search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[security] do not emit HTTP_PROXY to CGI env
[lighttpd.git] / src / mod_cgi.c
blobe6212fea56535bfaa80ca6188169b709d572f458
1 #include "first.h"
2
3 #include "server.h"
4 #include "stat_cache.h"
5 #include "keyvalue.h"
6 #include "log.h"
7 #include "connections.h"
8 #include "joblist.h"
9 #include "response.h"
10 #include "http_chunk.h"
11 #include "network_backends.h"
12
13 #include "plugin.h"
14
15 #include <sys/types.h>
16 #include "sys-mmap.h"
17
18 #ifdef __WIN32
19 # include <winsock2.h>
20 #else
21 # include <sys/socket.h>
22 # include <sys/wait.h>
23 # include <netinet/in.h>
24 # include <arpa/inet.h>
25 #endif
26
27 #include <unistd.h>
28 #include <errno.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <fdevent.h>
32 #include <signal.h>
33 #include <ctype.h>
34 #include <assert.h>
35
36 #include <stdio.h>
37 #include <fcntl.h>
38
39 enum {EOL_UNSET, EOL_N, EOL_RN};
40
41 typedef struct {
42 char **ptr;
43
44 size_t size;
45 size_t used;
46 } char_array;
47
48 typedef struct {
49 pid_t *ptr;
50 size_t used;
51 size_t size;
52 } buffer_pid_t;
53
54 typedef struct {
55 array *cgi;
56 unsigned short execute_x_only;
57 unsigned short xsendfile_allow;
58 array *xsendfile_docroot;
59 } plugin_config;
60
61 typedef struct {
62 PLUGIN_DATA;
63 buffer_pid_t cgi_pid;
64
65 buffer *tmp_buf;
66 buffer *parse_response;
67
68 plugin_config **config_storage;
69
70 plugin_config conf;
71 } plugin_data;
72
73 typedef struct {
74 pid_t pid;
75 int fd;
76 int fdtocgi;
77 int fde_ndx; /* index into the fd-event buffer */
78 int fde_ndx_tocgi; /* index into the fd-event buffer */
79
80 connection *remote_conn; /* dumb pointer */
81 plugin_data *plugin_data; /* dumb pointer */
82
83 buffer *response;
84 buffer *response_header;
85 } handler_ctx;
86
87 static handler_ctx * cgi_handler_ctx_init(void) {
88 handler_ctx *hctx = calloc(1, sizeof(*hctx));
89
90 force_assert(hctx);
91
92 hctx->response = buffer_init();
93 hctx->response_header = buffer_init();
94 hctx->fd = -1;
95 hctx->fdtocgi = -1;
96
97 return hctx;
98 }
99
100 static void cgi_handler_ctx_free(handler_ctx *hctx) {
101 buffer_free(hctx->response);
102 buffer_free(hctx->response_header);
103
104 free(hctx);
105 }
106
107 enum {FDEVENT_HANDLED_UNSET, FDEVENT_HANDLED_FINISHED, FDEVENT_HANDLED_NOT_FINISHED, FDEVENT_HANDLED_COMEBACK, FDEVENT_HANDLED_ERROR};
108
109 INIT_FUNC(mod_cgi_init) {
110 plugin_data *p;
111
112 p = calloc(1, sizeof(*p));
113
114 force_assert(p);
115
116 p->tmp_buf = buffer_init();
117 p->parse_response = buffer_init();
118
119 return p;
120 }
121
122
123 FREE_FUNC(mod_cgi_free) {
124 plugin_data *p = p_d;
125 buffer_pid_t *r = &(p->cgi_pid);
126
127 UNUSED(srv);
128
129 if (p->config_storage) {
130 size_t i;
131 for (i = 0; i < srv->config_context->used; i++) {
132 plugin_config *s = p->config_storage[i];
133
134 if (NULL == s) continue;
135
136 array_free(s->cgi);
137 array_free(s->xsendfile_docroot);
138
139 free(s);
140 }
141 free(p->config_storage);
142 }
143
144
145 if (r->ptr) free(r->ptr);
146
147 buffer_free(p->tmp_buf);
148 buffer_free(p->parse_response);
149
150 free(p);
151
152 return HANDLER_GO_ON;
153 }
154
155 SETDEFAULTS_FUNC(mod_fastcgi_set_defaults) {
156 plugin_data *p = p_d;
157 size_t i = 0;
158
159 config_values_t cv[] = {
160 { "cgi.assign", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
161 { "cgi.execute-x-only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
162 { "cgi.x-sendfile", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
163 { "cgi.x-sendfile-docroot", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
164 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET}
165 };
166
167 if (!p) return HANDLER_ERROR;
168
169 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
170 force_assert(p->config_storage);
171
172 for (i = 0; i < srv->config_context->used; i++) {
173 data_config const* config = (data_config const*)srv->config_context->data[i];
174 plugin_config *s;
175
176 s = calloc(1, sizeof(plugin_config));
177 force_assert(s);
178
179 s->cgi = array_init();
180 s->execute_x_only = 0;
181 s->xsendfile_allow= 0;
182 s->xsendfile_docroot = array_init();
183
184 cv[0].destination = s->cgi;
185 cv[1].destination = &(s->execute_x_only);
186 cv[2].destination = &(s->xsendfile_allow);
187 cv[3].destination = s->xsendfile_docroot;
188
189 p->config_storage[i] = s;
190
191 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
192 return HANDLER_ERROR;
193 }
194
195 if (s->xsendfile_docroot->used) {
196 size_t j;
197 for (j = 0; j < s->xsendfile_docroot->used; ++j) {
198 data_string *ds = (data_string *)s->xsendfile_docroot->data[j];
199 if (ds->type != TYPE_STRING) {
200 log_error_write(srv, __FILE__, __LINE__, "s",
201 "unexpected type for key cgi.x-sendfile-docroot; expected: cgi.x-sendfile-docroot = ( \"/allowed/path\", ... )");
202 return HANDLER_ERROR;
203 }
204 if (ds->value->ptr[0] != '/') {
205 log_error_write(srv, __FILE__, __LINE__, "SBs",
206 "cgi.x-sendfile-docroot paths must begin with '/'; invalid: \"", ds->value, "\"");
207 return HANDLER_ERROR;
208 }
209 buffer_path_simplify(ds->value, ds->value);
210 buffer_append_slash(ds->value);
211 }
212 }
213 }
214
215 return HANDLER_GO_ON;
216 }
217
218
219 static int cgi_pid_add(server *srv, plugin_data *p, pid_t pid) {
220 int m = -1;
221 size_t i;
222 buffer_pid_t *r = &(p->cgi_pid);
223
224 UNUSED(srv);
225
226 for (i = 0; i < r->used; i++) {
227 if (r->ptr[i] > m) m = r->ptr[i];
228 }
229
230 if (r->size == 0) {
231 r->size = 16;
232 r->ptr = malloc(sizeof(*r->ptr) * r->size);
233 force_assert(r->ptr);
234 } else if (r->used == r->size) {
235 r->size += 16;
236 r->ptr = realloc(r->ptr, sizeof(*r->ptr) * r->size);
237 force_assert(r->ptr);
238 }
239
240 r->ptr[r->used++] = pid;
241
242 return m;
243 }
244
245 static int cgi_pid_del(server *srv, plugin_data *p, pid_t pid) {
