[BusyBox] httpd w/ SSI support (full patch)
Vladimir N. Oleynik
dzo at simtreas.ru
Sat Dec 25 09:33:40 UTC 2004
jean-marc.morin3,
(Can I see your real name? ;-)
>>Your putCgiEnvVar() has a buffer overflow problem; why do you not use
>>my function addEnv()?
>>
> This function was just an attempt to consolidate your sendCgi portion with
> my need concerning CGI variable, and get a more compact code. Sorry for the
> buffer issue. I'll take your code if you extract the CGI declaration from
> the sendCgi function.
Trivial changes:
> + const char *CgiVars[] =
> + {
> + //"PATH", "", "", getenv("PATH"),
> + "SERVER", "_", "PROTOCOL", "HTTP/1.0", // FIX-ME:
> + "GATEWAY", "_", "INTERFACE", "CGI/1.1", // FIX-ME:
> + "SERVER", "_", "SOFTWARE", httpdVersion, // FIX-ME:
> + "QUERY", "_", "STRING", config->query,
> + "REMOTE", "_", "ADDR", config->rmt_ip_str,
> + "PATH", "_", "INFO", path_info,
> + "REQUEST", "_", "URI", request_uri,
> + "REQUEST", "_", "METHOD", request_method,
> + "SCRIPT", "_", "NAME", script_name,
> + "CONTENT", "_", "LENGTH", content_length,
> + "CONTENT", "_", "TYPE", content_type,
> + "HTTP", "_", "COOKIE", http_cookie,
> + "HTTP", "_", "REFERER", config->referer,
> +#ifdef CONFIG_FEATURE_HTTPD_BASIC_AUTH
> + "REMOTE", "_", "USER", config->remoteuser,
> + "AUTH", "_", "TYPE", config->remoteuser?"Basic":NULL,
> +#endif
> + 0, 0, 0, 0
> + };
> + const char ** curs;
> +
> + for(curs = CgiVars;*curs;curs+=4)
> + {
> + char buf[MAX_MEMORY_BUFF]; // CAVEAT: buffer overflow
> +
> + if(curs[3])
> + {
> + strcpy(buf,curs[0]);
> + strcat(buf,curs[1]);
> + strcat(buf,curs[2]);
> + strcat(buf,"=");
> + strcat(buf,curs[3]);
> + putenv( strdup( buf ) );
> + }
> + }
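Review bot: buf[MAX_MEMORY_BUFF] is filled with strcpy()/strcat() and no length check, and the value slot curs[3] carries strings that by their names come from the request (config->query, request_uri, http_cookie, config->referer), so a long value writes past the stack buffer. Size the string from the strlen() of the four parts, or use a bounded formatter, before the putenv( strdup( buf ) ) call. The strdup() result is also handed to putenv() without a NULL check.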
to:
+ const char *CgiVars[] =
+ {
+ //"PATH", "", getenv("PATH"),
+ "SERVER", "PROTOCOL", "HTTP/1.0", // FIX-ME:
+ "GATEWAY","INTERFACE", "CGI/1.1", // FIX-ME:
+ "SERVER", "SOFTWARE", httpdVersion, // FIX-ME:
+ "QUERY", "STRING", config->query,
+ "REMOTE", "ADDR", config->rmt_ip_str,
+ "PATH", "INFO", path_info,
+ "REQUEST", "URI", request_uri,
+ "REQUEST", "METHOD", request_method,
+ "SCRIPT", "NAME", script_name,
+ "CONTENT", "LENGTH", content_length,
+ "CONTENT", "TYPE", content_type,
+ "HTTP", "COOKIE", http_cookie,
+ "HTTP", "REFERER", config->referer,
+#ifdef CONFIG_FEATURE_HTTPD_BASIC_AUTH
+ "REMOTE", "USER", config->remoteuser,
+ "AUTH", "TYPE", config->remoteuser?"Basic":NULL,
+#endif
+ 0, 0, 0, 0
+ };
+ const char ** curs;
+
+ for(curs = CgiVars;*curs;curs+=3) {
+ if(curs[3]) {
+ addEnv(curs[0], curs[1], curs[2]);
+ }
+ }
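Review bot: the loop now steps by 3, but the guard still reads curs[3], which is the first name of the next triple rather than this entry's value in curs[2]. As written, entries whose value is NULL (for example "AUTH", "TYPE" when config->remoteuser is NULL) are still passed to addEnv(), and the last entry before the terminator is skipped because curs[3] is 0 there. Test curs[2] instead; the terminator "0, 0, 0, 0" can then drop to three elements to match the new stride.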
>>I do not understand what you use the "for" cycles for in this code.
>
>
> I was too lazy to spend time to figure out what could be 0,1,2 in all
> configurations. This trick just takes care that the nuls I use for dup to
> stdin will never come from the range 0,1,2. Don't even mention it is bad
> coding technique, I admit it unreservedly. I have a rewrite of this in my
> plan. In the meantime, let's say ... "it works" :-o
I think it is necessary to make two variants:
1) for standalone daemon (not from inetd), daemon() always sets 0,1,2
to /dev/null, and socket fd is > 2
2) for usage from inetd, 0,1,2 are set to the socket
#ifndef CONFIG_FEATURE_HTTPD_USAGE_FROM_INETD_ONLY
/* standalone, set stdout and stderr
from /dev/null to accepted socket */
fd1 = dup(1);
dup2(a_c_w, 1);
dup2(a_c_w, 2);
#else
/* from inetd - set stdin from socket to /dev/null */
close(0);
open("/dev/null", O_RDONLY);
#endif
system(...);
#ifndef CONFIG_FEATURE_HTTPD_USAGE_FROM_INETD_ONLY
dup2(fd1, 1);
dup2(fd1, 2);
close(fd1);
#else
dup2(a_c_w, 0);
#endif
It's easy to see. Right?
>
>>I think, here too it is required to use path by default:
>>/var/run/httpd.pid
>
>
> I did not understand this one.
Always set s_pidfile.
> + const char *s_pidfile;
+ const char *s_pidfile = "/var/run/httpd.pid";
(hmm, and your patch has a problem: forgotten set to NULL).
> BTW, my mail to your address (vodz) gets bounced back undelivered. Is this on
> purpose or an issue due to my IP range being blocked at some point (I get a
> dynamic French IP range).
Ok. I change REJECT:wanadoo.fr to REJECT:abo.wanadoo.fr
(ohh, many spam from this)
--w
vodz
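
Added example, not part of the original message and not BusyBox code: one way to build the NAME_SUFFIX=value strings from the triple table discussed above without a fixed-size buffer, testing the value slot (index 2) so that NULL values are skipped and the last entry is kept. make_cgi_env() and build_cgi_env() are hypothetical names, and the sample values in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not BusyBox's addEnv(): returns a heap string
 * "<n1>_<n2>=<value>" sized from the real lengths, or NULL when value
 * is NULL or the allocation fails. */
static char *make_cgi_env(const char *n1, const char *n2, const char *value)
{
    size_t len;
    char *s;

    if (value == NULL)
        return NULL;
    /* '_' + '=' + terminating NUL account for the three extra bytes */
    len = strlen(n1) + strlen(n2) + strlen(value) + 3;
    s = malloc(len);
    if (s != NULL)
        snprintf(s, len, "%s_%s=%s", n1, n2, value);
    return s;
}

/* Walk {name1, name2, value} triples ended by a NULL name1 and fill envp,
 * whose capacity max includes the final NULL. Returns the entry count. */
static size_t build_cgi_env(const char **vars, char **envp, size_t max)
{
    size_t n = 0;
    const char **cur;

    if (max == 0)
        return 0;
    for (cur = vars; cur[0] != NULL && n + 1 < max; cur += 3) {
        char *s = make_cgi_env(cur[0], cur[1], cur[2]); /* value is cur[2] */
        if (s != NULL)
            envp[n++] = s;
    }
    envp[n] = NULL;
    return n;
}

int main(void)
{
    const char *vars[] = {                 /* constructed sample values */
        "QUERY",  "STRING", "a=1&b=2",
        "REMOTE", "USER",   NULL,          /* unset: skipped */
        "AUTH",   "TYPE",   "Basic",       /* last entry is still exported */
        NULL, NULL, NULL
    };
    char *envp[8];
    size_t i, n = build_cgi_env(vars, envp, 8);
    for (i = 0; i < n; i++) { puts(envp[i]); free(envp[i]); }
    return 0;
}
```

The resulting NULL-terminated array has the layout execve() expects for its environment argument.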