Standardize logging with bgpd Tweak and OK claudio@

remove empty server_http_init OK claudio

Error out on presence of Content-Length and Transfer-Encoding headers for GET, HEAD and other methods that should have no body. Ignoring the Content-Length header makes httpd vulnerable to HTTP request smuggling. A crafted GET request may embed an extra HTTP request which could bypass a proxy or WAF but then is handled by httpd. Remove the special case for TRACE and CONNECT in the Content-Length handling. Move those checks into the method switch at the end of the header parsing phase and by that also cover more methods including GET and HEAD. If either header is present simply abort the connection, nobody should send extra data along GET and HEAD requests. Add an an explicit HTTP_METHOD_TRACE case above the default case to indicated that we deliberately don't handle TRACE requests. This security vulnerability was found by Nicola Staller of SySS GmbH. With and OK rsadowski@ previous version also OK florian@

In server_read_httpchunks() do not blindly enable the bufferevent. This leads to a use-after-free since the bev->readcb() call could free the memory holding the bev right before the bufferevent_enable() call. Reported by Pontus Stenetorp. OK florian@ rsadowski@

Slightly iprove a confusing wording in the parse.y manuals: The things that need quoting are not necessarily "argument names", and not even necessarily "names" at all, so just talk about "arguments". "I guess?" florian@ and no objection from otto@, both back in July 2025. Actually, the quoting rules are more complicated than the text makes believe, but i do not know how to better describe them. It may not be easy because some suspect the implementation may be somewhat adhoc rather than based on cleary defined lexical rules.

validate return_uri_len before copying data Spotted by tb@, ok claudio

fix scan-build dead stores findings - httpd.c:533 – q assigned but immediately overwritten in the loop - server.c:891 – inrd/inwr assigned, then reassigned, never actually needed - server_fcgi.c:678,690 – kv result unused OK stsp@

httpd: fix server_http_time() to emit GMT times again The HTTP standard RFC 9110 requires GMT, in HTTP-date. We used to do this until a recent change to localtime.c changed GMT to UTC. From Sören Tempel, ok sthen

Add "no banner" option to suppress Server header Introduces a global and per-server "[no] banner" directive that prevents httpd from sending the Server HTTP response header and removes server identification from error documents. The SERVER_SOFTWARE CGI environment variable remains set as required by RFC 3875. Diff by Lloyd (thanks), ok kirill@

Add missing GZIP_STATIC flag to SRVFLAG_BITS macro GZIP_STATIC flag at position \33 was missing from the debug string. Also correct the truncated PATH_REWRITE/NO_PATH_REWRITE flag names. The PATH_REWRITE and NO_PATH_REWRITE flag names were truncated to PATH and NO_PATH in the SRVFLAG_BITS string definition. OK kirill@ deraadt@

Systopia team at UBC found 5 info leaks in the private privsep protocol between httpd programs, and provided a fix. ok claudio benno florian

Make internal hyperlinking work by moving custom sections from .Sh to .Ss and the titles from all caps to sentence case such that they match the table of contents, and switch from .Sy to .Sx as needed. OK florian@

In the manual pages for configuration files based on parse.y, describe the syntax of both defining and using macros, rather than exclusively relying on examples, which some of the pages do not even provide. In those pages containing tables of content, also clarify that the "Macros" section contains *definitions* of variables. Both changes were already committed to vm.conf(5) earlier. In those few pages that referenced cpp(1) and m4(1), stop doing that because the macro definition syntax and the macro dereferencing syntax of both languages is totally different from the parse.y syntax. OK florian@, and deraadt also requests keeping these manuals in sync.

Set correct request timeout once we found the correct server block. On accept(2), httpd(8) sets the timeout based on ip:port. Once we have parsed the http headers we can find the name-based server block and apply its request timeout. Problem identified and fix from Nick Owens, thanks! OK tb

Convert various reyk proc.c daemons over to new imsgbuf_init and imsgbuf_allow_fdpass. OK tb@

Convert the common imsgbuf_read calls to the post EAGAIN world. OK tb@

Use imsgbuf_queuelen() instead of accessing the w.queue member. OK tb@

Use imsgbuf_clear() where appropriate instead of msgbuf_clear(). OK tb@

Rename imsg_init, imsg_clear, imsg_read, imsg_write and imsg_flush to imsgbuf_init, imsgbuf_clear, imsgbuf_read, imsgbuf_write and imsgbuf_flush. This separates the imsgbuf API from the per-imsg API. OK tb@

Convert imsg_write() callers to the new simplified return logic. OK tb@

Introduce imsg_write() and use it instead of msgbuf_write(). imsg_write() is just a thin wrapper around msgbuf_write(). So this is mostly search and replace. OK tb@

imsg_flush no longer returns EAGAIN. Simplify proc_flush_imsg() accordingly. Issue spotted by op@

remove unused struct

httpd: render "emojis" as text in directory listing The "up and down" character used in the directory listing is technically an emoji and can, depending on the browser configuration, be rendered in colors and whatnot. set `font-variant-emoji' to ask the browser to render it as text. This property, as of now, needs to be enabled manually in some browsers, but since it's part of the "CSS Fonts Module Level 4" spec, support for it is expected to be implemented and turned on "soon" in major browsers. While here, remove the italic for directories. Diff from Paul W. Rankin (hello (at) paulwrankin dot com) ok claudio@

plug fd leak introduced in "avoid toctu" rewrite. Issue reported by job OK tb, job