• src/sbbs3/websrvr.c

    From rswindell@VERT to CVS commit on Monday, September 02, 2019 18:19:01
    src/sbbs3 websrvr.c 1.698 1.699
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv18232

    Modified Files:
    websrvr.c
    Log Message:
    Alterego reported a scenario where the web server's cleanup() would wait forever for 1 child thread (presumably the http_logging_thread) to terminate:

    8/27 02:39:43p Waiting for HTTP logging thread to terminate...
    8/27 02:39:43p HTTP logging thread started
    8/27 02:39:43p HTTP logging thread received NULL linked list log entry
    8/27 02:40:44p !TIMEOUT waiting for HTTP logging thread to terminate
    8/27 02:40:44p Done waiting for HTTP logging thread to terminate
    8/27 02:40:44p 0000 Waiting for 1 child threads to terminate

    <infinite wait loop here>

    - Add an extra terminate_http_logging_thread check to the top of the loop in
    http_logging_thread().
    - Signal the log_list semaphore in the "Waiting for HTTP logging thread" and
    "Waiting for x child threads" loops.



    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
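The hang in this commit message is a general shutdown-protocol problem: a consumer thread parked waiting for work never observes the request to stop. The following is an added example, not Synchronet code, showing a minimal log-consumer thread with the two-part fix the message describes: the worker re-checks its terminate flag at the top of each loop before blocking, and the shutdown path wakes the worker while waiting for it. It uses a pthread mutex and condition variable rather than the semaphore and linked list in websrvr.c, and every name in it (`log_queue`, `queue_shutdown`, `run_logging_shutdown_demo`) is the example's own.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example queue (not websrvr.c's log_list): a linked list guarded by a mutex,
 * with a condition variable standing in for the semaphore the server signals. */
struct log_entry {
    char text[64];
    struct log_entry *next;
};

struct log_queue {
    pthread_mutex_t lock;
    pthread_cond_t  ready;      /* signalled on new entry and on shutdown */
    struct log_entry *head, *tail;
    bool terminate;             /* shutdown requested; read and written under lock */
    int processed;              /* entries the worker has consumed */
};

static void queue_init(struct log_queue *q)
{
    memset(q, 0, sizeof *q);
    pthread_mutex_init(&q->lock, NULL);
    pthread_cond_init(&q->ready, NULL);
}

static void queue_push(struct log_queue *q, const char *text)
{
    struct log_entry *e = calloc(1, sizeof *e);
    if (e == NULL) return;                    /* drop the entry on allocation failure */
    strncpy(e->text, text, sizeof e->text - 1);
    pthread_mutex_lock(&q->lock);
    if (q->tail) q->tail->next = e; else q->head = e;
    q->tail = e;
    pthread_cond_signal(&q->ready);
    pthread_mutex_unlock(&q->lock);
}

/* The consumer. It drains whatever is queued, then re-checks the terminate
 * flag BEFORE blocking again (the commit's first fix). Because the shutdown
 * path sets the flag under the same lock and signals the condition variable
 * (the second fix), there is no window in which the flag is set but the
 * worker sleeps on forever. */
static void *logging_thread(void *arg)
{
    struct log_queue *q = arg;
    pthread_mutex_lock(&q->lock);
    for (;;) {
        while (q->head != NULL) {
            struct log_entry *e = q->head;
            q->head = e->next;
            if (q->head == NULL) q->tail = NULL;
            q->processed++;                   /* a real server writes e->text to the log file here */
            free(e);
        }
        if (q->terminate)
            break;                            /* checked at the top, not only after a wakeup */
        pthread_cond_wait(&q->ready, &q->lock);   /* releases the lock while blocked */
    }
    pthread_mutex_unlock(&q->lock);
    return NULL;
}

/* Shutdown: set the flag AND wake the worker. Setting the flag alone leaves a
 * worker already blocked in pthread_cond_wait() waiting forever, which is the
 * "Waiting for 1 child threads to terminate" loop in the log above. */
static void queue_shutdown(struct log_queue *q)
{
    pthread_mutex_lock(&q->lock);
    q->terminate = true;
    pthread_cond_broadcast(&q->ready);
    pthread_mutex_unlock(&q->lock);
}

/* Runs the protocol once with three constructed log lines and returns how
 * many the worker consumed. Returning at all shows the join did not hang. */
int run_logging_shutdown_demo(void)
{
    struct log_queue q;
    pthread_t tid;
    queue_init(&q);
    if (pthread_create(&tid, NULL, logging_thread, &q) != 0) return -1;
    queue_push(&q, "GET /index.html 200");
    queue_push(&q, "GET /missing.html 404");
    queue_push(&q, "POST /login.ssjs 302");
    queue_shutdown(&q);
    pthread_join(tid, NULL);
    pthread_cond_destroy(&q.ready);
    pthread_mutex_destroy(&q.lock);
    return q.processed;
}

int main(void)
{
    printf("worker consumed %d entries and terminated\n", run_logging_shutdown_demo());
    return 0;
}
```

The ordering inside `logging_thread` matters: draining first and testing the flag second means nothing queued before the shutdown request is lost, while a worker that was blocked when the flag was set is woken by the broadcast and exits on its next pass. The same reasoning applies to a semaphore: the shutdown side must post it, otherwise a sleeping waiter has no reason to look at the flag.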
  • From rswindell@VERT to CVS commit on Sunday, October 20, 2019 22:32:30
    src/sbbs3 websrvr.c 1.699 1.700
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/home/rswindell/sbbs/src/sbbs3

    Modified Files:
    websrvr.c
    Log Message:
    Fix buffer (stack memory) overflow observed in parse_headers(). This is what brought down [cvs.]synchro.net this weekend. It's hard to believe we still
    have unchecked calls to sprintf() around, but we do.



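The bug class named in this commit, an unchecked `sprintf()` into a fixed-size stack buffer inside header parsing, has a standard remedy: bound every copy by the destination size and check the result. The following is an added example, not the websrvr.c code, showing a header line being split and rebuilt with explicit length checks; `parse_header_line`, `format_header_line` and the 128-byte limit are the example's own choices, and the over-long input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Splits "Name: value\r\n" into separately bounded name and value buffers.
 * Returns 1 on success, 0 when the line is malformed or a field would not fit.
 * Nothing here depends on the request being well-behaved. */
int parse_header_line(const char *line, char *name, size_t namesz,
                      char *value, size_t valuesz)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)
        return 0;
    size_t namelen = (size_t)(colon - line);
    if (namelen >= namesz)                   /* must leave room for the NUL */
        return 0;
    memcpy(name, line, namelen);
    name[namelen] = '\0';

    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')          /* skip leading whitespace */
        v++;
    size_t valuelen = strlen(v);
    while (valuelen > 0 && isspace((unsigned char)v[valuelen - 1]))
        valuelen--;                          /* trim trailing CR/LF/space */
    if (valuelen >= valuesz)
        return 0;
    memcpy(value, v, valuelen);
    value[valuelen] = '\0';
    return 1;
}

/* Rebuilds "Name: value" into dst. The unsafe shape is
 *     sprintf(dst, "%s: %s", name, value);
 * which writes as many bytes as the request dictates. snprintf() stops at
 * dstsz and returns the length the full string would have had, so a result
 * that did not fit is detected and rejected. Returns the length written, or
 * -1 on overflow, in which case dst is emptied rather than left half-written. */
int format_header_line(char *dst, size_t dstsz, const char *name, const char *value)
{
    int n = snprintf(dst, dstsz, "%s: %s", name, value);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed hostile input: a header whose value is far longer than the
 * 64-byte destination. Returns 1 when the bounded parser refuses it. */
int overlong_value_is_rejected(void)
{
    char line[600];
    char name[32], value[64];
    memset(line, 'A', sizeof line);
    memcpy(line, "X-Long: ", 8);
    line[sizeof line - 1] = '\0';
    return parse_header_line(line, name, sizeof name, value, sizeof value) == 0;
}

int main(void)
{
    char name[32], value[64], out[128];
    if (parse_header_line("Host: example.invalid\r\n", name, sizeof name, value, sizeof value))
        printf("name=%s value=%s -> %d bytes: %s\n", name, value,
               format_header_line(out, sizeof out, name, value), out);
    printf("over-long value rejected: %s\n", overlong_value_is_rejected() ? "yes" : "no");
    return 0;
}
```

Rejecting an over-long field, rather than silently truncating it, is deliberate: a truncated header value can change the meaning of the request (a shortened Host or Content-Length is worse than a 400), and the return-value check is what makes `snprintf()` safe; calling it without looking at the result only trades an overflow for silent truncation.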
  • From deuce@VERT to CVS commit on Friday, January 03, 2020 11:35:42
    src/sbbs3 websrvr.c 1.700 1.701
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23416

    Modified Files:
    websrvr.c
    Log Message:
    Allow redirects from non-existent URLs.
    This allows redirect targets from paths that don't exist. Required to implement hard-coded API endpoints via ssjs.




  • From deuce@VERT to CVS commit on Thursday, January 23, 2020 08:27:47
    src/sbbs3 websrvr.c 1.701 1.702
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv16639

    Modified Files:
    websrvr.c
    Log Message:
    While we're making ssllabs happy, disable TLS 1.0 and 1.1 in the web server only (you can still use them from JS etc).




  • From deuce@VERT to CVS commit on Friday, January 24, 2020 09:38:37
    src/sbbs3 websrvr.c 1.702 1.703
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv13539

    Modified Files:
    websrvr.c
    Log Message:
    Comment out TLS 1.2 minver. Too many existing things don't support 1.2.

    We don't need PCI DSS compliance I hope, we just want people doing things.




  • From Tracker1@VERT/TRN to deuce on Sunday, January 26, 2020 07:10:02
    Re: src/sbbs3/websrvr.c
    By: deuce to CVS commit on Thu Jan 23 2020 09:27:47

    For what it's worth, we've been using the following list of ciphers where I work... seems to have decent security/compatibility currently.

    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-CHACHA20-POLY1305
    ECDHE-RSA-CHACHA20-POLY1305
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES256-GCM-SHA384

    --
    Michael J. Ryan
    +o roughneckbbs.com
    bbs@tracker1.dev

    ---
    þ Synchronet þ Roughneck BBS - coming back 2/2/20
  • From rswindell@VERT to CVS commit on Thursday, March 05, 2020 11:22:46
    src/sbbs3 websrvr.c 1.703 1.704
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/home/rswindell/sbbs/src/sbbs3

    Modified Files:
    websrvr.c
    Log Message:
    Fix NULL pointer dereference in CGI handling:
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0 0x00007fb3be8ce071 in do_cgi_stuff (session=0x7fb2fbfaac40, cgi=0x7fb2fbfaa850, orig_keep=1) at websrvr.c:4376
    4376 SKIP_WHITESPACE(value);




  • From deuce@VERT to CVS commit on Tuesday, March 10, 2020 17:07:32
    src/sbbs3 websrvr.c 1.705 1.706
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv12695

    Modified Files:
    websrvr.c
    Log Message:
    Since lprintf() sends to stdout in sbbscon foreground mode, we must call
    it before redirecting stdout to the pipe.

    Likely fixes CGI errors seen by alterego (and has been broken for almost fifteen years).




  • From deuce@VERT to CVS commit on Tuesday, March 10, 2020 17:51:06
    src/sbbs3 websrvr.c 1.706 1.707
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv19117

    Modified Files:
    websrvr.c
    Log Message:
    Move lprintf() out of fork() child... it uses a mutex and the state of
    mutexes is undefined in children.




  • From deuce@VERT to CVS commit on Sunday, April 05, 2020 00:04:47
    src/sbbs3 websrvr.c 1.708 1.709
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv2052

    Modified Files:
    websrvr.c
    Log Message:
    Support CGI over TLS on *nix.




  • From deuce@VERT to CVS commit on Sunday, April 05, 2020 02:01:24
    src/sbbs3 websrvr.c 1.709 1.710
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv24259

    Modified Files:
    websrvr.c
    Log Message:
    Don't attempt to read a FastCGI body if the header type is zero.
    Should fix the POST/GET hangs on the wiki once DigitalMan updates.




  • From deuce@VERT to CVS commit on Sunday, April 05, 2020 12:29:09
    src/sbbs3 websrvr.c 1.710 1.711
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv22341

    Modified Files:
    websrvr.c
    Log Message:
    Add some paranoia for handling FCGI_END_REQUEST.

    While the FastCGI read_wait_timeout function should never return
    CGI_*_READY with CGI_PROCESS_TERMINATED, it looks like somehow on some
    systems, there's an additional select() happening after the process is
    done.

    Explicitly track this, and try to prevent it.




  • From deuce@VERT to CVS commit on Sunday, April 05, 2020 13:15:21
    src/sbbs3 websrvr.c 1.711 1.712
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv757

    Modified Files:
    websrvr.c
    Log Message:
    Fix bug in last commit... !



  • From deuce@VERT to CVS commit on Sunday, April 05, 2020 14:12:21
    src/sbbs3 websrvr.c 1.712 1.713
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv4082

    Modified Files:
    websrvr.c
    Log Message:
    Just because there is a Location: header does not mean we should not send
    a body. Broken by HSTS enhancement.

    There's a (small) possibility that the HSTS enhancement is now broken.




  • From rswindell@VERT to CVS commit on Saturday, August 08, 2020 11:04:58
    src/sbbs3 websrvr.c 1.719 1.720
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv17800

    Modified Files:
    websrvr.c
    Log Message:
    The problem: the sysop (me) is not notified of critical errors (e.g. synchro.net zone file problems) in a timely manner.
    Part of the solution: notify a configured user (e.g. user #1) via short-message/telegram and email/netmail logged-errors when messages of a configured severity (e.g. "Critical") are logged.
    The second part of the solution (coming next) will be allowing timed events to log a message of a configurable severity logged when the event fails (returns a non-zero error level to sbbs).

    I'm saving the error-notification-user-number and log-severity as part of the node.cnf file because:
    - that's where the validation user number is already set
    - I can conceive of a large system where certain node ranges (different instances of sbbs) might want different operators to be notified of logged-errors

    This also means I eliminated all the legacy com port/modem stuff from the end of the node.cnf file. None of that is used in sbbs v3.

    Also included in this commit are improvements around logging:
    - reduce the severity of UDP recvfrom failures in services
    - a more detailed log message when the mail server successfully delivers an email (via SMTP) - easier to answer the question: was that email you/they sent delivered successfully?


  • From Rob Swindell@VERT to Git commit to sbbs/master on Monday, October 12, 2020 10:31:22
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/c9db48cec8efd56f8291443d
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Fix requests to the webserver using an IPv6 address (http://[1234:1234::]). The host portion contains ":" after split_port_part(), resulting in a 400 error.
    Renaming is_legal_hostname() to is_legal_host(), since requests to webservers are to
    "hosts" not "hostnames".

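The failure this commit fixes is an ordering problem: once the port has been split off, an IPv6 literal still contains ":" and a hostname-only legality check rejects it. The following is an added example, not Synchronet's split_port_part() or is_legal_host(), showing one way to parse a Host value so that bracketed IPv6 literals are recognised first and validated by their own rule while an unbracketed "a:b:c" is still refused. The struct and function names are the example's own, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct host_port {
    char host[256];   /* host with any IPv6 brackets removed */
    int  port;        /* -1 when no port was given */
    bool ipv6;        /* host came from a [...] literal */
};

/* Hostname / IPv4 literal: letters, digits, '-' and '.' only. A ':' is never
 * legal here, which is exactly why an IPv6 address must be recognised before
 * this check runs rather than after. */
static bool is_legal_hostname(const char *h)
{
    if (*h == '\0') return false;
    for (const char *p = h; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return false;
    return true;
}

/* Syntactic sanity check for a bracketed IPv6 literal: hex digits, ':' and
 * '.' (for ::ffff:a.b.c.d forms), with a plausible number of colons. For real
 * validation hand the result to inet_pton(AF_INET6, ...). */
static bool is_legal_ipv6_literal(const char *h)
{
    int colons = 0;
    if (*h == '\0') return false;
    for (const char *p = h; *p; p++) {
        if (*p == ':') colons++;
        else if (!isxdigit((unsigned char)*p) && *p != '.') return false;
    }
    return colons >= 2 && colons <= 7;
}

/* Parses "host", "host:port", "[v6]" or "[v6]:port". Returns true only when
 * the host part is legal for its kind and any port is in 1..65535. */
bool split_host_port(const char *in, struct host_port *out)
{
    const char *host_start = in, *host_end, *port_str = NULL;
    memset(out, 0, sizeof *out);
    out->port = -1;

    if (*in == '[') {                             /* bracketed IPv6 literal */
        host_start = in + 1;
        host_end = strchr(host_start, ']');
        if (host_end == NULL) return false;
        if (host_end[1] == ':') port_str = host_end + 2;
        else if (host_end[1] != '\0') return false;
        out->ipv6 = true;
    } else {                                      /* name or IPv4, at most one ':' */
        host_end = strchr(in, ':');
        if (host_end == NULL) host_end = in + strlen(in);
        else port_str = host_end + 1;
    }

    size_t hlen = (size_t)(host_end - host_start);
    if (hlen == 0 || hlen >= sizeof out->host) return false;
    memcpy(out->host, host_start, hlen);
    out->host[hlen] = '\0';

    if (port_str != NULL) {
        char *end;
        if (!isdigit((unsigned char)*port_str)) return false;   /* reject "", "+80", " 80" */
        long p = strtol(port_str, &end, 10);
        if (*end != '\0' || p < 1 || p > 65535) return false;
        out->port = (int)p;
    }
    return out->ipv6 ? is_legal_ipv6_literal(out->host) : is_legal_hostname(out->host);
}

int main(void)
{
    /* Constructed sample Host values, including the one from the commit message. */
    const char *samples[] = { "[1234:1234::]", "[::1]:8080", "example.invalid:443", "1234:1234::", "evil host" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct host_port hp;
        bool ok = split_host_port(samples[i], &hp);
        printf("%-22s -> %s", samples[i], ok ? "accepted" : "400 Bad Request");
        if (ok) printf("  host=%s port=%d ipv6=%d", hp.host, hp.port, hp.ipv6);
        printf("\n");
    }
    return 0;
}
```

Keeping the `ipv6` flag on the parsed result is what lets the legality check stay strict: the colon-bearing form is accepted only when the client wrote it in brackets, so the fix for IPv6 does not loosen validation of ordinary hostnames.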
  • From Rob Swindell@VERT to Git commit to sbbs/master on Monday, October 12, 2020 10:31:22
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/d17a5ce0ba8d80a29f136c9e
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Merge branch 'leenooks/sbbs-master'

  • From Rob Swindell@VERT to Git commit to sbbs/master on Friday, October 16, 2020 19:53:45
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/37a23fea45bbdb3589e7d909
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Fix heap corruption that could occur when HSTS feature is enabled

    At least on Windows, when realloc() is used to allocate a new buffer,
    guess what's in that buffer initially? undefined values. So you can't
    strcat() onto the end of that! Ouch. This was a fun one to track down.

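The heap corruption described here comes from `strcat()` needing to locate the end of the existing string, which a freshly `realloc()`'d buffer does not have. The following is an added example, not the websrvr.c code, of an append routine that tracks the string length itself and therefore never depends on the contents of newly allocated memory; `strbuf_append` and `build_hsts_headers` are the example's own names and the header values are constructed samples, not the server's defaults.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable string that tracks its own length. The length is the point: an
 * append never has to ask the buffer where its end is. */
struct strbuf {
    char  *data;   /* NULL until the first append; NUL-terminated afterwards */
    size_t len;    /* bytes in use, excluding the NUL */
    size_t cap;    /* bytes allocated */
};

/* Appends s, growing with realloc() as needed. Returns 0 on success,
 * -1 on allocation failure (the buffer is left unchanged in that case). */
int strbuf_append(struct strbuf *sb, const char *s)
{
    size_t add = strlen(s);
    if (sb->len + add + 1 > sb->cap) {
        size_t ncap = sb->cap ? sb->cap : 32;
        while (ncap < sb->len + add + 1)
            ncap *= 2;
        /* realloc(NULL, n) behaves like malloc(n): the bytes are indeterminate.
         * The bug in the commit was a strcat() onto such a buffer, which first
         * has to *find* a NUL in that indeterminate memory and may run off the
         * end of the allocation before it does. */
        char *p = realloc(sb->data, ncap);
        if (p == NULL)
            return -1;
        sb->data = p;
        sb->cap = ncap;
    }
    memcpy(sb->data + sb->len, s, add);  /* write at the known offset, not wherever strcat finds a NUL */
    sb->len += add;
    sb->data[sb->len] = '\0';
    return 0;
}

void strbuf_free(struct strbuf *sb)
{
    free(sb->data);
    sb->data = NULL;
    sb->len = sb->cap = 0;
}

/* Assembles a constructed HSTS response header block starting from an empty
 * buffer, the situation in which the original strcat() misbehaved. Returns a
 * heap string the caller frees, or NULL on allocation failure. */
char *build_hsts_headers(void)
{
    struct strbuf sb = { NULL, 0, 0 };
    const char *lines[] = {
        "HTTP/1.1 200 OK\r\n",
        "Strict-Transport-Security: max-age=31536000\r\n",   /* sample value, not the server's default */
        "Content-Length: 0\r\n",
        "\r\n",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (strbuf_append(&sb, lines[i]) != 0) {
            strbuf_free(&sb);
            return NULL;
        }
    }
    return sb.data;
}

int main(void)
{
    char *h = build_hsts_headers();
    if (h != NULL) {
        printf("%zu bytes:\n%s", strlen(h), h);
        free(h);
    }
    return 0;
}
```

If the code must keep using `strcat()`, the minimal fix is to write `buf[0] = '\0'` immediately after the first allocation so the scan has a NUL to stop at; the length-tracking form above is preferable because it also removes the O(n) rescan on every append and makes the bounds check explicit.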
  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Monday, November 04, 2024 17:37:33
    https://gitlab.synchro.net/main/sbbs/-/commit/7fb6c7b4d8ec2150eefe55df
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Add missing argument to new error log message upon putuserdat() failure

    Fixes a couple CIDs and a GCC warning

  • From Deuc¿@VERT to Git commit to main/sbbs/master on Saturday, November 30, 2024 19:42:47
    https://gitlab.synchro.net/main/sbbs/-/commit/d98359abefd58e43bb0e3115
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Move max concurrent connections check into http_session_thread()

    We can't send a 4xx error (ie: client did something wrong) in
    plaintext on a TLS connection.

    Untested beyond a basic compile check.

  • From Deuc¿@VERT to Git commit to main/sbbs/master on Saturday, November 30, 2024 19:44:29
    https://gitlab.synchro.net/main/sbbs/-/commit/913092779871fdf4f4fc3e56
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Since this is after client_on() is called now, use > not >=

  • From Rob Swindell (on Debian Linux)@VERT to Git commit to main/sbbs/master on Saturday, November 30, 2024 23:47:11
    https://gitlab.synchro.net/main/sbbs/-/commit/91125d1b721525a9c7720d0c
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Track and report the concurrent connections per client highwater mark

    It's possible now for clients to easily exceed the configured max concurrent connections limit, even though they just get an error 429 page. Let's at least track and log when a new highwater mark is reached.

  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Tuesday, December 10, 2024 16:27:55
    https://gitlab.synchro.net/main/sbbs/-/commit/ce7d83eeda506e5f366fe31d
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Add/use errprintf() to reduce severity of repeated error messages

    Part of solution for issue #619 (for the web server)

  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Saturday, December 14, 2024 13:08:11
    https://gitlab.synchro.net/main/sbbs/-/commit/f2c891789734a9e783a1ac14
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Lower severity of repeated errors in js_ReportError()

    This needed a custom solution (not errprintf) since the filename passed in is likely from dynamically allocated memory, so a pointer comparison isn't enough - and we don't get the function name.

  • From Rob Swindell (on Debian Linux)@VERT to Git commit to main/sbbs/master on Saturday, December 14, 2024 13:09:32
    https://gitlab.synchro.net/main/sbbs/-/commit/bbf9d5eac22ce15077a4599f
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Use errprintf() instead of lprintf() for one more log message

  • From Rob Swindell (on Debian Linux)@VERT to Git commit to main/sbbs/master on Sunday, December 15, 2024 14:51:22
    https://gitlab.synchro.net/main/sbbs/-/commit/a4ac0be63a49cc98f4883bef
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Better NULL ptr checking in js_ErrorReporter, CID 516068

  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Monday, December 16, 2024 18:24:31
    https://gitlab.synchro.net/main/sbbs/-/commit/630b22ada39c50f871597b00
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Whitespace change only

  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Monday, December 30, 2024 14:58:21
    https://gitlab.synchro.net/main/sbbs/-/commit/91b5a37ca1155f71f28c6eda
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Check return value of JS_NewStringCopyZ (for NULL)

    Kind of a shot in the dark here: Max (WESTLINE) is reporting HEAP CORRUPTION debug assertion in websrvr.dll. In the 2 instances reported, a long (336
    char) JSON "query value" was logged by an apparent spam-bot trying to create
    a new user account ("send-me-free-stuff" is one of the JSON properties).

    JS_NewStringCopyZ() can return NULL in a low memory situation, though I don't know if that explains possible heap corruption.

  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Wednesday, January 08, 2025 18:56:14
    https://gitlab.synchro.net/main/sbbs/-/commit/196ad130ca1a7fbecc73807b
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Use errprintf for FastCGI related error log messages

    I received 6853 duplicate FastCGI error emails today (sent in a 2 minute
    time span). I wish I already had this in place. :-(

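Several of the commits above (errprintf() lowering the severity of repeated messages, the custom handling in js_ReportError() because a pointer comparison on a malloc'd filename is not enough, and the 6853 duplicate FastCGI alert emails) are about the same operational need: one fault should raise one alert. The following is an added example, not Synchronet's errprintf(), of a de-duplicating error logger that keys on the formatted text rather than on pointers, so it also handles messages whose file names live in dynamically allocated memory. `dedup_errprintf`, the slot table and the severity enum are the example's own, and the FastCGI sample messages are constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Severity numbers follow syslog so they can be passed straight through. */
enum severity { SEV_ERR = 3, SEV_WARNING = 4, SEV_INFO = 6, SEV_DEBUG = 7 };

#define RECENT_SLOTS 64
#define MSG_MAX      512

struct recent_msg { uint64_t hash; unsigned repeats; };
static struct recent_msg recent_tbl[RECENT_SLOTS];   /* direct-mapped table of recently logged messages */

/* FNV-1a, 64-bit: cheap and good enough for a de-dupe key (not a security hash). */
static uint64_t fnv1a(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Formats the message, decides the effective severity and emits it.
 * The first sighting of a (function, text) pair keeps the caller's severity;
 * a repeat while it is still in the table is demoted to SEV_DEBUG and
 * counted. Returns the severity actually used. */
enum severity dedup_errprintf(enum severity sev, const char *func, const char *fmt, ...)
{
    char msg[MSG_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);            /* bounded formatting */
    va_end(ap);

    /* Hash the formatted text, not the pointer to the format string: two
     * messages with the same template but different values are different
     * errors, and a file name from malloc()'d memory compares fine by content. */
    char key[MSG_MAX + 128];
    snprintf(key, sizeof key, "%s|%s", func, msg);
    uint64_t h = fnv1a(key);
    struct recent_msg *slot = &recent_tbl[h % RECENT_SLOTS];

    enum severity effective = sev;
    if (slot->hash == h) {
        slot->repeats++;
        effective = SEV_DEBUG;                      /* seen before: make it quiet */
    } else {
        slot->hash = h;                             /* new message (or evicting an older one) */
        slot->repeats = 0;
    }
    printf("<%d> %s: %s%s\n", effective, func, msg, slot->repeats ? " (repeat)" : "");
    return effective;
}

void dedup_errprintf_reset(void)
{
    memset(recent_tbl, 0, sizeof recent_tbl);
}

int main(void)
{
    /* Constructed sample: the same FastCGI failure reported three times, then a different one. */
    for (int i = 0; i < 3; i++)
        dedup_errprintf(SEV_ERR, "fastcgi_connect", "FastCGI socket connect to %s failed: %s",
                        "127.0.0.1:9000", "connection refused");
    dedup_errprintf(SEV_ERR, "fastcgi_connect", "FastCGI socket connect to %s failed: %s",
                    "127.0.0.1:9000", "timeout");
    return 0;
}
```

Two design limits worth knowing: the table is direct-mapped, so two distinct messages that land in the same slot evict each other and neither is ever demoted (a larger table or a short expiry timestamp per slot fixes that), and demotion is by content only, so a message whose text embeds a changing value (a timestamp, a counter) is never recognised as a repeat; such values belong in a separate field, not in the message text.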
  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Wednesday, January 08, 2025 19:15:04
    https://gitlab.synchro.net/main/sbbs/-/commit/0afbc6a9ae33dc715e0125bc
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Fix NULL dereference when there are no directory vshortcuts defined

    As reported by Accession in #synchronet at irc.synchro.net

  • From Rob Swindell (on Debian Linux)@VERT to Git commit to main/sbbs/master on Saturday, January 11, 2025 16:14:52
    https://gitlab.synchro.net/main/sbbs/-/commit/3618930a6e23a5f3b5709a71
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Resolve GCC warning enumeration value `PARSED_VPATH_x' not handled in switch

  • From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Sunday, January 12, 2025 12:48:03
    https://gitlab.synchro.net/main/sbbs/-/commit/0c6913fbd626457fb401aae8
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Another use of errprintf() to help de-dupe error logs/alerts