246 size_t i;
247 buffer_pid_t *r = &(p->cgi_pid);
248
249 UNUSED(srv);
250
251 for (i = 0; i < r->used; i++) {
252 if (r->ptr[i] == pid) break;
253 }
254
255 if (i != r->used) {
256 /* found */
257
258 if (i != r->used - 1) {
259 r->ptr[i] = r->ptr[r->used - 1];
260 }
261 r->used--;
262 }
263
264 return 0;
265 }
266
267 static int cgi_response_parse(server *srv, connection *con, plugin_data *p, buffer *in) {
268 char *ns;
269 const char *s;
270 int line = 0;
271
272 UNUSED(srv);
273
274 buffer_copy_buffer(p->parse_response, in);
275
276 for (s = p->parse_response->ptr;
277 NULL != (ns = strchr(s, '\n'));
278 s = ns + 1, line++) {
279 const char *key, *value;
280 int key_len;
281 data_string *ds;
282
283 /* strip the \n */
284 ns[0] = '\0';
285
286 if (ns > s && ns[-1] == '\r') ns[-1] = '\0';
287
288 if (line == 0 &&
289 0 == strncmp(s, "HTTP/1.", 7)) {
290 /* non-parsed header ... we parse them anyway */
291
292 if ((s[7] == '1' ||
293 s[7] == '0') &&
294 s[8] == ' ') {
295 int status;
296 /* after the space should be a status code for us */
297
298 status = strtol(s+9, NULL, 10);
299
300 if (status >= 100 &&
301 status < 1000) {
302 /* we expected 3 digits and didn't got them */
303 con->parsed_response |= HTTP_STATUS;
304 con->http_status = status;
305 }
306 }
307 } else {
308 /* parse the headers */
309 key = s;
310 if (NULL == (value = strchr(s, ':'))) {
311 /* we expect: "<key>: <value>\r\n" */
312 continue;
313 }
314
315 key_len = value - key;
316 value += 1;
317
318 /* skip LWS */
319 while (*value == ' ' || *value == '\t') value++;
320
321 if (NULL == (ds = (data_string *)array_get_unused_element(con->response.headers, TYPE_STRING))) {
322 ds = data_response_init();
323 }
324 buffer_copy_string_len(ds->key, key, key_len);
325 buffer_copy_string(ds->value, value);
326
327 array_insert_unique(con->response.headers, (data_unset *)ds);
328
329 switch(key_len) {
330 case 4:
331 if (0 == strncasecmp(key, "Date", key_len)) {
332 con->parsed_response |= HTTP_DATE;
333 }
334 break;
335 case 6:
336 if (0 == strncasecmp(key, "Status", key_len)) {
337 int status = strtol(value, NULL, 10);
338 if (status >= 100 && status < 1000) {
339 con->http_status = status;
340 con->parsed_response |= HTTP_STATUS;
341 } else {
342 con->http_status = 502;
343 }
344 }
345 break;
346 case 8:
347 if (0 == strncasecmp(key, "Location", key_len)) {
348 con->parsed_response |= HTTP_LOCATION;
349 }
350 break;
351 case 10:
352 if (0 == strncasecmp(key, "Connection", key_len)) {
353 con->response.keep_alive = (0 == strcasecmp(value, "Keep-Alive")) ? 1 : 0;
354 con->parsed_response |= HTTP_CONNECTION;
355 }
356 break;
357 case 14:
358 if (0 == strncasecmp(key, "Content-Length", key_len)) {
359 con->response.content_length = strtoul(value, NULL, 10);
360 con->parsed_response |= HTTP_CONTENT_LENGTH;
361 }
362 break;
363 default:
364 break;
365 }
366 }
367 }
368
369 /* CGI/1.1 rev 03 - 7.2.1.2 */
370 if ((con->parsed_response & HTTP_LOCATION) &&
371 !(con->parsed_response & HTTP_STATUS)) {
372 con->http_status = 302;
373 }
374
375 return 0;
376 }
377
378
379 static int cgi_demux_response(server *srv, handler_ctx *hctx) {
380 plugin_data *p = hctx->plugin_data;
381 connection *con = hctx->remote_conn;
382
383 while(1) {
384 int n;
385 int toread;
386
387 #if defined(__WIN32)
388 buffer_string_prepare_copy(hctx->response, 4 * 1024);
389 #else
390 if (ioctl(con->fd, FIONREAD, &toread) || toread <= 4*1024) {
391 buffer_string_prepare_copy(hctx->response, 4 * 1024);
392 } else {
393 if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
394 buffer_string_prepare_copy(hctx->response, toread);
395 }
396 #endif
397
398 if (-1 == (n = read(hctx->fd, hctx->response->ptr, hctx->response->size - 1))) {
399 if (errno == EAGAIN || errno == EINTR) {
400 /* would block, wait for signal */
401 fdevent_event_add(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN);
402 return FDEVENT_HANDLED_NOT_FINISHED;
403 }
404 /* error */
405 log_error_write(srv, __FILE__, __LINE__, "sdd", strerror(errno), con->fd, hctx->fd);
406 return FDEVENT_HANDLED_ERROR;
407 }
408
409 if (n == 0) {
410 /* read finished */
411 return FDEVENT_HANDLED_FINISHED;
412 }
413
414 buffer_commit(hctx->response, n);
415
416 /* split header from body */
417
418 if (con->file_started == 0) {
419 int is_header = 0;
420 int is_header_end = 0;
421 size_t last_eol = 0;
422 size_t i, header_len;
423
424 buffer_append_string_buffer(hctx->response_header, hctx->response);
425
426 /**
427 * we have to handle a few cases:
428 *
429 * nph:
430 *
431 * HTTP/1.0 200 Ok\n
432 * Header: Value\n
433 * \n
434 *
435 * CGI:
436 * Header: Value\n
437 * Status: 200\n
438 * \n
439 *
440 * and different mixes of \n and \r\n combinations
441 *
442 * Some users also forget about CGI and just send a response and hope
443 * we handle it. No headers, no header-content seperator
444 *
445 */
446
447 /* nph (non-parsed headers) */
448 if (0 == strncmp(hctx->response_header->ptr, "HTTP/1.", 7)) is_header = 1;
449
450 header_len = buffer_string_length(hctx->response_header);
451 for (i = 0; !is_header_end && i < header_len; i++) {
452 char c = hctx->response_header->ptr[i];
453
454 switch (c) {
455 case ':':
456 /* we found a colon
457 *
458 * looks like we have a normal header
459 */
460 is_header = 1;
461 break;
462 case '\n':
463 /* EOL */
464 if (is_header == 0) {
465 /* we got a EOL but we don't seem to got a HTTP header */
466
467 is_header_end = 1;
468
469 break;
470 }
471
472 /**
473 * check if we saw a \n(\r)?\n sequence
474 */
475 if (last_eol > 0 &&
476 ((i - last_eol == 1) ||
477 (i - last_eol == 2 && hctx->response_header->ptr[i - 1] == '\r'))) {
478 is_header_end = 1;
479 break;
480 }
481
482 last_eol = i;
483
484 break;
485 }
486 }
487
488 if (is_header_end) {
489 if (!is_header) {
490 /* no header, but a body */
491 if (0 != http_chunk_append_buffer(srv, con, hctx->response_header)) {
492 return FDEVENT_HANDLED_ERROR;
