Module name: src
Changes by: florian@cvs.openbsd.org 2014/07/31 03:23:53

Modified files:
usr.sbin/httpd : Makefile httpd.h server_http.c
Added files:
usr.sbin/httpd : server_fcgi.c

Log message:
Put in first stab at fastcgi. Very early work in progress. Putting it
in now so that we can quickly work on it in tree. Requested by reyk@.
deraadt@ is OK with this according to reyk@.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/07/31 03:34:57

Modified files:
usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y
server_http.c

Log message:
Add a configuration variable "fastcgi" to enable it per server or location.

http://undeadly.org/cgi?action=article&sid=20140731130633

Contributed by [pitrh](http://bsdly.blogspot.com/) on Thu Jul 31 13:05:27 2014 (GMT)
from the states of confusion dept.

[Sevan Janiyan]() writes:

> It's possible to misuse NAT to load balance outbound traffic across multiple internet connections from different service providers,see the [Load Balance Outgoing Traffic](http://www.openbsd.org/faq/pf/pools.html#outgoing) section of [PF FAQ](http://www.openbsd.org/faq/pf).

The shortfall with this configuration is when implemented alongside unstable links, forwarding will continue to be attempted over the links which are down, this will cause issues such as long hangs for users behind the NAT while connections time out. To mitigate this, `ifstated` can be used to smooth things over.


Read the rest at [geeklan.co.uk](https://www.geeklan.co.uk/?p=1564), Sevan's blog site.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/07/31 07:28:15

Modified files:
usr.sbin/httpd : config.c httpd.h parse.y server_file.c

Log message:
Rename the "docroot" variable to "path" because it will be used for
either files or the fastcgi socket (and there's no need to use a union yet).

Module name: ports
Changes by: ajacoutot@cvs.openbsd.org 2014/07/31 07:40:26

Modified files:
print/cups : Tag: OPENBSD_5_5 Makefile
print/cups/patches: Tag: OPENBSD_5_5 patch-scheduler_client_c

Log message:
Security: Addressed some more situations where symlinked files would be
served by the web interface (STR #4455).
(Incomplete fix for CVE-2014-3537 (CVE-2014-5029/5030/5031))

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/07/31 08:18:38

Modified files:
usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y
server_fcgi.c

Log message:
Allow to specify a non-default fastcgi socket.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/07/31 08:25:14

Modified files:
usr.sbin/httpd : httpd.h server.c server_fcgi.c server_file.c

Log message:
One bufferevent can be shared by file and fcgi.

Module name: src
Changes by: ajacoutot@cvs.openbsd.org 2014/07/31 08:57:41

Modified files:
etc/rc.d : rc.subr

Log message:
In debug mode, properly sort and drop duplicates so that we don't end
up with a confusing output like:
multicast_host >NO<
<...>
multicast_host >YES<

Also properly evaluate values _after_ running _rc_quirks() because these
can modify flags.

ok robert@ halex@

Module name: src
Changes by: pelikan@cvs.openbsd.org 2014/07/31 11:37:52

Modified files:
sys/ufs/ext2fs : ext2fs_bswap.c ext2fs_dinode.h ext2fs_inode.c
ext2fs_vfsops.c

Log message:
use proper on-disk inode size: no more, no less.

Reported by Roman Yakovlev, thanks!

"do it now" deraadt

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/07/31 11:55:09

Modified files:
usr.sbin/httpd : httpd.h server_fcgi.c server_file.c
server_http.c

Log message:
some fastcgi improvements:
- DPRINTF instead of log_info for internal debugging.
- submit QUERY_STRING, if it exists
- use a proper function to create an HTTP header.
- use server_file_error() to detect EOF and fastcgi stream errors.
- disable keep-alive/persist for now until we have a reliable way to
get the content length from the cgi response or support chunked
encoding.

"Cool, jep" florian@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/07/31 12:07:11

Modified files:
usr.sbin/httpd : httpd.h server_fcgi.c server_http.c

Log message:
Only write the HTTP header for the first fastcgi chunk.

