www-servers/lighttpd: Version bump (v1.4.64)

* use pcre2 instead of pcre
* remove long-deprecated modules and obsolete dependencies
* update configs to use mod_deflate (subsumed mod_compress)
* CVE-2022-22707 https://bugs.gentoo.org/830691

Closes: https://bugs.gentoo.org/820755
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Sam James <sam@gentoo.org>

4 files changed, 548 insertions, 0 deletions

diff --git a/www-servers/lighttpd/Manifest b/www-servers/lighttpd/Manifest
index 545b25d8c85c..ec36ebba44a4 100644
--- a/www-servers/lighttpd/Manifest
+++ b/www-servers/lighttpd/Manifest
@@ -1,3 +1,4 @@
 DIST lighttpd-1.4.55.tar.xz 765660 BLAKE2B 7b972de86e7d1a51438718e4d5bd49188c107b0f2e656ead597085ae84f3d41cdb662a7774c6655155d390c26f3e4f0b0dc4243c85cb0255a91d8ca57742f402 SHA512 023d5a54079e710a89a59e259c0b5798103ef6fce4544c36110dc4c5281ef429ef99369923d74123fcf8be37afe622d44cd7149078d21971ff26f3f4ee37c439
 DIST lighttpd-1.4.58.tar.xz 956828 BLAKE2B b8b0a111db64a8af429dd9922503991e55276808b58143ffce3268bc8b20a39cfec9d8c1e2917b34326ac5502801a6ca3b9bae26874f86b6749c363a09225ca3 SHA512 b7f18223e46bf78f866eb22f44a7702df07424271e085da9f0d03e626198c30e87a3959536d02e3588aa47ba4bc7db7c432307175fb3b25a2984f9cf692c0ca4
 DIST lighttpd-1.4.59.tar.xz 968352 BLAKE2B 8997386be24d9d84fa8012aedd8ac97b3ad4fd19bb756163d3e9b8c6984c740475c6db2810817db9d1a246320bcd81f7ab35847707316454523c614a4485299f SHA512 94d312f6ac65c32057018b749c4865220b43b3e4b7fe9396848aa403ea7fdc2ccbf3f4f91daf281b754cf272a52a8bcdc689502773ea33cae36eead2785daa0f
+DIST lighttpd-1.4.64.tar.xz 1011436 BLAKE2B 7eea665f20a07ced23e7372515b5e44852ea14e4ac83297ed9f764106b69e7931d84bf5d1c6d5f542ef810021ef94398a89bc3161213f8bdfaba3676e0a687ca SHA512 8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936
diff --git a/www-servers/lighttpd/files/conf/lighttpd.conf-r1 b/www-servers/lighttpd/files/conf/lighttpd.conf-r1
new file mode 100644
index 000000000000..1017098caa4f
--- /dev/null
+++ b/www-servers/lighttpd/files/conf/lighttpd.conf-r1
@@ -0,0 +1,309 @@
+###############################################################################
+# Default lighttpd.conf for Gentoo.
+###############################################################################
+
+# {{{ variables
+var.basedir  = "/var/www/localhost"
+var.logdir   = "/var/log/lighttpd"
+var.statedir = "/var/lib/lighttpd"
+# }}}
+
+# {{{ modules
+# At the very least, mod_access and mod_accesslog should be enabled.
+# All other modules should only be loaded if necessary.
+# NOTE: the order of modules is important.
