Dominik
6fc8deed01
Fix thread-safety issues causing SIGSEGV under concurrent API load
...
pi_hole_extra_headers is a global char[1024] buffer written by API
handlers and read/cleared by civetweb's send_additional_header(), but
civetweb runs up to 50 worker threads concurrently. When multiple
threads handle authenticated requests in parallel, one thread can
overwrite or clear another's header data, causing wrong Set-Cookie
headers to be sent to wrong clients or cookies to be dropped entirely.

Make pi_hole_extra_headers _Thread_local so each worker thread gets its
own buffer. This is safe because civetweb handles each request entirely
within a single thread.

The auth_data session array has a similar race: concurrent threads
read/modify sessions without synchronization. Add a pthread mutex
protecting all auth_data access, using AUTOLOCK/AUTOUNLOCK macros based
on __attribute__((cleanup)) for RAII-style auto-unlock — ensuring the
mutex is released on every exit path, including hidden returns inside
JSON macros that do `return 500` on allocation failure.

Change api->session from a pointer into auth_data to an embedded struct
copy so downstream API handlers read from a per-request snapshot rather
than shared state. Use JSON_COPY_STR_TO_OBJECT for auth_data strings
so the JSON tree owns its own copies after the lock is released.

Fixes: #2824
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-04-05 20:02:16 +02:00
Dominik
80ddb8c2cd
Revert "Update embedded SQLite3 to 3.52.0"
2026-03-14 17:52:34 +01:00
Dominik
dcff36ede3
Update embedded SQLite3 to 3.52.0
...
Signed-off-by: Dominik <dl6er@dl6er.de>
2026-03-06 20:33:08 +01:00
Dominik
61caea32f2
Merge branch 'development' into new/lua-5.5.0
2025-12-22 15:42:35 +01:00
Dominik
409da093f0
Update to final version 5.5.0 released today
...
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-12-22 15:42:22 +01:00
Dominik
9879a06983
Apply Pi-hole SQLite3 patches. The percentile and carray extensions are now native parts of the amalgamation build.
...
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-11-09 08:59:42 +01:00
Dominik
03bba1d473
Upgrade embedded Lua to 5.5-beta to work on the required changes. It turns out that only changes to civetweb (to be submitted in a separate PR over there) are needed. FTL and dnsmasq are fine with the new version.
...
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-09-11 19:47:03 +02:00
Dominik
482c7c6be9
Fix CivetWeb patches and apply remaining patches to the already updated code
...
Signed-off-by: Dominik <dl6er@dl6er.de>
2025-09-03 20:00:47 +02:00
DL6ER
75b06a5469
Use "traditional" Lua Server Pages implementation when the first letter in a file is "H" (as in HTTP/1.1 ...). Use Kepler in all other cases
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-06-21 20:23:27 +02:00
DL6ER
96f7792f8a
Add new CivetWeb patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-03-03 17:05:02 +01:00
DL6ER
96f10034e6
Update CivetWeb to their latest master branch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-03-01 10:07:11 +01:00
DL6ER
2dc36c0887
Add new CivetWeb patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-02-22 18:37:50 +01:00
DL6ER
2aa9bed7bb
Update SQLite3 to 3.48.0 released earlier today
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-01-14 17:10:11 +01:00
DL6ER
ddbce6392e
Add new Lua patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-09-23 21:50:51 +02:00
DL6ER
59cfeb4ed5
Add new Lua patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-09-23 13:26:24 +02:00
DL6ER
ce62ddc936
Apply and update Pi-hole patches
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-08-15 20:33:42 +02:00
DL6ER
828dd7b806
Update embedded SQLite3 engine to 3.46.1 released today. None of the mentioned points in the changelog apply to how Pi-hole uses SQLite3 but we may still benefit from "other minor fixes"
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-08-13 16:34:14 +02:00
DL6ER
dc204a41b0
Use v2.6 CI containers and nightly for the devcontainer
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2024-05-25 09:54:37 +02:00
DL6ER
3ea9ce2bbc
Update embedded SQLite3 engine to version 3.44.1
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-22 21:47:17 +01:00
DL6ER
c97239aced
Remove CivetWeb patch which is not needed when authentication_domain is set
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-19 11:20:40 +01:00
DL6ER
b6743220da
Merge pull request #1721 from pi-hole/update/sqlite_3.44.0
...
Update embedded SQLite3 engine to version 3.44.0
2023-11-01 18:16:18 +01:00
DL6ER
011c1af8ac
Update embedded SQLite3 engine to version 3.44.0
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-11-01 07:11:10 +02:00
DL6ER
cc4f99e3f2
Add most recent CivetWeb patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-31 08:36:34 +01:00
DL6ER
6dc0cb2b6a
Add new CivetWeb patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-14 15:40:21 +02:00
DL6ER
3427c04396
Add new Civetweb patch
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-08 09:11:32 +02:00
DL6ER
6474c37e44
Add mg.request_info.is_authenticated to check if a user is authenticated
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-07-05 21:11:58 +02:00
DL6ER
af4ce5cbba
Add more recent commit to Civetweb patch series
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-06-03 20:52:59 +02:00
DL6ER
f5f0354b3c
Generate and store CSRF token in the session
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-06-03 20:51:13 +02:00
DL6ER
54cf9ad1f9
Add new debug.tls option logging any mbedTLS debug output to webserver.log
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-25 18:28:34 +02:00
DL6ER
182a10701b
Add new CivetWeb patch needed for URL rewriting
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-25 18:04:01 +02:00
DL6ER
a02f4eb42a
Add new Kepler syntax commit to Civetweb-related patch series
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-22 19:13:17 +02:00
DL6ER
f31de37b38
Merge remote-tracking branch 'origin/development' into new/http
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-05-04 12:19:39 +02:00
DL6ER
866ca4b657
Apply Pi-hole Lua patches
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-04-30 21:11:51 +02:00
DL6ER
db0157451f
Apply Pi-hole CivetWeb patches
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-04-11 12:23:52 +02:00
DL6ER
44937a747a
Add civetweb patch to disable DLOPEN
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-01-13 21:38:08 +01:00
DL6ER
a5d0a663e4
Update embedded civetweb to 1.15
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-12-31 08:44:43 +01:00
DL6ER
e78f691fa0
Add civetweb patches
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-12-31 07:12:11 +01:00
DL6ER
4fdf3d9ab4
Re-add /*** Pi-hole modification ***/ comments
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-26 18:13:33 +01:00
DL6ER
8957ee456b
Update embedded LUA to 5.4.4
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-25 19:13:51 +01:00
DL6ER
717181335b
Add LUA patches
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-25 19:07:49 +01:00
DL6ER
5252aeb077
Reference sqlite3ErrName instead of copying it. This requires SQLite3 patching
...
Signed-off-by: DL6ER <dl6er@dl6er.de>
2022-11-25 11:35:08 +01:00