src/sbbs3 websrvr.c 1.558 1.559
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv25394

Modified Files:
websrvr.c
Log Message:
Remove herp derp.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.ne

src/sbbs3 websrvr.c 1.559 1.560
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv7698

Modified Files:
websrvr.c
Log Message:
Add support for > 1MB post data through mmap()ed files. This does not yet solve all the problems involved in a file upload though, so don't get too excited.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.560 1.561
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv19802

Modified Files:
websrvr.c
Log Message:
Only create and parse http_reqeust.post_data if the size is less than MAX_POST_LEN.

This makes the previous change effectively useless except for using up
space on the hard drive, but is stops from malloc()ing a copy of the data
that is unusable.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.561 1.562
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv20182

Modified Files:
websrvr.c
Log Message:
C99 uses SIZE_MAX, not SIZE_T_MAX.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet:

src/sbbs3 websrvr.c 1.563 1.564
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv19431

Modified Files:
websrvr.c
Log Message:
*_TO_STRING() considered harmful.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet:/

src/sbbs3 websrvr.c 1.565 1.566
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv848

Modified Files:
websrvr.c
Log Message:
#include "xpprintf.h" for xp_asprintf()



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ teln

src/sbbs3 websrvr.c 1.566 1.567
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv12009

Modified Files:
websrvr.c
Log Message:
Added typecasts to address MSVC10 assertions (in debug builds).
Added comment about stack variable buffer overflow sighting.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.567 1.568
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv9836

Modified Files:
websrvr.c
Log Message:
Document observed exception in js_log() -> JS_SUSPENDREQUEST()

---
þ Synchronet þ Vertrauen þ Home

src/sbbs3 websrvr.c 1.568 1.569
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv30344

Modified Files:
websrvr.c
Log Message:
<Deuce> I found the crash in websrv.c js_log().
<Deuce> It sohuldn't be passing strchr(str, 0) as a macro argument.
<Deuce> Pop that bugger into a temp char * and she'll be golden.
<Deuce> If you could make/commit that change for me, that'd be great

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.569 1.570
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv4895

Modified Files:
websrvr.c
Log Message:
Fix MSVC warning:
warning C4133: 'function' : incompatible types - from 'int *' to 'char *'
with typecast.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.571 1.572
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv29902

Modified Files:
websrvr.c
Log Message:
Fix observed NULL pointer deference (pass to sub_mkgmt(), from time_gm()). Added comment about usage of gmtime() vs. gmtime_r().

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.573 1.574
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv1852

Modified Files:
websrvr.c
Log Message:
HTTP authentication failures actually use the failed login attempt logic for throttling, logging, and blocking/filtering brute-force user/password hackers. Failed HTTP digest authentication failures actually log the failure (including the detailed reason for the failure).
But for some reason, I've only been able to get IE, FF and Chrome to use
BASIC authentication (not digest), so presumably there is a bug somewhere in regards to support for digest auth.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.574 1.575
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv13774

Modified Files:
websrvr.c
Log Message:
Added call to loginSuccess() upon successful (non-guest) user authentication via BASIC or DIGEST auth - this clears the client IP from the login attempt list (as is supposed to happen).
Currently, the JS "login" method does not do this (and a JS login failure does not get added to the login attempt list).

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.575 1.576
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv15274

Modified Files:
websrvr.c
Log Message:
badlogin() only delays if the number of failed login attempts from the client IP is greater than one (failed attempts are normal for digest auth).
Fix printf format problem ("(null)") in the digest-auth response due to 64-bit time() implementation.
Added new connection throttling from hacking clients (really only works for basic auth).


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.577 1.578
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv13869

Modified Files:
websrvr.c
Log Message:
As theorized by Digital Man, the HTTP server did indeed have the same bug as the
FTP server.

Bug-fix: daily statistics and free-credits-per-day were not reset when the user logged in via HTTP. This affected: posts_today, emails_today, free_credits, timeon_today, and extra time values (e.g. posts_today would contnue to accumulate potentially affecting uh... hand-wavey stuff). getuserdat() does the necessary value resets, we just needed to write the entire user record back to disk upon successfull login, rather than just updating specific fields in the user record on disk.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.578 1.579
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv28054

Modified Files:
websrvr.c
Log Message:
Fix compile error and warnings introduced in http_logon() in last commit.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.580 1.581
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv29745

Modified Files:
websrvr.c
Log Message:
Do not use chunked mode for HEAD requests. This prevented returning the Content-Length header for static files.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.581 1.582
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv29812

Modified Files:
websrvr.c
Log Message:
Even if there's a Connection: Close, still include the Content-Length header for HEAD requests.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.582 1.583
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv31068

Modified Files:
websrvr.c
Log Message:
Log a warning upon failure to open a .ini file.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.584 1.585
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17195

Modified Files:
websrvr.c
Log Message:
Fix stripping of port numbers from host values.
Was broken on IPv6 literals such as http://[dead::beef]/ as well as any other URI containing a colon.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.585 1.586
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17294

Modified Files:
websrvr.c
Log Message:
Fix bugs in last commit.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.586 1.587
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17374

Modified Files:
websrvr.c
Log Message:
And another bug squashed...



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.587 1.588
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17537

Modified Files:
websrvr.c
Log Message:
And the last bug...



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.588 1.589
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17600

Modified Files:
websrvr.c
Log Message:
Back0out last change.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.589 1.590
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17701

Modified Files:
websrvr.c
Log Message:
THAT is the last bug.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.590 1.591
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv18240

Modified Files:
websrvr.c
Log Message:
Use getsockname() to read the server port since we don't know that it's
the same as startup->port anymore.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.594 1.595
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv32344

Modified Files:
websrvr.c
Log Message:
Fix warnings.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.596 1.597
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv15106

Modified Files:
websrvr.c
Log Message:
Use cryptGetAttributeString() to detect the "right" length for the call.

This needs to be moved elsewhere and used everywhere an attribute is read.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.597 1.598
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv15163

Modified Files:
websrvr.c
Log Message:
Fix bug and warning from last commit.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.598 1.599
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv15335

Modified Files:
websrvr.c
Log Message:
free() temp error string.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.601 1.602
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv24068

Modified Files:
websrvr.c
Log Message:
Fix warning.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.602 1.603
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv839

Modified Files:
websrvr.c
Log Message:
We can't close a session socket until there's an allocated ringbuffer.
Create a new function to close without one and use it instead until the
ring buffer is created.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.603 1.604
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv27958

Modified Files:
websrvr.c
Log Message:
Don't use the client-supplied "Host" header value for the http access log filename if it contains any path delimiters.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.604 1.605
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv32644

Modified Files:
websrvr.c
Log Message:
Ensure the host and vhost are valid hostnames (which can't contain path seperators) and return a 400 error otherwise. With this check before the
vhost is set, eliminates the need to check when setting the log file name.

