NetBSD Problem Report #50374
From www@NetBSD.org Wed Oct 28 15:15:04 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 810EFA65B7
for <gnats-bugs@gnats.NetBSD.org>; Wed, 28 Oct 2015 15:15:04 +0000 (UTC)
Message-Id: <20151028151503.62CEBA65BA@mollari.NetBSD.org>
Date: Wed, 28 Oct 2015 15:15:03 +0000 (UTC)
From: okuyama@flex.phys.tohoku.ac.jp
Reply-To: okuyama@flex.phys.tohoku.ac.jp
To: gnats-bugs@NetBSD.org
Subject: httpd passes duplicated path to cgi-bin
X-Send-Pr-Version: www-1.0
>Number: 50374
>Category: bin
>Synopsis: httpd passes duplicated path to cgi-bin
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: mrg
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 28 15:20:00 +0000 2015
>Closed-Date: Thu Dec 31 07:44:30 +0000 2015
>Last-Modified: Thu Dec 31 07:44:37 +0000 2015
>Originator: Rin Okuyama
>Release: 7.99.21
>Organization:
Department of Physics, Tohoku University
>Environment:
NetBSD kobrmc7 7.99.21 NetBSD 7.99.21 (XXX) #0: Tue Oct 6 01:38:01 JST 2015 root@XXX:XXX amd64
>Description:
httpd passes duplicated path to cgi-bin. For example, the following are
outputs of pkgsrc/www/viewvc:
* with httpd (20151028)
<a href="/cgi-bin/viewvc.cgi/cvsroot//cvsroot/?sortdir=down#dirlist">File</a>
* with bozohttpd (20150320)
<a href="/cgi-bin/viewvc.cgi/cvsroot/?sortdir=down#dirlist">File</a>
"/cvsroot" is duplicated in the former. This bug was introduced to
src/libexec/httpd/cgi-bozo.c in Rev. 1.26:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/cgi-bozo.c.diff?r1=1.25&r2=1.26&f=H
See the code from Revs. 1.25 and 1.26 below.
* Rev. 1.25
	command = file + CGIBIN_PREFIX_LEN + 1;
	if ((s = strchr(command, '/')) != NULL) {
		info = bozostrdup(httpd, s);
		*s = '\0';
	}
* Rev. 1.26
	snprintf(command, sizeof(command), "%s",
	    file + CGIBIN_PREFIX_LEN + 1);
	if ((s = strchr(command, '/')) != NULL) {
		info = bozostrdup(httpd, s);
		*s = '\0';
	}
In Rev. 1.25, the string pointed to by "file" is trimmed, whereas it is not
in Rev. 1.26. This is the cause of the duplication.
>How-To-Repeat:
Run some cgi-bin, e.g., pkgsrc/www/viewvc, with httpd compiled from
source after Apr 19 2015.
>Fix:
--- src/libexec/httpd/cgi-bozo.c.orig 2015-10-28 23:01:12.000000000 +0900
+++ src/libexec/httpd/cgi-bozo.c 2015-10-28 23:01:21.000000000 +0900
@@ -319,12 +319,12 @@
argv[ix++] = path;
/* argv[] = [ path, command, query, NULL ] */
} else {
- snprintf(command, sizeof(command), "%s",
- file + CGIBIN_PREFIX_LEN + 1);
- if ((s = strchr(command, '/')) != NULL) {
+ s = strchr(t = file + CGIBIN_PREFIX_LEN + 1, '/');
+ if (s != NULL) {
info = bozostrdup(httpd, s);
*s = '\0';
}
+ snprintf(command, sizeof(command), "%s", t);
path = bozomalloc(httpd,
strlen(httpd->cgibin) + 1 + strlen(command) + 1);
strcpy(path, httpd->cgibin);
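Review bot: the relocated `snprintf(command, sizeof(command), "%s", t);` ignores its return value, so a script name longer than `command` is silently truncated, and the `path` allocated just below is sized from that truncated `command`. Compare the return value against `sizeof(command)` and reject the request when it does not fit. Two smaller points on the first added line: `t` is assigned inside the `strchr()` argument list and its declaration is not part of this hunk, so a separate `t = file + CGIBIN_PREFIX_LEN + 1;` statement (plus the declaration) would be clearer; and since `*s = '\0'` now deliberately cuts `file` in place again, a one-line comment saying that later users of `file` rely on the cut would keep the next cleanup from repeating the Rev. 1.26 change.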
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->shm
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Wed, 28 Oct 2015 17:31:39 +0000
Responsible-Changed-Why:
shm, can you please take a look?
From: Mateusz Kocielski <shm@digitalsun.pl>
To: gnats-bugs@NetBSD.org
Cc: shm@NetBSD.org, wiz@NetBSD.org, okuyama@flex.phys.tohoku.ac.jp
Subject: Re: bin/50374 (httpd passes duplicated path to cgi-bin)
Date: Thu, 29 Oct 2015 07:58:39 +0000
I'll take care of it. I'm doing major changes in CGI now.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50374 CVS commit: src/libexec/httpd
Date: Thu, 31 Dec 2015 04:39:16 +0000
Module Name: src
Committed By: mrg
Date: Thu Dec 31 04:39:16 UTC 2015
Modified Files:
src/libexec/httpd: cgi-bozo.c
Log Message:
redo the fix for rev 1.26 - instead of getting a new string wrong,
just delay the free until the parent has finished using them.
also, free query as well.
fixes PR#50374.
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/libexec/httpd/cgi-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Thu, 31 Dec 2015 07:44:30 +0000
State-Changed-Why:
i fixed it.
Responsible-Changed-From-To: shm->mrg
Responsible-Changed-By: mrg@NetBSD.org
Responsible-Changed-When: Thu, 31 Dec 2015 07:44:37 +0000
Responsible-Changed-Why:
i fixed it.
>Unformatted:
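The duplication described in the Description can be reproduced outside httpd. The following is an added example, not code from the PR or from bozohttpd: `self_url()`, its `in_place` flag, the buffer sizes and the `CGIBIN_PREFIX` value are hypothetical, and it assumes that SCRIPT_NAME is taken from `file` and that the CGI builds its links as SCRIPT_NAME + PATH_INFO.

```c
#include <stdio.h>
#include <string.h>

/* Assumed definitions: the PR shows only the name CGIBIN_PREFIX_LEN. */
#define CGIBIN_PREFIX     "cgi-bin/"
#define CGIBIN_PREFIX_LEN (sizeof(CGIBIN_PREFIX) - 1)

/*
 * Split a request path into command and PATH_INFO, then build the self-URL
 * a CGI emits as SCRIPT_NAME + PATH_INFO (assumption: SCRIPT_NAME is "file"
 * as left by the split). in_place=1 models Rev. 1.25 and the proposed fix,
 * in_place=0 models Rev. 1.26. Returns 0, or -1 if a buffer is too small.
 */
static int
self_url(const char *request, int in_place, char *out, size_t outlen)
{
	char file[256], command[256], info[256] = "";
	char *t, *s;
	int n;

	if (strlen(request) >= sizeof(file) ||
	    strlen(request) < CGIBIN_PREFIX_LEN + 1)
		return -1;
	strcpy(file, request);
	t = file + CGIBIN_PREFIX_LEN + 1;
	snprintf(command, sizeof(command), "%s", t);

	/* Rev. 1.26 searches the copy; Rev. 1.25 searched "file" itself. */
	s = strchr(in_place ? t : command, '/');
	if (s != NULL) {
		strcpy(info, s);	/* PATH_INFO, e.g. "/cvsroot/" */
		*s = '\0';		/* truncates only the buffer searched */
	}
	if (in_place)			/* command is derived after the cut */
		snprintf(command, sizeof(command), "%s", t);
	n = snprintf(out, outlen, "%s%s", file, info);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int
main(void)
{
	const char *req = "/cgi-bin/viewvc.cgi/cvsroot/";	/* constructed */
	char url[512];
	if (self_url(req, 0, url, sizeof(url)) == 0)
		printf("copy split (1.26):     %s\n", url);
	if (self_url(req, 1, url, sizeof(url)) == 0)
		printf("in-place split (1.25): %s\n", url);
	return 0;
}
```

In both modes `command` ends up as the same script name, so the same program runs; only the environment derived from `file` differs, which is why the defect surfaces in generated links rather than as an execution failure.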