493 }
494 } else {
495 const char *bstart;
496 size_t blen;
497
498 /* the body starts after the EOL */
499 bstart = hctx->response_header->ptr + i;
500 blen = header_len - i;
501
502 /**
503 * i still points to the char after the terminating EOL EOL
504 *
505 * put it on the last \n again
506 */
507 i--;
508
509 /* string the last \r?\n */
510 if (i > 0 && (hctx->response_header->ptr[i - 1] == '\r')) {
511 i--;
512 }
513
514 buffer_string_set_length(hctx->response_header, i);
515
516 /* parse the response header */
517 cgi_response_parse(srv, con, p, hctx->response_header);
518
519 if (con->http_status >= 300 && con->http_status < 400) {
520 /*(con->parsed_response & HTTP_LOCATION)*/
521 data_string *ds;
522 if (NULL != (ds = (data_string *) array_get_element(con->response.headers, "Location"))
523 && ds->value->ptr[0] == '/') {
524 if (++con->loops_per_request > 5) {
525 log_error_write(srv, __FILE__, __LINE__, "sb", "too many internal loops while processing request:", con->request.orig_uri);
526 con->http_status = 500; /* Internal Server Error */
527 con->mode = DIRECT;
528 return FDEVENT_HANDLED_FINISHED;
529 }
530
531 if (!buffer_is_equal(con->request.uri, con->request.orig_uri)
532 && !array_get_element(con->environment, "REDIRECT_URI")) {
533 array_set_key_value(con->environment,
534 CONST_STR_LEN("REDIRECT_URI"),
535 CONST_BUF_LEN(con->request.orig_uri));
536 }
537
538 buffer_copy_buffer(con->request.uri, ds->value);
539
540 if (con->request.content_length) {
541 if ((off_t)con->request.content_length != chunkqueue_length(con->request_content_queue)) {
542 con->keep_alive = 0;
543 }
544 con->request.content_length = 0;
545 chunkqueue_reset(con->request_content_queue);
546 }
547
548 if (con->http_status != 307 && con->http_status != 308) {
549 /* Note: request body (if any) sent to initial dynamic handler
550 * and is not available to the internal redirect */
551 con->request.http_method = HTTP_METHOD_GET;
552 }
553
554 connection_response_reset(srv, con); /*(includes con->http_status = 0)*/
555
556 con->mode = DIRECT;
557 return FDEVENT_HANDLED_COMEBACK;
558 }
559 }
560
561 if (p->conf.xsendfile_allow) {
562 data_string *ds;
563 if (NULL != (ds = (data_string *) array_get_element(con->response.headers, "X-Sendfile"))) {
564 http_response_xsendfile(srv, con, ds->value, p->conf.xsendfile_docroot);
565 return FDEVENT_HANDLED_FINISHED;
566 }
567 }
568
569 if (blen > 0) {
570 if (0 != http_chunk_append_mem(srv, con, bstart, blen)) {
571 return FDEVENT_HANDLED_ERROR;
572 }
573 }
574 }
575
576 con->file_started = 1;
577 } else {
578 /*(reuse MAX_HTTP_REQUEST_HEADER as max size for response headers from backends)*/
579 if (header_len > MAX_HTTP_REQUEST_HEADER) {
580 log_error_write(srv, __FILE__, __LINE__, "sb", "response headers too large for", con->uri.path);
581 con->http_status = 502; /* Bad Gateway */
582 con->mode = DIRECT;
583 return FDEVENT_HANDLED_FINISHED;
584 }
585 }
586 } else {
587 if (0 != http_chunk_append_buffer(srv, con, hctx->response)) {
588 return FDEVENT_HANDLED_ERROR;
589 }
590 if ((con->conf.stream_response_body & FDEVENT_STREAM_RESPONSE_BUFMIN)
591 && chunkqueue_length(con->write_queue) > 65536 - 4096) {
592 if (!con->is_writable) {
593 /*(defer removal of FDEVENT_IN interest since
594 * connection_state_machine() might be able to send data
595 * immediately, unless !con->is_writable, where
596 * connection_state_machine() might not loop back to call
597 * mod_cgi_handle_subrequest())*/
598 fdevent_event_clr(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN);
599 }
600 break;
601 }
602 }
603
604 #if 0
605 log_error_write(srv, __FILE__, __LINE__, "ddss", con->fd, hctx->fd, connection_get_state(con->state), b->ptr);
606 #endif
607 }
608
609 return FDEVENT_HANDLED_NOT_FINISHED;
610 }
611
612 static void cgi_connection_close_fdtocgi(server *srv, handler_ctx *hctx) {
613 /*(closes only hctx->fdtocgi)*/
614 fdevent_event_del(srv->ev, &(hctx->fde_ndx_tocgi), hctx->fdtocgi);
615 fdevent_unregister(srv->ev, hctx->fdtocgi);
616
617 if (close(hctx->fdtocgi)) {
618 log_error_write(srv, __FILE__, __LINE__, "sds", "cgi stdin close failed ", hctx->fdtocgi, strerror(errno));
619 }
620 hctx->fdtocgi = -1;
621 }
622
623 static void cgi_connection_close(server *srv, handler_ctx *hctx) {
624 int status;
625 pid_t pid;
626 plugin_data *p = hctx->plugin_data;
627 connection *con = hctx->remote_conn;
628
629 #ifndef __WIN32
630
631 /* the connection to the browser went away, but we still have a connection
632 * to the CGI script
633 *
634 * close cgi-connection
635 */
636
637 if (hctx->fd != -1) {
638 /* close connection to the cgi-script */
639 fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd);
640 fdevent_unregister(srv->ev, hctx->fd);
641
642 if (close(hctx->fd)) {
643 log_error_write(srv, __FILE__, __LINE__, "sds", "cgi close failed ", hctx->fd, strerror(errno));
644 }
645 }
646
647 if (hctx->fdtocgi != -1) {
648 cgi_connection_close_fdtocgi(srv, hctx); /*(closes only hctx->fdtocgi)*/
649 }
650
651 pid = hctx->pid;
652
653 con->plugin_ctx[p->id] = NULL;
654
655 cgi_handler_ctx_free(hctx);
656
657 /* if waitpid hasn't been called by response.c yet, do it here */
658 if (pid) {
659 /* check if the CGI-script is already gone */
660 switch(waitpid(pid, &status, WNOHANG)) {
661 case 0:
662 /* not finished yet */
663 #if 0
664 log_error_write(srv, __FILE__, __LINE__, "sd", "(debug) child isn't done yet, pid:", pid);
665 #endif
666 break;
667 case -1:
668 /* */
669 if (errno == EINTR) break;
670
671 /*
672 * errno == ECHILD happens if _subrequest catches the process-status before
673 * we have read the response of the cgi process
674 *
675 * -> catch status
676 * -> WAIT_FOR_EVENT
677 * -> read response
678 * -> we get here with waitpid == ECHILD
679 *
680 */
681 if (errno != ECHILD) {
682 log_error_write(srv, __FILE__, __LINE__, "ss", "waitpid failed: ", strerror(errno));
683 }