Module name: src
Changes by: jasper@cvs.openbsd.org 2014/07/31 12:14:46

Modified files:
sys/dev/ic : aac.c

Log message:
unbreak aac(4) by re-adding uvm_extern.h for ptoa()

ok deraadt@ sthen@

Module name: src
Changes by: pelikan@cvs.openbsd.org 2014/07/31 13:11:39

Modified files:
sys/ufs/ext2fs : ext2fs_vfsops.c

Log message:
always use the little-endian copy of a superblock.

Damn those memcpy-wrapping macros!

"do it" deraadt

Module name: src
Changes by: pelikan@cvs.openbsd.org 2014/07/31 13:49:25

Modified files:
sbin/newfs_ext2fs: mke2fs.c

Log message:
unbreak the build - e2fs_isave now needs the superblock.

Module name: xenocara
Changes by: matthieu@cvs.openbsd.org 2014/07/31 14:13:40

Modified files:
app/xterm : Makefile
app/xterm/resize: Makefile

Log message:
Complete man page substitutions for xterm(1) and resize(1)

problem noticed by and tweaks by naddy@. ok deraadt@

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/07/31 19:32:09

Modified files:
sys/dev : softraid.c

Log message:
When attempting to rebuild a softraid volume, use the actual data offset
from the volume metadata rather than the currently defined data offset.
This allows rebuilds to work correctly when the volume metadata has a
different data offset to that currently in use (for example, volumes
created prior to softraid gaining boot support).

Found the hard way by henning@

ok deraadt@

Module name: www
Changes by: nick@cvs.openbsd.org 2014/07/31 19:41:09

Modified files:
faq : faq11.html

Log message:
luna88k has X! Info and diff from aoyama@, thanks!

Module name: src
Changes by: rpe@cvs.openbsd.org 2014/07/31 22:57:01

Modified files:
etc/rc.d : rc.subr

Log message:
Don't return, just skip over non existing rc.conf or rc.conf.local file.

OK ajacoutot@ halex@

http://undeadly.org/cgi?action=article&sid=20140801081629

Contributed by [jj](http://www.inet6.se) on Fri Aug 1 08:14:46 2014 (GMT)
from the block-cipher-diaries dept.

On this week's [episode](http://www.bsdnow.tv/episodes/2014_07_30-liberating_ssl), the [BSDNow](http://www.bsdnow.tv) crew gabs about the BSD tribe, continues the recursive Undeadly mentions, interviews [LibreSSL](http://www.libressl.org) portable maintainer Brent Cook (bcook@), and Bob Beck (beck@) writes in to let the hosts know about arc4random-related FreeBSD porting issues.

**[** [Video](http://www.podtrac.com/pts/redirect.mp4/201406.jb-dl.cdn.scaleengine.net/bsdnow/2014/bsd-0048-432p.mp4) **|** [HD Video](http://www.podtrac.com/pts/redirect.mp4/201406.jb-dl.cdn.scaleengine.net/bsdnow/2014/bsd-0048.mp4) **|** [MP3 Audio](http://www.podtrac.com/pts/redirect.mp3/traffic.libsyn.com/jbmirror/bsd-0048.mp3) **|** [OGG Audio](http://www.podtrac.com/pts/redirect.ogg/traffic.libsyn.com/jbmirror/bsd-0048.ogg) **|** [Torrent](http://bitlove.org/jupiterbroadcasting/bsdnowhd) **]**

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/01 02:34:46

Modified files:
usr.sbin/httpd : httpd.h server.c server_fcgi.c

Log message:
Correctly parse fcgi records if we don't get the whole record in one
bufferevent_read().
Input/OK reyk@

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/01 12:26:32

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
Rewrite fcgi_add_param and hand over a lot more http headers etc. to
the cgi script.
OK reyk@
"blanket OK" for changes in httpd for the time beeing from deraadt@

Module name: src
Changes by: doug@cvs.openbsd.org 2014/08/01 15:51:02

Modified files:
usr.sbin/httpd : httpd.conf.5 httpd.h parse.y server_http.c

Log message:
Add common and combined access logging to httpd.