+server.modules = (
+#    "mod_rewrite",
+#    "mod_redirect",
+#    "mod_alias",
+    "mod_access",
+#    "mod_magnet",
+#    "mod_auth",
+#    "mod_status",
+#    "mod_setenv",
+#    "mod_proxy",
+#    "mod_simple_vhost",
+#    "mod_evhost",
+#    "mod_userdir",
+#    "mod_deflate",
+#    "mod_ssi",
+#    "mod_usertrack",
+#    "mod_expire",
+#    "mod_secdownload",
+#    "mod_rrdtool",
+#    "mod_webdav",
+    "mod_accesslog"
+)
+# }}}
+
+# {{{ includes
+include "mime-types.conf"
+# fcgi and cgi are included below
+# }}}
+
+# {{{ server settings
+server.username      = "lighttpd"
+server.groupname     = "lighttpd"
+
+server.document-root = var.basedir + "/htdocs"
+server.pid-file      = "/run/lighttpd.pid"
+
+server.errorlog      = var.logdir  + "/error.log"
+# log errors to syslog instead
+#   server.errorlog-use-syslog = "enable"
+
+server.indexfiles    = ("index.php", "index.html",
+						"index.htm", "default.htm")
+
+# server.tag           = "lighttpd"
+
+server.follow-symlink = "enable"
+
+# event handler (defaults to "poll")
+# see performance.txt
+#
+# for >= linux-2.4
+#   server.event-handler = "linux-rtsig"
+# for >= linux-2.6
+#   server.event-handler = "linux-sysepoll"
+# for FreeBSD
+#   server.event-handler = "freebsd-kqueue"
+
+# chroot to directory (defaults to no chroot)
+# server.chroot      = "/"
+
+# bind to port (defaults to 80)
+# server.port          = 81
+
+# bind to name (defaults to all interfaces)
+# server.bind          = "grisu.home.kneschke.de"
+
+# error-handler for status 404
+# server.error-handler-404 = "/error-handler.html"
+# server.error-handler-404 = "/error-handler.php"
+
+# Format: <errorfile-prefix><status-code>.html
+# -> ..../status-404.html for 'File not found'
+# server.errorfile-prefix    = var.basedir + "/error/status-"
+
+# FAM support for caching stat() calls
+# requires that lighttpd be built with USE=fam
+#   server.stat-cache-engine = "fam"
+
+# If lighttpd was build with IPv6 support, and you would like to listen on IPv6,
+# uncomment the following:
+# server.use-ipv6 = "enable"
+
+# }}}
+
+# {{{ mod_staticfile
+
+# which extensions should not be handled via static-file transfer
+# (extensions that are usually handled by mod_cgi, mod_fastcgi, etc).
+static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")
+# }}}
+
+# {{{ mod_accesslog
+accesslog.filename   = var.logdir + "/access.log"
+# }}}
+
+# {{{ mod_dirlisting
+# enable directory listings
+#   dir-listing.activate      = "enable"
+#
+# don't list hidden files/directories
+#   dir-listing.hide-dotfiles = "enable"
+#
+# use a different css for directory listings
+#   dir-listing.external-css  = "/path/to/dir-listing.css"
+#
+# list of regular expressions.  files that match any of the
+# specified regular expressions will be excluded from directory
+# listings.
+#   dir-listing.exclude = ("^\.", "~$")
+# }}}
+
+# {{{ mod_access
+# see access.txt
+
+url.access-deny = ("~", ".inc")
+# }}}
+
+# {{{ mod_userdir
+# see userdir.txt
+#
+# userdir.path = "public_html"
+# userdir.exclude-user = ("root")
+# }}}
+
+# {{{ mod_ssi
+# see ssi.txt
+#
+# ssi.extension = (".shtml")
+# }}}
+
+# {{{ mod_ssl
+# see ssl.txt
+#
+# ssl.engine    = "enable"
+# ssl.pemfile   = "server.pem"
+# }}}
+
+# {{{ mod_status
+# see status.txt
+#
+# status.status-url  = "/server-status"
+# status.config-url  = "/server-config"
+# }}}
+
+# {{{ mod_simple_vhost
+# see simple-vhost.txt
+#
+#  If you want name-based virtual hosting add the next three settings and load
+#  mod_simple_vhost
+#
+# document-root =
+#   virtual-server-root + virtual-server-default-host + virtual-server-docroot
+# or
+#   virtual-server-root + http-host + virtual-server-docroot
+#
+# simple-vhost.server-root   = "/home/weigon/wwwroot/servers/"