684 /* anyway: don't wait for it anymore */
685 pid = 0;
686 break;
687 default:
688 if (WIFEXITED(status)) {
689 #if 0
690 log_error_write(srv, __FILE__, __LINE__, "sd", "(debug) cgi exited fine, pid:", pid);
691 #endif
692 } else {
693 log_error_write(srv, __FILE__, __LINE__, "sd", "cgi died, pid:", pid);
694 }
695
696 pid = 0;
697 break;
698 }
699
700 if (pid) {
701 kill(pid, SIGTERM);
702
703 /* cgi-script is still alive, queue the PID for removal */
704 cgi_pid_add(srv, p, pid);
705 }
706 }
707 #endif
708
709 /* finish response (if not already con->file_started, con->file_finished) */
710 if (con->mode == p->id) {
711 http_response_backend_done(srv, con);
712 }
713 }
714
715 static handler_t cgi_connection_close_callback(server *srv, connection *con, void *p_d) {
716 plugin_data *p = p_d;
717 handler_ctx *hctx = con->plugin_ctx[p->id];
718 if (hctx) cgi_connection_close(srv, hctx);
719
720 return HANDLER_GO_ON;
721 }
722
723
724 static int cgi_write_request(server *srv, handler_ctx *hctx, int fd);
725
726
727 static handler_t cgi_handle_fdevent_send (server *srv, void *ctx, int revents) {
728 handler_ctx *hctx = ctx;
729 connection *con = hctx->remote_conn;
730
731 /*(joblist only actually necessary here in mod_cgi fdevent send if returning HANDLER_ERROR)*/
732 joblist_append(srv, con);
733
734 if (revents & FDEVENT_OUT) {
735 if (0 != cgi_write_request(srv, hctx, hctx->fdtocgi)) {
736 cgi_connection_close(srv, hctx);
737 return HANDLER_ERROR;
738 }
739 /* more request body to be sent to CGI */
740 }
741
742 if (revents & FDEVENT_HUP) {
743 /* skip sending remaining data to CGI */
744 if (con->request.content_length) {
745 chunkqueue *cq = con->request_content_queue;
746 chunkqueue_mark_written(cq, chunkqueue_length(cq));
747 if (cq->bytes_in != (off_t)con->request.content_length) {
748 con->keep_alive = 0;
749 }
750 }
751
752 cgi_connection_close_fdtocgi(srv, hctx); /*(closes only hctx->fdtocgi)*/
753 } else if (revents & FDEVENT_ERR) {
754 /* kill all connections to the cgi process */
755 #if 1
756 log_error_write(srv, __FILE__, __LINE__, "s", "cgi-FDEVENT_ERR");
757 #endif
758 cgi_connection_close(srv, hctx);
759 return HANDLER_ERROR;
760 }
761
762 return HANDLER_FINISHED;
763 }
764
765
766 static int cgi_recv_response(server *srv, handler_ctx *hctx) {
767 switch (cgi_demux_response(srv, hctx)) {
768 case FDEVENT_HANDLED_NOT_FINISHED:
769 break;
770 case FDEVENT_HANDLED_FINISHED:
771 /* we are done */
772
773 #if 0
774 log_error_write(srv, __FILE__, __LINE__, "ddss", con->fd, hctx->fd, connection_get_state(con->state), "finished");
775 #endif
776 cgi_connection_close(srv, hctx);
777
778 /* if we get a IN|HUP and have read everything don't exec the close twice */
779 return HANDLER_FINISHED;
780 case FDEVENT_HANDLED_COMEBACK:
781 cgi_connection_close(srv, hctx);
782 return HANDLER_COMEBACK;
783 case FDEVENT_HANDLED_ERROR:
784 log_error_write(srv, __FILE__, __LINE__, "s", "demuxer failed: ");
785
786 cgi_connection_close(srv, hctx);
787 return HANDLER_FINISHED;
788 }
789
790 return HANDLER_GO_ON;
791 }
792
793
794 static handler_t cgi_handle_fdevent(server *srv, void *ctx, int revents) {
795 handler_ctx *hctx = ctx;
796 connection *con = hctx->remote_conn;
797
798 joblist_append(srv, con);
799
800 if (revents & FDEVENT_IN) {
801 handler_t rc = cgi_recv_response(srv, hctx);/*(might invalidate hctx)*/
802 if (rc != HANDLER_GO_ON) return rc; /*(unless HANDLER_GO_ON)*/
803 }
804
805 /* perhaps this issue is already handled */
806 if (revents & FDEVENT_HUP) {
807 if (con->file_started) {
808 /* drain any remaining data from kernel pipe buffers
809 * even if (con->conf.stream_response_body
810 * & FDEVENT_STREAM_RESPONSE_BUFMIN)
811 * since event loop will spin on fd FDEVENT_HUP event
812 * until unregistered. */
813 handler_t rc;
814 do {
815 rc = cgi_recv_response(srv,hctx);/*(might invalidate hctx)*/
816 } while (rc == HANDLER_GO_ON); /*(unless HANDLER_GO_ON)*/
817 return rc; /* HANDLER_FINISHED or HANDLER_COMEBACK or HANDLER_ERROR */
818 } else if (!buffer_string_is_empty(hctx->response_header)) {
819 /* unfinished header package which is a body in reality */
820 con->file_started = 1;
821 if (0 != http_chunk_append_buffer(srv, con, hctx->response_header)) {
822 cgi_connection_close(srv, hctx);
823 return HANDLER_ERROR;
824 }
825 } else {
826 # if 0
827 log_error_write(srv, __FILE__, __LINE__, "sddd", "got HUP from cgi", con->fd, hctx->fd, revents);
828 # endif
829 }
830 cgi_connection_close(srv, hctx);
831 } else if (revents & FDEVENT_ERR) {
832 /* kill all connections to the cgi process */
833 cgi_connection_close(srv, hctx);
834 #if 1
835 log_error_write(srv, __FILE__, __LINE__, "s", "cgi-FDEVENT_ERR");
836 #endif
837 return HANDLER_ERROR;
838 }
839
840 return HANDLER_FINISHED;
841 }
842
843
844 static int cgi_env_add(char_array *env, const char *key, size_t key_len, const char *val, size_t val_len) {
845 char *dst;
846
847 if (!key || !val) return -1;
848
849 dst = malloc(key_len + val_len + 2);
850 force_assert(dst);
851 memcpy(dst, key, key_len);
852 dst[key_len] = '=';
853 memcpy(dst + key_len + 1, val, val_len);
854 dst[key_len + 1 + val_len] = '\0';
855
856 if (env->size == 0) {
857 env->size = 16;
858 env->ptr = malloc(env->size * sizeof(*env->ptr));
859 force_assert(env->ptr);
860 } else if (env->size == env->used) {
861 env->size += 16;
862 env->ptr = realloc(env->ptr, env->size * sizeof(*env->ptr));
863 force_assert(env->ptr);
864 }
865
866 env->ptr[env->used++] = dst;
867
868 return 0;
869 }
870
871 /* returns: 0: continue, -1: fatal error, -2: connection reset */
872 /* similar to network_write_file_chunk_mmap, but doesn't use send on windows (because we're on pipes),
873 * also mmaps and sends complete chunk instead of only small parts - the files
874 * are supposed to be temp files with reasonable chunk sizes.
875 *
876 * Also always use mmap; the files are "trusted", as we created them.
