 @@ -1,25 +1,28 @@
-$NetBSD: CHANGES,v 1.19.2.1.2.4 2018/11/24 17:23:47 martin Exp $
+$NetBSD: CHANGES,v 1.19.2.1.2.5 2018/11/28 19:57:50 martin Exp $
 changes in bozohttpd 20181125:
 	o  fixes for option parsing introduced in bozohttpd 20181123
 changes in bozohttpd 20181121:
 	o  add url remap support via .bzremap file, from martin@netbsd.org
 	o  handle redirections for any protocol, not just http:
 	o  fix a denial of service attack against header contents, which
 	   is now bounded at 16KiB.  reported by JP
 	o  reduce default timeouts, and add expand timeouts to handle the
 	   initial line, each header, and the total time spent
 	o  add -T option to expose new timeout settings
 	o  minor RFC fixes related to timeout handling
-	o  fix special file (.htpasswd, .bz*) bypass.  reported by JP.
+	o  fix special file (.htpasswd, .bz*) bypass.  reported by JP
 changes in bozohttpd 20170201:
 	o  fix an infinite loop in cgi processing
 	o  fixes and clean up for the testsuite
 	o  no longer sends encoding header for compressed formats
 changes in bozohttpd 20160517:
 	o  add a bozo_get_version() function which returns the version number
 changes in bozohttpd 20160415:
 	o  add search-word support for CGI
 	o  fix a security issue in CGI suffix handler support which would
 	   allow remote code execution, from shm@netbsd.org
 @@ -84,27 +87,27 @@ changes in bozohttpd 20100920:
 	o  fix dynamic CGI content maps, from rudolf
 changes in bozohttpd 20100617:
 	o  fix some compile issues
 	o  fix SSL mode.  from rtr
 	o  fix some cgi-bin issues, as seen with cvsweb
 	o  disable multi-file daemon mode for now, it breaks
 	o  return 404's instead of 403's when chdir of ~user dirs fail
 	o  remove "noreturn" attribute from bozo_http_error() that was
 	   causing incorrect runtime behaviour
 changes in bozohttpd 20100509:
 	o  major rework and clean up of internal interfaces.  move the main
-	   program into main.c, the remaining parts are useable as library.
+	   program into main.c, the remaining parts are useable as library
 	   add bindings for lua.  by Alistair G. Crooks <agc@netbsd.org>
 	o  fix http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566325
 changes in bozohttpd 20090522:
 	o  avoid dying in daemon mode for some uncommon, but recoverable, errors
 	o  close leaking file descriptors for CGI and daemon mode
 	o  handle poll errors properly
 	o  don't try to handle more than one request per process yet
 	o  add subdirs for build "debug" and "small" versions
 	o  clean up a bad merge / duplicate code
 	o  make mmap() usage portable, fixes linux & ranges: support
 	o  document the -f option
 	o  daemon mode now serves 6 files per child

 @@ -1,14 +1,14 @@
-/*	$NetBSD: bozohttpd.c,v 1.56.2.4.2.4 2018/11/24 17:23:47 martin Exp $	*/
+/*	$NetBSD: bozohttpd.c,v 1.56.2.4.2.5 2018/11/28 19:57:50 martin Exp $	*/
 /*	$eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $	*/
 /*
  * Copyright (c) 1997-2018 Matthew R. Green
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -99,27 +99,27 @@
+ *
  *	- 14.15: content-md5 would be nice.
+ *
  *	- 14.24/14.26/14.27: if-match, if-none-match, if-range.  be
  *	  nice to support this.
+ *
  *	- 14.44: Vary: seems unneeded.  ignore it for now.
  */
 #ifndef INDEX_HTML
 #define INDEX_HTML		"index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE		"bozohttpd/20181124"
+#define SERVER_SOFTWARE		"bozohttpd/20181125"
 #endif
 #ifndef PUBLIC_HTML
 #define PUBLIC_HTML		"public_html"
 #endif
 #ifndef USE_ARG
 #define USE_ARG(x)	/*LINTED*/(void)&(x)
 #endif
 /*
  * And so it begins ..
