uhttpd, branch master

auth: replace strcmp with constant-time password comparison

2026-05-15T00:54:17Z

strcmp short-circuits on the first differing byte, leaking password match progress via measurable response time differences. Add uh_pass_compare() which XORs all bytes unconditionally and only returns true when both length and content match, preventing a timing-based password oracle attack. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Hauke Mehrtens

auth: do not accept stored crypt hash as plaintext password

2026-05-15T00:29:10Z

uh_auth_check first compared the supplied password to the stored credential with strcmp() and only fell through to crypt() on mismatch. The strcmp branch is meant to support plaintext credentials in /etc/httpd.conf, but it also matched when the stored credential is a crypt hash and the request supplies that exact hash as the password. When the password line uses the '$p$' indirection, realm->pass is populated from /etc/shadow or /etc/passwd. Anyone who manages to read the hash (a backup, an unrelated disclosure bug, an offline copy) can therefore authenticate by sending the hash itself, bypassing the need to recover the underlying password. Skip the plaintext compare when realm->pass starts with '$', which is the marker for every modular crypt(3) format (md5crypt, sha256, sha512, bcrypt, yescrypt, ...). Plaintext credentials configured via httpd.conf still work; stored hashes are only honored through crypt(). Co-Authored-By: Claude Opus 4.7 (1M context) Signed-off-by: Hauke Mehrtens

client: parse chunked transfer chunk size safely

2026-05-15T00:29:10Z

The chunk-size hex field is parsed into content_length (int). The previous strtoul could wrap negative-looking inputs into huge positive values; switching to strtol exposes negatives but leaves the 64-bit INT_MAX overflow window open, where a long value above INT_MAX truncates implementation-defined when narrowed. Parse into a long, check errno for strtol overflow, and reject any chunk size above INT_MAX. On malformed or out-of-range input the chunked transfer state is torn down as before. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Hauke Mehrtens

client: parse Content-Length safely

2026-05-15T00:29:10Z

content_length is declared int but the previous strtoul cast silently wrapped negative inputs into huge positive values, making the < 0 guard unreachable. Switching to strtol exposes negatives, but on 64-bit platforms a value above INT_MAX still passes strtol's own range check and truncates implementation-defined when narrowed to int. Parse into a long, check errno for strtol overflow, and reject any value above INT_MAX or below zero before assigning. The error path returns 400 Bad Request as before. Pull in errno.h and limits.h for the new checks. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Hauke Mehrtens

main: fix daemonization stdio redirection and fd leak

2026-05-15T00:29:10Z

Two bugs in the daemon child setup: 1. The condition `cur_fd > 0` fails to redirect stdin/stdout/stderr when open("/dev/null") returns fd 0 (possible if stdin was already closed before daemonising). Change to `cur_fd >= 0` to handle that case correctly. 2. After the three dup2() calls the original file descriptor `cur_fd` is never closed. If open() returned a descriptor number greater than 2 (the common case), that descriptor is leaked into the server process for its entire lifetime. Add `close(cur_fd)` when `cur_fd > 2` to release it. 3. Change the open() flags from O_WRONLY to O_RDWR so that fd 0 (stdin) is also opened in a readable state, matching normal daemon practice. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Hauke Mehrtens

utils: fix off-by-one out-of-bounds read in uh_b64decode

2026-05-15T00:29:10Z

The loop condition used `i <= slen`, which causes `str[slen]` to be read after processing all `slen` bytes. This is one byte past the end of the declared input length and constitutes an out-of-bounds read for any caller that passes a non-null-terminated buffer. The existing call site in auth.c happens to pass a null-terminated C string, so `str[slen]` equals '\0' and the loop terminates naturally without memory corruption in practice. However the function signature advertises only `slen` bytes of valid input, so the read is still incorrect. Fix by changing the condition to `i < slen`. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Hauke Mehrtens

utils: remove unreachable return statement in uh_addr_rfc1918

2026-05-15T00:29:10Z

The function already returns the result of the range-check expression on the preceding line. The `return 0;` statement that follows is dead code and will never be executed. Remove it to eliminate the compiler warning and avoid misleading readers. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Hauke Mehrtens

file: bail out of file_write_cb on read error

2026-05-15T00:29:10Z

The static-file delivery loop in file_write_cb only handled the EINTR branch of a failed read(); other failure modes (EIO on a backing storage error, EBADF on an unexpectedly-closed fd, etc.) fell through with r < 0 and reached uh_chunk_write(cl, uh_buf, r), which forwards the negative length to ustream_write() where it is interpreted as an unsigned size. The result is a chunked transfer of arbitrary memory adjacent to uh_buf to the client. On any non-EINTR read error, terminate the request like we already do for EOF instead of writing past the buffer. Co-Authored-By: Claude Opus 4.7 (1M context) Signed-off-by: Hauke Mehrtens

utils: fix one-byte overflow in uh_urldecode

2026-05-15T00:29:10Z

The output buffer was filled up to blen bytes without writing a trailing NUL, leaving every caller to either append one or rely on a happenstance zero byte. The documented contract said "not null-terminated" but every in-tree caller used the result as a C string, making the missing NUL a latent bug. Reserve one byte at the tail, write the NUL, and update the contract in the comment. Reject blen <= 0 as overflow. Adjust the -d option's caller to pass the actual buffer size (strlen + 1) rather than strlen -- the buffer was always sized for the NUL, only the blen argument was off-by-one. Without this the -d handler would reject every plain-ASCII input as "invalid encoding" after the contract change. Also cast ctype arguments to unsigned char to avoid undefined behavior on signed-char platforms. Co-Authored-By: Claude Opus 4.7 (1M context) Signed-off-by: Hauke Mehrtens

file: distinguish parse failure from epoch in date precondition checks

2026-05-15T00:29:10Z

uh_file_date2unix returned 0 on strptime() failure, which the callers could not distinguish from a successfully parsed 1970-01-01 00:00:00 UTC. Two of those callers misbehave: * uh_file_if_modified_since compared the parsed value against st_mtime with '>='. For files whose mtime sits at the Unix epoch (some tmpfs / squashfs entries on OpenWrt initramfs), any malformed If-Modified-Since header satisfied 0 >= 0 and a 304 with no body was returned, breaking content delivery. * uh_file_if_unmodified_since compared with '<='. A malformed If-Unmodified-Since header always satisfies 0 <= st_mtime (for any real file with mtime > 0), so the precondition fired and every request received a 412 Precondition Failed. Return (time_t)-1 from uh_file_date2unix on parse failure, and ignore the precondition (treat the header as if absent) in the two callers when that sentinel is returned. Co-Authored-By: Claude Opus 4.7 (1M context) Signed-off-by: Hauke Mehrtens