877 */
878 static ssize_t cgi_write_file_chunk_mmap(server *srv, connection *con, int fd, chunkqueue *cq) {
879 chunk* const c = cq->first;
880 off_t offset, toSend, file_end;
881 ssize_t r;
882 size_t mmap_offset, mmap_avail;
883 char *data;
884
885 force_assert(NULL != c);
886 force_assert(FILE_CHUNK == c->type);
887 force_assert(c->offset >= 0 && c->offset <= c->file.length);
888
889 offset = c->file.start + c->offset;
890 toSend = c->file.length - c->offset;
891 file_end = c->file.start + c->file.length; /* offset to file end in this chunk */
892
893 if (0 == toSend) {
894 chunkqueue_remove_finished_chunks(cq);
895 return 0;
896 }
897
898 if (0 != network_open_file_chunk(srv, con, cq)) return -1;
899
900 /* (re)mmap the buffer if range is not covered completely */
901 if (MAP_FAILED == c->file.mmap.start
902 || offset < c->file.mmap.offset
903 || file_end > (off_t)(c->file.mmap.offset + c->file.mmap.length)) {
904
905 if (MAP_FAILED != c->file.mmap.start) {
906 munmap(c->file.mmap.start, c->file.mmap.length);
907 c->file.mmap.start = MAP_FAILED;
908 }
909
910 c->file.mmap.offset = mmap_align_offset(offset);
911 c->file.mmap.length = file_end - c->file.mmap.offset;
912
913 if (MAP_FAILED == (c->file.mmap.start = mmap(NULL, c->file.mmap.length, PROT_READ, MAP_PRIVATE, c->file.fd, c->file.mmap.offset))) {
914 if (toSend > 65536) toSend = 65536;
915 data = malloc(toSend);
916 force_assert(data);
917 if (-1 == lseek(c->file.fd, offset, SEEK_SET)
918 || 0 >= (toSend = read(c->file.fd, data, toSend))) {
919 if (-1 == toSend) {
920 log_error_write(srv, __FILE__, __LINE__, "ssbdo", "lseek/read failed:",
921 strerror(errno), c->file.name, c->file.fd, offset);
922 } else { /*(0 == toSend)*/
923 log_error_write(srv, __FILE__, __LINE__, "sbdo", "unexpected EOF (input truncated?):",
924 c->file.name, c->file.fd, offset);
925 }
926 free(data);
927 return -1;
928 }
929 }
930 }
931
932 if (MAP_FAILED != c->file.mmap.start) {
933 force_assert(offset >= c->file.mmap.offset);
934 mmap_offset = offset - c->file.mmap.offset;
935 force_assert(c->file.mmap.length > mmap_offset);
936 mmap_avail = c->file.mmap.length - mmap_offset;
937 force_assert(toSend <= (off_t) mmap_avail);
938
939 data = c->file.mmap.start + mmap_offset;
940 }
941
942 r = write(fd, data, toSend);
943
944 if (MAP_FAILED == c->file.mmap.start) free(data);
945
946 if (r < 0) {
947 switch (errno) {
948 case EAGAIN:
949 case EINTR:
950 return 0;
951 case EPIPE:
952 case ECONNRESET:
953 return -2;
954 default:
955 log_error_write(srv, __FILE__, __LINE__, "ssd",
956 "write failed:", strerror(errno), fd);
957 return -1;
958 }
959 }
960
961 if (r >= 0) {
962 chunkqueue_mark_written(cq, r);
963 }
964
965 return r;
966 }
967
968 static int cgi_write_request(server *srv, handler_ctx *hctx, int fd) {
969 connection *con = hctx->remote_conn;
970 chunkqueue *cq = con->request_content_queue;
971 chunk *c;
972
973 /* old comment: windows doesn't support select() on pipes - wouldn't be easy to fix for all platforms.
974 * solution: if this is still a problem on windows, then substitute
975 * socketpair() for pipe() and closesocket() for close() on windows.
976 */
977
978 for (c = cq->first; c; c = cq->first) {
979 ssize_t r = -1;
980
981 switch(c->type) {
982 case FILE_CHUNK:
983 r = cgi_write_file_chunk_mmap(srv, con, fd, cq);
984 break;
985
986 case MEM_CHUNK:
987 if ((r = write(fd, c->mem->ptr + c->offset, buffer_string_length(c->mem) - c->offset)) < 0) {
988 switch(errno) {
989 case EAGAIN:
990 case EINTR:
991 /* ignore and try again */
992 r = 0;
993 break;
994 case EPIPE:
995 case ECONNRESET:
996 /* connection closed */
997 r = -2;
998 break;
999 default:
1000 /* fatal error */
1001 log_error_write(srv, __FILE__, __LINE__, "ss", "write failed due to: ", strerror(errno));
1002 r = -1;
1003 break;
1004 }
1005 } else if (r > 0) {
1006 chunkqueue_mark_written(cq, r);
1007 }
1008 break;
1009 }
1010
1011 if (0 == r) break; /*(might block)*/
1012
1013 switch (r) {
1014 case -1:
1015 /* fatal error */
1016 return -1;
1017 case -2:
1018 /* connection reset */
1019 log_error_write(srv, __FILE__, __LINE__, "s", "failed to send post data to cgi, connection closed by CGI");
1020 /* skip all remaining data */
1021 chunkqueue_mark_written(cq, chunkqueue_length(cq));
1022 break;
1023 default:
1024 break;
1025 }
1026 }
1027
1028 if (cq->bytes_out == (off_t)con->request.content_length) {
1029 /* sent all request body input */
1030 /* close connection to the cgi-script */
1031 if (-1 == hctx->fdtocgi) { /*(received request body sent in initial send to pipe buffer)*/
1032 if (close(fd)) {
1033 log_error_write(srv, __FILE__, __LINE__, "sds", "cgi stdin close failed ", fd, strerror(errno));
1034 }
1035 } else {
1036 cgi_connection_close_fdtocgi(srv, hctx); /*(closes only hctx->fdtocgi)*/
1037 }
1038 } else {
1039 off_t cqlen = cq->bytes_in - cq->bytes_out;
1040 if (cq->bytes_in < (off_t)con->request.content_length && cqlen < 65536 - 16384) {
1041 /*(con->conf.stream_request_body & FDEVENT_STREAM_REQUEST)*/
1042 if (!(con->conf.stream_request_body & FDEVENT_STREAM_REQUEST_POLLIN)) {
1043 con->conf.stream_request_body |= FDEVENT_STREAM_REQUEST_POLLIN;
1044 con->is_readable = 1; /* trigger optimistic read from client */
1045 }
1046 }
1047 if (-1 == hctx->fdtocgi) { /*(not registered yet)*/
1048 hctx->fdtocgi = fd;
1049 hctx->fde_ndx_tocgi = -1;
1050 fdevent_register(srv->ev, hctx->fdtocgi, cgi_handle_fdevent_send, hctx);
1051 }
1052 if (0 == cqlen) { /*(chunkqueue_is_empty(cq))*/
1053 if ((fdevent_event_get_interest(srv->ev, hctx->fdtocgi) & FDEVENT_OUT)) {
1054 fdevent_event_set(srv->ev, &(hctx->fde_ndx_tocgi), hctx->fdtocgi, 0);
1055 }
1056 } else {
1057 /* more request body remains to be sent to CGI so register for fdevents */
1058 fdevent_event_set(srv->ev, &(hctx->fde_ndx_tocgi), hctx->fdtocgi, FDEVENT_OUT);
1059 }
1060 }
1061
1062 return 0;
1063 }
1064
1065 static int cgi_create_env(server *srv, connection *con, plugin_data *p, handler_ctx *hctx, buffer *cgi_handler) {
1066 pid_t pid;
1067
1068 #ifdef HAVE_IPV6
1069 char b2[INET6_ADDRSTRLEN + 1];
1070 #endif
1071
1072 int to_cgi_fds[2];
1073 int from_cgi_fds[2];
1074 struct stat st;
1075
1076 #ifndef __WIN32
1077
1078 if (!buffer_string_is_empty(cgi_handler)) {
1079 /* stat the exec file */
1080 if (-1 == (stat(cgi_handler->ptr, &st))) {
1081 log_error_write(srv, __FILE__, __LINE__, "sbss",
1082 "stat for cgi-handler", cgi_handler,
1083 "failed:", strerror(errno));
1084 return -1;
1085 }
1086 }
1087
1088 if (pipe(to_cgi_fds)) {
1089 log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno));
1090 return -1;
1091 }
1092
1093 if (pipe(from_cgi_fds)) {
1094 close(to_cgi_fds[0]);
1095 close(to_cgi_fds[1]);
1096 log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno));
1097 return -1;
1098 }
1099
1100 /* fork, execve */
1101 switch (pid = fork()) {
1102 case 0: {
1103 /* child */
1104 char **args;
1105 int argc;
1106 int i = 0;
1107 char buf[LI_ITOSTRING_LENGTH];
1108 size_t n;
1109 char_array env;
1110 char *c;
1111 const char *s;
1112 server_socket *srv_sock = con->srv_socket;
1113
1114 /* move stdout to from_cgi_fd[1] */
1115 close(STDOUT_FILENO);
1116 dup2(from_cgi_fds[1], STDOUT_FILENO);
1117 close(from_cgi_fds[1]);
1118 /* not needed */
1119 close(from_cgi_fds[0]);
1120
1121 /* move the stdin to to_cgi_fd[0] */
1122 close(STDIN_FILENO);
1123 dup2(to_cgi_fds[0], STDIN_FILENO);
1124 close(to_cgi_fds[0]);
1125 /* not needed */
1126 close(to_cgi_fds[1]);
1127
1128 /* create environment */
1129 env.ptr = NULL;
1130 env.size = 0;
1131 env.used = 0;
1132
1133 cgi_env_add(&env, CONST_STR_LEN("SERVER_SOFTWARE"), CONST_BUF_LEN(con->conf.server_tag));
1134
1135 if (!buffer_string_is_empty(con->server_name)) {
1136 size_t len = buffer_string_length(con->server_name);
1137
1138 if (con->server_name->ptr[0] == '[') {
1139 const char *colon = strstr(con->server_name->ptr, "]:");
1140 if (colon) len = (colon + 1) - con->server_name->ptr;
1141 } else {
1142 const char *colon = strchr(con->server_name->ptr, ':');
1143 if (colon) len = colon - con->server_name->ptr;
1144 }
1145
1146 cgi_env_add(&env, CONST_STR_LEN("SERVER_NAME"), con->server_name->ptr, len);
1147 } else {
1148 #ifdef HAVE_IPV6
1149 s = inet_ntop(
1150 srv_sock->addr.plain.sa_family,
1151 srv_sock->addr.plain.sa_family == AF_INET6 ?