  */
 @@ -1008,36 +1008,37 @@ bozo_escape_rfc3986(bozohttpd_t *httpd,
 		case '&':
 		case '\'':
 		case '(':
 		case ')':
 		case '*':
 		case '+':
 		case ',':
 		case ';':
 		case '=':
 		case '%':
 		case '"':
 			if (absolute)
 				goto leave_it;
 			/*FALLTHROUGH*/
 		case '\n':
 		case '\r':
 		case ' ':
 		encode_it:
 			snprintf(d, 4, "%%%02X", *s++);
 			d += 3;
 			len += 3;
 			break;
 		leave_it:
 		default:
 		leave_it:
 			*d++ = *s++;
 			len++;
 			break;
+		}
+	}
 	buf[len] = 0;
 	return buf;
+}
 /*
  * do automatic redirection -- if there are query parameters or userdir for
  * the URL we will tack these on to the new (redirected) URL.
 @@ -1467,27 +1468,26 @@ check_bzredirect(bozo_httpreq_t *request
 	} else {
 		*basename++ = '\0';
 		strcpy(path, dir);
+	}
 	if (bozo_check_special_files(request, basename))
 		return -1;
 	debug((httpd, DEBUG_FAT, "check_bzredirect: path %s", path));
 	if ((size_t)snprintf(redir, sizeof(redir), "%s/%s", path,
 			     REDIRECT_FILE) >= sizeof(redir)) {
 		return bozo_http_error(httpd, 404, request,
 		    "redirectfile path too long");
 		return -1;
+	}
 	if (lstat(redir, &sb) == 0) {
 		if (!S_ISLNK(sb.st_mode))
 			return 0;
 		absolute = 0;
 	} else {
 		if ((size_t)snprintf(redir, sizeof(redir), "%s/%s", path,
 				     ABSREDIRECT_FILE) >= sizeof(redir)) {
 			bozo_http_error(httpd, 404, request,
 					"redirectfile path too long");
 			return -1;
+		}
 		if (lstat(redir, &sb) < 0 || !S_ISLNK(sb.st_mode))
 @@ -1914,28 +1914,29 @@ bozo_process_request(bozo_httpreq_t *req
  cleanup:
 	close(fd);
  cleanup_nofd:
 	close(STDIN_FILENO);
 	close(STDOUT_FILENO);
 	/*close(STDERR_FILENO);*/
+}
 /* make sure we're not trying to access special files */
 int
 bozo_check_special_files(bozo_httpreq_t *request, const char *name)
+{
 	bozohttpd_t *httpd = request->hr_httpd;
 	size_t i;
-	for (size_t i = 0; specials[i].file; i++)
+	for (i = 0; specials[i].file; i++)
 		if (strcmp(name, specials[i].file) == 0)
 			return bozo_http_error(httpd, 403, request,
 					       specials[i].name);
 	return 0;
+}
 /* generic header printing routine */
 void
 bozo_print_header(bozo_httpreq_t *request,
 		struct stat *sbp, const char *type, const char *encoding)
+{
 	bozohttpd_t *httpd = request->hr_httpd;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: bozohttpd.h,v 1.33.2.2.2.4 2018/11/24 17:23:47 martin Exp $	*/
+/*	$NetBSD: bozohttpd.h,v 1.33.2.2.2.5 2018/11/28 19:57:50 martin Exp $	*/
 /*	$eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $	*/
 /*
  * Copyright (c) 1997-2018 Matthew R. Green
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -397,27 +397,27 @@ bozo_content_map_t *bozo_get_content_map
 void	bozo_add_content_map_mime(bozohttpd_t *, const char *, const char *,
 				  const char *, const char *);
 #define have_dynamic_content				(1)
 #endif
 /* additional cgi-bozo.c */
 #if have_cgibin && have_dynamic_content
 void	bozo_add_content_map_cgi(bozohttpd_t *, const char *, const char *);
 #else
 #define	bozo_add_content_map_cgi(h,s,t)
 #endif
 /* I/O */
-int bozo_printf(bozohttpd_t *, const char *, ...) BOZO_PRINTFLIKE(2, 3);;
+int bozo_printf(bozohttpd_t *, const char *, ...) BOZO_PRINTFLIKE(2, 3);
 ssize_t bozo_read(bozohttpd_t *, int, void *, size_t);