+# simple-vhost.default-host  = "grisu.home.kneschke.de"
+# simple-vhost.document-root = "/pages/"
+# }}}
+
+# {{{ mod_deflate
+# see compress.txt
+#
+# deflate.cache-dir   = var.statedir + "/cache/compress"
+# deflate.mimetypes   = ("text/plain", "text/html")
+# }}}
+
+# {{{ mod_proxy
+# see proxy.txt
+#
+# proxy.server               = ( ".php" =>
+#                               ( "localhost" =>
+#                                 (
+#                                   "host" => "192.168.0.101",
+#                                   "port" => 80
+#                                 )
+#                               )
+#                             )
+# }}}
+
+# {{{ mod_auth
+# see authentication.txt
+#
+# auth.backend               = "plain"
+# auth.backend.plain.userfile = "lighttpd.user"
+# auth.backend.plain.groupfile = "lighttpd.group"
+
+# auth.backend.ldap.hostname = "localhost"
+# auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
+# auth.backend.ldap.filter   = "(uid=$)"
+
+# auth.require               = ( "/server-status" =>
+#                               (
+#                                 "method"  => "digest",
+#                                 "realm"   => "download archiv",
+#                                 "require" => "user=jan"
+#                               ),
+#                               "/server-info" =>
+#                               (
+#                                 "method"  => "digest",
+#                                 "realm"   => "download archiv",
+#                                 "require" => "valid-user"
+#                               )
+#                             )
+# }}}
+
+# {{{ mod_rewrite
+# see rewrite.txt
+#
+# url.rewrite = (
+#	"^/$"		=>		"/server-status"
+# )
+# }}}
+
+# {{{ mod_redirect
+# see redirect.txt
+#
+# url.redirect = (
+#	"^/wishlist/(.+)"		=>		"http://www.123.org/$1"
+# )
+# }}}
+
+# {{{ mod_evhost
+# define a pattern for the host url finding
+# %% => % sign
+# %0 => domain name + tld
+# %1 => tld
+# %2 => domain name without tld
+# %3 => subdomain 1 name
+# %4 => subdomain 2 name
+#
+# evhost.path-pattern        = "/home/storage/dev/www/%3/htdocs/"
+# }}}
+
+# {{{ mod_expire
+# expire.url = (
+#	"/buggy/"		=>		"access 2 hours",
+#	"/asdhas/"		=>		"access plus 1 seconds 2 minutes"
+# )
+# }}}
+
+# {{{ mod_rrdtool
+# see rrdtool.txt
+#
+# rrdtool.binary  = "/usr/bin/rrdtool"
+# rrdtool.db-name = var.statedir + "/lighttpd.rrd"
+# }}}
+
+# {{{ mod_setenv
+# see setenv.txt
+#
+# setenv.add-request-header  = ( "TRAV_ENV" => "mysql://user@host/db" )
+# setenv.add-response-header = ( "X-Secret-Message" => "42" )
+# }}}
+
+# {{{ mod_webdav
+# see webdav.txt
+#
+# $HTTP["url"] =~ "^/dav($|/)" {
+#     webdav.activate = "enable"
+#     webdav.is-readonly = "enable"
+# }
+# }}}
+
+# {{{ extra rules
+#
+# set Content-Encoding and reset Content-Type for browsers that
+# support decompressing on-thy-fly (requires mod_setenv)
+# $HTTP["url"] =~ "\.gz$" {
+#     setenv.add-response-header = ("Content-Encoding" => "x-gzip")
+#     mimetype.assign = (".gz" => "text/plain")
+# }
+
+# $HTTP["url"] =~ "\.bz2$" {
+#     setenv.add-response-header = ("Content-Encoding" => "x-bzip2")
+#     mimetype.assign = (".bz2" => "text/plain")
+# }
+#
+# }}}
+
+# {{{ debug
+# debug.log-request-header   = "enable"
+# debug.log-response-header  = "enable"
+# debug.log-request-handling = "enable"
+# debug.log-file-not-found   = "enable"
+# }}}
+
+# {{{ cgi includes
+# uncomment for cgi support
+#   include "mod_cgi.conf"
+# uncomment for php/fastcgi support
+#   include "mod_fastcgi.conf"
+# }}}
+
+# vim: set ft=conf foldmethod=marker et :
