Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
post-wo-content-length.patch | [core] allow POST w/o Content-Length for HTTP/2 (#3273) HTTP/2 framing delineates request headers, body, and trailers. This differs from HTTP/1.x where combinations of Content-Length and/or Transfer-Encoding: chunked might be used in request smuggling or request splitting attacks. lighttpd has rejected POST without Content-Length (and without 1.4, and that restriction is being preserved for now, even if stricter than RFC requirements. Note: some other servers might interpret HTTP/1.0 requests with missing Content-Length to mean read body until EOF, and others may interpret that scenario as Content-Length: 0, and the inconsistency is potentially dangerous and abusable by request smuggling attacks. x-ref: "Content-Length request header is optional" https://redmine.lighttpd.net/issues/3273 | Glenn Strauss <gstrauss@gluelogic.com> | no | | upstream, https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/71c378217c91eaf466bf1d830e15138cc66c02c6 | 2025-01-14 |
ssi-exec.patch | [mod_ssi] fix #exec (fixes #3275) (regression since lighttpd 1.4.56) x-ref: "mod_ssi exec not working" https://redmine.lighttpd.net/issues/3275 | Glenn Strauss <gstrauss@gluelogic.com> | no | | upstream, https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/4bdd6363e26c6f5a6de1df82d17e3fa99416c282 | 2025-01-17 |