 ssize_t bozo_write(bozohttpd_t *, int, const void *, size_t);
 int bozo_flush(bozohttpd_t *, FILE *);
 /* misc */
 int bozo_init_httpd(bozohttpd_t *);
 int bozo_init_prefs(bozohttpd_t *, bozoprefs_t *);
 int bozo_set_defaults(bozohttpd_t *, bozoprefs_t *);
 int bozo_setup(bozohttpd_t *, bozoprefs_t *, const char *, const char *);
 bozo_httpreq_t *bozo_read_request(bozohttpd_t *);
 void bozo_process_request(bozo_httpreq_t *);
 void bozo_clean_request(bozo_httpreq_t *);
 int bozo_set_timeout(bozohttpd_t *, bozoprefs_t *, const char *, const char *);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: cgi-bozo.c,v 1.25.2.2.2.6 2018/11/24 17:23:47 martin Exp $	*/
+/*	$NetBSD: cgi-bozo.c,v 1.25.2.2.2.7 2018/11/28 19:57:50 martin Exp $	*/
 /*	$eterna: cgi-bozo.c,v 1.40 2011/11/18 09:21:15 mrg Exp $	*/
 /*
  * Copyright (c) 1997-2018 Matthew R. Green
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -224,34 +224,34 @@ parse_search_string(bozo_httpreq_t *requ
 	/* URI MUST not contain any unencoded '=' - RFC3875, section 4.4 */
 	if (strchr(query, '='))
 		return NULL;
 	str = bozostrdup(httpd, request, query);
 	/*
 	 * there's no more arguments than '+' chars in the query string as it's
 	 * the separator
 	 */
 	*args_len = 1;
 	/* count '+' in str */
-	for (s = str; (s = strchr(s, '+')); (*args_len)++)
+	for (s = str; (s = strchr(s, '+')) != NULL; (*args_len)++)
 		s++;
 	args = bozomalloc(httpd, sizeof(*args) * (*args_len + 1));
 	args[0] = str;
 	args[*args_len] = NULL;
-	for (s = str, i = 0; (s = strchr(s, '+'));) {
+	for (s = str, i = 0; (s = strchr(s, '+')) != NULL;) {
 		*s = '\0';
 		s++;
 		args[i++] = s;
+	}
 	/*
 	 * check if search-strings are valid:
+	 *
 	 * RFC3875, section 4.4:
+	 *
 	 * search-string = search-word *( "+" search-word )
 	 * search-word   = 1*schar
 	 * schar		 = unreserved | escaped | xreserved

 @@ -1,14 +1,14 @@
-/*	$NetBSD: main.c,v 1.8.4.3 2018/11/24 17:23:47 martin Exp $	*/
+/*	$NetBSD: main.c,v 1.8.4.4 2018/11/28 19:57:50 martin Exp $	*/
 /*	$eterna: main.c,v 1.6 2011/11/18 09:21:15 mrg Exp $	*/
 /* from: eterna: bozohttpd.c,v 1.159 2009/05/23 02:14:30 mrg Exp 	*/
 /*
  * Copyright (c) 1997-2018 Matthew R. Green
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -326,42 +326,42 @@ main(int argc, char **argv)
 			break;
 		case 'U':
 			bozo_set_pref(&httpd, &prefs, "username", optarg);
 			break;
 		case 'u':
 			if (!have_user)
 				goto no_user_support;
 			bozo_set_pref(&httpd, &prefs, "enable users", "true");
 			break;
 			bozo_set_pref(&httpd, &prefs, "directory indexing",
 				      "true");
 			break;
 		case 'V':
 			bozo_set_pref(&httpd, &prefs, "unknown slash", "true");
 			break;
 		case 'v':
 			bozo_set_pref(&httpd, &prefs, "virtual base", optarg);
 			break;
 		case 'X':
 			if (!have_dirindex)
 				goto no_dirindex_support;
 			bozo_set_pref(&httpd, &prefs, "directory indexing",
 				      "true");
 			break;
 		case 'x':
 			bozo_set_pref(&httpd, &prefs, "index.html", optarg);
 			break;
 		case 'Z':
 			if (!have_ssl)
  no_ssl:
 				bozoerr(&httpd, 1, "ssl support not enabled");
 			/* make sure there's two arguments */
 			if (argc - optind < 1)
 				usage(&httpd, progname);
 			bozo_ssl_set_opts(&httpd, optarg, argv[optind++]);