ok reyk@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/01 15:59:56

Modified files:
usr.sbin/httpd : httpd.c httpd.conf.5 httpd.h parse.y server.c

Log message:
remove the global "log updates/all" option that came from relayd.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/01 16:24:05

Modified files:
usr.sbin/httpd : httpd.h server.c server_http.c

Log message:
Use the log buffer to defer the logging until the connection is closed
or the request completed. Turn the old log message into a debug message.

ok doug@

Module name: src
Changes by: jmc@cvs.openbsd.org 2014/08/02 02:07:07

Modified files:
usr.sbin/httpd : httpd.conf.5

Log message:
remove nasty unclosed Xo in previous; ok reyk

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/02 03:46:51

Modified files:
usr.sbin/httpd : server_file.c

Log message:
scandir(3)-based directory auto index didn't work on NFS because the
file system is not filling in d_type properly. Using st_mode from the
stat call fixes the problem, eg. S_ISDIR(st.st_mode) instead of
dp->d_type == DT_DIR. Pointed out by pelikan@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/02 03:54:13

Modified files:
usr.sbin/httpd : httpd.c server_fcgi.c server_file.c

Log message:
spacing

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/02 04:24:36

Modified files:
usr.sbin/httpd : httpd.conf.5

Log message:
'fastcgi socket "path"' is the correct syntax; update the manpage.
Found by jsg@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/02 05:52:01

Modified files:
usr.sbin/httpd : httpd.h server.c server_fcgi.c

Log message:
Allow to specify a FastCGI TCP socket on localhost (eg. :9000). Used
for debugging, you should prefer local UNIX sockets, but it helped to
find an issue that will be fixed with the next commit.

OK florian@

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/02 05:59:04

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
We need to read from the fcgi bufferevent until it's empty because the
event handler will not be called again if no new data arrives.
Debugged with and OK reyk@

Module name: www
Changes by: nick@cvs.openbsd.org 2014/08/02 09:58:32

Modified files:
faq : faq10.html

Log message:
typo; from vigdis + openbsd at chown dot me via misc@. Thanks!

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/02 11:05:18

Modified files:
usr.sbin/httpd : httpd.h server_fcgi.c

Log message:
Padding of fcgi records is optional, but if we receive padding data we
should read it.

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/02 11:42:25

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
don't leak fcgi fd

Module name: src
Changes by: doug@cvs.openbsd.org 2014/08/02 15:21:47

Modified files:
usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y
server_http.c

Log message:
Locations now inherit access log settings from the server.

Add log to the server flags.

input/"Looks ok" reyk@

Module name: www
Changes by: nick@cvs.openbsd.org 2014/08/02 20:31:32

Modified files:
faq : upgrade55.html

Log message:
ldap is fun^Wanother problem for upgraders. From Matthew Weigel, thanks!

Module name: www
Changes by: deraadt@cvs.openbsd.org 2014/08/02 20:53:06

Added files:
. : 56.html

Log message:
scaffold for 56 release

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 04:22:30

Modified files:
usr.sbin/httpd : server_http.c

Log message:
Prefer getnameinfo() with NI_NUMERICHOST over inet_ntop because it is also
aware of the IPv6 scope Id. We already have a function print_host() that
uses getnameinfo, so no need for the inet_ntop cases. Confirmed by florian@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 04:26:44

Modified files:
usr.sbin/httpd : httpd.conf.5 httpd.h parse.y server.c
server_http.c

Log message:
Add another log mode "connection" for a relayd(8)-style log entry after
each connection, not every request. The code was already there and enabled
on debug, I just turned it into an alternative log format.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 04:38:42

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
Add missing log call for FastCGI requests.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 05:16:10

Modified files:
usr.sbin/httpd : config.c httpd.h parse.y server_fcgi.c
server_file.c