1152 (const void *) &(srv_sock->addr.ipv6.sin6_addr) :
1153 (const void *) &(srv_sock->addr.ipv4.sin_addr),
1154 b2, sizeof(b2)-1);
1155 #else
1156 s = inet_ntoa(srv_sock->addr.ipv4.sin_addr);
1157 #endif
1158 force_assert(s);
1159 cgi_env_add(&env, CONST_STR_LEN("SERVER_NAME"), s, strlen(s));
1160 }
1161 cgi_env_add(&env, CONST_STR_LEN("GATEWAY_INTERFACE"), CONST_STR_LEN("CGI/1.1"));
1162
1163 s = get_http_version_name(con->request.http_version);
1164 force_assert(s);
1165 cgi_env_add(&env, CONST_STR_LEN("SERVER_PROTOCOL"), s, strlen(s));
1166
1167 li_utostrn(buf, sizeof(buf),
1168 #ifdef HAVE_IPV6
1169 ntohs(srv_sock->addr.plain.sa_family == AF_INET6 ? srv_sock->addr.ipv6.sin6_port : srv_sock->addr.ipv4.sin_port)
1170 #else
1171 ntohs(srv_sock->addr.ipv4.sin_port)
1172 #endif
1173 );
1174 cgi_env_add(&env, CONST_STR_LEN("SERVER_PORT"), buf, strlen(buf));
1175
1176 switch (srv_sock->addr.plain.sa_family) {
1177 #ifdef HAVE_IPV6
1178 case AF_INET6:
1179 s = inet_ntop(
1180 srv_sock->addr.plain.sa_family,
1181 (const void *) &(srv_sock->addr.ipv6.sin6_addr),
1182 b2, sizeof(b2)-1);
1183 break;
1184 case AF_INET:
1185 s = inet_ntop(
1186 srv_sock->addr.plain.sa_family,
1187 (const void *) &(srv_sock->addr.ipv4.sin_addr),
1188 b2, sizeof(b2)-1);
1189 break;
1190 #else
1191 case AF_INET:
1192 s = inet_ntoa(srv_sock->addr.ipv4.sin_addr);
1193 break;
1194 #endif
1195 default:
1196 s = "";
1197 break;
1198 }
1199 force_assert(s);
1200 cgi_env_add(&env, CONST_STR_LEN("SERVER_ADDR"), s, strlen(s));
1201
1202 s = get_http_method_name(con->request.http_method);
1203 force_assert(s);
1204 cgi_env_add(&env, CONST_STR_LEN("REQUEST_METHOD"), s, strlen(s));
1205
1206 if (!buffer_string_is_empty(con->request.pathinfo)) {
1207 cgi_env_add(&env, CONST_STR_LEN("PATH_INFO"), CONST_BUF_LEN(con->request.pathinfo));
1208 }
1209 if (!buffer_string_is_empty(con->uri.query)) {
1210 cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
1211 } else {
1212 cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_STR_LEN(""));
1213 }
1214 if (con->error_handler_saved_status >= 0) {
1215 cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.uri));
1216 } else {
1217 cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
1218 }
1219 /* set REDIRECT_STATUS for php compiled with --force-redirect
1220 * (if REDIRECT_STATUS has not already been set by error handler) */
1221 if (0 == con->error_handler_saved_status) {
1222 cgi_env_add(&env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200"));
1223 }
1224
1225
1226 switch (con->dst_addr.plain.sa_family) {
1227 #ifdef HAVE_IPV6
1228 case AF_INET6:
1229 s = inet_ntop(
1230 con->dst_addr.plain.sa_family,
1231 (const void *) &(con->dst_addr.ipv6.sin6_addr),
1232 b2, sizeof(b2)-1);
1233 break;
1234 case AF_INET:
1235 s = inet_ntop(
1236 con->dst_addr.plain.sa_family,
1237 (const void *) &(con->dst_addr.ipv4.sin_addr),
1238 b2, sizeof(b2)-1);
1239 break;
1240 #else
1241 case AF_INET:
1242 s = inet_ntoa(con->dst_addr.ipv4.sin_addr);
1243 break;
1244 #endif
1245 default:
1246 s = "";
1247 break;
1248 }
1249 force_assert(s);
1250 cgi_env_add(&env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s));
1251
1252 li_utostrn(buf, sizeof(buf),
1253 #ifdef HAVE_IPV6
1254 ntohs(con->dst_addr.plain.sa_family == AF_INET6 ? con->dst_addr.ipv6.sin6_port : con->dst_addr.ipv4.sin_port)
1255 #else
1256 ntohs(con->dst_addr.ipv4.sin_port)
1257 #endif
1258 );
1259 cgi_env_add(&env, CONST_STR_LEN("REMOTE_PORT"), buf, strlen(buf));
1260
1261 if (buffer_is_equal_caseless_string(con->uri.scheme, CONST_STR_LEN("https"))) {
1262 cgi_env_add(&env, CONST_STR_LEN("HTTPS"), CONST_STR_LEN("on"));
1263 }
1264
1265 li_itostrn(buf, sizeof(buf), con->request.content_length);
1266 cgi_env_add(&env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf));
1267 cgi_env_add(&env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(con->physical.path));
1268 cgi_env_add(&env, CONST_STR_LEN("SCRIPT_NAME"), CONST_BUF_LEN(con->uri.path));
1269 cgi_env_add(&env, CONST_STR_LEN("DOCUMENT_ROOT"), CONST_BUF_LEN(con->physical.basedir));
1270
1271 /* for valgrind */
1272 if (NULL != (s = getenv("LD_PRELOAD"))) {
1273 cgi_env_add(&env, CONST_STR_LEN("LD_PRELOAD"), s, strlen(s));
1274 }
1275
1276 if (NULL != (s = getenv("LD_LIBRARY_PATH"))) {
1277 cgi_env_add(&env, CONST_STR_LEN("LD_LIBRARY_PATH"), s, strlen(s));
1278 }
1279 #ifdef __CYGWIN__
1280 /* CYGWIN needs SYSTEMROOT */
1281 if (NULL != (s = getenv("SYSTEMROOT"))) {
1282 cgi_env_add(&env, CONST_STR_LEN("SYSTEMROOT"), s, strlen(s));
1283 }
1284 #endif
1285
1286 for (n = 0; n < con->request.headers->used; n++) {
1287 data_string *ds;
1288
1289 ds = (data_string *)con->request.headers->data[n];
1290
1291 if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
1292 /* Do not emit HTTP_PROXY in environment.
