Small and lightweight web framework written in C99 and POSIX.1-2008. https://gitea.privatedns.org/xavi/libweb/atom?h=v0.4.0 2024-08-22T00:27:34+00:00 2024-08-22T00:27:34+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-08-21T23:56:20+00:00 urn:sha1:34b62bd0c47c915a12ff1b81f52b123fc3eb4a69 According to RFC 2046, section 5.1.1, end boundaries might not be followed by CRLF. However, so far libweb naively relied on this behaviour as major implementations, such as cURL, Chromium or Gecko always add the optional CRLF, whereas Dillo does not. 2024-08-22T00:27:34+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-08-21T21:33:00+00:00 urn:sha1:3a25e79f269aa171f4e5646d52eb2f90d275cb3c "multipart/form-data"-encoded POST requests might use double quotes for their boundaries. While this is required when invalid characters are otherwise used (e.g.: ':'), some web clients always insert double quotes. Additionally, according to RFC 2046 section 5.1.1, the boundary parameter consists of 1 to 70 characters, but libweb was not imposing such restrictions. 2024-08-22T00:27:34+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-08-21T21:55:21+00:00 urn:sha1:700ae79d57b1d78551d984ce2dc886a310cc6be8 This parameter was rendered obsolete after the following commit: commit b0accd099fa8c5110d4c3c68830ad6fd810ca3ec Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com> Date: Fri Nov 24 00:52:50 2023 +0100 http.c: Unify read operations 2024-08-22T00:27:34+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-08-21T21:15:44+00:00 urn:sha1:915be88ddcebac61dc06cc47668961b602e01b38 2024-08-22T00:27:33+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-08-22T00:18:14+00:00 urn:sha1:15686de86f15866041107bd9830834636008fe1b For some unknown reason, ctx_free was only called by update_lstate, but this is not the only function that modifies a struct ctx instance. Since struct ctx is related to read operations, ctx_free must instead be called whenever http_read fails. 2024-08-22T00:24:42+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-08-21T21:14:20+00:00 urn:sha1:407b5d32156d60420f83d6e0567e9b3e9c878ad9 p->f is a FILE *, so it is invalid to check against negative values. This bug was introduced when p->fd, a file descriptor, was replaced with p->f, a FILE *, by the following commit: commit b0accd099fa8c5110d4c3c68830ad6fd810ca3ec Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com> Date: Fri Nov 24 00:52:50 2023 +0100 http.c: Unify read operations 2024-02-19T22:00:56+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-02-19T22:00:56+00:00 urn:sha1:afe0681c0b26bb64bad55d7e86770f346cfa043e A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources. 2024-01-20T00:19:57+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2024-01-20T00:05:05+00:00 urn:sha1:43be8d95f681c8240847b4f69a524a0ab20d5c83 Profiling showed that reading multipart/form POST uploads byte-by-byte was too slow and typically led to maximum CPU usage. Therefore, the older approach (as done up to commit 7efc2b3a) was more efficient, even if the resulting code was a bit uglier. 2023-11-24T00:36:38+00:00 Xavier Del Campo Romero xavi.dcr@tutanota.com 2023-11-23T23:52:50+00:00 urn:sha1:b0accd099fa8c5110d4c3c68830ad6fd810ca3ec So far, libweb would perform different read operations depending on its state: - For HTTP headers or request bodies, one byte at a time was read. - For multipart/form-data, up to BUFSIZ bytes at a time were read. However, this caused a significant extra number of syscalls for no reason and would increase code complexity, specially when parsing multiform/form-data boundaries. Now, http_read always reads up to BUFSIZ bytes at a time and process them on a loop. Apart from reducing code complexity, this should increase performance due to the (much) lower number of syscalls required. 2023-11-20T15:34:24+00:00 Xavier Del Campo xavier.delcampo@midokura.com 2023-11-17T13:56:07+00:00 urn:sha1:1750bbd7ec7277375c0ccd815cd2aed541e7e862