NetBSD Problem Report #50374

From www@NetBSD.org  Wed Oct 28 15:15:04 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 810EFA65B7
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 28 Oct 2015 15:15:04 +0000 (UTC)
Message-Id: <20151028151503.62CEBA65BA@mollari.NetBSD.org>
Date: Wed, 28 Oct 2015 15:15:03 +0000 (UTC)
From: okuyama@flex.phys.tohoku.ac.jp
Reply-To: okuyama@flex.phys.tohoku.ac.jp
To: gnats-bugs@NetBSD.org
Subject: httpd passes duplicated path to cgi-bin
X-Send-Pr-Version: www-1.0

>Number:         50374
>Category:       bin
>Synopsis:       httpd passes duplicated path to cgi-bin
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    mrg
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 28 15:20:00 +0000 2015
>Closed-Date:    Thu Dec 31 07:44:30 +0000 2015
>Last-Modified:  Thu Dec 31 07:44:37 +0000 2015
>Originator:     Rin Okuyama
>Release:        7.99.21
>Organization:
Department of Physics, Tohoku University
>Environment:
NetBSD kobrmc7 7.99.21 NetBSD 7.99.21 (XXX) #0: Tue Oct  6 01:38:01 JST 2015  root@XXX:XXX amd64
>Description:
httpd passes duplicated path to cgi-bin. For example, the followings are
outputs of pkgsrc/www/viewvc:

* with httpd (20151028)
<a href="/cgi-bin/viewvc.cgi/cvsroot//cvsroot/?sortdir=down#dirlist">File</a>

* with bozohttpd (20150320)
<a href="/cgi-bin/viewvc.cgi/cvsroot/?sortdir=down#dirlist">File</a>

"/cvsroot" is duplicated in the former. This bug was introduced to
src/libexec/httpd/cgi-bozo.c in Rev. 1.26:

  http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/cgi-bozo.c.diff?r1=1.25&r2=1.26&f=H

See codes from Revs. 1.25 and 1.26 below.

* Rev. 1.25

   317                  command = file + CGIBIN_PREFIX_LEN + 1;
   318                  if ((s = strchr(command, '/')) != NULL) {
   319                          info = bozostrdup(httpd, s);
   320                          *s = '\0';
   321                  }

* Rev. 1.26

   317                  snprintf(command, sizeof(command), "%s",
   318                      file + CGIBIN_PREFIX_LEN + 1);
   319                  if ((s = strchr(command, '/')) != NULL) {
   320                          info = bozostrdup(httpd, s);
   321                          *s = '\0';
   322                  }

In Rev. 1.25, a string pointed by "file" is trimmed, whereas it is not
in Rev. 1.26. This is the cause of the duplication.
>How-To-Repeat:
Run some cgi-bin, e.g., pkgsrc/www/viewvc, with httpd compiled from
source after Apr 19 2015.
>Fix:
--- src/libexec/httpd/cgi-bozo.c.orig	2015-10-28 23:01:12.000000000 +0900
+++ src/libexec/httpd/cgi-bozo.c	2015-10-28 23:01:21.000000000 +0900
@@ -319,12 +319,12 @@
 		argv[ix++] = path;
 			/* argv[] = [ path, command, query, NULL ] */
 	} else {
-		snprintf(command, sizeof(command), "%s",
-		    file + CGIBIN_PREFIX_LEN + 1);
-		if ((s = strchr(command, '/')) != NULL) {
+		s = strchr(t = file + CGIBIN_PREFIX_LEN + 1, '/');
+		if (s != NULL) {
 			info = bozostrdup(httpd, s);
 			*s = '\0';
 		}
+		snprintf(command, sizeof(command), "%s", t);
 		path = bozomalloc(httpd,
 				strlen(httpd->cgibin) + 1 + strlen(command) + 1);
 		strcpy(path, httpd->cgibin);

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: bin-bug-people->shm
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Wed, 28 Oct 2015 17:31:39 +0000
Responsible-Changed-Why:
shm, can you please take a look?


From: Mateusz Kocielski <shm@digitalsun.pl>
To: gnats-bugs@NetBSD.org
Cc: shm@NetBSD.org, wiz@NetBSD.org, okuyama@flex.phys.tohoku.ac.jp
Subject: Re: bin/50374 (httpd passes duplicated path to cgi-bin)
Date: Thu, 29 Oct 2015 07:58:39 +0000

 I'll take care of it. I'm doing major changes in CGI now.

From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/50374 CVS commit: src/libexec/httpd
Date: Thu, 31 Dec 2015 04:39:16 +0000

 Module Name:	src
 Committed By:	mrg
 Date:		Thu Dec 31 04:39:16 UTC 2015

 Modified Files:
 	src/libexec/httpd: cgi-bozo.c

 Log Message:
 redo the fix for rev 1.26 - instead of getting a new string wrong,
 just delay the free until the parent has finished using them.
 also, free query as well.

 fixes PR#50374.


 To generate a diff of this commit:
 cvs rdiff -u -r1.31 -r1.32 src/libexec/httpd/cgi-bozo.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Thu, 31 Dec 2015 07:44:30 +0000
State-Changed-Why:
i fixed it.


Responsible-Changed-From-To: shm->mrg
Responsible-Changed-By: mrg@NetBSD.org
Responsible-Changed-When: Thu, 31 Dec 2015 07:44:37 +0000
Responsible-Changed-Why:
i fixed it.


>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.