0

Does thttpd support HTTP 1.1 only for static pages? HTTP requests for CGI-generated pages seem to respond only with HTTP 1.0.

=========================

$ curl -i http://<ip address>index.html
HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 04 Aug 2009 07:00:52 GMT
Last-Modified: Tue, 04 Aug 2009 06:58:04 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 74

<html>
<head><title>blah</title></
head>
<body>Hello There!</body>
</html>


$ curl -i http://<ip address>/cgi-bin/hello
HTTP/1.0 200 OK
Content-type: text/html

Hello there!

=========================

thttpd CGI can't even respond to a HTTP HEAD request..

$ curl --head http://<ip address>/cgi-bin/hello
HTTP/1.1 501 Not Implemented
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 04 Aug 2009 07:02:36 GMT
Last-Modified: Tue, 04 Aug 2009 07:02:36 GMT
Accept-Ranges: bytes
Connection: close
Cache-Control: no-cache,no-store

=========================

Is there a way to enable HTTP 1.1 on CGI requests? BTW, this is using thttpd ver.2.25b.

Thanks, Kenneth

ksuralta
  • 101
  • 3

1 Answers1

2

As you know, thttpd, unlike dhttpd, supports CGI but the man page does not refer to the HTTP level supported for the requests in the documentation. From the thttpd man page:

CGI

   thttpd supports the CGI 1.1 spec.

   In order for a CGI program to be run, its name must match  the  pattern
   specified  either  at  compile  time or on the command line with the -c
   flag.  This is a simple shell-style filename pattern.  You can use * to
   match  any  string  not  including  a  slash, or ** to match any string
   including slashes, or ? to match any single character.   You  can  also
   use  multiple  such  patterns separated by |.  The patterns get checked
   against the filename part of the incoming URL.  Don’t forget  to  quote
   any wildcard characters so that the shell doesn’t mess with them.

   Restricting  CGI  programs to a single directory lets the site adminis‐
   trator review them for security holes, and is strongly recommended.  If
   there  are individual users that you trust, you can enable their direc‐
   tories too.

   If no CGI pattern is specified, neither here nor at compile time,  then
   CGI  programs  cannot  be  run at all.  If you want to disable CGI as a
   security measure, that’s how you do it, just comment out  the  patterns
   in the config file and don’t run with the -c flag.

   Note:  the current working directory when a CGI program gets run is the
   directory that the CGI program lives in.  This isn’t  in  the  CGI  1.1
   spec, but it’s what most other HTTP servers do.

   Relevant   config.h   options:  CGI_PATTERN,  CGI_TIMELIMIT,  CGI_NICE,
   CGI_PATH, CGI_LD_LIBRARY_PATH, CGIBINDIR.

On the specific question of HTTP 1.1 support, I think asking on the thttpd support forum was probably the best way forward, short of reading the code. I would not be surprised at HTTP 1.0 only as it saves the server having to store pieces of the page until the whole page is available in order to fill in the byte count correctly in the HTTP 1.1 header.

Certainly in the routine cgi_interpose_output( httpd_conn* hc, int rfd ) in libhttpd.c the sequence starting

(void) my_snprintf( buf, sizeof(buf), "HTTP/1.0 %d %s\015\012", status, title );

seems to support this view but I expect you are probably more familiar with the code than I am and there will be folk on the mailing list who know it in detail and could be more definitive.

mas
  • 639
  • 5
  • 9