CVE-2020-24379: Commits · erlyaws/yaws

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.


Commits on Nov 14, 2022

  1. Regenerate TLS snakeoil cert

    The erlang emulator complains about not having enough security when using the TLS snakeoil (i.e. self-signed) cert shipped. This is because SHA-1 is used as the signing algorithm. Nothing in the TLS standard states that it shouldn’t be allowed, but the erlang emulator doesn’t allow it.

    The TLS snakeoil cert is regenerated using SHA-256 as signing algorithm.

Commits on Sep 23, 2022

Commits on Sep 1, 2022

Commits on Aug 16, 2022

  1. Make all erlang files UTF-8

    All the Erlang versions that are currently supported by yaws default to UTF-8 files. This converts the couple of comments that were encoded in Latin-1 to UTF-8 and removes the coding comments.

Commits on Jun 14, 2022

Commits on Jun 11, 2022

  1. Inline hardcoding of some automake variables for deterministic build

    Putting various automake variables in the examples.mk include file includes the build path. This makes the build non-deterministic.

    Running diffoscope reports that the files www/code/Makefile and www/shoppingcart/Makefile differ between two different installation directories because of this.

    Inline and hardcode these automake variables to enable deterministic builds.

Commits on May 21, 2022

  1. Add support for OTP 25.0

    Yaws supports 3 major OTP versions, so now that OTP 25.0 has been released, change our minimum supported OTP release to 22.0. Fix configure.ac and rebar.config to enforce this. Fix the README files and yaws.tex to document this.

    Add 25.0 to the github workflow matrix. Also add missing point releases for versions 22 and 23.

Commits on Apr 6, 2022

  1. Drop stacktrace polyfill

    Yaws requires OTP 21.3 - the Class:Reason:Stack syntax was introduced in OTP 21, thus the macro filling in for compatibility with older versions is no longer needed and can be removed.

Commits on Mar 16, 2022

  1. Fix README to drop rebar references

    In README.md, drop references to rebar and replace them with rebar3. Also note that rebar3 currently works only with the rebar3-support branch.

  2. Move to python3

    Since python 2.x is no longer supported, and since macOS 12.3 has fully dropped python 2.x, switch uses of python to python3.

Commits on Mar 11, 2022

Commits on Feb 27, 2022

  1. Disable urldecode for JSON-RPC

    None of the popular JSON-RPC clients apply urlencode to the produced JSON request. Consequently, any method parameter that contains a percent symbol will be either decoded to a wrong value or, more often, will cause request handling failure.

    Vladislav Glinsky authored and vinoski committed

    Feb 27, 2022

Commits on Feb 4, 2022

  1. Add a new known dialyzer warning

    Dialyzer complains about the yaws_config not being able to match the atom ‘undefined’ when it calls yaws_generated functions; this is because yaws_generated is generated code, as its name implies, so it handles constants as if they were variables. Ignore this complaint by adding it to known_dialyzer_warnings.

    Also in known_dialyzer_warnings, augment each regular expression to optionally match a column number.

Commits on Jan 31, 2022

  1. Fix handling of SOURCE_DATE_EPOCH

    If no SOURCE_DATE_EPOCH is specified via configure, then it can’t be set as an environment variable in doc/Makefile.am build rules. Change the build rules to check if SOURCE_DATE_EPOCH is non-empty and use it if so, otherwise leave it out of the commands.

    Also fix verbosity for make in doc/Makefile.am. If V=1 is passed on the make command line, echo the build commands, otherwise echo abbreviated commands. Special handling is needed because the “if” commands in the build rules have echo unconditionally disabled via @.

Commits on Jan 24, 2022

  1. Reenable warnings as errors

    The -Werror “warnings as errors” option was disabled some time ago due to the deprecated ssl:cipher_suites/0 function. This was fixed a while ago, so reenable -Werror.

Commits on Jan 23, 2022

  1. Create a deterministic build environment

    Enable reproducible builds with a deterministic build environment.

    * Let configure set +debug_info/+deterministic and SOURCE_DATE_EPOCH

    New options to ./configure:

    --enable-deterministic-build
    --with-source-date-epoch=EPOCH

    The ./configure script also understands the following two environment variables:

    YAWS_DETERMINISTIC_BUILD
    SOURCE_DATE_EPOCH

    Configuring with either the ./configure options or setting the environment variables before running autoconf and configure will enable a deterministic build.

    A deterministic build sets the erlc flag +deterministic instead of +debug_info and also sets the DETERMINISTIC macro.

    When configuring a deterministic build, several scripts and Makefiles are generated with predefined values; notably include.mk and scripts/gen-yaws-generated are now generated by ./configure.

    * If YAWS_DETERMINISTIC_BUILD is set, set the +deterministic compiler flag.

    But remove +deterministic when building tests, as the *_SUITE_data directories will not be handled correctly if +deterministic is used. When the beam files are built once, they will try to rebuild on the next make invocation and it will not work. In other words, if the beam is built, it will be built again. This breaks the pattern make && make install.

    Add +debug_info when building tests. Prior to using +deterministic, this was the default, and since +deterministic isn’t used for building tests, keep +debug_info.

    Set +deterministic as appropriate in rebar.config.script and scripts/rebar-pre-script based on YAWS_DETERMINISTIC_BUILD.

    * Hardcode include path in generated mime_types.erl for deterministic build.

    * Generate deterministic www/*/Makefile

    Several things are taken from the build environment when building, but they are not needed to build or use the examples, and are hence hardcoded or just removed.

    Add the examples.mk fragment to support reproducible builds in the examples. In it, set the SHELL variable instead of using the one from the environment. Omit build environment paths. Remove calls to ac-aux/missing and ac-aux/install-sh, as they include absolute build environment paths. Include examples.mk in www/code/Makefile and www/shoppingcart/Makefile.

    See #446 for more information.

    Signed-off-by: Steve Vinoski [email protected]

Commits on Jan 9, 2022

  1. Document reproducible builds of YAWS

    Document how to enable reproducible builds (export environment variables YAWS_DETERMINISTIC_BUILD and SOURCE_DATE_EPOCH when building) and what that entails for the build artefacts. Also note that various paths are included in generated files, i.e. installation prefix affects build artefacts, which can be mitigated by using DESTDIR.

    SOURCE_DATE_EPOCH is understood by pdflatex, thus setting it to the same Unix timestamp across builds will make yaws.pdf build deterministically. However, latex/dvips does not understand SOURCE_DATE_EPOCH, thus the generated date in the DVIPSSource comment is generated from SOURCE_DATE_EPOCH if set.

    Fixes #446

Commits on Jan 5, 2022

  1. Add YAWS_DETERMINISTIC_BUILD env var

    To avoid embedding different paths for VARDIR and ETCDIR in the compiled yaws_generated.erl beam file, allow the user to set the environment variable YAWS_DETERMINISTIC_BUILD to any value. When generating yaws_generated.erl, Yaws looks for this environment variable and if found, it makes yaws_generated:vardir() and yaws_generated:etcdir() return undefined instead of pathname strings.

Commits on Dec 22, 2021

  1. Detect externally rotated logfiles

    Currently, Yaws does not play well with an external log rotation mechanism (Linux logrotate or BSD newsyslog). When such an external program rotates a Yaws log, it will customarily move the existing log to a new name, open a new logfile with the old name, and (optionally) send a (configurable) signal to the program that writes to the log, to notify it to re-open the logfile.

    Yaws supports wrapping its logs at a given size (configuration variable log_wrap_size), but it does not support wrapping it in a time-based fashion (e.g., wrap once a day at midnight), which is why an external log rotator is useful.

    The problem is that in such a case, Yaws will continue writing to the old logfile. There is logic to detect that the logfile has been wrapped, but it does not work if the log rotator creates a new file in place of the old. In such a case, Yaws should detect that the logfile it sees at the expected path is smaller than what it knows to have written to the log, and take that as a signal that the log has been wrapped.

    This patch adds support for just this. To make use of it, one should arrange for the log rotator to issue a ‘yaws --hup’ post rotating the files. This will trigger Yaws to immediately re-evaluate the conditions and lead to migrating to the newly opened logfile. Otherwise, it will take up to 10 minutes for this to happen, and Yaws will have been writing to the old file (via the file descriptor it is holding) prior to that.

    Tom Szilagyi authored and vinoski committed

    Dec 22, 2021
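The detection rule described in the commit above (the file at the configured path is smaller than the bytes this writer knows it appended, so a rotator must have moved the log aside and created a fresh one) is easy to get wrong when the stale descriptor keeps writing into the renamed file. The following is an added example and not Yaws code: a minimal Erlang log writer with that check, plus a demo/0 that simulates logrotate's move-aside-and-recreate sequence. The module name, record fields and the constructed path /tmp/rotlog_demo.log are assumptions of this example.

```erlang
%% Added example (not Yaws code): detect an externally rotated logfile by
%% comparing the size of the file at the configured path with the bytes
%% this writer appended, and reopen the path when the on-disk file is smaller.
-module(rotlog).
-export([open/1, write/2, check/1, close/1, demo/0]).

-include_lib("kernel/include/file.hrl").

%% path: configured logfile name; fd: our open descriptor;
%% written: bytes we know to be in the file we opened.
-record(log, {path, fd, written = 0}).

open(Path) ->
    {ok, Fd} = file:open(Path, [append, raw, binary]),
    %% Start from the size already on disk so that a restart of the writer
    %% does not look like a rotation.
    Size = case file:read_file_info(Path) of
               {ok, #file_info{size = S}} -> S;
               _ -> 0
           end,
    #log{path = Path, fd = Fd, written = Size}.

write(#log{fd = Fd, written = W} = L, Data) ->
    ok = file:write(Fd, Data),
    L#log{written = W + iolist_size(Data)}.

%% Call periodically, or immediately on HUP (the `yaws --hup` hook from the
%% commit). If the path now names a file smaller than what we wrote, a
%% rotator has moved our file aside and created a fresh one, so the
%% descriptor we hold points at the old file: close it and reopen by name.
%% A missing file is treated the same way.
check(#log{path = Path, written = W} = L) ->
    case file:read_file_info(Path) of
        {ok, #file_info{size = S}} when S >= W -> {unchanged, L};
        _ -> {rotated, reopen(L)}
    end.

reopen(#log{path = Path, fd = Fd}) ->
    _ = file:close(Fd),
    open(Path).

close(#log{fd = Fd}) -> file:close(Fd).

%% Simulates logrotate's "move aside, create an empty file with the old
%% name" sequence on a constructed temporary path and verifies that writes
%% after check/1 land in the new file. Returns ok on success.
demo() ->
    Path = "/tmp/rotlog_demo.log",            % constructed path
    _ = file:delete(Path),
    _ = file:delete(Path ++ ".1"),
    L0 = open(Path),
    L1 = write(L0, <<"before rotation\n">>),
    {unchanged, L2} = check(L1),
    ok = file:rename(Path, Path ++ ".1"),     % rotator moves the log aside
    ok = file:write_file(Path, <<>>),         % ...and recreates an empty one
    {rotated, L3} = check(L2),
    L4 = write(L3, <<"after rotation\n">>),
    ok = close(L4),
    {ok, <<"before rotation\n">>} = file:read_file(Path ++ ".1"),
    {ok, <<"after rotation\n">>} = file:read_file(Path),
    ok.
```

Run it with `erlc rotlog.erl && erl -noshell -eval 'ok = rotlog:demo(), halt().'`. The size comparison also fires when a rotator uses copy-and-truncate instead of rename; in that case the reopen is unnecessary but harmless, because the file is opened in append mode and the new descriptor writes at the end of the truncated file.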

Commits on Dec 21, 2021

  1. Fix url_encode issue

    Commit 9cd9173 introduced a problem with yaws_api:url_encode/1 that wasn’t caught because “make check” sometimes reports success on macOS even when a failure occurs.

    Fix verified on Ubuntu and macOS.

  2. Fix #440: handle TLSv1.3-only server

    The Erlang/OTP ssl configuration settings “secure_renegotiate” and “client_renegotiation” don’t apply to TLS version 1.3, but Yaws sets both to defaults that differ from Erlang/OTP defaults and so always tries to include them when setting up SSL listening, which results in an error for servers configured for only TLSv1.3.

    If a server is configured for TLSv1.3 only, set secure_renegotiate and client_renegotiation to undefined. Also modify supported configuration settings for these variables to allow them to be set to true, false, or undefined, where the latter setting restores the Erlang/OTP default. Modify the documentation to describe the undefined setting.

    Add a new test to sconf_SUITE to verify settings in an #ssl{} record when a server is configured for only TLSv1.3. Note that this test is skipped for OTP 21.3 since it doesn’t support TLSv1.3.
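The option handling from the commit above is easy to express as a pure function: drop the two renegotiation settings entirely when the listener speaks only TLS 1.3, and let `undefined` fall back to the Erlang/OTP default by not passing the option at all. The following is an added example and not Yaws code; the module and function names are assumptions, while `secure_renegotiate`, `client_renegotiation`, `versions` and the `'tlsv1.3'` atom are the real Erlang/OTP ssl option names.

```erlang
%% Added example (not Yaws code): build the renegotiation part of an
%% ssl:listen/2 option list so that settings which do not apply to TLS 1.3
%% are omitted for a TLS 1.3-only server.
-module(tls_listen_opts).
-export([tls13_only/1, renegotiation_opts/3, selftest/0]).

%% Versions is the list passed as the ssl `versions` option,
%% e.g. ['tlsv1.2', 'tlsv1.3'].
tls13_only(Versions) ->
    Versions =/= [] andalso
        lists:all(fun(V) -> V =:= 'tlsv1.3' end, Versions).

%% SecureReneg and ClientReneg are true | false | undefined. Renegotiation
%% was removed from TLS 1.3, and the commit reports that OTP rejects these
%% options for a TLS 1.3-only listener, so they are dropped in that case.
%% `undefined` means "do not set it", which restores the OTP default.
renegotiation_opts(Versions, SecureReneg, ClientReneg) ->
    case tls13_only(Versions) of
        true  -> [];
        false -> opt(secure_renegotiate, SecureReneg) ++
                 opt(client_renegotiation, ClientReneg)
    end.

opt(_Key, undefined) -> [];
opt(Key, Bool) when is_boolean(Bool) -> [{Key, Bool}].

%% Self-check with constructed inputs; returns ok.
selftest() ->
    [] = renegotiation_opts(['tlsv1.3'], true, false),
    [{secure_renegotiate, true}, {client_renegotiation, false}] =
        renegotiation_opts(['tlsv1.2', 'tlsv1.3'], true, false),
    [{client_renegotiation, false}] =
        renegotiation_opts(['tlsv1.2'], undefined, false),
    [] = renegotiation_opts(['tlsv1.2'], undefined, undefined),
    ok.
```

A listener would then be started as `ssl:listen(Port, [{certfile, Cert}, {keyfile, Key}, {versions, Versions} | tls_listen_opts:renegotiation_opts(Versions, true, false)])`; the self-check in selftest/0 covers the TLS 1.3-only case, the mixed case and the undefined fallback.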

Commits on Dec 16, 2021

  1. Allow colons in dir listing file references

    When encoding filenames for use as relative URLs in directory listings, if a file contains only colons as encoded characters, use the original filename prefixed with “./” as its relative URL as per RFC3986 section 4.2.
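The reason for the rule above is RFC 3986 section 4.2: a relative-path reference whose first segment contains a colon would be parsed as a scheme, so `a:b` must be written `./a:b`. The following is an added example and not Yaws code, implementing the commit's rule (use the original name prefixed with "./" when colons were the only characters that needed encoding, otherwise the percent-encoded name); the module name is an assumption and filenames are assumed to be byte strings.

```erlang
%% Added example (not Yaws code): percent-encode a filename for use as a
%% relative URL in a directory listing, with the RFC 3986 section 4.2
%% "./" prefix for names where only colons would have been encoded.
-module(dir_href).
-export([href/1, selftest/0]).

%% Name is assumed to be a list of byte values (ASCII/Latin-1). For UTF-8
%% names, encode the bytes of unicode:characters_to_binary/1 instead.
href(Name) ->
    NeedsEncoding = [C || C <- Name, not unreserved(C), C =/= $:],
    case {NeedsEncoding, lists:member($:, Name)} of
        %% Only colons would have been encoded: "./a:b" keeps the literal
        %% name and cannot be misread as scheme "a" with path "b".
        {[], true} -> "./" ++ Name;
        _ -> lists:flatmap(fun encode_char/1, Name)
    end.

%% RFC 3986 unreserved characters never need encoding.
unreserved(C) when C >= $a, C =< $z; C >= $A, C =< $Z; C >= $0, C =< $9 ->
    true;
unreserved(C) ->
    lists:member(C, "-._~").

encode_char(C) ->
    case unreserved(C) of
        true  -> [C];
        false -> lists:flatten(io_lib:format("%~2.16.0B", [C]))
    end.

%% Self-check with constructed filenames; returns ok.
selftest() ->
    "report.txt" = href("report.txt"),
    "./a:b"      = href("a:b"),
    "a%20b%3Ac"  = href("a b:c"),
    ok.
```

The check `C =/= $:` in the comprehension is what distinguishes the two branches: a name containing a space and a colon is still fully percent-encoded (the colon becomes `%3A`), and only a name whose sole problematic character is the colon gets the "./" form.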

Commits on Dec 15, 2021

  1. Fix jsonrpc Content-Length header value

    OTP 24.2 tightened up header checking in httpc:request calls, which uncovered a call in jsonrpc passing Content-Length as an integer rather than a string. Fix it to pass the value as a string.

Commits on Dec 6, 2021

  1. Use special logger handler for report.log

    Use logger instead of error_logger for report.log. This makes it possible to run yaws when no error_logger process is running, since we don’t try to install custom handlers in it.

    Because of logger_std_h differences in Erlang/OTP 21.0 through 21.2 that prevent these changes from working correctly for those versions, raise the minimum Erlang/OTP version that Yaws supports from 21.0 to 21.3. Anyone needing 21.0-21.2 support can use Yaws release 2.1.0. Change all places mentioning 21.0 as the minimum to be 21.3 instead.

  2. Switch to Github Actions for CI

    Travis-CI is no longer useful for open source projects, so switch to Github Actions using an OTP versions matrix. Remove legacy .travis.yml file.

    In testsuite/run_common_test.in, add the -noshell option to prevent early termination when running in a Github Action.

    Co-authored-by: Sergey Prokhorov [email protected]

Commits on Nov 16, 2021

  1. src/yaws_log.erl: Update timestamp every 1 second

    Prior to this change, the timestamp of log entries was updated every 3 seconds. While yaws_log:fmtnow/0 is not a very fast function, losing the precision and yielding inaccurate timestamps does not seem to balance with the optimization, so change it to 1 second instead.

Commits on Nov 14, 2021