Also, lower-case hostnames for consistency and simpler validity checking.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.606 1.607
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv24915

Modified Files:
websrvr.c
Log Message:
Fix typos in the protocol designator (TLS = HTTPS, not HTTP).

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.607 1.608
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv30047

Modified Files:
websrvr.c
Log Message:
Don't create the TLS context/certificate when TLS is disabled.
If the TLS context couldn't be created, don't listen on the TLS interfaces.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.608 1.609
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv28611

Modified Files:
websrvr.c
Log Message:
Add a "strip port" parameter to is_legal_hostname and set it to TRUE when testing the Host value (vhost value already has port stripped).

Zero-length host names are not legal either.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.609 1.610
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23192

Modified Files:
websrvr.c
Log Message:
Add line number to logged HTTP error responses to get a better idea of the cause of Robb Starr's reported "ERROR: 400 Bad Request" problem.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.612 1.613
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv867

Modified Files:
websrvr.c
Log Message:
Fix Win32 errors and warnings in the FastCGI patch.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.613 1.614
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv3609

Modified Files:
websrvr.c
Log Message:
Fixes for FastCGI support.
Now tested on FreeBSD (should work for any *nix).
CGI and FastCGI still needs testing on Win32.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.614 1.615
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv5373

Modified Files:
websrvr.c
Log Message:
Support POST in FastCGI scripts by using read_post_data(). This will delay
the script until the entire POST data is read, so is sub-optimal, but it
works.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.615 1.616
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv10103

Modified Files:
websrvr.c
Log Message:
Set the high-order bit of the high order byte when parameter values are
longer than 127 bytes.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.616 1.617
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv10359

Modified Files:
websrvr.c
Log Message:
Use MSG_WAITALL in recv() calls to ensure we get what we ask for.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.617 1.618
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv14255

Modified Files:
websrvr.c
Log Message:
If the PathInfoIndex value is changed while parsing webctrl.ini files,
update the path info data and re-extract the filename so that widcards in section names can match path info index files.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.618 1.619
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv16710

Modified Files:
websrvr.c
Log Message:
Ensure that get_extra_path() is only executed once to prevent doubleing up
the extra path.

Set the SCRIPT_NAME to include the index filename... this was apparently changed to emulator a specific mod_rewrite rule for a specific package and
is wrong.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.619 1.620
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv19739

Modified Files:
websrvr.c
Log Message:
Add support for Rewrite JS Scripts in webctrl.ini.
Added by keys beginning with "Rewrite", ie:

RewriteDetail=var n=http_request.request_string.replace(/_detail\/(.*)/,"lib/exe/detail.php?media=$1"); if(n != http_request.request_string) { http_request.request_string=n; true }

If the expression returns "true", reparses http_request.request_string as
an internal redirect.

I plan to have another key that will pre-execute a script from a file so that these don't need to be an entire script on one line in the INI file.

This API is subject to change.

May contain peanuts.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.620 1.621
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv20317

Modified Files:
websrvr.c
Log Message:
Set the context private pointer in js_setup_cx so the error reporter will
work for rewrite scripts.

Fix up the rewrite logging to be more helpful and a bit less verbose.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.621 1.622
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv26628

Modified Files:
websrvr.c
Log Message:
Add a JSPreExec key to the webctrl.ini.
If present, this JS code will be executed before any SSJS or Rewrite code
for this request.

Also, populate js.startup_dir and js.exec_dir as the directory the webctrl.ini is in so that you cna do something like: JSPreExec=load(js.exec_dir+'/coolstuff.js');

This now allows super-cool rewrite thingies.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.622 1.623
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv28293

Modified Files:
websrvr.c
Log Message:
Get the extra path info as soon as we find that PathInfoIndex has been set
by a webctrl.ini... this allows redirect scripts to notice.

Also, clear extra_path_info when we handle an internal redirect so it doesn't use stale data.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.623 1.624
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv18738

Modified Files:
websrvr.c
Log Message:
Suppress warning and remove a bunch of useless logging.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.624 1.625
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv14994

Modified Files:
websrvr.c
Log Message:
Resolve new MSVC2013 warning in fastCGI stuff.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.625 1.626
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv26772

Modified Files:
websrvr.c
Log Message:
Use the original request line, not the internal redirected request line
for the CGI REQUEST_URI variable.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.628 1.629
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23444

Modified Files:
websrvr.c
Log Message:
When shutting down, recv() on the socket until recv() returns 0 or -1.

This ensures that all data that has been send()ed is transmitted. Timeout after max_inactivity (max delay is max_inactivity*2).



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.629 1.630
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv24551

Modified Files:
websrvr.c
Log Message:
Fix bug in last commit.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.630 1.631
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv26248

Modified Files:
websrvr.c
Log Message:
Hold the outpub_write mutex until the data is send, not just until it is removed from the ring buffer. This prevents the session thread from closing the socket before send() is called with the data.

Fixed issue seen on techdorks.net with the 404.ssjs file (and likely others where static files were truncated on send).



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.644 1.645
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv14728

Modified Files:
websrvr.c
Log Message:
Fix web server startup crash when run as an NT service, as reported by
Deepthaw (DS94):
This was broken in revision 1.584 by deuce, Thu Aug 20 05:19:45 2015 UTC:
The startup->socket_open callback is optional (may be NULL), and in the case
of sbbsNTsvcs.exe, it is NULL, thus the crash when it was called unconditionally during socket creation. I guess not many people are running sbbsNTsvcs these days. :-/

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net

src/sbbs3 websrvr.c 1.647 1.648
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17828

Modified Files:
websrvr.c
Log Message:
Ignore "normal" errors from cryptlib (TIMEOUT, COMPLETE), and supress some cause by Chromiums love of dropping a connection rather than an orderly shutdown.

