is a simple shell-style filename pattern. You can use * to match any string not including a slash, or ** to match any string including slashes, -@@ -255,12 +255,12 @@ +@@ -255,12 +255,12 @@ so that mini_httpd can still generate sy Check your system's syslodg man page for how to do this. In FreeBSD you would put something like this in /etc/rc.conf: .nf @@ -49,7 +48,7 @@ .SH "MULTIHOMING" .PP Multihoming means using one machine to serve multiple hostnames. -@@ -308,7 +308,7 @@ +@@ -308,7 +308,7 @@ If your OS's version of ifconfig doesn't probably out of luck. .PP Third and last, you must set up mini_httpd to handle the multiple hosts. @@ -58,7 +57,7 @@ This works with either CNAME multihosting or multiple-IP multihosting. What it does is send each incoming request to a subdirectory based on the hostname it's intended for. -@@ -321,26 +321,26 @@ +@@ -321,26 +321,26 @@ With the example above, you'd do like so If you're using old-style multiple-IP multihosting, you should also create symbolic links from the numeric addresses to the names, like so: .nf @@ -94,7 +93,7 @@ .SH "CUSTOM ERRORS" .PP mini_httpd lets you define your own custom error pages for the various -@@ -416,15 +416,15 @@ +@@ -416,15 +416,15 @@ http://www.modssl.org/docs/2.4/ssl_faq.h You can also create one for yourself, using the openssl tool. Step one - create the key and certificate request: .nf @@ -115,9 +114,11 @@ .fi This creates four files. The ones you want are cert.pem and key.pem. ---- mini-httpd-1.19.orig/htpasswd.1 1999-09-28 13:49:35.000000000 -0500 -+++ mini-httpd-1.19/htpasswd.1 2009-07-05 19:57:50.000000000 -0500 -@@ -9,7 +9,7 @@ +Index: mini-httpd-1.21/htpasswd.1 +=================================================================== +--- mini-httpd-1.21.orig/htpasswd.1 ++++ mini-httpd-1.21/htpasswd.1 +@@ -9,7 +9,7 @@ htpasswd - manipulate HTTP-server passwo .SH DESCRIPTION .PP Sets a user's password in an httpd-style password file. diff --git a/debian/patches/10-bug-552844-ftbfs-htpasswd.c-onflicting-types.dpatch b/debian/patches/10-bug-552844-ftbfs-htpasswd.c-onflicting-types index 1fe5f5f..1fe5f5f 100644 --- a/debian/patches/10-bug-552844-ftbfs-htpasswd.c-onflicting-types.dpatch +++ b/debian/patches/10-bug-552844-ftbfs-htpasswd.c-onflicting-types diff --git a/debian/patches/fix-add_to_response-buffer-overflow b/debian/patches/fix-add_to_response-buffer-overflow new file mode 100644 index 0000000..33c90ac --- /dev/null +++ b/debian/patches/fix-add_to_response-buffer-overflow @@ -0,0 +1,163 @@ +Description: Fix buffer overflow in add_to_response bug Thanks Peter Kasza +Author: Jose dos Santos Junior <j.s.junior@live.com> +Last-Update: 2015-09-02 +Bug: http://bugs.debian.org/778925 +=================================================================== +Index: mini-httpd-1.21/mini_httpd.c +=================================================================== +--- mini-httpd-1.21.orig/mini_httpd.c ++++ mini-httpd-1.21/mini_httpd.c +@@ -270,7 +270,7 @@ static void start_request( void ); + static void add_to_request( char* str, size_t len ); + static char* get_request_line( void ); + static void start_response( void ); +-static void add_to_response( char* str, size_t len ); ++static void add_to_response( char* str, size_t len, size_t buflen ); + static void send_response( void ); + static void send_via_write( int fd, off_t size ); + static void send_via_sendfile( int fd, int s, off_t size ); +@@ -1655,7 +1655,7 @@ do_dir( void ) + + add_headers( 200, "Ok", "", "", "text/html; charset=%s", contents_len, sb.st_mtime ); + if ( method != METHOD_HEAD ) +- add_to_response( contents, contents_len ); ++ add_to_response( contents, contents_len, sizeof(contents) ); + send_response(); + } + +@@ -2426,9 +2426,9 @@ send_error_body( int s, char* title, cha + \n\ + <h4>%d %s</h4>\n", + s, title, s, title ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + buflen = snprintf( buf, sizeof(buf), "%s\n", text ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + + +@@ -2447,7 +2447,7 @@ send_error_file( char* filename ) + r = fread( buf, 1, sizeof(buf), fp ); + if ( r == 0 ) + break; +- add_to_response( buf, r ); ++ add_to_response( buf, r, sizeof(buf) ); + } + (void) fclose( fp ); + return 1; +@@ -2464,14 +2464,14 @@ send_error_tail( void ) + { + int n; + buflen = snprintf( buf, sizeof(buf), "<!--\n" ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + for ( n = 0; n < 6; ++n ) + { + buflen = snprintf( buf, sizeof(buf), "Padding so that MSIE deigns to show this error instead of its own canned one.\n" ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + buflen = snprintf( buf, sizeof(buf), "-->\n" ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + + buflen = snprintf( buf, sizeof(buf), "\ +@@ -2483,7 +2483,7 @@ send_error_tail( void ) + \n\ + </html>\n", + SERVER_URL, SERVER_SOFTWARE ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + + +@@ -2502,44 +2502,44 @@ add_headers( int s, char* title, char* e + make_log_entry(); + start_response(); + buflen = snprintf( buf, sizeof(buf), "%s %d %s\015\012", protocol, status, title ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + buflen = snprintf( buf, sizeof(buf), "Server: %s\015\012", SERVER_SOFTWARE ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + now = time( (time_t*) 0 ); + (void) strftime( timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &now ) ); + buflen = snprintf( buf, sizeof(buf), "Date: %s\015\012", timebuf ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + s100 = status / 100; + if ( s100 != 2 && s100 != 3 ) + { + buflen = snprintf( buf, sizeof(buf), "Cache-Control: no-cache,no-store\015\012" ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( extra_header != (char*) 0 && extra_header[0] != '\0' ) + { + buflen = snprintf( buf, sizeof(buf), "%s\015\012", extra_header ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( me != (char*) 0 && me[0] != '\0' ) + { + buflen = snprintf( buf, sizeof(buf), "Content-Encoding: %s\015\012", me ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( mt != (char*) 0 && mt[0] != '\0' ) + { + buflen = snprintf( buf, sizeof(buf), "Content-Type: %s\015\012", mt ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( bytes >= 0 ) + { + buflen = snprintf( + buf, sizeof(buf), "Content-Length: %lld\015\012", (long long) bytes ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( p3p != (char*) 0 && p3p[0] != '\0' ) + { + buflen = snprintf( buf, sizeof(buf), "P3P: %s\015\012", p3p ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( max_age >= 0 ) + { +@@ -2548,17 +2548,17 @@ add_headers( int s, char* title, char* e + timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &expires ) ); + buflen = snprintf( buf, sizeof(buf), + "Cache-Control: max-age=%d\015\012Expires: %s\015\012", max_age, timebuf ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + if ( mod != (time_t) -1 ) + { + (void) strftime( + timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &mod ) ); + buflen = snprintf( buf, sizeof(buf), "Last-Modified: %s\015\012", timebuf ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + buflen = snprintf( buf, sizeof(buf), "Connection: close\015\012\015\012" ); +- add_to_response( buf, buflen ); ++ add_to_response( buf, buflen, sizeof(buf) ); + } + + +@@ -2611,8 +2611,11 @@ start_response( void ) + } + + static void +-add_to_response( char* str, size_t len ) ++add_to_response( char* str, size_t len, size_t buflen ) + { ++ if (buflen < len) { ++ len = buflen; ++ } + add_to_buf( &response, &response_size, &response_len, str, len ); + } + diff --git a/debian/patches/fix-append-portno-to-vhost b/debian/patches/fix-append-portno-to-vhost new file mode 100644 index 0000000..13e4df6 --- /dev/null +++ b/debian/patches/fix-append-portno-to-vhost @@ -0,0 +1,24 @@ +Description: Append port number to vhost. + Thanks Steffen Grunewald <steffen.grunewald@gmx.net> +Author: Jose dos Santos Junior <j.s.junior@live.com> +Last-Update:2015-09-05 +Bug: http://bugs.debian.org/491078 +=================================================================== +Index: mini-httpd-1.21/mini_httpd.c +=================================================================== +--- mini-httpd-1.21.orig/mini_httpd.c ++++ mini-httpd-1.21/mini_httpd.c +@@ -2349,7 +2349,13 @@ virtual_file( char* f ) + + /* Use the request's hostname, or fall back on the IP address. */ + if ( host != (char*) 0 ) ++ { + req_hostname = host; ++ char *portno; ++ portno = strpbrk(req_hostname, ":"); ++ if (portno != (char *) 0) ++ *portno++ = '\0'; ++ } + else + { + usockaddr usa; diff --git a/debian/patches/fix-change-index-document-root b/debian/patches/fix-change-index-document-root new file mode 100644 index 0000000..4ba29ad --- /dev/null +++ b/debian/patches/fix-change-index-document-root @@ -0,0 +1,19 @@ +Description: Change the default document root to /var/www/html + and added index.mini-httpd.html in /var/www/html +Author: Jose dos Santos Junior <j.s.junior@live.com> +Last-Update: 2015-09-14 +Bug: http://bugs.debian.org/730373 +=================================================================== +Index: mini-httpd-1.21/mini_httpd.c +=================================================================== +--- mini-httpd-1.21.orig/mini_httpd.c ++++ mini-httpd-1.21/mini_httpd.c +@@ -1140,7 +1140,7 @@ handle_request( void ) + char* cp; + int r, file_len, i; + const char* index_names[] = { +- "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", ++ "index.html", "index.mini-httpd.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", + "index.cgi" }; + + /* Set up the timeout for reading. */ diff --git a/debian/patches/fix-makefile b/debian/patches/fix-makefile new file mode 100644 index 0000000..17a8d60 --- /dev/null +++ b/debian/patches/fix-makefile @@ -0,0 +1,44 @@ +Description: Change DESTDIR and LCFLAGS +Autor: Jose dos Santos Junior <j.s.junior@live.com> +Last-Update: 2015-09-05 +=================================================================== +Index: mini-httpd-1.21/Makefile +=================================================================== +--- mini-httpd-1.21.orig/Makefile ++++ mini-httpd-1.21/Makefile +@@ -19,13 +19,12 @@ CRYPT_LIB = -lcrypt + #SSL_INC = -I$(SSL_TREE)/include + #SSL_LIBS = -L$(SSL_TREE)/lib -lssl -lcrypto + +- +-BINDIR = /usr/local/sbin +-MANDIR = /usr/local/man ++BINDIR =$(DESTDIR)/usr/sbin ++MANDIR =$(DESTDIR)/usr/share/man + CC = cc + CDEFS = $(SSL_DEFS) $(SSL_INC) +-CFLAGS = -O $(CDEFS) -ansi -pedantic -U__STRICT_ANSI__ -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long +-LDFLAGS = -s ++CFLAGS+=-O $(CDEFS) -ansi -pedantic -U__STRICT_ANSI__ -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long ++LDFLAGS+= -s `dpkg-buildflags --get CPPFLAGS` `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get LDFLAGS` + LDLIBS = $(CRYPT_LIB) $(SSL_LIBS) $(SYSV_LIBS) + + all: mini_httpd htpasswd +@@ -34,7 +33,7 @@ mini_httpd: mini_httpd.o