When mode-keys is set to vi, do not allow the cursor to go into the
invisible extra cell to the right of the visible text. This is closer to
what vi(1) does. From Max Vim in GitHub issue 5070.
Add a five second limit on pasting for terminals which mysteriously lose
the end sequence if the paste is too big (that is, Terminal.app).
Reported by Garri Djavadyan in GitHub issue 4527.
usr.sbin/httpd: add cache controls for static files
Teach httpd to advertise static file revalidation by default with
Cache-Control: no-cache, preserving the existing Last-Modified and
If-Modified-Since flow; add a [no] static-cache-control directive for
opting out, and advertise Vary: Accept-Encoding whenever gzip-static is
enabled.
OK: claudio@
Add new-pane command, currently this is equivalent to split-window but
it will have minor differences for floating panes in future. Also add
-R/-s/-S/-k/-m flags to control border and style and behaviour, like
popups. GitHub issue 5027 from Dane Jensen.
usr.sbin/relayd: support multiple resolvable addresses.
relayd supports an interface name, DNS hostname or interface group in
listen on, but it binds only to the first discovered IP address, which is
usually IPv4.
Here I changed the parser to create a dedicated listener for each
discovered address configured on a local interface.
This means that listen on egress port 80 binds to all IPv4 and IPv6
addresses on the egress group.
OK: rsadowski@
Fix sys_shmat().
The shminfo.shmseg could be changed via sysctl during a sleeping malloc().
It only grows, so we access memory outside of the allocated chunk within the
following 'for' loop. This issue was exposed by syzkaller [1].
Also, p->p_vmspace points to the ps_vmspace common to the whole process,
so p->p_vmspace->vm_shm could be already set by concurrent sys_shmat()
thread. We need to check this case, otherwise the pointer to
concurrently allocated segment will be overwritten.
1. https://syzkaller.appspot.com/bug?extid=9669e87e543ae1f05884
ok deraadt
Replace semid_ds with semid_ds_kern for in-kernel sysv semaphore
implementation.
Note, the buffer used for userland delivery in sysctl_sysvipc() was
filled with zeros during allocation, we don't need extra zeroing.
ok deraadt millert
usr.sbin/relayd: handle HTTP responses without bodies
RFC 9112 section 6.3 specifies that responses to HEAD requests, and
responses with 1xx, 204, or 304 status codes, are terminated by the
empty line after the header section regardless of Content-Length or
Transfer-Encoding. They cannot contain a message body or trailer
section.
Teach relayd to apply that framing rule before deciding whether a
response body is bounded. Otherwise relayd treats these responses as
unbounded, adds Connection: close, and can forward both the backend's
Connection: keep-alive and its own Connection: close.
Tweaks and OK: rsadowski@
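As an added illustration of the RFC 9112 section 6.3 framing rule described in this entry (example code written for this page, not relayd's own source), the C function below classifies a raw response header block and applies the bodiless rule before looking at Content-Length or Transfer-Encoding. The function names and the header blocks it is fed are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* How the end of a response body is found (RFC 9112 section 6.3). */
enum framing { FRAMING_NO_BODY, FRAMING_CHUNKED, FRAMING_CONTENT_LENGTH, FRAMING_UNBOUNDED };

/* HEAD responses and 1xx/204/304 responses end at the empty line after
 * the headers, whatever Content-Length or Transfer-Encoding say. */
static bool
response_bodiless(const char *method, int status)
{
	return strcasecmp(method, "HEAD") == 0 ||
	    (status >= 100 && status < 200) || status == 204 || status == 304;
}

/* Case-insensitive search for the token "chunked" in one header value. */
static bool
value_has_chunked(const char *v)
{
	for (; *v != '\0' && *v != '\r'; v++)
		if (strncasecmp(v, "chunked", 7) == 0)
			return true;
	return false;
}

/* Classify a raw header block (status line + headers, CRLF separated, ended
 * by an empty line) answering a request with the given method.  The
 * bodiless rule is applied before any header-based rule. */
static enum framing
response_framing(const char *method, const char *raw)
{
	int status = 0;
	bool has_cl = false, chunked = false;

	if (strncmp(raw, "HTTP/1.", 7) == 0)
		status = atoi(raw + 9);		/* "HTTP/1.x NNN reason" */
	while ((raw = strstr(raw, "\r\n")) != NULL) {
		raw += 2;
		if (*raw == '\r' || *raw == '\0')
			break;			/* empty line ends the headers */
		if (strncasecmp(raw, "Content-Length:", 15) == 0)
			has_cl = true;
		else if (strncasecmp(raw, "Transfer-Encoding:", 18) == 0 &&
		    value_has_chunked(raw + 18))
			chunked = true;
	}
	if (response_bodiless(method, status))
		return FRAMING_NO_BODY;
	if (chunked)
		return FRAMING_CHUNKED;
	if (has_cl)
		return FRAMING_CONTENT_LENGTH;
	return FRAMING_UNBOUNDED;	/* only closing the connection ends it */
}
```

A proxy that gets FRAMING_UNBOUNDED is the case where adding Connection: close is justified; for FRAMING_NO_BODY it must not be added, which is exactly the misbehaviour the entry fixes.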
repair more prototypes for pseudo-device attach functions
pppattach and spppattach should have a single int parameter to match
what's in ioconf.c.
also noticed independently by jsg@; ok jsg@
relayd: use explicit_bzero in ssl_password_cb
This replaces bzero with explicit_bzero in the SSL password callback. Since
ssl_password_cb handles sensitive data, a standard bzero could be optimized
away by the compiler.
Additionally, this ensures the buffer is cleared if strlcpy fails due to
truncation, preventing password fragments from lingering in memory.
OK renaud@, kirill@
repair prototype for pseudo-device attach function
The dtattach function was declared with an autoconf style prototype, but
should have been declared with a single int parameter. Repair this.
ok deraadt@, jsg@
Exclude hidden files and directories when synchronizing via Rsync
According to RFC 9286 section 4.2.2, filenames in the RPKI cannot start
with a dot. And RFC 6481 section 1.1 describes the concept of a publication
point as a "directory in a publicly accessible filesystem". From there it
follows there is no need to transfer hidden files and directories. This may
help in avoiding exposure to intermediate states (e.g., /a/.~tmp~/b.roa).
Thanks to Ben Cartwright-Cox for raising this.
OK tb@
Introduce and use dtls12_handshake_msg.
Add struct dtls12_handshake_msg and various related functions, which
allow for the construction of DTLS handshake messages and associated
fragments.
Use this on the DTLS write path for sending handshake message fragments.
This means that we no longer modify the init buffer, which also fixes a
bug where the message callback is called with a corrupted handshake
message when multiple fragments have been sent.
We also now correctly track fragment offsets when sending a handshake
message that results in multiple calls to dtls1_do_write_handshake_message().
This is the first step towards further untangling of the write path in
the legacy TLS stack.
ok kenjiro@ tb@