Since we're dealing with that fallout, lower the read timeout to 1 second
since we select() first anyway.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.648 1.649
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv30929

Modified Files:
websrvr.c
Log Message:
Don't fail when popdata returns an error in the TX path.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.651 1.652
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv29321

Modified Files:
websrvr.c
Log Message:
Allow overriding AccessRequirements to a zero-length string.
This allows disabling authentication after a higher level specifies an AccessRequirements value, eliminating the last reason to keep access.ars around.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.652 1.653
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv9664

Modified Files:
websrvr.c
Log Message:
Down't lower the recv timeout until after the session is established.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.654 1.655
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv2875

Modified Files:
websrvr.c
Log Message:
Lower the log level in the "JavaScript FAILED to compile rewrite" log
entry - if there's an actual compile error, it should already be logged
via the exception/error-reporter callback. This should eliminate a lot of
the dokuwiki-related error chatter in my error.log.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.655 1.656
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv21107

Modified Files:
websrvr.c
Log Message:
Fix bug introduced in 1.649 for non-TLS sessions. That fix was only supposed to be for TLS sessions.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.657 1.658
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17740

Modified Files:
websrvr.c
Log Message:
Resolve (?) clang crash on FreeBSD-CURRENT (!)



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.662 1.663
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv18955

Modified Files:
websrvr.c
Log Message:
Fix handling of cryptPushData() and cryptFlushData() success correctly.
Also, change READTIMEOUT back to zero since that issue is fixed now.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.665 1.666
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Enabled GCC-assisted printf-style format/arg checking for lprintf() and
fix the resulting warnings.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.667 1.668
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv20001

Modified Files:
websrvr.c
Log Message:
Break the loop when failed is set to true.
Also, use a stack pointer if the passed failed pointer is NULL.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.668 1.669
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv14230

Modified Files:
websrvr.c
Log Message:
zero-initialize the msg-scan (subscan) allocated array, so if an uninitialized is ever written to disk, it'll be zeroes not garbage.
Also, NULL the subscan pointer after freeing (and don't free if it's NULL).


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.670 1.671
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv2663

Modified Files:
websrvr.c
Log Message:
Added TODO comment regarding apparent RFC 2145 violation in the Status-Line HTTP-Version value we send (no functional change). My intepretation is we should be sending either nothing or "HTTP/1.1" here, never "HTTP/1.0". This interpretation appears to match the behavior of other web servers
(e.g. Apache httpd).


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.671 1.672
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23667

Modified Files:
websrvr.c
Log Message:
Added TODO comment regarding the lack of a Content-Length header field
in GET responses when Connection: Keep-Alive is not enabled.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.672 1.673
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv9577

Modified Files:
websrvr.c
Log Message:
1xx, 204, and 304 responses don't include an entity.

If we get one of these statuses from via a CGI, assume we have good headers.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.673 1.674
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv1995

Modified Files:
websrvr.c
Log Message:
Header field values may (usually do) have leading linear white-space, so
skip any spaces before parsing the value (for CGI supplied headers).


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.674 1.675
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv25689

Modified Files:
websrvr.c
Log Message:
Fixed typo: deprecated, not depreciated.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.675 1.676
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv29102

Modified Files:
websrvr.c
Log Message:
Fixed typo in error message.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.680 1.681
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23025

Modified Files:
websrvr.c
Log Message:
open_post_file(): if post_data is NULL, just log an error and return NULL (don't pass a NULL pointer to fwrite() which can assert or crash).


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.681 1.682
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv8139

Modified Files:
websrvr.c
Log Message:
Increase MAX_POST_LEN from 1MB to 4MB (QWK REP packets can be > 1MB) -
I think that > 1MB post data is supported, but the http_request.post_data
property won't be created if the length > MAX_POST_LEN. Perhaps would just
store the post data in a file (uh, it already is?) and expose the filename to
JS scripts? It'd be a lot cleaner than storing the data in a file and then
reading (or mem-mapping) the file and then copying the contents into a JS
property.

Allow the JS http_request.post_data property to contain NULs.

open_post_file() will now open the post file (and return the FILE*) even if
session->req.post_data is NULL, it just won't try to write to the file if the
post_data is NULL.

mem-map the large post data files using XPMAP_WRITE (read/write) rather than
XPMAP_READ (read-only) - without this change, this line in read_post_data()
would cause an exception:
session->req.post_data[session->req.post_len]=0;
Now, we seem to have the potential of an off-by-one here (if the length
mem-mapped is not post_len + 1), but that isn't happening. <shrug>

Fixed a couple of FILE pointer/descriptor leaks if post_to_file() failed.

Changed name of post data file to SBBS_POST.*.*.data (it's not necessarily html).

So now, uploads > 1MB work, but questions remain:
- wouldn't PUT be a more appropriate method (than POST) for file uploads?
- how can we support post_data > MAX_POST_LEN (now 4MB) in JS?


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.682 1.683
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Fix observed segfault (NULL pointer dereference) in parse_headers
(strtok can return NULL).


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.684 1.685
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv8336

Modified Files:
websrvr.c
Log Message:
Some RFC nits.

1) Send Content-Length even if we will be closing the connection.
2) Send the highest HTTP version in the status line that has the same major version.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.686 1.687
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv27170

Modified Files:
websrvr.c
Log Message:
send_headers() is called twice for chunked data. The second time is required for additional headers and the final terminating CRLF.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.687 1.688
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv4323

Modified Files:
websrvr.c
Log Message:
As with CGI, if a script specifies a Content-Length or Transfer-Encoding header, don't calculate either one and let the script shoot itself in the
foot.

Also, if a Location header is set, try an internal redirect rather than
forcing the client to handle it.

Now scripts can avoid chunked mode by specifying a correct content-length
if the content-length is wrong though, Bad Things will happen.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.688 1.689
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv4962

Modified Files:
websrvr.c
Log Message:
Update to last commit... only allow fiddling with things if the initial
headers haven't been sent yet.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.690 1.691
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv15156

Modified Files:
websrvr.c
Log Message:
Store the configured temp directory for the web server in scfg.temp_dir so that JS scripts using system.temp_dir to store files get a sensible value (and not the hard-coded default of just "temp").
This should fix the creation of ctrl/tempftelnet.url files.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.691 1.692
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv18463

Modified Files:
websrvr.c
Log Message:
Fix an error nobody has ever seen.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.692 1.693
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv20335

Modified Files:
websrvr.c
Log Message:
Add a terrible hack to see if the TLS POST issue is what I think it is.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.693 1.694
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23121

Modified Files:
websrvr.c
Log Message:
De-hack and maybe fix?