match.o tdate_p + $(CC) $(LDFLAGS) mini_httpd.o match.o tdate_parse.o $(LDLIBS) -o mini_httpd + + mini_httpd.o: mini_httpd.c version.h port.h match.h tdate_parse.h mime_encodings.h mime_types.h +- $(CC) $(CFLAGS) -c mini_httpd.c ++ $(CC) $(LDFLAGS) -c mini_httpd.c + + match.o: match.c match.h + $(CC) $(CFLAGS) -c match.c +@@ -76,8 +75,6 @@ install: all + rm -f $(MANDIR)/man8/mini_httpd.8 $(MANDIR)/man1/htpasswd.1 + -mkdir -p $(MANDIR)/man8 + cp mini_httpd.8 $(MANDIR)/man8 +- -mkdir -p $(MANDIR)/man1 +- cp htpasswd.1 $(MANDIR)/man1 + + clean: + rm -f mini_httpd mime_encodings.h mime_types.h htpasswd mini_httpd.rnd *.o core core.* *.core diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..a8a186a --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,6 @@ +fix-change-index-document-root +fix-add_to_response-buffer-overflow +01-manpage +03-cgi-php +fix-makefile +05-manpage-hyphen diff --git a/debian/rules b/debian/rules index be0c02b..84cf36c 100755 --- a/debian/rules +++ b/debian/rules @@ -1,75 +1,11 @@ #!/usr/bin/make -f +# export DH_VERBOSE=1 -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 +%: + dh $@ -include /usr/share/dpatch/dpatch.make - -CFLAGS = -Wall -g - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif - -build: patch - -clean: unpatch - dh_testdir - dh_testroot - rm -f build-stamp - - $(MAKE) clean - - dh_clean - -install: build - dh_testdir - dh_testroot - dh_clean -k - dh_installdirs - - CFLAGS="$(CFLAGS)" $(MAKE) all \ - MANDIR="debian/mini-httpd/usr/share/man" \ - SSL_TREE="/usr" \ - SSL_DEFS="-DUSE_SSL" \ - SSL_INC="-I${SSL_TREE}/include/openssl" \ - SSL_LIBS="-L${SSL_TREE}/lib -lssl -lcrypto" - - # Moving index.html to its designated directory. - install -D -m 0644 debian/html/index.html debian/mini-httpd/usr/share/mini-httpd/html/index.html - - # Moving mini_httpd to its designated directory. - install -D mini_httpd debian/mini-httpd/usr/sbin/mini-httpd - - # Moving htpasswd to its designated directory. - #install -D htpasswd debian/mini-httpd/usr/bin/htpasswd - - # Moving manpages to its designated directory. - #install -D htpasswd.1 debian/mini-httpd/usr/share/man/man1/htpasswd.1 - install -D mini_httpd.8 debian/mini-httpd/usr/share/man/man8/mini-httpd.8 - - # Moving example configuration to its designated directory. - install -D -m 0644 debian/config/mini-httpd.conf debian/mini-httpd/etc/mini-httpd.conf - -binary-indep: build install - -binary-arch: build install - dh_testdir - dh_testroot - dh_installchangelogs - dh_installdocs - dh_installinit - dh_link - dh_compress - dh_fixperms - dh_installdeb - dh_shlibdeps - dh_strip - dh_gencontrol - dh_md5sums - dh_builddeb - -binary: binary-indep binary-arch -.PHONY: build clean binary-indep binary-arch binary install +override_dh_auto_install: + dh_auto_install + install -D mini_httpd debian/mini-httpd/usr/sbin/mini_httpd + rm -f debian/mini-httpd/usr/sbin/htpasswd + dh_installchangelogs debian/upstream.changelog
\ No newline at end of file diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..46ebe02 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt)
