Debian Bug report logs - #119888
thttpd not forwarding POST content

version graph

Package: thttpd; Maintainer for thttpd is Debian QA Group <packages@qa.debian.org>;

Reported by: "Sebastian Rasmussen" <sebras@hotmail.com>

Date: Fri, 16 Nov 2001 21:33:03 UTC

Severity: normal

Tags: patch

Found in version 2.21b-4

Fixed in version thttpd/2.25b-10

Done: Steve Kemp <skx@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Yotam Rubin <yotam@makif.omer.k12.il>:
Bug#119888; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to "Sebastian Rasmussen" <sebras@hotmail.com>:
New Bug report received and forwarded. Copy sent to Yotam Rubin <yotam@makif.omer.k12.il>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Sebastian Rasmussen" <sebras@hotmail.com>
To: submit@bugs.debian.org
Subject: thttpd not forwarding POST content
Date: Fri, 16 Nov 2001 22:30:59 +0100
Package: thttpd
Version: 2.21b-4

I used thttpd as my webserver software until I discovered that it does not 
forward the content of a HTTP POST header to any CGI programs. If one 
connects to the webserver port and sends exactly the same information as a 
browser would, nothing is sent back. If one presses ENTER afterwards the 
webserver forwards the content to the CGI program and everything works ok 
though. Probably the maintainer used fgets() or some similar "get everything 
on the next line"-type of function instead of a fgetc()-type of function...?

Maybe this can be considered important information also?

host:/usr/doc/thttpd# ldd /usr/sbin/thttpd
       libcrypt.so.1 => /lib/libcrypt.so.1 (0x40018000)
       libc.so.6 => /lib/libc.so.6 (0x40045000)
       /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

/ Sebastian Rasmussen

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp




Information forwarded to debian-bugs-dist@lists.debian.org, cd@debian.org (Chris G. Davis):
Bug#119888; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to Nikita Borisov <nikitab@cs.berkeley.edu>:
Extra info received and forwarded to list. Copy sent to cd@debian.org (Chris G. Davis). Full text and rfc822 format available.

Message #10 received at 119888@bugs.debian.org (full text, mbox):

From: Nikita Borisov <nikitab@cs.berkeley.edu>
To: 119888@bugs.debian.org
Subject: Re: thttpd not forwarding POST content
Date: Fri, 25 Jul 2003 23:59:04 -0700
I believe this was an bug in version 2.21b that was fixed upstream in 
version 2.22.  Is it worth to backport it to stable?  As far as I can 
tell, it's impossible to use the stable version of thttpd to serve any 
POST forms.

- Nikita




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#119888; Package thttpd. (Mon, 14 Dec 2009 20:09:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Xan <dxpublica@telefonica.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 14 Dec 2009 20:09:08 GMT) Full text and rfc822 format available.

Message #15 received at 119888@bugs.debian.org (full text, mbox):

From: Xan <dxpublica@telefonica.net>
To: 119888@bugs.debian.org
Cc: webmaster@mail.acme.com, n142857@gmail.com
Subject: Patch for fix that
Date: Mon, 14 Dec 2009 21:08:39 +0100
In this reference [http://wiki.nginx.org/ThttpdRealIP] is avaliable a 
patch for that thttpd respect the X-forward-for header (originaly posted 
by Daniel Clemente [http://www.danielclemente.com/amarok/ip_real.txt] ). 
I would like you apply this patch. I add now:

--- thttpd-2.25b/libhttpd.c	2003-12-25 20:06:05.000000000 +0100
+++ thttpd-2.25b-patched/libhttpd.c	2005-01-09 00:26:04.867255248 +0100
@@ -2207,6 +2207,12 @@
		if ( strcasecmp( cp, "keep-alive" ) == 0 )
		    hc->keep_alive = 1;
		}
+	    else if ( strncasecmp( buf, "X-Forwarded-For:", 16 ) == 0 )
+		{ // Use real IP if available 
+		cp = &buf[16];
+		cp += strspn( cp, " \t" );
+		inet_aton( cp, &(hc->client_addr.sa_in.sin_addr) );
+	        }
#ifdef LOG_UNKNOWN_HEADERS
	    else if ( strncasecmp( buf, "Accept-Charset:", 15 ) == 0 ||
		      strncasecmp( buf, "Accept-Language:", 16 ) == 0 ||



I CC acme labs software for confirming this bug is _not_ fixed in 
version 2.22 (or any later version) of thttpd (in 
http://acme.com/software/thttpd/#releasenotes it seems it's not) and 
Daniel Clemente for knowing your work is helpful for others ;-) (I hope 
you're not "molesto", Daniel)

Thanks a lot,
Xan.




Added tag(s) patch. Request was from Xan <dxpublica@telefonica.net> to control@bugs.debian.org. (Sun, 27 Dec 2009 18:09:02 GMT) Full text and rfc822 format available.

Reply sent to Steve Kemp <skx@debian.org>:
You have taken responsibility. (Fri, 26 Feb 2010 13:03:06 GMT) Full text and rfc822 format available.

Notification sent to "Sebastian Rasmussen" <sebras@hotmail.com>:
Bug acknowledged by developer. (Fri, 26 Feb 2010 13:03:06 GMT) Full text and rfc822 format available.

