1.4.53
January 27, 2019
Important changes
TLS-ALPN-01, systemd socket activation, bug fixes
Future scheduled behavior change (Q1 2019)
Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.
Since lighttpd 1.4.50, this URL normalization is available with server.http-parseopts <https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails>. The lighttpd default will become server.http-parseopts = ("url-normalize-unreserved" => "enable", "url-path-2f-decode" => "enable") unless server.http-parseopts is explicitly set in the lighttpd config. Enabling URL normalization by default will provide more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal '/' as a delimiter. For those uses, "url-path-2f-decode" => "disable" will need to be explicitly set in the lighttpd config.
The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:
server.http-parseopts = (
    "header-strict"            => "enable",
    "host-strict"              => "enable",
    "host-normalize"           => "enable",
    "url-normalize"            => "enable",
    "url-normalize-unreserved" => "enable",
    "url-normalize-required"   => "enable",
    "url-ctrls-reject"         => "enable",
    "url-path-2f-decode"       => "enable",
    "url-path-dotseg-remove"   => "enable",
    "url-query-20-plus"        => "enable"
)
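The following added example (not lighttpd's code and not from the release notes) is a simplified Python model of the two options scheduled to become defaults. It shows why a rule matched against the url-encoded request is more consistent after normalization, and how decoding %2F changes path segmentation. The names normalize_path, RULE, rule_matches and segments and the sample paths are constructed for illustration; the unreserved set is taken from RFC 3986.

```python
import re

# RFC 3986 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_path(path, unreserved=True, decode_2f=True):
    """Simplified model (an assumption, not lighttpd's implementation) of
    url-normalize-unreserved and url-path-2f-decode applied to a url-path."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        if unreserved and ch in UNRESERVED:
            return ch            # e.g. %70 -> p
        if decode_2f and ch == "/":
            return "/"           # %2F or %2f -> /
        return m.group(0)        # every other escape is left untouched
    return PCT.sub(repl, path)


# Constructed pattern standing in for a mod_rewrite / mod_redirect rule.
RULE = re.compile(r"^/private/")


def rule_matches(path, **opts):
    """Apply the rule to the path as the server would see it after parsing."""
    return bool(RULE.search(normalize_path(path, **opts)))


def segments(path, **opts):
    """Split the parsed path on the literal '/' delimiter."""
    return normalize_path(path, **opts).strip("/").split("/")


if __name__ == "__main__":
    off = {"unreserved": False, "decode_2f": False}
    # Constructed sample requests: equivalent spellings of one path.
    for raw in ("/private/x", "/%70rivate/x", "/priv%61te/x"):
        print(f"{raw:16} rule without normalization: {rule_matches(raw, **off)!s:5}"
              f" with: {rule_matches(raw)}")
    # The breaking case: an application that carries an encoded '/' in one segment.
    raw = "/files/a%2Fb.txt"
    print(raw, segments(raw, decode_2f=False), segments(raw))
```

Sites whose applications rely on the first segmentation in the last line are the ones that need "url-path-2f-decode" => "disable" set explicitly.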
Downloads
- lighttpd-1.4.53.tar.gz (GPG signature)
  - SHA256: 423b3951f212e3a30511eb86f4662a1848c6e857074289ff23fc310eef520266
- lighttpd-1.4.53.tar.xz (GPG signature)
  - SHA256: 3bdfce1cf3e9650a556a8c26fb15342c5717c63f530c54693db632b0371dcb78
- SHA256 checksums