41 Commits

Author SHA1 Message Date
Dominik 6fc8deed01 Fix thread-safety issues causing SIGSEGV under concurrent API load
pi_hole_extra_headers is a global char[1024] buffer written by API
handlers and read/cleared by civetweb's send_additional_header(), but
civetweb runs up to 50 worker threads concurrently. When multiple
threads handle authenticated requests in parallel, one thread can
overwrite or clear another's header data, causing wrong Set-Cookie
headers to be sent to wrong clients or cookies to be dropped entirely.

Make pi_hole_extra_headers _Thread_local so each worker thread gets its
own buffer. This is safe because civetweb handles each request entirely
within a single thread.

The auth_data session array has a similar race: concurrent threads
read/modify sessions without synchronization. Add a pthread mutex
protecting all auth_data access, using AUTOLOCK/AUTOUNLOCK macros based
on __attribute__((cleanup)) for RAII-style auto-unlock — ensuring the
mutex is released on every exit path, including hidden returns inside
JSON macros that do `return 500` on allocation failure.

Change api->session from a pointer into auth_data to an embedded struct
copy so downstream API handlers read from a per-request snapshot rather
than shared state. Use JSON_COPY_STR_TO_OBJECT for auth_data strings
so the JSON tree owns its own copies after the lock is released.

Fixes: #2824

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-04-05 20:02:16 +02:00
Dominik 80ddb8c2cd Revert "Update embedded SQLite3 to 3.52.0" 2026-03-14 17:52:34 +01:00
Dominik dcff36ede3 Update embedded SQLite3 to 3.52.0
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-03-06 20:33:08 +01:00
Dominik 61caea32f2 Merge branch 'development' into new/lua-5.5.0 2025-12-22 15:42:35 +01:00
Dominik 409da093f0 Update to final version 5.5.0 released today
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-12-22 15:42:22 +01:00
Dominik 9879a06983 Apply Pi-hole SQLite3 patches. The percentile and carray extensions are now native parts of the amalgamation build.
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-11-09 08:59:42 +01:00
Dominik 03bba1d473 Upgrade embedded Lua to 5.5-beta to work on the required changes. It turns out that only changes to civetweb (to be submitted in a separate PR over there) are needed. FTL and dnsmasq are fine with the new version.
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-09-11 19:47:03 +02:00
Dominik 482c7c6be9 Fix CivetWeb patches and apply remaining patches to the already updated code
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-09-03 20:00:47 +02:00
DL6ER 75b06a5469 Use "traditional" Lua Server Pages implementation when the first letter in a file is "H" (as in HTTP/1.1 ...). Use Kepler in all other cases
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-06-21 20:23:27 +02:00
DL6ER 96f7792f8a Add new CivetWeb patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-03-03 17:05:02 +01:00
DL6ER 96f10034e6 Update CivetWeb to their latest master branch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-03-01 10:07:11 +01:00
DL6ER 2dc36c0887 Add new CivetWeb patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-02-22 18:37:50 +01:00
DL6ER 2aa9bed7bb Update SQLite3 to 3.48.0 released earlier today
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-01-14 17:10:11 +01:00
DL6ER ddbce6392e Add new Lua patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-09-23 21:50:51 +02:00
DL6ER 59cfeb4ed5 Add new Lua patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-09-23 13:26:24 +02:00
DL6ER ce62ddc936 Apply and update Pi-hole patches
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-08-15 20:33:42 +02:00
DL6ER 828dd7b806 Update embedded SQLite3 engine to 3.46.1 released today. None of the mentioned points in the changelog apply to how Pi-hole uses SQLite3 but we may still benefit from "other minor fixes"
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-08-13 16:34:14 +02:00
DL6ER dc204a41b0 Use v2.6 CI containers and nightly for the devcontainer
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-05-25 09:54:37 +02:00
DL6ER 3ea9ce2bbc Update embedded SQLite3 engine to version 3.44.1
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-22 21:47:17 +01:00
DL6ER c97239aced Remove CivetWeb patch which is not needed when authentication_domain is set
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-19 11:20:40 +01:00
DL6ER b6743220da Merge pull request #1721 from pi-hole/update/sqlite_3.44.0
Update embedded SQLite3 engine to version 3.44.0
2023-11-01 18:16:18 +01:00
DL6ER 011c1af8ac Update embedded SQLite3 engine to version 3.44.0
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-01 07:11:10 +02:00
DL6ER cc4f99e3f2 Add most recent CivetWeb patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-31 08:36:34 +01:00
DL6ER 6dc0cb2b6a Add new CivetWeb patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-14 15:40:21 +02:00
DL6ER 3427c04396 Add new Civetweb patch
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-08 09:11:32 +02:00
DL6ER 6474c37e44 Add mg.request_info.is_authenticated to check if a user is authenticated
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-07-05 21:11:58 +02:00
DL6ER af4ce5cbba Add more recent commit to Civetweb patch series
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-06-03 20:52:59 +02:00
DL6ER f5f0354b3c Generate and store CSRF token in the session
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-06-03 20:51:13 +02:00
DL6ER 54cf9ad1f9 Add new debug.tls option logging any mbedTLS debug output to webserver.log
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-25 18:28:34 +02:00
DL6ER 182a10701b Add new CivetWeb patch needed for URL rewriting
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-25 18:04:01 +02:00
DL6ER a02f4eb42a Add new Kepler syntax commit to Civetweb-related patch series
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-22 19:13:17 +02:00
DL6ER f31de37b38 Merge remote-tracking branch 'origin/development' into new/http
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-04 12:19:39 +02:00
DL6ER 866ca4b657 Apply Pi-hole Lua patches
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-04-30 21:11:51 +02:00
DL6ER db0157451f Apply Pi-hole CivetWeb patches
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-04-11 12:23:52 +02:00
DL6ER 44937a747a Add civetweb patch to disable DLOPEN
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-01-13 21:38:08 +01:00
DL6ER a5d0a663e4 Update embedded civetweb to 1.15
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-12-31 08:44:43 +01:00
DL6ER e78f691fa0 Add civetweb patches
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-12-31 07:12:11 +01:00
DL6ER 4fdf3d9ab4 Re-add /*** Pi-hole modification ***/ comments
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-26 18:13:33 +01:00
DL6ER 8957ee456b Update embedded LUA to 5.4.4
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-25 19:13:51 +01:00
DL6ER 717181335b Add LUA patches
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-25 19:07:49 +01:00
DL6ER 5252aeb077 Reference sqlite3ErrName instead of copying it. This requires SQLite3 patching
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-25 11:35:08 +01:00