Kevin Worthington | 1 Feb 23:45 2010

To Lighttpd for Windows Users

Hello Lighttpd for Windows Users, (apologies to all others for
"crashing" the list)

If you have a minute, please take a look at this post:

I'm just trying to get some feedback regarding Lighttpd for Windows.

Thanks very much!

Kindest regards,
Kevin Worthington

Stefan Bühler | 2 Feb 00:32 2010

slow request dos/oom attack [CVE-2010-0295]
Li Ming reported a serious bug in lighttpd:

If you send the request data very slow (e.g. sleep 0.01 after each byte), 
lighttpd will easily use all available memory and die (especially for parallel 
requests), allowing a DoS within minutes.

The problem is that it doesn't append to the previous buffer but allocates a new 
buffer for each read; this means that for every received block (which could be 
only one byte) lighttpd may use either 4k or 16k.

In lighttpd 1.4.x this problem is not too bad, as the allocated buffer is just 
as big as the content available to be read (if the system supports FIONREAD); 
but even with ssl (or if the system doesn't support FIONREAD), lighttpd 1.4.x 
will allocate 4k or 16k buffers for each read.

Lighttpd 1.5 (our old development branch) always allocates 16k buffers for a 

Our solution is to append to the previous buffer if it is still in the raw-in 
queue (while waiting for a request header), and to pack the buffers if they 
get moved to the next queue (for the request body).

In order to append to the previous buffer in lighttpd 1.4.x we ignored a 
SSL_read requirement: we don't pass the same buffer in the next call after 
SSL_ERROR_WANT_*; there is no good reason for this, and it has worked in 1.5 
for a long time now.

Please note that lighttpd 1.x always trusts the backend: it will always try to 
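
To make the memory argument in the advisory concrete, here is an added illustration; it is not lighttpd's code, and the `chunk`/`chunkqueue` names, the 16k `READ_BUF_SIZE` and the `trickle()` driver are my own constructed simplification of the behaviour described above. It puts the vulnerable pattern (a fresh full-size buffer for every read) beside the fix (append to the last buffer while it has room, and pack the buffers when they move to the next queue), and drives both with a simulated client that delivers one byte per read:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the allocation pattern in the advisory;
 * the names below are mine, not lighttpd's internal API. */

#define READ_BUF_SIZE 16384u   /* the 16k per-read buffer the advisory mentions */

typedef struct chunk {
    char *mem;
    size_t used;          /* bytes of payload in this chunk */
    size_t size;          /* bytes allocated for this chunk */
    struct chunk *next;
} chunk;

typedef struct {
    chunk *first, *last;
    size_t allocated;     /* sum of chunk->size: buffer memory held for one connection */
    size_t nchunks;
} chunkqueue;

static void cq_init(chunkqueue *cq) { memset(cq, 0, sizeof *cq); }

static chunk *cq_new_chunk(chunkqueue *cq, size_t size) {
    chunk *c = calloc(1, sizeof *c);
    if (!c || !(c->mem = malloc(size))) { perror("alloc"); exit(1); }
    c->size = size;
    if (cq->last) cq->last->next = c; else cq->first = c;
    cq->last = c;
    cq->allocated += size;
    cq->nchunks++;
    return c;
}

/* Vulnerable pattern: every read lands in a fresh full-size buffer, so a
 * client trickling one byte per read costs the server 16k per byte. */
static void cq_store_fresh(chunkqueue *cq, const char *data, size_t len) {
    chunk *c = cq_new_chunk(cq, READ_BUF_SIZE);
    memcpy(c->mem, data, len);
    c->used = len;
}

/* Fixed pattern: append into the last chunk while it has room and only
 * allocate a new one once it is full. Memory is now bounded by bytes received. */
static void cq_store_append(chunkqueue *cq, const char *data, size_t len) {
    while (len > 0) {
        chunk *c = cq->last;
        if (!c || c->used == c->size) c = cq_new_chunk(cq, READ_BUF_SIZE);
        size_t n = c->size - c->used;
        if (n > len) n = len;
        memcpy(c->mem + c->used, data, n);
        c->used += n; data += n; len -= n;
    }
}

static void cq_free(chunkqueue *cq) {
    for (chunk *c = cq->first, *n; c; c = n) { n = c->next; free(c->mem); free(c); }
    cq_init(cq);
}

/* "Packing": rebuild a sparse queue into full chunks, as when buffers are
 * moved from the raw-in queue to the request-body queue. */
static void cq_pack(chunkqueue *cq) {
    chunkqueue packed; cq_init(&packed);
    for (chunk *c = cq->first; c; c = c->next) cq_store_append(&packed, c->mem, c->used);
    cq_free(cq);
    *cq = packed;
}

/* Simulate a client sending `total` bytes one byte per read. Returns the buffer
 * memory held afterwards; *chunks_out (may be NULL) receives the chunk count. */
static size_t trickle(size_t total, int append, int pack, size_t *chunks_out) {
    chunkqueue cq; cq_init(&cq);
    for (size_t i = 0; i < total; i++) {
        char byte = (char)('A' + i % 26);
        if (append) cq_store_append(&cq, &byte, 1); else cq_store_fresh(&cq, &byte, 1);
    }
    if (pack) cq_pack(&cq);
    size_t used = 0;                       /* sanity check: no payload lost */
    for (chunk *c = cq.first; c; c = c->next) used += c->used;
    if (used != total) { fputs("payload lost\n", stderr); exit(1); }
    size_t held = cq.allocated;
    if (chunks_out) *chunks_out = cq.nchunks;
    cq_free(&cq);
    return held;
}

int main(void) {
    size_t n, held;
    held = trickle(1000, 0, 0, &n);
    printf("fresh buffer per read : %zu bytes held in %zu chunks for 1000 bytes\n", held, n);
    held = trickle(1000, 1, 0, &n);
    printf("append to last buffer : %zu bytes held in %zu chunks for 1000 bytes\n", held, n);
    held = trickle(1000, 0, 1, &n);
    printf("fresh, then packed    : %zu bytes held in %zu chunks for 1000 bytes\n", held, n);
    return 0;
}
```

With 1000 trickled bytes the fresh-buffer variant holds 1000 chunks of 16k (about 16 MB for a single connection, which is what makes parallel slow requests exhaust memory), while the appending variant holds a single 16k chunk and packing a sparse queue collapses it to the same one chunk.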

Kelly Jones | 1 Feb 23:37 2010

Accessing entire raw HTTP request in Perl, PHP, Ruby (irb), etc

How does lighttpd pass the entire raw HTTP request to Perl/PHP/Ruby/etc?

In other words, what Perl/PHP/Ruby (environment?) variable holds the
string that shows *exactly* what my browser sent the server, including
POST data and multipart form data (for file uploads)?

I want to do something like only more so.


We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.