Fixes the following security vulnerability:
CVE-2019-13503: mq_parse_http in mongoose.c in Mongoose 6.15
has a heap-based buffer over-read.
See https://github.com/cesanta/mongoose/releases/tag/6.16
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
For some reason, the hash of the Github-provided tarball for mongoose
6.7 has changed. The actual contents are the same between the old and
new tarballs, only the order of the files is changed.
However, changing the hash would break older Buildroot releases
(because sources.buildroot.net would pick up the tarball with the new
hash, and old Buildroot releases would no longer be able to pick up
the tarball with the old hash, neither from Github nor from the
Buildroot mirror).
So, we simply bump to a newer version of mongoose. This way, old
Buildroot releases will continue to fetch Mongoose 6.7 from the
Buildroot mirror, with the old hash matching. New Buildroot releases
will be using the new Mongoose version, with a correct hash that
allows to download from Github successfully.
The hash of the license file has changed, due to a change in the
copyright years.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Only a static library is built (and no _INSTALL_TARGET_CMDS are defined), so
there is no need to run the target-install step.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
NS_ENABLE_SSL was renamed to MG_ENABLE_SSL in v6.0, commit e1dd3f06fe33
(Rename Mongoose constants: NS_ -> MG_, NSF_ -> MG_F_), so use the new name
instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
No linking is done since the package was reworked for v6.x in commit
9860746ff (mongoose: bump to version 6.1), so drop LDFLAGS and the list of
libraries to link against.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This define is not used anywhere in the mongoose sources since v6.0 (commit
8927c9d22b3f), so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want to use SPDX identifier for license strings as much as possible.
SPDX short identifier for GPLv2/GPLv2+ is GPL-2.0/GPL-2.0+.
This change is done by using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv2\>/GPL-2.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- provide only libmongoose.a
- rework package description
[Peter: move under Libraries->Networking]
Signed-off-by: Davide Viti <zinosat@tiscali.it>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Thomas: use relative symbolic link.]
Signed-off-by: Alex Suykov <alex.suykov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that largefile is mandatory removes package dependencies and
conditionals.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- examples/server was renamed examples/web_server
- patch was submitted and included upstream so we can drop it
Signed-off-by: Davide Viti <zinosat@tiscali.it>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mongoose.h looks missing because we're not building locally, so add
the appropriate -I flag. Fixes:
http://autobuild.buildroot.net/results/701/701711626548bd166cd5bc5669e4761ffed074d1/
[Thomas: change the solution to use -I$(@D) instead of switching to
the build directory.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Avoid compilation of the server via the upstream Makefile which
unconditionally uses -lssl
The -lssl flag is appended to MONGOOSE_CFLAGS whenever
BR2_PACKAGE_OPENSSL=y gets set.
Signed-off-by: Davide Viti <zinosat@tiscali.it>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The package provides a webserver and, eventually, a library: this is
what Centos, among other distros, is doing.
[Peter: correct install -D invocation]
Signed-off-by: Davide Viti <d.viti@infosolution.it>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mongoose has changed quite drastically in the last months.
Here is a list of changes which had to be applied:
- Bump version from 3.7 to 5.3
- use tarball download via github helper iso git clone
- need largefile support
- compilation takes place into "examples"
- weberver source is now "server.c"
- adapt to new command line options
- SSL support now controlled via NS_ENABLE_SSL
[Peter: extend commit text, use CFLAGS_EXTRA, only build server]
Signed-off-by: Davide Viti <zinosat@tiscali.it>
Cc: Will Wagner <will_wagner@carallon.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Startup script fails to restart the service: 1s delay is enough to fix
this.
Also apply a minor fix of the script name in the usage string
Signed-off-by: Davide Viti <d.viti@infosolution.it>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mongoose fails to start because the options used are not supported by
mongoose. Fix it by using the correct option names instead.
[Peter: reworded commit text and use the correct long options instead]
Signed-off-by: Davide Viti <d.viti@infosolution.it>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When a package A depends on config option B and toolchain option C, then
the comment that is given when C is not fulfilled should also depend on B.
For example:
config BR2_PACKAGE_A
depends on BR2_B
depends on BR2_LARGEFILE
depends on BR2_WCHAR
comment "A needs a toolchain w/ largefile, wchar"
depends on !BR2_LARGEFILE || !BR2_WCHAR
This comment should actually be:
comment "A needs a toolchain w/ largefile, wchar"
depends on BR2_B
depends on !BR2_LARGEFILE || !BR2_WCHAR
or if possible (typically when B is a package config option declared in that
same Config.in file):
if BR2_B
comment "A needs a toolchain w/ largefile, wchar"
depends on !BR2_LARGEFILE || !BR2_WCHAR
[other config options depending on B]
endif
Otherwise, the comment would be visible even though the other dependencies
are not met.
This patch adds such missing dependencies, and changes existing such
dependencies from
depends on BR2_BASE_DEP && !BR2_TOOLCHAIN_USES_GLIBC
to
depends on BR2_BASE_DEP
depends on !BR2_TOOLCHAIN_USES_GLIBC
so that (positive) base dependencies are separate from the (negative)
toolchain dependencies. This strategy makes it easier to write such comments
(because one can simply copy the base dependency from the actual package
config option), but also avoids complex and long boolean expressions.
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(untested)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch lines up the comments in Config.in files that clarify which
toolchain options the package depends on.
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop noauth patch, cleanup Config.in, don't install to staging, ..]
Signed-off-by: Charles Manning <cdhmanning@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