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.694 1.695
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23687

Modified Files:
websrvr.c
Log Message:
Don't crash of rd is NULL.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.695 1.696
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23917

Modified Files:
websrvr.c
Log Message:
Better anti-crash behaviour.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: src/sbbs3/websrvr.c
By: deuce to CVS commit on Fri Aug 02 2019 10:10 am

websrvr.c
Log Message:
Fix an error nobody has ever seen.

Thanks for fixing that. I was waiting for that fix. ;)

Nightfox

---
þ Synchronet þ Digital Distortion: digitaldistortionbbs.com

src/sbbs3 websrvr.c 1.696 1.697
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Remove unused variable in session_check()


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.697 1.698
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv13821

Modified Files:
websrvr.c
Log Message:
login() naw calls badlogin() upon login failure.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.698 1.699
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv18232

Modified Files:
websrvr.c
Log Message:
Alterego reported a scenario where the web server's cleanup() would wait forever for 1 child thread (presumably the http_logging_thread) to terminate:

8/27 02:39:43p Waiting for HTTP logging thread to terminate...
8/27 02:39:43p HTTP logging thread started
8/27 02:39:43p HTTP logging thread received NULL linked list log entry
8/27 02:40:44p !TIMEOUT waiting for HTTP logging thread to terminate
8/27 02:40:44p Done waiting for HTTP logging thread to terminate
8/27 02:40:44p 0000 Waiting for 1 child threads to terminate

<infinite wait loop here>

- Add an extra terminate_http_logging_thread check to the top of the loop in
http_logging_thread().
- Signal the log_list semaphore in the "Waiting for HTTP logging thread" and
"Waiting for x child threads" loops.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.699 1.700
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Fix buffer (stack memory) overflow observed in parse_headers(). This is what brought down [cvs.]synchro.net this weekend. It's hard to believe we still
have unchecked calls sprintf() around, but we do.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.700 1.701
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23416

Modified Files:
websrvr.c
Log Message:
Allow redirects from non-existant URLs.
This allows redirect targets from paths that don't exist. Required to implement hard-coded API endpoints via ssjs.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.701 1.702
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv16639

Modified Files:
websrvr.c
Log Message:
While we're making ssllabs happy, disable TLS 1.0 and 1.1 in the web server only (you can still use them from JS etc).



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.702 1.703
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv13539

Modified Files:
websrvr.c
Log Message:
Comment out TLS 1.2 minver. Too many existing things don't support 1.2.

We don't need PCI DSS compliance I hope, we just want people doing things.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: src/sbbs3/websrvr.c
By: deuce to CVS commit on Thu Jan 23 2020 09:27:47

For what it's worth, we've been using the following list of ciphers where I work... seems to have decent security/compatibility currently.

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

DHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES256-GCM-SHA384

--
Michael J. Ryan
+o roughneckbbs.com
bbs@tracker1.dev

---
þ Synchronet þ Roughneck BBS - coming back 2/2/20

src/sbbs3 websrvr.c 1.703 1.704
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Fix NULL pointer dereference in CGI handling:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fb3be8ce071 in do_cgi_stuff (session=0x7fb2fbfaac40, cgi=0x7fb2fbfaa850, orig_keep=1) at websrvr.c:4376
4376 SKIP_WHITESPACE(value);



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.705 1.706
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv12695

Modified Files:
websrvr.c
Log Message:
Since lprintf() sends to stdout in sbbscon foreground mode, we must call
it before redirecting stdout to the pipe.

Likely fixes CGI errors seen by alterego (and has been broken for almost fifteen years).



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.706 1.707
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv19117

Modified Files:
websrvr.c
Log Message:
Move lprintf() out of fork() child... it uses a mutex and the state of
mutexes are undefined in children.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.708 1.709
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv2052

Modified Files:
websrvr.c
Log Message:
Support CGI over TLS on *nix.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.709 1.710
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv24259

Modified Files:
websrvr.c
Log Message:
Don't attempt to read a FastCGI body if the header type is zero.
Should fix the POST/GET hangs on the wiki once DigitalMan updates.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.710 1.711
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv22341

Modified Files:
websrvr.c
Log Message:
Add some paranoia for handling FCGI_END_REQUEST.

While the FastCGI read_wait_timeout function should never return
CGI_*_READY with CGI_PROCESS_TERMINATED, it looks like somehow on some
systems, there's an additional select() happening after the process is
done.

Explicitly track this, and try to prevent it.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.711 1.712
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv757

Modified Files:
websrvr.c
Log Message:
Fix bug in last commit... !


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.712 1.713
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv4082

Modified Files:
websrvr.c
Log Message:
Just because there is a Location: header does not mean we should not send
a body. Broken by HSTS enhancement.

There's a (small) possibility that the HSTS enhancement is now broken.



---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.716 1.717
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Fix transmission of files >= 2GB in size on systems that support large file offsets
(64-bit off_t), e.g. 64-bit Linux. Issue reported by plt via irc.


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.717 1.718
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv23357

Modified Files:
websrvr.c
Log Message:
Improve send-file performance on Windows (over Gb Ethernet LAN) from about 1 MBytes/second to 25+ MBytes/second by increasing the size of the ringbuffer (from 20 -> 256 KBytes) and the size of the file-read buffer in sock_sendfile().
Also log the through-put (in cps) when a file is sent.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.718 1.719
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/home/rswindell/sbbs/src/sbbs3

Modified Files:
websrvr.c
Log Message:
Address gcc warning: format '%d' expects argument of type 'int', but arg
has type 'long int'


---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

src/sbbs3 websrvr.c 1.719 1.720
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv17800

Modified Files:
websrvr.c
Log Message:
The problem: the sysop (me) is not notified of critical errors (e.g. synchro.net zone file problems) in a timely manner.
Part of the solution: notify a configured user (e.g. user #1) via short-message/telegram and email/netmail logged-errors when messages of a configured severity (e.g. "Critical") are logged.
The second part of the solution (coming next) will be allowing timed events to log a message of a configurable severity logged when the event fails (returns a non-zero error level to sbbs).

I'm saving the error-notification-user-number and log-severity as part of the node.cnf file because:
- that's where the validation user number is already set
- I can conceive of a large system were certain node ranges (different instances of sbbs) might want different operators to be notified of logged-errors

This also means I eliminated all the legacy com port/modem stuff from the end of the node.cnf file. None of that is used in sbbs v3.

