<feed xmlns='http://www.w3.org/2005/Atom'>
<title>uhttpd, branch master</title>
<subtitle>Tiny HTTP server</subtitle>
<id>https://git.openwrt.org/project/uhttpd/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/uhttpd/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/'/>
<updated>2026-04-16T09:10:36Z</updated>
<entry>
<title>client: use base-10 parsing for Content-Length header</title>
<updated>2026-04-16T09:10:36Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2026-04-16T09:10:36Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=e619cb04cddba8316d6928ff99f55a49e6ddc561'/>
<id>urn:sha1:e619cb04cddba8316d6928ff99f55a49e6ddc561</id>
<content type='text'>
strtoul() with base 0 auto-detects octal (leading "0") and
hexadecimal (leading "0x") prefixes. A Content-Length value like
"025" was parsed as octal 21 instead of decimal 25. Since compliant
HTTP frontends always parse Content-Length as decimal per RFC 7230,
this mismatch enables HTTP request smuggling when uhttpd sits behind
a reverse proxy or load balancer.

Fix by explicitly passing base 10 to strtoul().

Reported-by: Nicola Staller &lt;nicola.staller@syss.de&gt;
Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>ubus: unregister ubus subscriber on HTTP client disconnect</title>
<updated>2025-12-24T10:08:44Z</updated>
<author>
<name>Tito Brasolin</name>
</author>
<published>2025-09-05T08:09:16Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=506e24987b97fbc866005bfb71316bd63601a1ef'/>
<id>urn:sha1:506e24987b97fbc866005bfb71316bd63601a1ef</id>
<content type='text'>
Fixes a potential SIGSEGV when a client disconnects from a /ubus/subscribe/... endpoint without unsubscribing.
The ubus subscriber is now properly unregistered in a cleanup handler, preventing callbacks on freed client structures.

Fixes: #1
Signed-off-by: Tito Brasolin &lt;tito.brasolin@kerberos.energy&gt;
Link: https://github.com/openwrt/uhttpd/pull/18
Signed-off-by: Robert Marko &lt;robert.marko@sartura.hr&gt;
</content>
</entry>
<entry>
<title>CMakeLists: update cmake minimum required version to 3.10</title>
<updated>2025-10-03T21:39:09Z</updated>
<author>
<name>Christian Marangi</name>
</author>
<published>2025-10-03T21:39:09Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=ebb92e6b339b88bbc6b76501b6603c52d4887ba1'/>
<id>urn:sha1:ebb92e6b339b88bbc6b76501b6603c52d4887ba1</id>
<content type='text'>
New cmake version 4.0 requires at least version 3.5 as the minimum
required version, with it increased to 3.10 in to-be-released cmake
versions.

Set the minimum required version to 3.10 to future-proof for future
cmake versions.

Suggested-by: Hannu Nyman &lt;hannu.nyman@iki.fi&gt;
Signed-off-by: Christian Marangi &lt;ansuelsmth@gmail.com&gt;
</content>
</entry>
<entry>
<title>client: Allow sending content in DONE state</title>
<updated>2025-07-06T22:58:07Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2025-07-06T18:52:17Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=7e64e8bad2415cec0a6d9770ec379db54273c7a7'/>
<id>urn:sha1:7e64e8bad2415cec0a6d9770ec379db54273c7a7</id>
<content type='text'>
Allow sending content even when the connection is in done state. When we
run into an error we will be in CLIENT_STATE_DONE state and have to
write some content to the client. Allow writing in normal DATA and in
DONE state.

This fixes http error 403 in LuCI.

Fixes: b3e3c05d6781 ("client: don't send stray EOF chunk on connection timeout")
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>client: reject requests with multiple content-lengths and/or TEs</title>
<updated>2025-04-05T23:36:37Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2025-04-05T23:35:10Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=c7294e7037a9e6f8fb4b9084d31cb8e98bd7b5f9'/>
<id>urn:sha1:c7294e7037a9e6f8fb4b9084d31cb8e98bd7b5f9</id>
<content type='text'>
Add logic to reject requests with multiple Content-Length headers or both
Content-Length and Transfer-Encoding headers.