diff --git a/www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild b/www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild
new file mode 100644
index 000000000000..0dadbae5b17a
--- /dev/null
+++ b/www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild
@@ -0,0 +1,236 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+LUA_COMPAT=( lua5-{1..4} )
+
+inherit autotools lua-single readme.gentoo-r1 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="Lightweight high-performance web server"
+HOMEPAGE="https://www.lighttpd.net https://github.com/lighttpd"
+SRC_URI="https://download.lighttpd.net/lighttpd/releases-1.4.x/${P}.tar.xz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="+brotli dbi doc gnutls ipv6 kerberos ldap +lua maxminddb mbedtls mmap mysql +nettle nss +pcre php postgres rrdtool sasl selinux ssl sqlite +system-xxhash test unwind webdav xattr +zlib zstd"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} )
+	mysql? ( dbi )
+	postgres? ( dbi )
+	sqlite? ( dbi )
+	webdav? ( sqlite )
+"
+
+COMMON_DEPEND="
+	acct-group/lighttpd
+	acct-user/lighttpd
+	virtual/libcrypt:=
+	brotli? ( app-arch/brotli )
+	dbi? (
+		dev-db/libdbi
+		mysql? ( dev-db/libdbi-drivers[mysql] )
+		postgres? ( dev-db/libdbi-drivers[postgres] )
+		sqlite? ( dev-db/libdbi-drivers[sqlite] )
+	)
+	gnutls? ( net-libs/gnutls )
+	kerberos? ( virtual/krb5 )
+	ldap? ( >=net-nds/openldap-2.1.26 )
+	lua? ( ${LUA_DEPS} )
+	maxminddb? ( dev-libs/libmaxminddb )
+	mbedtls? ( net-libs/mbedtls )
+	nettle? ( dev-libs/nettle )
+	nss? ( dev-libs/nss )
+	pcre? ( dev-libs/libpcre2 )
+	php? ( dev-lang/php:*[cgi] )
+	rrdtool? ( net-analyzer/rrdtool )
+	sasl? ( dev-libs/cyrus-sasl )
+	ssl? ( >=dev-libs/openssl-0.9.7:0= )
+	system-xxhash? ( dev-libs/xxhash )
+	unwind? ( sys-libs/libunwind )
+	webdav? (
+		dev-libs/libxml2
+		sys-fs/e2fsprogs
+	)
+	xattr? ( kernel_linux? ( sys-apps/attr ) )
+	zlib? ( >=sys-libs/zlib-1.1 )
+	zstd? ( app-arch/zstd )"
+
+BDEPEND="
+	virtual/pkgconfig
+	doc?  ( dev-python/docutils )
+	test? (
+		virtual/perl-Test-Harness
+	)"
+
+DEPEND="${COMMON_DEPEND}"
+
+RDEPEND="${COMMON_DEPEND}
+	selinux? ( sec-policy/selinux-apache )
+"
+
+# update certain parts of lighttpd.conf based on conditionals
+update_config() {
+	local config="${D}/etc/lighttpd/lighttpd.conf"
+
+	# enable php/mod_fastcgi settings
+	if use php; then sed -i -e 's|#.*\(include.*fastcgi.*$\)|\1|' ${config} || die; fi
+
+	# automatically listen on IPv6 if built with USE=ipv6. Bug #234987
+	if use ipv6; then sed -i -e 's|# server.use-ipv6|server.use-ipv6|' ${config} || die; fi
+}
+
+pkg_setup() {
+	if use lua; then
+		lua-single_pkg_setup
+	fi
+
+	if ! use pcre ; then
+		ewarn "It is highly recommended that you build ${PN}"
+		ewarn "with perl regular expressions support via USE=pcre."
+		ewarn "Otherwise you lose support for some core options such"
+		ewarn "as conditionals and modules such as mod_re{write,direct}."
+	fi
+
+	DOC_CONTENTS="IPv6 migration guide:\n
+		http://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config"
+}
+
+src_prepare() {
+	default
+	# dev-python/docutils installs rst2html.py not rst2html
+	sed -i -e 's|\(rst2html\)|\1.py|g' doc/outdated/Makefile.am || \
+		die "sed doc/Makefile.am failed"
+	eautoreconf
+}
+
+src_configure() {
+	# The lua bit requires a bit of explanation. The lighttpd autoconf script
+	# handles the value passed to --with-lua as follows:
+	#  - "no" - do nothing
+	#  - "yes" - query pkgconfig for VERSIONED lua packages, starting with 5.3
+	#    and going down; only if lua5.1 cannot be found plain "lua" is tried
+	#  - any other value is passed to pkgconfig as the exact package name to use.
+	# We want a specific implementation to be used even if a newer one is present
+	# in the system so we use the latter mode.
