{"id":108,"date":"2014-10-03T21:27:36","date_gmt":"2014-10-03T21:27:36","guid":{"rendered":"http:\/\/blogs.gentoo.org\/blueness\/?p=108"},"modified":"2014-10-03T21:28:36","modified_gmt":"2014-10-03T21:28:36","slug":"sthttpd-a-very-tiny-and-very-fast-http-server-with-a-mature-codebase","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/blueness\/2014\/10\/03\/sthttpd-a-very-tiny-and-very-fast-http-server-with-a-mature-codebase\/","title":{"rendered":"sthttpd: a very tiny and very fast http server with a mature codebase!"},"content":{"rendered":"<p>Two years ago, I took on the maintenance of <em>thttpd<\/em>, a web server written by Jef Poskanzer at ACME Labs [1].\u00a0 The code hadn&#8217;t been updated in about 10 years and there were dozens of accumulated patches on the Gentoo tree, many of which addressed serious security issues.\u00a0 I emailed upstream and was told the project was &#8220;done&#8221; whatever that meant, so I was going to tree clean it.\u00a0 I expressed my intentions on the upstream mailing list when I got a bunch of &#8220;please don&#8217;t!&#8221; from users.\u00a0 So rather than maintain a ton of patches, I forked the code, rewrote the build system to use autotools, and applied all the patches.\u00a0 I dubbed the fork <em>sthttpd<\/em>.\u00a0 There was no particular meaning to the &#8220;s&#8221;.\u00a0 Maybe &#8220;still kicking&#8221;?<\/p>\n<p>I put a git repo up on my server [2], got a mail list going [3], and set up bugzilla [4].\u00a0 There hasn&#8217;t been much activity but there was enough because it got noticed by someone who pushed it out in OpenBSD ports [5].<\/p>\n<p>Today, I finally pushed out 2.27.0 after two years.\u00a0 This release takes care of a couple of new security issues: I fixed the world-readable log problem, CVE-2013-0348 [6], and Vitezslav Cizek\u00a0&lt;vcizek@suse.com&gt;\u00a0 from OpenSUSE fixed a possible DoS triggered by a specially crafted .htpasswd. 
Bob Tennent added some code to correct headers for .svgz content, and Jean-Philippe Ouellet did some code cleanup.\u00a0 So it was time.<\/p>\n<p>Web servers are not my style, but its tiny size and speed make it perfect for embedded systems, which are near and dear to my heart.\u00a0 I also make sure it compiles on *BSD and Linux with glibc, uClibc or musl.\u00a0 Not bad for a codebase which is over 10 years old!\u00a0 Kudos to Jef.<\/p>\n<ul>\n<li>[1] <a href=\"http:\/\/en.wikipedia.org\/wiki\/Thttpd\" target=\"_blank\">http:\/\/en.wikipedia.org\/wiki\/Thttpd<\/a>.\u00a0 <a href=\"http:\/\/acme.com\/\" target=\"_blank\">http:\/\/acme.com\/<\/a>.<\/li>\n<li>[2] <a href=\"http:\/\/opensource.dyc.edu\/gitweb\/?p=sthttpd.git;a=summary\" target=\"_blank\">http:\/\/opensource.dyc.edu\/gitweb\/?p=sthttpd.git;a=summary<\/a><\/li>\n<li>[3] <a href=\"mailto:sthttpd@opensource.dyc.edu\" target=\"_blank\">sthttpd@opensource.dyc.edu<\/a><\/li>\n<li>[4] <a href=\"http:\/\/opensource.dyc.edu\/bugzilla3\/\" target=\"_blank\">http:\/\/opensource.dyc.edu\/bugzilla3\/<\/a><\/li>\n<li>[5] <a href=\"http:\/\/ports.su\/www\/sthttpd\" target=\"_blank\">http:\/\/ports.su\/www\/sthttpd<\/a><\/li>\n<li>[6] <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2013-0348\" target=\"_blank\">http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2013-0348<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Two years ago, I took on the maintenance of thttpd, a web server written by Jef Poskanzer at ACME Labs [1].\u00a0 The code hadn&#8217;t been updated in about 10 years and there were dozens of accumulated patches on the Gentoo tree, many of which addressed serious security issues.\u00a0 I emailed upstream and was told the &hellip; <a href=\"https:\/\/blogs.gentoo.org\/blueness\/2014\/10\/03\/sthttpd-a-very-tiny-and-very-fast-http-server-with-a-mature-codebase\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;sthttpd: a very tiny and very fast 
http server with a mature codebase!&#8221;<\/span><\/a><\/p>\n","protected":false},"author":141,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[1,3],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/posts\/108"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/users\/141"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/comments?post=108"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/posts\/108\/revisions"}],"predecessor-version":[{"id":113,"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/posts\/108\/revisions\/113"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/media?parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/categories?post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/blueness\/wp-json\/wp\/v2\/tags?post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}