[PATCH] httpd: Pass custom HTTP headers to CGI scripts

Assaf Gordon assafgordon at gmail.com
Thu Mar 28 17:33:23 UTC 2019

Hello Alexander,

On 2019-03-28 11:04 a.m., Alexander Vickberg wrote:
> This patch creates a list of unmatched HTTP headers and sets up 
> environment variables before running the CGI script.

I assume this is inspired by my (more limited) patch
of passing "Content-encoding" header:
(or, just a very strange timing coincidence?).

I like your patch and of course, if it is accepted,
mine isn't needed.

two small comments:

> @@ -417,6 +423,7 @@ struct globals {
> IF_FEATURE_HTTPD_CGI(char *host;)
> IF_FEATURE_HTTPD_CGI(char *http_accept;)
> IF_FEATURE_HTTPD_CGI(char *http_accept_language;)
> +IF_FEATURE_HTTPD_CGI(HTTP_Header *hdr_list;)

Since your mechanism is now much more generic than
the hard-coded CGI headers, perhaps they can
be safely removed?
i.e. host/http_accept/http_accept_language/cookie/referer .

Seems like this could save some space.

> +HTTP_Header *cur = xzalloc(sizeof(HTTP_Header));
> +char *after_colon = strchr(iobuf, ':');
> +char *ch = iobuf;
> +
> +if (!after_colon)
> +    continue;
> +

I think the combination of "xzalloc" + "continue"
opens the possibility of a resource leak -
if a malicious client sends lots of HTTP header lines without
a colon, there's no corresponding "free".

  - assaf

More information about the busybox mailing list