+	econf \
+		CC_FOR_BUILD=$(tc-getBUILD_CC) \
+		--libdir=/usr/$(get_libdir)/${PN} \
+		--enable-lfs \
+		$(use_enable ipv6) \
+		$(use_enable mmap) \
+		$(use_with brotli) \
+		$(use_with dbi) \
+		$(use_with gnutls ) \
+		$(use_with kerberos krb5) \
+		$(use_with ldap) \
+		$(use_with lua lua ${ELUA}) \
+		$(use_with maxminddb) \
+		$(use_with mbedtls) \
+		$(use_with nettle) \
+		$(use_with nss) \
+		$(use_with pcre pcre2) \
+		$(use_with sasl) \
+		$(use_with ssl openssl) \
+		$(use_with system-xxhash) \
+		$(use_with webdav webdav-props) \
+		$(use_with webdav webdav-locks) \
+		$(use_with xattr attr) \
+		$(use_with zlib) \
+		$(use_with zstd) \
+		$(use_with unwind)
+}
+
+src_compile() {
+	emake
+
+	if use doc ; then
+		einfo "Building HTML documentation"
+		cd doc || die
+		emake html
+	fi
+}
+
+src_test() {
+	if [[ ${EUID} -eq 0 ]]; then
+		default_src_test
+	else
+		ewarn "test skipped, please re-run as root if you wish to test ${PN}"
+	fi
+}
+
+src_install() {
+	default
+
+	find "${D}" -name '*.la' -delete || die
+
+	# init script stuff
+	newinitd "${FILESDIR}"/lighttpd.initd lighttpd
+	newconfd "${FILESDIR}"/lighttpd.confd lighttpd
+
+	# configs
+	insinto /etc/lighttpd
+	newins "${FILESDIR}"/conf/lighttpd.conf-r1 lighttpd.conf
+	doins "${FILESDIR}"/conf/mime-types.conf
+	doins "${FILESDIR}"/conf/mod_cgi.conf
+	doins "${FILESDIR}"/conf/mod_fastcgi.conf
+
+	# update lighttpd.conf directives based on conditionals
+	update_config
+
+	# docs
+	dodoc AUTHORS README NEWS doc/scripts/*.sh
+	newdoc doc/config//lighttpd.conf lighttpd.conf.distrib
+	if use ipv6; then readme.gentoo_create_doc; fi
+
+	if use doc; then dodoc -r doc; fi
+
+	docinto txt
+	dodoc doc/outdated/*.txt
+
+	# logrotate
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/lighttpd.logrotate-r1 lighttpd
+
+	keepdir /var/l{ib,og}/lighttpd /var/www/localhost/htdocs
+	fowners lighttpd:lighttpd /var/l{ib,og}/lighttpd
+	fperms 0750 /var/l{ib,og}/lighttpd
+
+	systemd_dounit "${FILESDIR}/${PN}.service"
+	newtmpfiles "${FILESDIR}/${PN}.tmpfiles.conf" "${PN}.conf"
+}
+
+pkg_postinst() {
+	tmpfiles_process ${PN}.conf
+
+	if use ipv6; then readme.gentoo_print_elog; fi
+
+	if [[ -f ${ROOT}/etc/lighttpd.conf ]] ; then
+		elog
+		elog "Gentoo has a customized configuration,"
+		elog "which is now located in ${EROOT}/etc/lighttpd. Please migrate your"
+		elog "existing configuration."
+	fi
+
+	if use brotli || use zstd || use zlib; then
+		elog
+		elog "Remember to clean your cache directory when using"
+		elog "output compression!"
+		elog "https://wiki.lighttpd.net/Docs_ModDeflate"
+	fi
+
+	if use mysql; then
+		elog
+		elog "Note that upstream has moved away from using mysql directly"
+		elog "via mod_mysql and is now accessing it through mod_dbi. You"
+		elog "may need to update your configuration"
+	fi
+
+	elog
+	elog "Upstream has deprecated a number of features. They are not missing"
+	elog "but have been migrated to other mechanisms. Please see upstream"
+	elog "changelog for details."
+	elog "https://www.lighttpd.net/2022/1/19/1.4.64/"
+}
diff --git a/www-servers/lighttpd/metadata.xml b/www-servers/lighttpd/metadata.xml
index 25fe93ef41cd..4fa39ff0178f 100644
--- a/www-servers/lighttpd/metadata.xml
+++ b/www-servers/lighttpd/metadata.xml
@@ -25,8 +25,10 @@
 		<flag name="maxminddb">Add support for geolocation using libMaxMindDB</flag>
 		<flag name="mbedtls">Build module for TLS via Mbed TLS</flag>
 		<flag name="mmap">Use mmap with files owned by lighttpd. This is a dangerous option as it may allow local users to trigger SIGBUS crashes.</flag>
+		<flag name="nettle">Use dev-libs/nettle as crypto backend</flag>
 		<flag name="nss">Build module for TLS via Mozilla's Network Security Services</flag>
 		<flag name="rrdtool">Enable rrdtool support via mod_rrdtool</flag>
+		<flag name="system-xxhash">Use system provided libxxhash</flag>
 		<flag name="webdav">Enable webdav properties</flag>
 		<flag name="zlib">Enable output compression via gzip or deflate algorithms</flag>
 		<flag name="zstd">Enable output compression via Zstandard algorithm</flag>