Also included in this commit are improvements around logging:
- reduce the severity of UDP recvfrom failures in services
- a more detailed log message when the mail server successfully delivers an email (via SMTP) - easier to answer the question: was that email you/they sent delivered successfully?

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/sbbs/sbbs/-/commit/c9db48cec8efd56f8291443d
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix requests to the webserver using IPv6 address http://[1234:1234::] requests. The host portion contains ":" after split_port_part(), resulting in a 400 error.
Renaming is_legal_hostname() to is_legal_host(), since requests to webservers are to
"hosts" not "hostnames".
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/sbbs/sbbs/-/commit/d17a5ce0ba8d80a29f136c9e
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Merge branch 'leenooks/sbbs-master'
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/sbbs/sbbs/-/commit/37a23fea45bbdb3589e7d909
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix heap corruption that could occur when HSTS feature is enabled

At least on Windows, when realloc() is used to allocate a new buffer,
guess what's in that buffer initially? undefined values. So you can't
strcat() onto the end of that! Ouch. This was a fun one to track down.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/sbbs/sbbs/-/commit/987c1129e127fe9a7b67d430
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix 32-bit GCC warning on rPi about printf format

format '%ld' expects argument of type 'long int', but argument 7 has type '__off64_t'
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/sbbs/sbbs/-/commit/c399ca73f145f7e8dc625ec6
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Some CGI programs know they're not running from a console because
QUERY_STRING is defined (even if blank).

Always define it.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/sbbs/sbbs/-/commit/2c66387d8a91bc26d226430a
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Merge remote-tracking branch 'origin/master'
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/22c6721d6f926ba5fce85a54
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Remove unused assignment.

No need to get time() here since it's never checked.

Resolves CID 174292
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6623cff0e3516937e38ae76a
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Always return 403 to requests for access.ars or webctrl.ini

Previously, 403 was only returned if they existed, and 404 if they
didn't.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/5d3de1eea3288155bc7a630e
Modified Files:
src/sbbs3/websrvr.c
Log Message:
For the cases we'll send a Content-Length of zero, do not send content.

Should fix #223
Introduced in d56ba01f which likely fixed some stuff on the wiki.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/bc5bfa5f6f9fb7208ed7bbe1
Modified Files:
src/sbbs3/websrvr.c
Log Message:
We still want the zero-length entity, just not any content.

Fixes last commit, which could cause infinite hangs on certain requests.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/b881935a0f28b65f66d6218c
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Track the active client "highwater mark" (highest number of concurrent clients)

Could be useful for knowing if you need to increase MaxClients for typical usage.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/9048b3d231b7ceeb823c2220
Modified Files:
src/sbbs3/websrvr.c
Log Message:
post_to_file() shouldn't close the file since it didn't open it.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/e2f3407c8cd1379184da9668
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Remove some unused variables.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/03b7b2f9443db9fa02989aec
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix socket descriptor leak in fastcgi_connect()

Found by Coverity-scan (CID 330051)

@Deuce should review this.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/22f130cad457cd21747dd6bc
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix resource leak in ssjs_send_headers()

IdArray returned by JS_Enumerate() was never freed.

Caught by Coverity-scan, CID 319627.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/9f7894575eed369cfd56ad40
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Remove incorrect and unnecessary comment.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a487e0c681d380e01a76deeb
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Don't allow colons in web-requested path names on Windows

This fixes issue #269 (NTFS Alternate Data Stream vulnerability) and other potential pathname issues on Windows involving colons.

There are other illegal filename characters on Windows (e.g. <>|"?*), but filenames with these characters aren't expected to pass the later stat() test, so should fail with a 404 error.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/f38adc13f4b5169a0d59cbce
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix NULL pointer dereference in read_post_data()

What took down cvs/sbbs yesterday:
Program terminated with signal SIGSEGV, Segmentation fault.
6203 session->req.post_data[session->req.post_len]=0; [Current thread is 1 (Thread 0x7f2b989ff700 (LWP 17031))]
(gdb) print post_len
No symbol "post_len" in current context.
(gdb) print session->req.post_len
$1 = 0
(gdb) print session->req.post_data
$2 = 0x0
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/f2858ee600525704d27011e0
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add support for web request path aliases (defined in web_alias.ini)

Similar to the ctrl/ftpalias.cfg file, the new ctrl/web_alias.ini file (optional) can be used to map a portion (the first portion, only) of a web request path to a different physical or virtual path. For example, I'm using it to map:
/Synchronet/ = /files/main/sbbs/
for filebase access to my main->sbbs directory of Vertrauen's filebase using a /Synchronet/* web request (i.e. for slightly prettier or shorter custom URLs, if desired).
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/005633b1fffb7b6df70cb13b
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Log requests that resolve outside of the web root as hack attempts

"Request for x is outside of the web root" was already logged (with a "NOTICE" log level), but would not sound the hack attempt alarm (on Windows) or log to the hack.log. Now it does.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

El 15/1/22 a las 23:09, Rob Swindell escribió:

https://gitlab.synchro.net/main/sbbs/-/commit/f2858ee600525704d27011e0 Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add support for web request path aliases (defined in web_alias.ini)

Similar to the ctrl/ftpalias.cfg file, the new ctrl/web_alias.ini file (optional) can be used to map a portion (the first portion, only) of a web request path to a different physical or virtual path. For example, I'm using it to map:
/Synchronet/ = /files/main/sbbs/
for filebase access to my main->sbbs directory of Vertrauen's filebase using a /Synchronet/* web request (i.e. for slightly prettier or shorter custom URLs, if desired).
---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

alias portion (webrequest) can support multiple levels? like:

/ftp/main/ansis = /sbbs/data/main/ansis
/ftp/other/upload = /home/pepe/uploads

??

Re: Re: src/sbbs3/websrvr.c
By: Ragnarok to Rob Swindell on Mon Jan 17 2022 11:57 am

alias portion (webrequest) can support multiple levels? like:

/ftp/main/ansis = /sbbs/data/main/ansis
/ftp/other/upload = /home/pepe/uploads

Yes. But they likely should end in a '/' too.
--
digital man (rob)

This Is Spinal Tap quote #25:
Viv Savage: Have... a good... time... all the time. That's my philosophy. Norco, CA WX: 58.0øF, 80.0% humidity, 3 mph NW wind, 0.00 inches rain/24hrs
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/d8c099dbc962727df2723650
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix HTTP-requests for files >= 2GB in size

An int is 32-bits on all supported platforms, so this has always been broken. The actual file size/request-length sent would depend on fun 2's complement math (a 32GB file was being truncated to 433MB).