\ No newline at end of file diff --git a/debian/upstream.changelog b/debian/upstream.changelog new file mode 100644 index 0000000..2998366 --- /dev/null +++ b/debian/upstream.changelog @@ -0,0 +1,176 @@ +# Extracted from http://www.acme.com/software/mini_httpd/ + +New in version 1.21: + - Disable SSL 3 because of the "poodle" attack. + +New in version 1.20: + - Better handling for very large files. + - Use TCP_CORK if it's available and TCP_NOPUSH is not. + - Ignore ECONNABORTED on accept(). + - Removed mailto: link from the default index page. + - Allow CGIs to provide both Location and Status headers. (A. Skrobov) + - Better logic for figuring out CGI SERVER_NAME environment variable. (Oleg) + - Updated for clang, and general cleanup. + +New in version 1.19: + - Prohibit "Host: ." and "Host: .." (David Leadbeater). + - Use the specified charset in directory listings and errors (Jonas Ohlsson). + - Close and re-open the log file on SIGHUP. This includes code to chown + the log file when starting up as root so that after switching + uids to nobody (or whatever user you configure) it can still be re-opened. + And there's also code to tweak the logfile pathname after a chroot so that + it still works. + - Generate multiple MIME encodings in the correct order, + and with the correct separator. + - Re-wrote the read() and write() loops to handle EINTR and EAGAIN. + - Save and restore errno in signal handlers. + - Corrected possible buffer overflow in building CGI + environment (Bernhard Reiter). + - Simplified handling of HAVE_INT64T (Trisk). If this causes problems, e.g. + if there are still systems which don't have "long long", we can back out the change. + - Automatically add no-cache control header on error responses. + +New in version 1.18: + - Added a bunch of MIME types. + - Allow blank lines in the config file. + - Digital Unix 4.0d doesn't have int64_t. + - Use unsigned short consistently for port number. + - Prohibit slashes in the Host: header (Marcus Breiing). + - For some reason there was never a timeout on writing the response, only on reading the request; fixed. + - Don't send Content-Length header on 304 Not Modified responses. + - Allow user-agent log entries to be up to 200 characters long, instead only of 80. + - Changed most uses of \r and \n to \015 and \012 (Jens Bauer). + - Got rid of extra slash in PATH_TRANSLATED (Benedikt Hochstrasser). + +New in version 1.17: + - Simplified the IPv6 ifdefs. + - Remove /./ in de_dotdot() (Dana Dahlstrom). + - Added an madvise(MADV_SEQUENTIAL) call for the cases that use mmap(). + - Added .xhtml and .xht to mime_types.txt (suggested by Dave Hodder). + - Made the list of possible index filenames into an array instead of hard-coded. + - Added a bunch of syslogs. + - On generated pages which set BGCOLOR, also set TEXT LINK and VLINK. + - Added some OpenOffice MIME types (Dave Hodder). + +New in version 1.16: + - Some fixes for unusual cases in the CGI file-descriptor shuffling (Michael Gorlick). + - On SysV use sigset() instead of signal() (David Koblas). + - Set up accept filters after listen() (Kris Spinka). + - Preserve query string when doing a missing-slash directory redirect. + - New port.h defines for NetBSD. + - Fix for security hole that exposed contents of .htpasswd in some cases (noticed by zeno@cgisecurity.com). + - Allow (and ignore) extra fields in .htpasswd files. + - Added PATH_INFO to CGI environment (Benedikt Hochstrasser). + - Close log file before running CGI (Damien Miller). + - Integrated directory lister (Damien Miller). + - Added a shutdown() call to cgi_interpose_output(). + - Added some Microsoft MIME types (Kevin Day). + - Use binary search to figure MIME types (suggested by Sascha Schumann and Rob Ekl). + - Linux's sendfile has a different calling sequence. + - Set TCP_NOPUSH socket option. + - Switch htpasswd from using tmpnam to mkstemp. + - Use memmove instead of memcpy. + - Fix to de_dotdot (Mark Dunlap). + - Added portability defines for Digital Unix. + - Off-by-one error in base-64 decoding (Archie Cobbs). + - URL-encoding in directory listings. + - Fix (harmless) subprocess SEGV on null requests (noticed by Tyler Mitchell). + - Ignore EINTR on select call when doing IPv4 and IPv6 (noticed by Tyler Mitchell). + - Added -V version flag. + - Added a timeout on request reading. + - Corrected some uses of size_t and off_t. + - Now able to serve files larger than 2GB. + - Default installation direction is now /usr/local/sbin, not /usr/local/bin. + - Added a scripts subdirectory with some sample code for FreeBSD systems. + - Added a -P flag for setting the P3P header. + - Added a -C config-file option similar to thttpd's. + - Added flags to specify the SSL certificate file and cipher set. + - Simplified the OS-detection ifdef maze in port.h (Damien Miller). + - Split match() into a separate file, like it is in thttpd. + - Added non-local referer filtering similar to thttpd's. + - Implemented content-encoding header. + - Added rudimentary option to set cache-control headers. + +New in version 1.15c: + - Fix for the garbage characters after POST data hack. + +New in version 1.15b: + - Fix syntax oops when SSL is defined. + +New in version 1.15: + - Update SSL support to current version of OpenSSL. + - Close extraneous file descriptors on CGI calls - from Russell Dill. + - Hack to deal with garbage characters after POST data generated by some browsers. + - Use sendfile() if available. + - Use accept filters if available. + +New in version 1.14: + - Added hack to prevent MSIE 5 from censoring error messages. + - IPv6/Linux fix from Tero Pelander. + - Documented the -D flag. + +New in version 1.13: + - Added some MIME types to support WAP/WML. + - Made MIME text character-set an option, with iso-8859-1 the default. + +New in version 1.12: + - Fix for directory indexes on Linux - symlinks were not indexing right + due to a bug in Linux's ls. + - Solaris/SysV fix - it was exitting after serving a single request, due + to SIGCHLD generating an EINTR. + - A change in the way wildcard matching works - now a single * only matches + strings that don't include a slash. To match entire pathnames including + slashes you have to use **. + - Fix for index.cgi - it was returning the file's contents instead of running it. + - On systems with IPv6, automatically bind to both v4 and v6 sockets. + - Added charset=iso-8859-1 to text MIME types. + +New in version 1.11: + - Portability fix for Debian, which lacks gai_strerror(). + - Couple of CGI tweaks from David Chaiken. + - A change to SIGPIPE handling. + +New in version 1.10: + - Support for filenames with spaces in them. + - Use standard isxdigit macro instead of is_hexit routine. + +New in version 1.09: + - IPv6 support. + - Fix to If-Modified-Since - some leap year problems. + - New version of match(). + - Minor fix to the page returned by authentication. + +New in version 1.08: + - Custom error pages. + - Better ".." handling. + - Disallow listing of virtual host directory. + +New in version 1.07: + - Fix for remote-user logging. + +New in version 1.06: + - Security fix to directory indexing, for dirs with a single quote. + +New in version 1.05: + - Minor fix to the directory indexing to handle dirs that start with a tilde. + +New in version 1.04: + - Tweak chroot() and setuid() calls, so that the username to switch uids to + gets looked up before the chroot(). + +New in version 1.03: + - Bugfix for CGI header parsing + if the CGI was sending binary data (e.g. images), + the result could get truncated or corrupted. + +New in version 1.02: + - Bugfix for CGI header parsing. + - Call setlogin() if it's available. + +New in version 1.01: + - CGI header parsing. + - If-Modified-Since / 304. + - Chroot. + +New in version 1.00: + - SSL. |