Message #22 received at 119888-close@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: 119888-close@bugs.debian.org
Subject: Bug#119888: fixed in thttpd 2.25b-10
Date: Fri, 26 Feb 2010 13:02:09 +0000
Source: thttpd
Source-Version: 2.25b-10

We believe that the bug you reported is fixed in the latest version of
thttpd, which is due to be installed in the Debian FTP archive:

thttpd-util_2.25b-10_amd64.deb
  to main/t/thttpd/thttpd-util_2.25b-10_amd64.deb
thttpd_2.25b-10.diff.gz
  to main/t/thttpd/thttpd_2.25b-10.diff.gz
thttpd_2.25b-10.dsc
  to main/t/thttpd/thttpd_2.25b-10.dsc
thttpd_2.25b-10_amd64.deb
  to main/t/thttpd/thttpd_2.25b-10_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 119888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Kemp <skx@debian.org> (supplier of updated thttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 26 Feb 2010 12:00:21 +0000
Source: thttpd
Binary: thttpd thttpd-util
Architecture: source amd64
Version: 2.25b-10
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Steve Kemp <skx@debian.org>
Description: 
 thttpd     - tiny/turbo/throttling HTTP server
 thttpd-util - tiny/turbo/throttling HTTP server (utilities)
Closes: 119888 142306 504789 557039
Changes: 
 thttpd (2.25b-10) unstable; urgency=low
 .
   * QA upload
   * Updated standards version to 3.8.4.
   * Update our init script to depend upon remote_fs
   * Update our init script to source /etc/defaults/thttpd and fail to
     start if "enabled" is not "yes".
     (Closes: #142306)
   * Added new logwatch rule for fdwatch polls.  (Closes: #504789)
   * Added MIME types for ogv & ogx.  (Closes: #557039)
   * Added support for X-Forwarded-Via header.  (Closes: #119888)
Checksums-Sha1: 
 6ce6caa77a3fd02a5c4af99552b441dae03c385e 1031 thttpd_2.25b-10.dsc
 eeae77c85608502ad695c01c89bcf6ac301ca843 20190 thttpd_2.25b-10.diff.gz
 b5c15345da456de36077278ac8e8b5b3d9de7d2a 65758 thttpd_2.25b-10_amd64.deb
 553cb5e86a639de3449660cf78f8db347cb4a3de 30972 thttpd-util_2.25b-10_amd64.deb
Checksums-Sha256: 
 a0d598a0605b55b306b7093025bb9819558afb0f96093487fd8b3e97884f3017 1031 thttpd_2.25b-10.dsc
 27a031fc38282e1f86f1761814546a12f7e2efd76823c5d35bfbc7f72ed33c50 20190 thttpd_2.25b-10.diff.gz
 e6e50da4a0e22b2924a8fbb70992a72cf244f52f7f067b3d45cea9a6f74a2e52 65758 thttpd_2.25b-10_amd64.deb
 6a0b966e68754e2883db467af135fef8bd955eac67adabede67c703887eaee03 30972 thttpd-util_2.25b-10_amd64.deb
Files: 
 e60c332cf588cc691f5544fdc83e1534 1031 httpd optional thttpd_2.25b-10.dsc
 9b8cb5d52f865eef9bd8df7956e58e4e 20190 httpd optional thttpd_2.25b-10.diff.gz
 474f801d6e4f0216a1589dcdfe00b6fe 65758 httpd optional thttpd_2.25b-10_amd64.deb
 3eab7c7dd9dee955e3ef0c80169f640b 30972 httpd optional thttpd-util_2.25b-10_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuHxAAACgkQwM/Gs81MDZ0NtQCgxZf7uQXp1E0+NuYQ6qI0KSOg
xQIAoOQ08BhAdkwGJADPl1qSSMNrfdAa
=8KTl
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#119888; Package thttpd. (Thu, 11 Mar 2010 20:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Xan <dxpublica@telefonica.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Thu, 11 Mar 2010 20:45:06 GMT) Full text and rfc822 format available.

Message #27 received at 119888@bugs.debian.org (full text, mbox):

From: Xan <dxpublica@telefonica.net>
To: 119888@bugs.debian.org
Subject: Sources....
Date: Thu, 11 Mar 2010 21:42:31 +0100
In official changelog http://www.acme.com/software/thttpd/#releasenotes 
there is no notice about it. Where is the source of this change?

Thanks a lot,
Xan.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#119888; Package thttpd. (Mon, 15 Mar 2010 14:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "era eriksson" <era@iki.fi>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 15 Mar 2010 14:45:03 GMT) Full text and rfc822 format available.

Message #32 received at 119888@bugs.debian.org (full text, mbox):

From: "era eriksson" <era@iki.fi>
To: 119888@bugs.debian.org
Subject: Re: Sources....
Date: Mon, 15 Mar 2010 16:43:09 +0200
On Thu, 11 Mar 2010 21:42:31 +0100, Xan wrote:
> In official changelog http://www.acme.com/software/thttpd/#releasenotes 
> there is no notice about it. Where is the source of this change?

The patch you yourself supplied is included in the Debian source package
as debian/patches/10-x-forwarded-for-header.dpatch (with very minor
modifications; and alas, with no description.  It should probably be
fixed to indicate the origins of the patch and a pointer to this bug).

It is unclear to me how this is supposed to fix the problem which this
bug report was originally about, though.  How does this help POST
content get through?  (Please be gentle; I might be ignorant of
something obvious.)

The Changelog says "X-Forwarded-Via" while the patch has
"X-Forwarded-For:" -- I presume the latter is correct, also as per
http://en.wikipedia.org/wiki/X-Forwarded-For, and that the Changelog
should be corrected.  But again, it seems doubtful to me how this helps
solve bug #119888 which is about correctly receiving POST content.

(The comment by Nikita Borisov from 2003 alleges that this POST problem
was fixed in 2.22 although there is no explicit mention of this in the
upstream changelog, either.)

/* era */

-- 
If this were a real .signature, it would suck less.  Well, maybe not.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 13 Apr 2010 07:36:39 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 18:55:53 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.