Michiel Boland | 5 Nov 2012 20:27

mailing list moving to mailman

Hi. Just a short note to indicate that this list is still alive. :)

I will be migrating this list from majordomo to mailman somewhere during this 
month. There will be another message when the migration is complete.

Cheers
Michiel

David J. Weller-Fahy | 13 Sep 2012 04:29

Way to access a particular directory as user?

I've come across a need to access a directory as a particular user, but
without running a CGI script... so...

Is there any way to act as a particular user without executing a CGI
script?  Something like "AccesUser dave" which would allow mathopd to
access the directory and/or index file as the user "dave"?

I'm pretty sure there isn't a way to do this, but wanted to make sure.

Regards,
-- 
dave [ please don't CC me ]

Michiel Boland | 3 Feb 2012 14:03

mathopd 1.5p8 released

Hi. The 1.5p7 release contains yet another embarrassing bug that causes a crash 
when an HTTP/1.0 request without a Host header is made.

There is a new stable and a new beta. If you are running 1.5p7 by any chance 
please upgrade immediately.

Sorry about this. I should have known better than to ship a fix immediately 
without proper testing. :(

Cheers
Michiel

Michiel Boland | 2 Feb 2012 22:24

security alert: directory traversal when using * in Location

Hi. I just released a security update for mathopd. (mathopd 1.5p7)

The problem:

If you use the * construct in your config, as in

  Control {
     Alias /
     Location /var/www/*
   }

then the * will be substituted with the value of the Host header that was 
supplied by the client. However this occurs after path translation, and without 
input verification could lead to directory traversal, exposing files outside of 
/var/www.

If you are still using Mathopd, and use the * feature, you should upgrade as 
soon as possible.

If you do not use the * feature, then you are not at risk. But you may still 
want to upgrade.

Vulnerable versions of the software: all 1.4 versions, and all 1.5 versions 
prior to 1.5p7

Thanks to Mateusz Goik for pointing this out.

Cheers
Michiel

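The traversal described in the advisory comes from substituting an unchecked Host value into a filesystem path after path translation. The following is an added example, not mathopd's code and not the 1.5p7 fix: a check that admits a Host value only if it is a single safe path component, and a helper that builds the per-host root from it. The names host_is_safe() and build_vhost_root(), the 253-character limit and the sample values are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 253   /* assumed limit: a DNS name is at most 253 octets */

/* Returns 1 if host is acceptable as exactly one path component:
 * hostname characters only, no slashes, no "." or ".." labels. */
int host_is_safe(const char *host)
{
    size_t len, i;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN)
        return 0;
    /* A name may not start with '.' or '-' or end with '.', and ".."
     * is refused outright so the value can never climb out of the root. */
    if (host[0] == '.' || host[0] == '-' || host[len - 1] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return 0;
        if (c == '.' && host[i + 1] == '.')
            return 0;
    }
    return 1;
}

/* Builds "<root>/<host>" into out. Returns 0 on success, -1 if the host
 * is rejected or the buffer is too small. */
int build_vhost_root(const char *root, const char *host, char *out, size_t outlen)
{
    int n;

    if (!host_is_safe(host))
        return -1;
    n = snprintf(out, outlen, "%s/%s", root, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample Host values, not captured traffic. */
    const char *hosts[] = { "www.example.com", "../../etc", "a/b", ".." };
    char path[64];
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        if (build_vhost_root("/var/www", hosts[i], path, sizeof path) == 0)
            printf("accept %-16s -> %s\n", hosts[i], path);
        else
            printf("reject %s\n", hosts[i]);
    }
    return 0;
}
```

A Host value carrying a port suffix (host:8080) is rejected here rather than normalized; a server would strip the port before the check. A rejected value should produce a 400 response rather than fall through to some default document root, so that a bad header can never select a path at all.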

carbonated beverage | 14 Dec 2011 06:12

302 redirect patch

Hi all,

I recently had to deal with somewhat brain-dead web crawler -- it didn't
pay attention to 302 return codes and rejected the body when there was no
<html> tag.

Hence, this mini patch to get the 302 return codes to generate an HTML
meta refresh tag, as well as adding html/head/body tags.

-- DN
Daniel
Attachment (20-redirect.patch): text/x-diff, 1100 bytes
Lars Täuber | 14 May 2010 09:40

is mathopd subject to log escape sequence injection vulnerabilities?

Hi again,

I don't know if mathopd isn't tested against this or is not subject to this:

http://packetstormsecurity.org/1001-exploits/log-inject.txt

There are only webservers listed that are vulnerable to this.

What about mathopd?

Lars
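The linked advisory concerns request fields (URI, User-Agent, Referer) that carry terminal control sequences which are replayed when an administrator views the raw log with cat or tail. The following is an added example, not mathopd's code and not a statement about whether mathopd escapes its logs: a field escaper that renders every byte outside printable ASCII as \xHH before the line is written. The name log_escape() and the sample request line are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Writes an escaped copy of src into dst (size dstlen). Bytes outside
 * printable ASCII (0x20..0x7e) become \xHH and backslash is doubled, so
 * the log line is unambiguous and carries no raw control bytes.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * dst is too small. */
int log_escape(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p;
    size_t o = 0;

    for (p = (const unsigned char *)src; *p; p++) {
        if (*p == '\\') {
            if (o + 2 >= dstlen) return -1;
            dst[o++] = '\\'; dst[o++] = '\\';
        } else if (*p >= 0x20 && *p <= 0x7e) {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)*p;
        } else {
            if (o + 4 >= dstlen) return -1;
            dst[o++] = '\\'; dst[o++] = 'x';
            dst[o++] = hex[*p >> 4]; dst[o++] = hex[*p & 0x0f];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed sample: a request path carrying ESC [ 2 J ("clear screen")
 * and a CR/LF pair, the kind of payload the advisory describes. */
const char sample_uri[] = "/index.html\x1b[2J\r\n";

int main(void)
{
    char line[256];

    if (log_escape(sample_uri, line, sizeof line) < 0)
        return 1;
    /* What reaches the log file: no ESC, no CR/LF, one physical line. */
    printf("GET %s HTTP/1.0\n", line);
    return 0;
}
```

Escaping at write time also protects log parsers such as mattoclf, since an injected CR/LF can no longer split one request into two records.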

Lars Täuber | 12 May 2010 14:04

standard error page per virtual host

Hi there!

I'm new to mathopd but I thought it could serve all my wishes.

The question is: Does mathopd support setting standard error pages?

I have a small energy saving webserver that still runs when all other webservers are shut down due to a power
outage. This server is backed up by a UPS.
It will be configured to take over the IP addresses of the shut down webservers and should serve a single
static webpage for each virtual host configuration.

The question is can mathopd redirect all requests to a single html file?

e.g.

http://abc.domain.org/xyz/file.html 
should not generate a 404 error page but reply the standard file:
/srv/www/abc.domain.org/index.html

And so for _all_other_ URLs under abc.domain.org
So it's a kind of universal redirect.

If you don't understand what I mean just ask. English is not my mother tongue.

Best regards
Lars

carbonated beverage | 14 Oct 2009 08:44

mattoclf bug, question on proper fix

Hi all,

Recently, I was wondering why I was getting an odd failure from mattoclf
in my cron mails -- so I went digging.  Apparently, when the parameter $5
(the request's Host:) ends up being '-', gawk will puke -- it translates to:
printf <format> <args>  > -

This can be reproduced in the logs by:
telnet www.example.com 80
GET /index.html HTTP/1.0

mathopd will spit out a 400, and the log will have, with one field per line:
$1: Wed Oct 14 06:38:50 2009
$2: -
$3: 10.0.0.1
$4: 33886
$5: -
$7:GET
$8:/index.html
$9:400
etc.

Updating mattoclf to translate the - to "invalid" fixed it for me.  However,
I don't know what the expected results are for most people using log parsers.

Comments?

-- DN
Daniel


Pedro Serotto | 14 Jul 2009 14:44

mathopd big picture

Hi all,
I'm an old network and system administrator starting to study the C language with great interest in socket, TCP/IP and daemon programming.

I've just read Stevens' Networking API but now I would like to try some real life code.

Does anyone have deeper documentation about the mathopd implementation to help me in my study?

Many thanks

Pedro

Dmitry | 14 May 2009 19:18

How to enable core dumps

Hello,

I need to debug the mathopd process because it segfaults every 2 days. The 
pattern is always the same. Something like "mathopd[24068]: segfault at 
a17b000 ip 005be8ac sp bfd6098c error 4 in libc-2.7.so[54d000+153000]"

I am sure it is not the problem of mathopd itself, but custom patches 
applied to the sources. I can't find the way to enable core dump for 
mathopd. If I run just `./mathopd` and kill it with SIGABRT (on Linux) 
it dumps core. If I run `./mathopd -f /etc/mathopd.cfg` it doesn't. I 
guess it is related to the user_id of running process.

In /etc/mathopd.cfg I have:
User www
StayRoot On

I can't change this because I need to debug real working process. Is 
there any way to enable core dumps without changing my config?

-- 
Dmitry

Keerthana | 6 Mar 2009 04:33

Fix for Mathopd Segmentation fault using SSL Patch

Problem:

When both HTTP and HTTPS support in mathopd is used simultaneously (using multiple server blocks in the mathopd configuration file), mathopd is killed with Segmentation fault.

In this scenario, only the HTTPS connections will contain valid SSL contexts (i.e. a valid openssl_connection pointer in struct connection). Whenever a connection is closed, the openssl_connection pointer is also cleaned up if it is valid (i.e. not NULL). But the openssl_connection pointer is not reinitialized to NULL after freeing the memory. And this connection is returned to the free pool of connections for use in subsequent connections. If this connection structure is subsequently assigned to an HTTP connection, then during connection close, the openssl_connection is again cleaned up since it is not NULL. This causes a segmentation fault.

Fix:

The fix is to initialize the SSL context to NULL on connection close (close_connection function in core.c).

The patch for this fix is as below:

 --- old/mathopd/core.c    2009-03-05 16:38:28.000000000 +0530
+++ new/mathopd/core.c    2009-03-05 16:41:32.000000000 +0530
@@ -196,6 +196,9 @@
 #ifdef USE_SSL_OPENSSL
     if(cn->openssl_connection)
         SSL_free (cn->openssl_connection);
+    // Initialize to NULL to avoid invalid access later
+    // when this connection is used for a HTTP connection
+    cn->openssl_connection = NULL;
 #endif
 
     if (cn->rfd != -1) {
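Review bot: the two comment lines added in this hunk use `//`, which is C99 syntax and will not compile if the tree is built with strict C89 flags; `/* ... */` is the portable form for a C source file like core.c. The assignment `cn->openssl_connection = NULL;` after `SSL_free` does close the double-free path described above; since the structure is recycled through the free pool, the pointer should also be NULL when a connection is first taken from that pool, which this hunk does not show and is worth confirming in the allocation path.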

regards

Keerthana