1293 * Some executables use HTTP_PROXY to configure
1294 * outgoing proxy. See also https://httpoxy.org/ */
1295 if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
1296 continue;
1297 }
1298
1299 buffer_copy_string_encoded_cgi_varnames(p->tmp_buf, CONST_BUF_LEN(ds->key), 1);
1300
1301 cgi_env_add(&env, CONST_BUF_LEN(p->tmp_buf), CONST_BUF_LEN(ds->value));
1302 }
1303 }
1304
1305 for (n = 0; n < con->environment->used; n++) {
1306 data_string *ds;
1307
1308 ds = (data_string *)con->environment->data[n];
1309
1310 if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
1311 buffer_copy_string_encoded_cgi_varnames(p->tmp_buf, CONST_BUF_LEN(ds->key), 0);
1312
1313 cgi_env_add(&env, CONST_BUF_LEN(p->tmp_buf), CONST_BUF_LEN(ds->value));
1314 }
1315 }
1316
1317 if (env.size == env.used) {
1318 env.size += 16;
1319 env.ptr = realloc(env.ptr, env.size * sizeof(*env.ptr));
1320 }
1321
1322 env.ptr[env.used] = NULL;
1323
1324 /* set up args */
1325 argc = 3;
1326 args = malloc(sizeof(*args) * argc);
1327 force_assert(args);
1328 i = 0;
1329
1330 if (!buffer_string_is_empty(cgi_handler)) {
1331 args[i++] = cgi_handler->ptr;
1332 }
1333 args[i++] = con->physical.path->ptr;
1334 args[i ] = NULL;
1335
1336 /* search for the last / */
1337 if (NULL != (c = strrchr(con->physical.path->ptr, '/'))) {
1338 /* handle special case of file in root directory */
1339 const char* physdir = (c == con->physical.path->ptr) ? "/" : con->physical.path->ptr;
1340
1341 /* temporarily shorten con->physical.path to directory without terminating '/' */
1342 *c = '\0';
1343 /* change to the physical directory */
1344 if (-1 == chdir(physdir)) {
1345 log_error_write(srv, __FILE__, __LINE__, "ssb", "chdir failed:", strerror(errno), con->physical.path);
1346 }
1347 *c = '/';
1348 }
1349
1350 /* we don't need the client socket */
1351 for (i = 3; i < 256; i++) {
1352 if (i != srv->errorlog_fd) close(i);
1353 }
1354
1355 /* exec the cgi */
1356 execve(args[0], args, env.ptr);
1357
1358 /* most log files may have been closed/redirected by this point,
1359 * though stderr might still point to lighttpd.breakage.log */
1360 perror(args[0]);
1361 _exit(1);
1362 }
1363 case -1:
1364 /* error */
1365 log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno));
1366 close(from_cgi_fds[0]);
1367 close(from_cgi_fds[1]);
1368 close(to_cgi_fds[0]);
1369 close(to_cgi_fds[1]);
1370 return -1;
1371 default: {
1372 /* parent process */
1373
1374 close(from_cgi_fds[1]);
1375 close(to_cgi_fds[0]);
1376
1377 /* register PID and wait for them asynchronously */
1378
1379 hctx->pid = pid;
1380 hctx->fd = from_cgi_fds[0];
1381 hctx->fde_ndx = -1;
1382
1383 if (0 == con->request.content_length) {
1384 close(to_cgi_fds[1]);
1385 } else {
1386 /* there is content to send */
1387 if (-1 == fdevent_fcntl_set(srv->ev, to_cgi_fds[1])) {
1388 log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno));
1389 close(to_cgi_fds[1]);
1390 cgi_connection_close(srv, hctx);
1391 return -1;
1392 }
1393
1394 if (0 != cgi_write_request(srv, hctx, to_cgi_fds[1])) {
1395 close(to_cgi_fds[1]);
1396 cgi_connection_close(srv, hctx);
1397 return -1;
1398 }
1399 }
1400
1401 fdevent_register(srv->ev, hctx->fd, cgi_handle_fdevent, hctx);
1402 fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN);
1403
1404 if (-1 == fdevent_fcntl_set(srv->ev, hctx->fd)) {
1405 log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno));
1406 cgi_connection_close(srv, hctx);
1407 return -1;
1408 }
1409
1410 break;
1411 }
1412 }
1413
1414 return 0;
1415 #else
1416 return -1;
1417 #endif
1418 }
1419
1420 static buffer * cgi_get_handler(array *a, buffer *fn) {
1421 size_t k, s_len = buffer_string_length(fn);
1422 for (k = 0; k < a->used; ++k) {
1423 data_string *ds = (data_string *)a->data[k];
1424 size_t ct_len = buffer_string_length(ds->key);
1425
1426 if (buffer_is_empty(ds->key)) continue;
1427 if (s_len < ct_len) continue;
1428
1429 if (0 == strncmp(fn->ptr + s_len - ct_len, ds->key->ptr, ct_len)) {
1430 return ds->value;
1431 }
1432 }
1433
1434 return NULL;
1435 }
1436
1437 #define PATCH(x) \
1438 p->conf.x = s->x;
1439 static int mod_cgi_patch_connection(server *srv, connection *con, plugin_data *p) {
1440 size_t i, j;
1441 plugin_config *s = p->config_storage[0];
1442
1443 PATCH(cgi);
1444 PATCH(execute_x_only);
1445 PATCH(xsendfile_allow);
1446 PATCH(xsendfile_docroot);
1447
1448 /* skip the first, the global context */
1449 for (i = 1; i < srv->config_context->used; i++) {
1450 data_config *dc = (data_config *)srv->config_context->data[i];
1451 s = p->config_storage[i];
1452
1453 /* condition didn't match */
1454 if (!config_check_cond(srv, con, dc)) continue;
1455
1456 /* merge config */
1457 for (j = 0; j < dc->value->used; j++) {
1458 data_unset *du = dc->value->data[j];
1459
1460 if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.assign"))) {
1461 PATCH(cgi);
1462 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.execute-x-only"))) {
1463 PATCH(execute_x_only);
1464 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.x-sendfile"))) {
1465 PATCH(xsendfile_allow);
1466 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.x-sendfile-docroot"))) {
1467 PATCH(xsendfile_docroot);
1468 }
1469 }
1470 }
1471
1472 return 0;
1473 }
1474 #undef PATCH
1475
1476 URIHANDLER_FUNC(cgi_is_handled) {
1477 plugin_data *p = p_d;
1478 buffer *fn = con->physical.path;
1479 stat_cache_entry *sce = NULL;
1480
1481 if (con->mode != DIRECT) return HANDLER_GO_ON;
1482
1483 if (buffer_is_empty(fn)) return HANDLER_GO_ON;
1484
1485 mod_cgi_patch_connection(srv, con, p);
