Must really be safe_read(),not full_read()? (was: [PATCH] fix httpd lockup in cgi POSTs)
Paul Albrecht
albrecht at rdi1.com
Mon Feb 12 21:33:02 UTC 2007
On Mon, 2007-02-12 at 22:01 +0100, Denis Vlasenko wrote:
> On Monday 12 February 2007 18:09, Matthias Reichl wrote:
> > > If this is not sufficient then busybox httpd should line buffer standard
> > > input so that it always handles the status line correctly.
> >
> > If I understand the code correctly, it would be sufficient to do
> > something like
> >
> > if (firstline)
> > count = full_read(inFd, rbuf, 4);
> > /* read 4 bytes so we can check if the line begins with "HTTP" */
>
> So far I am happy with "bbox httpd doesn't support insane cgis
> which split their HTTP response" way.
>
A cgi program doesn't have to "split" its output for the problem to
occur because the data is read over a socket over a network and is not
buffered. There's simply no guarantee an unbuffered read gets a full
line of output from a cgi program however the data gets output.
If, for example, this is the first line of cgi program output:
echo -en "HTTP/1.0 302 Found\r\n
then when the busybox httpd server does its safe_read it can only count
on one byte with good status. It's a fact that usually the read will get
most of if not the entire line but that's not guaranteed because the
read isn't buffered.
> > } else {
> > count = safe_read(inFd, rbuf, PIPESIZE);
> > }
> >
> > Better yet, do a full line read for the first line or completely
> > switch to line buffered input, as you suggested.
>
> Are you suggesting using stdio?
> Can't do that, or POSTDATA will break again.
>
> You basically need to _open-code_ buffering here. Than will work.
> --
>
> vda
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://busybox.net/cgi-bin/mailman/listinfo/busybox
More information about the busybox
mailing list