Log message:
Split fastcgi socket path and document root option and add the
SCRIPT_FILENAME CGI param with a prepended root. This fixes php-fpm
that expects SCRIPT_FILENAME and also works with slowcgi if you
configure the root correctly. For example, if SCRIPT_NAME and
REQUEST_URI are /php/index.php, root is /htdocs, SCRIPT_FILENAME will
be /htdocs/php/index.php. As tested and discussed with florian@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 05:28:58

Modified files:
etc/examples : httpd.conf

Log message:
More examples, include FastCGI for php and cgi-bin and logging.

http://undeadly.org/cgi?action=article&sid=20140803122705

Contributed by [tbert](http://bsdly.blogspot.com/) on Sun Aug 3 05:54:09 2014 (GMT)
from the sandwich makes itself dept.

Christian Weisgerber wrote in with this report from g2k14:

> I updated the gettext port, of course. What'd you think I'd do at a hackathon?

The most interesting thing I worked on at g2k14 started out with a question: Why exactly do we run the fake step as root? (Hint: FreeBSD's corresponding stage infrastructure does not.)

> Because ports want to install with "install -o root -g bin"? But they only do so because we tell them to. We pass those flags to configure. We just need to stop doing this.
>
> Because some ports want to set a special user/group and chmod to suid/sgid? The vast majority of ports do not and the few that do already require corresponding annotations in the PLIST. Why not just use this metadata for the package, instead of the actual file modes?
>
> Really, most ports could be built just fine without sudo. Those that do not can be annotated, FAKE_AS_ROOT=Yes, and fixed eventually. (You will still need sudo for installing dependencies, though.) All that is required is a little bit of support in our infrastructure.
>
> To this end I came up with patches to bsd.port.mk and pkg_add that accomplish this. Initial testing revealed a number of ports modules that would also require minor tweaking, but as expected it became clear that rather few changes would go a long way to handling most of the ports tree.
>
> At this stage this is merely a proof of concept, showing that the approach is workable. To be revisited once the 5.6 release is out the door.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 05:51:40

Modified files:
etc/examples : httpd.conf

Log message:
The first server example should be the "minimal default" to illustrate
that you don't have to push all kinds of buttons to run httpd.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/03 06:26:19

Modified files:
usr.sbin/httpd : httpd.h server_fcgi.c server_http.c

Log message:
Add function to iterate all headers. No functional change.

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/03 08:23:59

Modified files:
sys/dev/ic : bwi.c

Log message:
When stsp changed bwi_encap() for 30 bit addresses in rev 1.106 code
that used to always initialise the error variable is no longer run.

And at the end of bwi_encap() there is:

if (error)
m_freem(m);
return (error);

Fixing this prevents packet loss stsp was seeing.

ok stsp@ miod@ deraadt@

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/03 08:30:28

Modified files:
sys/dev/usb : ehci.c

Log message:
don't return unitialised memory on error in ehci_alloc_sqtd()

It seems mpi introduced a problem into ehci.c rev 1.162
two weeks ago. An error check that used to return NULL
now jumps to the end of the function, but sqtd isn't
initialised at that point.

ok miod@ deraadt@

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/03 08:35:30

Modified files:
lib/libressl : ressl_verify.c

Log message:
X509_NAME_get_text_by_NID() returns -1 on error so the type
the return value is stored in must be signed. Fixes a test for error.

ok jsing@ guenther@

Module name: www
Changes by: pascal@cvs.openbsd.org 2014/08/03 08:43:58

Modified files:
. : 56.html

Log message:
Update version numbers, create LibreSSL section, talk about ssp-strong, PIE
for powerpc and other security improvements.

Module name: www
Changes by: espie@cvs.openbsd.org 2014/08/03 08:52:58

Modified files:
. : 56.html

Log message:
locate databases
package updates much faster

Module name: src
Changes by: rpe@cvs.openbsd.org 2014/08/03 10:00:15

Modified files:
distrib/miniroot: upgrade.sh

Log message:
smtpd got privsep'ed and the _smtpq user is now used to manage these
directories. Ensure proper ownership in case smtpd has been started
before this change.

brought up by matthieu@
OK deraadt@