Fixes: #8
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>file: prevent writes beyond end of uh_buf on enumerating directories</title>
<updated>2025-04-05T13:21:52Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2025-04-05T13:21:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=3d6f01b9d01a6ffa9e73705112cd51bfd98ec2fc'/>
<id>urn:sha1:3d6f01b9d01a6ffa9e73705112cd51bfd98ec2fc</id>
<content type='text'>
Under some circumstances, e.g. when enumerating the entries of a directory
hierarchy close to 4096 bytes total path length, the sprintf() used to
concatenate the filename might write beyond the end of the PATH_MAX sized
global `uh_buf` scratch buffer used to form the complete file paths during
enumeration, potentially clobbering neighboring data structures, such as
the global configuration struct.

Prevent this issue by passing the amount of remaining available bytes for
the name component to the `list_entries()` function and passing this
value to `snprintf()` therein.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>proc: inhibit chunked transfer encoding on existing TEs or known length</title>
<updated>2025-04-05T12:32:36Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2025-04-05T12:28:34Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=fad0d05da757dcd73abc2beb02ce4e4edf83ac3d'/>
<id>urn:sha1:fad0d05da757dcd73abc2beb02ce4e4edf83ac3d</id>
<content type='text'>
When a backend CGI, Lua or ucode handler produces a response which either
includes a Content-Length or a Transfer-Encoding header then disable the
uhttpd side chunked transfer encoding and assume the backend response to
be already properly encoded or length delimited.

Fixes: https://github.com/openwrt/luci/issues/7655
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>client: don't send stray EOF chunk on connection timeout</title>
<updated>2024-01-23T08:48:35Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-01-23T08:48:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=b3e3c05d6781caa5db54fc9913772ddc1af2e045'/>
<id>urn:sha1:b3e3c05d6781caa5db54fc9913772ddc1af2e045</id>
<content type='text'>
Ensure that any kind of chunk data is only sent when the client connection
is in the body data state in order to avoid sending superfluous `0\r\n\r\n`
chunks on closing idle connections.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>uhttpd/file: fix string out of buffer range on uh_defer_script</title>
<updated>2023-06-25T17:24:45Z</updated>
<author>
<name>Liangbin Lian</name>
</author>
<published>2023-04-24T03:53:16Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=34a8a74dbdec3c0de38abc1b08f6a73c51263792'/>
<id>urn:sha1:34a8a74dbdec3c0de38abc1b08f6a73c51263792</id>
<content type='text'>
If a URL path length is a multiple of 8, the trailing zero will be trimmed out on uh_defer_script, causing a strange error.
It's simple to reproduce.

1. Create a luci controller, register an entry with a path length that is a multiple of 8 (including '/cgi-bin/'), for example, '/cgi-bin/luci/admin/system/admin'.
2. Set uhttpd max_requests to 1, and restart uhttpd.
3. Request '/cgi-bin/luci/admin/system/admin' with at least 2 processes.
4. Some responses will produce an error:
```
Unable to launch the requested CGI program:
  /www/cgi-bin/luci: No such file or directory
```

Signed-off-by: Liangbin Lian &lt;jjm2473@gmail.com&gt;
</content>
</entry>
<entry>
<title>mimetypes: add audio/video support for apple airplay</title>
<updated>2023-01-28T16:10:36Z</updated>
<author>
<name>Sasha Andonov</name>
</author>
<published>2023-01-24T13:20:04Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/uhttpd/commit/?id=47561aa13574068403d48f13ea310f8511057b2b'/>
<id>urn:sha1:47561aa13574068403d48f13ea310f8511057b2b</id>
<content type='text'>
Airplay of a statically hosted video file from one Apple device
to another fails due to unrecognized content-type.

Let's assume we have url1: http://openwrt.local/luci-static/video.mp4.
If url1 is passed to a HTML5 browser, it will download the file instead
of playing it back as it thinks it is a binary (no entry for mp4
extension atm). Let's also assume we worked this around by wrapping url1
in HTML5 video tag, inside of an html file which we will put at
url2: http://openwrt.local/luci-static/video.html. The playback starts
as the browser now knows it is a video. However, if we now wanted to send
the video over Airplay to a second device, it's not gonna share the html
file found at url2, but rather the video file found at url1, and the
playback on second device will fail as it thinks it is a binary.

Adding Airplay supported extensions/mime types fixes the issue.

Signed-off-by: Sasha Andonov &lt;s.andonnov@gmail.com&gt;
</content>
</entry>
</feed>
