From the lighttpd-announce-list (see URL):
------------------------------------------------------------------
Dear users,

in lighttpd 1.3.7 and below it is possible to fetch the source files which should be handled by CGI or FastCGI applications.

- How to reproduce:
append a %00 to the filename: http://www.example.org/index.php%00

- Description
Control sequences are not mapped out in buffer_urldecode() in buffer.c, which leads to a \0 sequence in the filename, while lighttpd handles the %00 as part of the filename.

- Fix
1. upgrade to the latest version 1.3.10
2. apply the fixes referenced at http://wiki.lighttpd.net/7.html#A12
3. apply the attached fix

- affected versions
1.3.7 and below

- not affected
1.3.8 and above
1.3.7 and below if
- no CGI or FastCGI is used
- no CGI is used and FastCGI is running on a remote host
------------------------------------------------------------------

Reproducible: Always
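The mismatch the advisory describes, modelled as an added example (not lighttpd code): a decoder that lets a %00 through yields a buffer whose suffix check no longer ends in ".php", so the request falls through to the static-file handler, while the C-string view that a file open sees stops at the NUL and still points at the script. The hardened decoder rejects any decoded control byte. Names and the sample paths are constructed for this illustration.

```python
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

# Suffixes that should be routed to CGI/FastCGI rather than served as files (constructed).
CGI_SUFFIXES = (b".php", b".cgi")

def naive_urldecode(path: str) -> bytes:
    """Decode %XX sequences without filtering control bytes (the pre-1.3.8 behaviour)."""
    return unquote_to_bytes(path)

def safe_urldecode(path: str) -> Optional[bytes]:
    """Hardened decode: refuse any decoded byte below 0x20 or equal to 0x7f.

    Returns None when the request should be rejected (e.g. 400 Bad Request)."""
    decoded = unquote_to_bytes(path)
    if any(b < 0x20 or b == 0x7f for b in decoded):
        return None
    return decoded

def handler_for(decoded: bytes) -> str:
    """Handler selection on the full decoded buffer, trailing NUL included."""
    return "fastcgi" if decoded.endswith(CGI_SUFFIXES) else "static"

def c_string_view(decoded: bytes) -> bytes:
    """What a C library call such as open(2) sees: bytes up to the first NUL."""
    nul = decoded.find(b"\x00")
    return decoded if nul < 0 else decoded[:nul]

def dispatch(path: str, hardened: bool) -> Tuple[str, Optional[bytes]]:
    """Return (handler, file the OS would open); ('rejected', None) when refused."""
    decoded = safe_urldecode(path) if hardened else naive_urldecode(path)
    if decoded is None:
        return ("rejected", None)
    return (handler_for(decoded), c_string_view(decoded))

def log_line_has_encoded_control(request_line: str) -> bool:
    """Detection helper for access logs: flag %00..%1f / %7f in a request line."""
    decoded = unquote_to_bytes(request_line)
    return any(b < 0x20 or b == 0x7f for b in decoded) and decoded != request_line.encode()

if __name__ == "__main__":
    for hardened in (False, True):
        print(hardened, dispatch("/index.php%00", hardened))
```

With hardening off, dispatch("/index.php%00", False) yields the static handler opening /index.php, which is exactly the source-disclosure path; with hardening on, the request is rejected.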
Sorry, there is one thing I forgot to mention: The license of the lighttpd-package has changed from QPL-1.0 to a BSD-style-Licence with version 1.3.5. This change should be reflected when bumping to a current version.
web-apps please bump. http://www.lighttpd.net/news/
I actually have a 1.3.10 ebuild I've been working on; I just need to integrate the spawn-fcgi init/conf scripts into lighttpd as it is now a part of lighttpd. I'll see if I cannot get this finished today.
Have a look at 76575 - here I changed some things like that for 1.3.7
see http://bugs.gentoo.org/show_bug.cgi?id=76575#4
argh, sorry, that's the comment I meant: http://bugs.gentoo.org/show_bug.cgi?id=76575#c4
Committed. Sorry for not getting this done as soon as I said I would.
Thx Aaron. This one is ready for GLSA. Security please vote. I tend to vote YES on this one.
Voting yes too.
I'm testing at the moment, some things I noticed in http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/www-servers/lighttpd/lighttpd-1.3.10.ebuild?rev=1.1&content-type=text/plain

- a lighttpd user & group is created, but I cannot find where they are put into lighttpd.conf, to replace the following lines:

#server.username = "wwwrun"
#server.groupname = "wwwrun"

(replace "wwwrun" with "lighttpd" and remove #)

In my ebuild I used the following lines to do this:

sed -i -e 's:^#server.username.*:server.username = "lighttpd":1' ${D}/etc/lighttpd.conf
sed -i -e 's:^#server.groupname.*:server.groupname = "lighttpd":1' ${D}/etc/lighttpd.conf

But that's not nice, I think the better way would be to use lighttpd-1.1.8-gentoo.diff, perhaps change it to lighttpd-1.3.10-gentoo.diff (${P}-gentoo.diff).

An issue with: http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/www-servers/lighttpd/files/lighttpd-1.3.10-php.diff?rev=1.1&content-type=text/plain

in the following diff

diff -urN lighttpd-1.3.10.orig/doc/lighttpd.1 lighttpd-1.3.10/doc/lighttpd.1
-/etc/lighttpd/lighttpd.conf
+/etc/lighttpd.conf

is this change only necessary if used with php? Because as I understand this patch is conditional in lighttpd-1.3.10.ebuild:

use php && epatch ${FILESDIR}/${P}-php.diff

Perhaps the "lighttpd.1 diff" should be moved to ${FILESDIR}/${P}-gentoo.diff
the lighttpd author also recommends using the following patches: http://wiki.lighttpd.net/7.html#A14
Ok, there's a few things I need to fix but that do not hinder the status of this bug:
- I forgot that the licensing has changed to BSD
- Yes, the default lighttpd.conf should contain the new change to lighttpd user/group
- Yes, the man page should be patched regardless of USE=php; this is a bug I should've caught when porting the php patch to 1.3.10, so my mistake.

I'll release a -r1 asap, but like I said these are minor and have no effect on this bug.
1.3.10-r1 is in cvs.
Drafted
GLSA 200502-21