Also fixed some wrong uses of PRIuOFF: off_t is a signed integer, so technically the maximum file size you can request now is 2^63 bytes, which is "big enough".
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/c0f42027dded92626251d686
Modified Files:
src/sbbs3/websrvr.c
Log Message:
I don't know what I was smoking when I did this, but it's fixed now.

Weird early failure return on TLS sends. Most noticible on local
(ie: fast) connections, but clearly stupid all around when you
look at the code.

Fixed, but some day, I should go back and look how we eneded up in
this mess.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/cd4066a287da2b52e7aec775
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Resolve warning about enum value not handled in switch() statement
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a7f6b8549d24feb43c83ee44
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Include client IP address in HTTP-level error log messages
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a82559e327b74c4513751593
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Use safe string formatting to squelch warnings

Attempt to address 2 GCC version 11.2.0 2 warnings reported by Nelgin
‘%s’ directive writing up to 3 bytes into a region of size between 1 and 4097
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2e67162225de28219d747ed1
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Perform a JS garbage collection for each new request in a reused session

A reused HTTP session would never (apparently) perform garbage collection.
The evidence of this was the collection of concurrent user.dat file opens
that would never close until the HTTP sessions were closed. Hundreds or
even thousands of open user.dat's have been seen. After this change,
active web server (webv4 UI) users have not caused these spikes in open user.dat files, at least in my testing.

If no garbage collection was being performed, then likely a lot of JS
heap was being needlessly wasted, which could eventually result in a JS
"out of memory" error. But that's just a theory.

Investigation is needed into why the js_CommonOperationCallback()'s calls to JS_MaybeGC() were not sufficient to actually perform garbage collection
in this case.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/639460420c349337f3d3ceef
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Update log messages for execle() or fork() failures

To be more consistent in syntax and include more details (e.g. the command being invoked).
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/b6cdc4730e6ca52fc0fc093b
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Log message improvements: include protocol (HTTP vs HTTPS) and IP address
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2458bfc3e336939c4893a360
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Improve JavaScript-related error messages
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/94f85d5f1c8d8792975b5b03
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix MQTT-published action/login message for web server users

e.g. 20230130T171211-480 0 <unknown user> 76.89.231.66 <no name>

the user number name actually *are* known at this stage
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/fe30acd5338cf267c284f0c0
Modified Files:
src/sbbs3/websrvr.c
Log Message:
More details in "Failure to send header/request to FastCGI socket" log msg

Elevate the log level back to ERROR (from WARNING), as this is not an expected condition and the sysop (me) should be alerted right away. This had previously be lowered (along with some other log messages) from ERROR to WARNING.

When php-fpm is updated (on Debian, anyway), e.g. from 8.1 to 8.2, a new etc/php configuration (pool.d) directory was used which set me back to a default www.conf file that uses Unix domain sockets instead of TCP sockets.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/38b9bc8a15b819c87235b2c6
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add UNIX domain FastCGI support

Resolves a long-standing todo comment and has made wiki.synchro.net page rendering even faster.

PHP-FPM defaults to creating/listening on UNIX domain sockets.

This resolves gitlab issue #507
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/d2ef0fe2ccfacd2b5805b6c4
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix webserver build on Windows - no UNIX domain socket support

According to https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/
it is possible, but I think I'm using an WinSDK that's too old, so let's just not support this feature on Windows just yet. Define UDS_SUPPORT when supported.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6049bc00c20620b31d6f2d41
Modified Files:
src/sbbs3/websrvr.c
Log Message:
If the FastCGI address starts with a '/', it's obviously a UNIX domain socket

We don't really need the "unix:" prefix now, but just leave that support in
for backward compatibility.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/73a821b70820580fcf3bba9a
Modified Files:
src/sbbs3/websrvr.c
Log Message:
If the FastCGI address begins with a '.', treat as UNIX Domain Socket as well

<Deuce> So the [previous] change doesn't work with relative paths?

So... support relative UDS paths in this manner (without the "unix:" prefix) ---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/db6e54740d51622cfdda6ccc
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Include protocol and client IP address in FastCGI send error log msg
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2dc32fab0bda70f194ecd6cf
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Don't query the active_clients count twice in a row
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6697e52d90e024eb602aa2ac
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Don't try to send 0-byte files

Saves some opening, reading, and logging, but otherwise was harmeless.

Fix issue #422
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/5546278f0146522c886cca18
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Open SBBS_SSJS.*.html response file(s) only when actually writing data

The first write to a the temporary SBBS_SSJS.*.html file will open the file. This should reduce the number of 0-byte files left laying around in the the temp directory, which shouldn't be happening in the first place.

Also:
Fixed bug noticed in temp file clean up loop: POST data files would *also*
be retained when the DEBUG_SSJS option flag is set.

Also:
Replace some unsafe string operations with safe equivalents.

Happy Thanksgiving Nelgin!
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/274efc589d79d20711f04da2
Modified Files:
src/sbbs3/websrvr.c
Log Message:
A little clean-up around FILE* opening/closing, error handling

"HTTP Logging" replaced in log messages with "Web Server access-logging".

Using new FCLOSE_OPEN_FILE macro to close and NULify open FILE*'s.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/786add2421406f8f9ed9e113
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Replace IPv6 colons in access-log filenames with exclaimation marks on Windows

Colons are not legal filename characters on Windows and when virtual hosts are enabled, the IPv6 address of the server may be used in the access-log filename so we need to clean that up or errors opening/creating the access-log files occur.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/b4f04d357b85fcb615dd400e
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Log client address in "Sending file" and "Sent file" log messages

For symmetry
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/df3d7d09a69ec2fdf20a0d73
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Ensure do_cryptInit() is called before calling lock_ssl_cert()
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6180a88022c5d1e3f3a02dcd
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Look in mods dir for FileIndexScript before the exec dir

... unless the full path was specified.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/850a6595d70e78025c5a8f29
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Don't pass a TLS session ID of 0 js_CreateCommonObjects() for non-TLS sessions

The proper sentinel value here for "no TLS session" is -1, not 0.

This, at minimum, was causing a lot of extraneous calls to destroy_session() (from js_socket.c's do_js_close()) with an invalid (hopefully, not
otherwise used) cryptlib session ID of 0.

