Re: Busybox httpd sends output of stderr to the Website

Dirk Lohse d.lohse at meier-nt.de
Thu Mar 23 07:51:05 UTC 2017


A workaround for me is to not use inetd mode. But the reason for this behavior should be found and fixed - I think.

Dirk

-----Original Message-----
From: Guillermo Rodriguez Garcia [mailto:guille.rodriguez at gmail.com]
Sent: Wednesday, 22 March 2017 18:40
To: Dirk Lohse
Cc: busybox at busybox.net
Subject: Re: Busybox httpd sends output of stderr to the Website

Not sure why that happens (I mean stderr behaviour being different when httpd is started via inetd) but at least now you have solved your issue.

Guillermo

2017-03-22 15:03 GMT+01:00 Dirk Lohse <d.lohse at meier-nt.de>:
> Hi,
>
> there is a difference between starting httpd in inetd and standalone/daemon mode!
>
> I tried my test script in inetd mode
>   www stream tcp nowait root /bin/busybox httpd -i -u httpd -h /srv/www
> and I see the text I would not see. Btw:
> http://lists.busybox.net/pipermail/busybox/2007-May/061465.html
>
> Starting it from cmdline with
>   httpd -h /srv/www
> it works like expected. A nice feature I found is starting with "-f" 
> Don't daemonize and I can see the output from stderr on cmdline. This 
> makes debugging quite easier :)
>
> Dirk
>
> -----Original Message-----
> From: Guillermo Rodriguez Garcia [mailto:guille.rodriguez at gmail.com]
> Sent: Tuesday, 21 March 2017 18:13
> To: Dirk Lohse
> Cc: busybox at busybox.net
> Subject: Re: Busybox httpd sends output of stderr to the Website
>
> Looking at the source code of httpd.c from busybox 1.20.2 I see this 
> (send_cgi_and_exit, line 1408)
>
> /* User seeing stderr output can be a security problem.
> * If CGI really wants that, it can always do dup itself. */
> /* dup2(1, 2); */
>
> So it looks like it should be doing the right thing already (i.e. not 
> sending the child's stderr to its output)
>
> Where is your busybox 1.20.2 coming from? Perhaps there have been 3rd party patches applied to it?
>
> Guillermo
>
> 2017-03-21 17:37 GMT+01:00 Dirk Lohse <d.lohse at meier-nt.de>:
>> Hi,
>>
>> When I run some CGIs with BusyBox internal httpd and there is some code that writes to stdout, I get the result on the HTTP site - which is desired - because I produce HTTP-code within these CGI scripts. The output of stderr instead should not destroy my HTML-code and could be redirected to /dev/null.
>>
>> In BusyBox v1.19.4 all was fine. But on BusyBox version v1.20.2 httpd redirects output from stdout + stderr to the HTML-code.
>>
>> I've written a small test script to check this behavior on both versions:
>>
>> test.cgi:
>> #!/bin/sh
>>
>> echo "Content-Type: text/plain"
>> echo "Expires: 0"
>> echo
>>
>> echo "Hello World!"
>> echo "You should not see this text in your Browser" >&2
>>
>> When I call this script on the older version, I only see "Hello World!"; on the new version I also see the last line.
>>
>> I've many code and libraries where everywhere an error message or warning could happen on stdout. So changing all the code is nearly impossible, and some warnings like "can't open file..." are necessary for debugging.
>>
>> My question: How can I tell the httpd to NOT redirect stdout to the website?
>>
>> Thanks,
>> Dirk
>>
>>
>
>
>
> --
> Guillermo Rodriguez Garcia
> guille.rodriguez at gmail.com



--
Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com
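
Added example, not part of the thread or of BusyBox: inetd starts a "tcp nowait" service with the client socket on fds 0, 1 and 2, so a CGI child that inherits fd 2 unchanged writes its stderr to the client. The C program below reproduces that with a socketpair and a constructed stand-in for test.cgi, and shows that pointing fd 2 at /dev/null before exec keeps the message out of the response. The function names are hypothetical, and that this is the cause in the setup reported above is an assumption.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the thread's test.cgi (body only, no headers). */
static const char *CGI =
    "echo 'Hello World!'; echo 'You should not see this text' >&2";

/* Run CGI with a socket on fds 0-2 (inetd style); guard sends fd 2 to /dev/null. */
int run_cgi_inetd_style(int guard, char *out, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        dup2(sv[1], 0); dup2(sv[1], 1); dup2(sv[1], 2); /* inetd-style fds */
        if (sv[1] > 2) close(sv[1]);
        /* close(2) then open(): lowest free fd is 2, so /dev/null becomes stderr */
        if (guard && (close(2) < 0 || open("/dev/null", O_WRONLY) != 2)) _exit(126);
        execl("/bin/sh", "sh", "-c", CGI, (char *)NULL);
        _exit(127);
    }
    close(sv[1]);
    size_t used = 0; ssize_t n;
    while (used + 1 < cap && (n = read(sv[0], out + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';       /* everything the "client" received */
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (int)used;
}

/* 1 if the CGI's stderr line reached the client side of the socket. */
int stderr_leaked(int guard)
{
    char buf[512];
    if (run_cgi_inetd_style(guard, buf, sizeof buf) < 0) return -1;
    return strstr(buf, "should not see") != NULL;
}

int main(void)
{
    printf("leaked: inherited=%d guarded=%d\n", stderr_leaked(0), stderr_leaked(1));
    return 0;
}
```

The same guard can be applied without touching the server by having the CGI itself, or a wrapper around it, redirect fd 2 before producing any output.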

