1.4.54
May 27, 2019
Important changes
- behavior change: strict URL parsing and normalization (configurable)
- performance enhancements, bug fixes
Downloads
- lighttpd-1.4.54.tar.gz (GPG signature)
  - SHA256: 5151d38cb7c4c40effa13710e77ebdbef899f945b062cf32befc02d128ac424c
- lighttpd-1.4.54.tar.xz (GPG signature)
  - SHA256: cf14cce2254a96d8fcb6d3181e1a3c29a8f832531c3e86ff6f2524ecda9a8721
- SHA256 checksums
Highlights
- behavior change: strict URL parsing and normalization (configurable)
- behavior change: mod_webdav now rejects partial PUT (configurable)
- mod_auth: HTTP Auth Digest algorithm=SHA-256
- mod_webdav: major rewrite: robustness, performance, RFC compliance
- mod_maxminddb: new; obsoletes discontinued mod_geoip
Behavior Change
lighttpd now performs strict URL parsing and normalization on HTTP requests. This is configurable, but the defaults are now strict unless explicitly configured otherwise.
Enabling strict URL parsing and normalization by default provides more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal '/' as a delimiter. For those uses, "url-path-2f-decode" => "disable" will need to be explicitly set in the lighttpd config.
https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:
server.http-parseopts = (
  "header-strict"            => "enable",
  "host-strict"              => "enable",
  "host-normalize"           => "enable",
  "url-normalize"            => "enable",
  "url-normalize-unreserved" => "enable",
  "url-normalize-required"   => "enable",
  "url-ctrls-reject"         => "enable",
  "url-path-2f-decode"       => "enable",
  "url-path-dotseg-remove"   => "enable",
  "url-query-20-plus"        => "enable"
)
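
The following added example (not lighttpd code, and not part of the original release notes) is a simplified Python model of three of the options above, showing why normalization makes rule matching consistent and where decoding %2F changes the path structure an application sees. The rule pattern, function names and sample paths are constructed for illustration; lighttpd's own implementation may differ in detail.

```python
import re

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
# Constructed rule in the style of a mod_rewrite / mod_redirect regex.
ADMIN_RULE = re.compile(r"^/admin(/|$)")

def normalize_path(path, decode_2f=True, dotseg_remove=True):
    """Simplified model of url-normalize-unreserved, url-path-2f-decode
    and url-path-dotseg-remove. Assumes path starts with '/', no query."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        if ch in UNRESERVED or (ch == "/" and decode_2f):
            return ch                       # decode to the literal character
        return "%" + m.group(1).upper()     # stay encoded, uppercase hex
    path = re.sub(r"%([0-9A-Fa-f]{2})", fix, path)
    if not dotseg_remove:
        return path
    segs, out = path.split("/")[1:], []
    for i, seg in enumerate(segs):
        if seg in (".", ".."):
            if seg == ".." and out:
                out.pop()                   # ".." drops the previous segment
            if i == len(segs) - 1:
                out.append("")              # keep the trailing slash
        else:
            out.append(seg)
    return "/" + "/".join(out)

def rule_matches(raw_path, **opts):
    """True if the constructed rule matches the normalized path."""
    return bool(ADMIN_RULE.match(normalize_path(raw_path, **opts)))

# Constructed sample request paths.
SAMPLES = ["/admin/", "/%61dmin/", "/static/%2e%2e/admin/",
           "/static/..%2Fadmin/", "/files/a%2Fb/meta"]

if __name__ == "__main__":
    for raw in SAMPLES:
        strict = normalize_path(raw)
        keep2f = normalize_path(raw, decode_2f=False)
        print(f"{raw:24} decode={strict:18} no-decode={keep2f:22} "
              f"rule={rule_matches(raw)}")
```

The first four samples all normalize to `/admin/` under the strict settings, so a rule written once matches every spelling; the last sample gains a path segment when %2F is decoded, which is the breaking case described above for applications that carry an encoded slash inside a single segment.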