Nothing checks or logs the return value of destroy_session(), but I'd expect
it to be failing ... a lot.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/ec45b264572304e92c3e0839
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Log an error if ssl_sync() fails, for W6RAY

Hopefully help debug why HTTPS isn't working for him
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/5bea6c6be1f0e73a35176920
Modified Files:
src/sbbs3/websrvr.c
Log Message:
If socket is closed while in sess_sendbuf(), don't log a warning message

... with a socket descriptor value of -1.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/b973a74765fb50b36c045713
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix off_t printf warning.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/5bd8253c7c482272b9a4ea1f
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Temporary workaround for TLS issue.

It appears that if the timing is "just wrong", a large POST can
cause TLS to fail. This has shown up as an inability to edit
pages in the wiki.

This is not a fix however, but simple a workaround until this is
root-caused.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6326f6d0d33019f5af7b31fb
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Set javascript callback "terminated" flag to true when recycling

(or terminating) the server.

This will allow background JS threads to terminate when recycling, so the server doesn't just hang indefinitelyi when recycling.

Add more logging in cleanup() when waiting for children threads to terminate.

Also, eliminate the global 'terminate' variable, answering the question:
Can this be changed to a if(ws_set!=NULL) check instead?

Yes, yes it can.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/95be5a80e00eebcb23370f92
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Simplify the child thread wait loop in cleanup()
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/8d7d9eb22fbabde369e6ab31
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Lower severity of "Response file path is NULL" log msg from CRIT to WARNING

This is not a completely unexpected thing to happen during ungraceful termination
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/50be44416dbf437e93f0f283
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Pass user_t as pointer.

Silly to pass a 728-byte object as a parameter.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/e9778331b2584afc731f45bc
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix a bunch of false "File sent" logs (and uploader-notifications)

Web browsers tend start a download and then immediately close the socket
(so now send_failed will be true), while on a secondary socket, do a range download of the same file.

So log the range requests/completions and don't log successful file sends
when the send was terminated due to a send failure.

We still count very small (e.g. 2 byte) ranges as successful file transfers
and notify the uploader (of a partial download), so we should fix those
issues still. But at least now, there's a whole lot less "noise" created
from HTTP[S} file downloads via browser.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/3711e03ad615c3183aa401b4
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Use volatile keyword to (maybe) fix CID 488122: Data race condition

Ideally, I'd use atomic_bool instead, but we're using an older WinSDK for Win7 compatibility and so... can't.

Perhaps an xpdev 'protected_bool_t' should be created.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/90de10cf0dc28c25fab197b4
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Grow another 4-byte string.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/920902f3db4c4eac5ebcaf57
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix bug with error files (e.g. 404.html) introduced in commit 90de10cf

Deuce expanded the local 'error_code' buf to not trip the SAFECOPY macro destionation buffer length check. Only this buffer needed to be 4 chars
exactly to truncate the 'message' string at 3 chars (e.g. just "404" for an error message string that starts with "404 "). Switch from SAFECOPY to strlcpy to eliminate this bug.

As reported by Ragnarok as part of issue #748

The web error files should work again.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/984e76515378b50e3593ca8e
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Update the previous commit to revert the error_code length to 4, since we can

And use sizeof, not the magic number (again).
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/5004246d797799638b7d2db9
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix off-by-one reporting of "active client highwater mark"

Only log the hightwater mark when it's > 1. :-)
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/75bb2cf6633fb51f56a23e53
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Publish client highwater mark (max concurrent client stat) to MQTT
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/7fb6c7b4d8ec2150eefe55df
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add missing argument to new error log message upone putuserdat() failure

Fixes a couple CIDs and a GCC warning
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/d98359abefd58e43bb0e3115
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Move max concurrent connections check into http_session_thread()

We can't send a 4xx error (ie: client did something wrong) in
plaintext on a TLS connection.

Untested beyond a basic compile check.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/913092779871fdf4f4fc3e56
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Since this is after client_on() is called now, use > not >=
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/91125d1b721525a9c7720d0c
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Track and report the concurrent connections per client highwater mark

It's possible now for clients to easily exceed the configured max concurrent connections limit, even though they just get an error 429 page. Let's at least track and log when a new highwater mark is reached.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/ce7d83eeda506e5f366fe31d
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add/use errprintf() to reduce severity of repeated error messages

Part of solution for issue #619 (for the web server)
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/f2c891789734a9e783a1ac14
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Lower severity of repeated errors in js_ReportError()

This needed a custom solution (not errprintf) since the filename is passed-in is likely from dynamically allocated memory, so a pointer comparison isn't enough - and we don't get the function name.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/bbf9d5eac22ce15077a4599f
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Use errprintf() instead of lprintf() for one more log message
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a4ac0be63a49cc98f4883bef
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Better NULL ptr checking in js_ErrorReporter, CID 516068
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/630b22ada39c50f871597b00
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Whitespace change only
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/91b5a37ca1155f71f28c6eda
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Check return value of JS_NewStringCopyZ (for NULL)

Kind of a shot in the dark here: Max (WESTLINE) is reporting HEAP CORRUPTION debug assertion in websrvr.dll. In the 2 instances reported, a long (336
char) JSON "query value" was logged by apparent spam-bot trying to create a
a new user account ("send-me-free-stuff" is one of the JSON properties).

JS_NewStringCopyZ() can return NULL in a low memory situation, though I don't know that explains possible heap corruption.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/196ad130ca1a7fbecc73807b
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Use errprintf for FastCGI related error log messages

I received 6853 duplicate FastCGI error emails today (sent in a 2 minute
time span). I wish I already had this in place. :-(
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/0afbc6a9ae33dc715e0125bc
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix NULL dereference when there are no directory vshortcuts defined

As reported by Accession in #synchronet at irc.synchro.net
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/3618930a6e23a5f3b5709a71
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Resolve GCC warning enumeration value ‘PARSED_VPATH_x’ not handled in switch
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/0c6913fbd626457fb401aae8
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Another use of errprintf() to help de-dupe error logs/alerts
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/48ac38bbbed74e4e98830c36
Modified Files:
src/sbbs3/websrvr.c
Log Message:
More use of errprintf() to reduce duplicate error log messages
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/adf899cdeb60600fed167324
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Don't try to send 503 error for TLS connections that exceed maximum

since this doens't work and just generates/logs an error every time.

