| Commit message | Author | Age |
Do not assume a single-threaded environment anymore if external polling
is used.
The application is free to use multiple threads if MHD is in the external
polling mode.
The new flag could be used to disable some thread-safety in MHD to
improve single-thread processing speed and resource usage. Basically,
the new flag restores the old behaviour for external polling mode.
|
This should provide better compatibility with platforms with the ability
to override FD_SETSIZE.
The new option is used in examples and tests.
|
This is a correction for a225047802d49add197983055005f55559d7b47f
|
* The new algorithm parses the headers in one pass (including folded
headers), thus multiple passes over the same memory area are avoided
(efficiency for large headers should be improved).
* Strict implementation of RFC 9110 and 9112 requirements, including
replacing or reporting an error for unacceptable characters.
* Implemented various levels of strictness for request interpretation:
three levels within RFC requirements (more strict and more secure; less
strict and more compatible with various clients; balanced (default)),
one more relaxed level with violation of RFC's SHOULD/SHOULD NOT,
one even more relaxed level with violation of MUST/MUST NOT,
one stricter level than required by RFC, but absolutely compatible with
clients following RFC's MUST/MUST NOT, and one more even stricter level
compatible with clients following both MUST/MUST NOT and
SHOULD/SHOULD NOT.
* Added detection and handling of more erroneous situations, like space
at the start of the first line (as recommended by RFC).
* Added more detailed responses for invalid requests with descriptions
of the found problems (as recommended by RFC).
* If many chars have been replaced, only a summary is reported instead
of flooding logs with messages when the request is badly constructed.
* Whitespace in header values is trimmed at the start and at the end. No
need to handle extra spaces in the app or when using headers in other
MHD parts, like cookie parsing.
* Overall: increased flexibility, the security must be improved,
much better compliance with the standards.
|
* The new algorithm parses the request line in one pass, thus multiple passes
over the same memory area are avoided (efficiency for large URIs should
be improved).
* Strict implementation of RFC 9110 and 9112 requirements, unacceptable
characters are replaced or treated as errors.
* Implemented various levels of strictness for request interpretation:
three levels within RFC requirements (more strict and more secure; less
strict and more compatible with various clients; balanced (default)),
one more relaxed level with violation of RFC's SHOULD/SHOULD NOT,
one even more relaxed level with violation of MUST/MUST NOT,
one stricter level than required by RFC, but absolutely compatible with
clients following RFC's MUST/MUST NOT, and one more even stricter level
compatible with clients following both MUST/MUST NOT and
SHOULD/SHOULD NOT.
* Added more detailed responses for invalid requests with descriptions
of the found problems (as recommended by RFC).
* Limited the number of empty lines skipped before the request (as
recommended by RFC).
* Implemented automatic redirection responses for request targets
with forbidden characters (as recommended by RFC).
* Overall: increased flexibility, the security must be improved,
much better compliance with the standards.
|
Reject URIs with spaces as per RFC.
Fixed check for space before colon in headers (previously it was checked
only when MHD was NOT strict).
Reject HTTP/1.1 requests without host by default (as per RFC).
|
Now if some data has been processed by Access Handler Callback, zero
timeout is used for the next turn and at the same time more data is
read (if available) from the network.
If Access Handler Callback has not processed any data, MHD will wait
for additional data to come.
|
Give more flexibility for custom builds: MD5, SHA-256 and SHA-512/256
may be disabled individually.
|
check nonces for Digest Auth
|
This should improve readability of the code and simplify reset.
|
The URL may have binary zeros after URL-decoding; the length helps to detect
such situations.
|
Thanks Christian for spotting it.
|
This also saves some RAM for the nonce-nc map array.
|
772 (0 != nn->nonce[noncelen]) )' by making buffer one element larger
|
Added a single function to parse the header strings of all enabled
authentication schemes.
The parsing result is cached and reused, thus avoiding repetitive header
parsing.
The new function correctly "unquotes" values (backslashes are removed)
as required by RFC.
|