1486
1487 if (HANDLER_ERROR == stat_cache_get_entry(srv, con, con->physical.path, &sce)) return HANDLER_GO_ON;
1488 if (!S_ISREG(sce->st.st_mode)) return HANDLER_GO_ON;
1489 if (p->conf.execute_x_only == 1 && (sce->st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) return HANDLER_GO_ON;
1490
1491 if (NULL != cgi_get_handler(p->conf.cgi, fn)) {
1492 handler_ctx *hctx = cgi_handler_ctx_init();
1493 hctx->remote_conn = con;
1494 hctx->plugin_data = p;
1495 con->plugin_ctx[p->id] = hctx;
1496 con->mode = p->id;
1497 }
1498
1499 return HANDLER_GO_ON;
1500 }
1501
1502 TRIGGER_FUNC(cgi_trigger) {
1503 plugin_data *p = p_d;
1504 size_t ndx;
1505 /* the trigger handle only cares about lonely PID which we have to wait for */
1506 #ifndef __WIN32
1507
1508 for (ndx = 0; ndx < p->cgi_pid.used; ndx++) {
1509 int status;
1510
1511 switch(waitpid(p->cgi_pid.ptr[ndx], &status, WNOHANG)) {
1512 case 0:
1513 /* not finished yet */
1514 #if 0
1515 log_error_write(srv, __FILE__, __LINE__, "sd", "(debug) child isn't done yet, pid:", p->cgi_pid.ptr[ndx]);
1516 #endif
1517 break;
1518 case -1:
1519 if (errno == ECHILD) {
1520 /* someone else called waitpid... remove the pid to stop looping the error each time */
1521 log_error_write(srv, __FILE__, __LINE__, "s", "cgi child vanished, probably someone else called waitpid");
1522
1523 cgi_pid_del(srv, p, p->cgi_pid.ptr[ndx]);
1524 ndx--;
1525 continue;
1526 }
1527
1528 log_error_write(srv, __FILE__, __LINE__, "ss", "waitpid failed: ", strerror(errno));
1529
1530 return HANDLER_ERROR;
1531 default:
1532
1533 if (WIFEXITED(status)) {
1534 #if 0
1535 log_error_write(srv, __FILE__, __LINE__, "sd", "(debug) cgi exited fine, pid:", p->cgi_pid.ptr[ndx]);
1536 #endif
1537 } else if (WIFSIGNALED(status)) {
1538 /* FIXME: what if we killed the CGI script with a kill(..., SIGTERM) ?
1539 */
1540 if (WTERMSIG(status) != SIGTERM) {
1541 log_error_write(srv, __FILE__, __LINE__, "sd", "cleaning up CGI: process died with signal", WTERMSIG(status));
1542 }
1543 } else {
1544 log_error_write(srv, __FILE__, __LINE__, "s", "cleaning up CGI: ended unexpectedly");
1545 }
1546
1547 cgi_pid_del(srv, p, p->cgi_pid.ptr[ndx]);
1548 /* del modified the buffer structure
1549 * and copies the last entry to the current one
1550 * -> recheck the current index
1551 */
1552 ndx--;
1553 }
1554 }
1555 #endif
1556 return HANDLER_GO_ON;
1557 }
1558
1559 /*
1560 * - HANDLER_GO_ON : not our job
1561 * - HANDLER_FINISHED: got response
1562 * - HANDLER_WAIT_FOR_EVENT: waiting for response
1563 */
1564 SUBREQUEST_FUNC(mod_cgi_handle_subrequest) {
1565 plugin_data *p = p_d;
1566 handler_ctx *hctx = con->plugin_ctx[p->id];
1567 chunkqueue *cq = con->request_content_queue;
1568
1569 if (con->mode != p->id) return HANDLER_GO_ON;
1570 if (NULL == hctx) return HANDLER_GO_ON;
1571
1572 if ((con->conf.stream_response_body & FDEVENT_STREAM_RESPONSE_BUFMIN)
1573 && con->file_started) {
1574 if (chunkqueue_length(con->write_queue) > 65536 - 4096) {
1575 fdevent_event_clr(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN);
1576 } else if (!(fdevent_event_get_interest(srv->ev, hctx->fd) & FDEVENT_IN)) {
1577 /* optimistic read from backend, which might re-enable FDEVENT_IN */
1578 handler_t rc = cgi_recv_response(srv, hctx); /*(might invalidate hctx)*/
1579 if (rc != HANDLER_GO_ON) return rc; /*(unless HANDLER_GO_ON)*/
1580 }
1581 }
1582
1583 if (cq->bytes_in != (off_t)con->request.content_length) {
1584 /*(64k - 4k to attempt to avoid temporary files
1585 * in conjunction with FDEVENT_STREAM_REQUEST_BUFMIN)*/
1586 if (cq->bytes_in - cq->bytes_out > 65536 - 4096
1587 && (con->conf.stream_request_body & FDEVENT_STREAM_REQUEST_BUFMIN)){
1588 con->conf.stream_request_body &= ~FDEVENT_STREAM_REQUEST_POLLIN;
1589 if (-1 != hctx->fd) return HANDLER_WAIT_FOR_EVENT;
1590 } else {
1591 handler_t r = connection_handle_read_post_state(srv, con);
1592 if (!chunkqueue_is_empty(cq)) {
1593 if (fdevent_event_get_interest(srv->ev, hctx->fdtocgi) & FDEVENT_OUT) {
1594 return (r == HANDLER_GO_ON) ? HANDLER_WAIT_FOR_EVENT : r;
1595 }
1596 }
1597 if (r != HANDLER_GO_ON) return r;
1598 }
1599 }
1600
1601 if (-1 == hctx->fd) {
1602 buffer *handler = cgi_get_handler(p->conf.cgi, con->physical.path);
1603 if (!handler) return HANDLER_GO_ON; /*(should not happen; checked in cgi_is_handled())*/
1604 if (cgi_create_env(srv, con, p, hctx, handler)) {
1605 con->http_status = 500;
1606 con->mode = DIRECT;
1607
1608 return HANDLER_FINISHED;
1609 }
1610 #if 0
1611 log_error_write(srv, __FILE__, __LINE__, "sdd", "subrequest, pid =", hctx, hctx->pid);
1612 #endif
1613 } else if (!chunkqueue_is_empty(con->request_content_queue)) {
1614 if (0 != cgi_write_request(srv, hctx, hctx->fdtocgi)) {
1615 cgi_connection_close(srv, hctx);
1616 return HANDLER_ERROR;
1617 }
1618 }
1619
1620 /* if not done, wait for CGI to close stdout, so we read EOF on pipe */
1621 return HANDLER_WAIT_FOR_EVENT;
1622 }
1623
1624
1625 int mod_cgi_plugin_init(plugin *p);
1626 int mod_cgi_plugin_init(plugin *p) {
1627 p->version = LIGHTTPD_VERSION_ID;
1628 p->name = buffer_init_string("cgi");
1629
1630 p->connection_reset = cgi_connection_close_callback;
1631 p->handle_subrequest_start = cgi_is_handled;
1632 p->handle_subrequest = mod_cgi_handle_subrequest;
1633 p->handle_trigger = cgi_trigger;
1634 p->init = mod_cgi_init;
1635 p->cleanup = mod_cgi_free;
1636 p->set_defaults = mod_fastcgi_set_defaults;
1637
1638 p->data = NULL;
1639
1640 return 0;
1641 }
A fast webserver with minimal memory-footprint (lighttpd)