And for non-TLS connections, if the 503 send fails, just log it as a warning. ---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/8fe9b03cc155aee581fabce2
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Log output improvements

- include client protocol (HTTP or HTTPS) and IP address in more log messages
- include some more detail (e.g. send byte count) in "ERROR sending" message
- lower severity of "Executing FastCGI" log message from Info to Debug
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/38fde64dab9f2684f33ca3a6
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix max concurrent connections limit

broken in commit d98359abefd58e4

It'd send a 429 error, but keep accepting and processing client
requests, thus not really limiting the concurrent clients (from the same
IP) ever.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/e712db6e16c730fe515f9ea6
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Immediately reject non-TLS connections that exceed concurrent connections limit

Further revert commit d98359ab at least for non-HTTPS/TLS connections, so we
no longer needlessly create threads just to send a 429 error.

This along with the previous commit have restored my web severs to sustainable operation after the recent huge increase in volume of requests from a huge number of unique IP addresses of *.googleusercontent.com
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/14f0c3d11fda44d238ac4408
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix suspicion expressed by DigitalMan in IRC

Actually ensure the byte range starts with "bytes=".
If anyone defines something other than bytes in the future, this
will correctly give them an error instead of parsing everything after
the sixth byte as a byte range.

Also, fixes parsing of end-anchored ranges (ie: -100 and 100-)
and the special case of 0-0 (should send one byte)
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/80e8cdc85ac76f4763d04b15
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Don't log an error if failed to sent error 429

Who cares if we fail to send the error to the client? No one cares, that's who cares. No one. No one cares. </trump>
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: src/sbbs3/websrvr.c
By: Rob Swindell (on Debian Linux) to Git commit to main/sbbs/master on Wed Jun 11 2025 05:17 pm

Who cares if we fail to send the error to the client? No one cares, that's who cares. No one. No one cares. </trump>

dont try to be funny. it doesn't work for you.
---
þ Synchronet þ ::: BBSES.info - free BBS services :::

https://gitlab.synchro.net/main/sbbs/-/commit/2c63bdb3fb7578360a3350f9
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Improve logging around SSJS-generated error page/sending

Reduce severity (to DEBUG) of "Using SSJS error page" message
Include protocol and IP address and error code in each message.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2588c5cf72d9fe4a9e825f0e
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Increment local "served" count upon termination and include highwater mark

... in "Session thread terminated" log message

The "served" value logged wasn't monotonically incrementing since it was incremented before session threads were created/released, making the log message out of sync with reality.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/83c0999b76ef8ce0c77513a4
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Fix issue #942

Session is initialized to HTTP/0.9 (which doesn't send headers) and
the HEAD method (which doesn't send a body). This was caught in
writebuf(), which returned 0 due to the body not being sent, which
caused the error to be logged.

Set the values to HTTP/1.0 and GET so we can call send_error()
before we read a request line and actually send an error.

Additionally, add a LOG_INFO to writebuf() when it returns 0 due
to body being disabled to make this kind of thing easier to find
in the future.

Finally, don't attempt to send an error body if send_headers()
fails or if we should not send a body.

This would also allow us to send a 408 if we wanted to, but I've
never been convinced that's useful.
---
ï¿­ Synchronet ï¿­ Vertrauen ï¿­ Home of Synchronet ï¿­ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/76acaac000c1bba5e025f115
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Output the User-Agent header value as a info-level log message

Useful for tracking (some/most) bots
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2d4af7be9e8a92ebbbc4242b
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Reduce contention on protected-int thread_count

We can capture the new value upon atomic-decrement, use it
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/4090d823bba9fa4630bd79c2
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Solve the active_clients exceeds configured max_clients issue

e.g. with [Web] max_clients configured for 200, the following could occur: sbbs: web 0522 HTTP [34.45.142.114] Session thread terminated (220 clients, 378 threads remain, 128627 served)

The issue was that the active_client count is incremented in the http_session_thread(), but was being checked in the main web server/listening thread.

So now we'll check in both threads, but allow more HTTPS/TLS client threads
(10 more) than the configured max, to allow for successfull sending of error 503 (up to a point), while HTTP (non-TLS) connections exceeding the configured max will be immediately dropped without creating a session thread.

We now no longer increment the client highwater mark for connections that exceed the maximum.

Also fix send_error() to not log the Connection: close\r\nContent-Length: 0\r\n portion of 503 errors.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/1f480068adc0ac59c5b4e663
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Apply max connections per IP limit to filter-exempted IPs

This exemption could (did) cause confusing "works for me" situations when testing max concurrent connections settings that may fail for others.

So, just because an IP address is listed in ctrl/ipfilter_exempt.cfg, no
longer means that clients at that IP are exempt from concurrent connection limits (from a single IP address).
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/c0c3dbdf76d91f155a9371ca
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Revert "Apply max connections per IP limit to filter-exempted IPs"

This reverts commit 1f480068adc0ac59c5b4e6634dc827c52721a7da.

The other servers exempt ipfilter_exempt.cfg listed hosts still and it looks like I really need gitlab to be exempt from the concurrent connections limit for (all my) webhooks to work reliably since they run in parallel and I can't seem to configure that behavior in gitlab.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a43ca30ea674ac77ca98d74e
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Pad "HTTP" to 5 chars for protocol field in log messages

... aligning display for easier reading with non-proportional fonts.

Includes the client's protocol and IP address in JS log messages/errors.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2444d7baeedd80af330377b6
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add protocol and IP address to more log messages (mostly JS-related)

error and debug-level messsages mostly
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/b1fc88d375c0a3ba9065162a
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Add protocol and IP address to more log messages
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/917f4933bd70546570101c75
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Log proper errno value upon lseek() failure

On Windows, SOCKET_ERRNO and errno are different things.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6eed77574f0f016317b68f68
Modified Files:
src/sbbs3/websrvr.c
Log Message:
Immediately remove client IP from connections list upon session termination

... don't wait for all the other logout/off/notification stuff to complete first. These waits before removing the client IP from the connected client
list were causing error 429 responses from the server even though the browser (i.e. Chrome) was actually opening just 6 connections at a time to the server:

!Maximum concurrent connections (10) exceeded
!ERROR: 429 Too Many Requests (line 6979) request:

The first group of 6 client sessions from the browser had actually completed, but the session threads hadn't fully terminated yet. So now, it is possible to have a high(er) number of session threads than before, but web pages will render more reliably (without having to increase the max connections per
client setting).

The test to reproduce this issue was to just to go to www.synchro.net with a fresh browser (nothing cached) or hit Ctrl-Refresh to fully reload the page, and the result was a lot of absent/broken page elements.
---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net