From: chrisz Date: Wed, 13 Aug 2014 18:00:54 +0000 (+0000) Subject: For a non-existent root we don't want the root prefix to show up in X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=20b0b87157c7f3513e16e2c1d44503862e0c9d04;p=openbsd For a non-existent root we don't want the root prefix to show up in PATH_INFO. Therefore put a lower bound of strlen(root) on scriptlen. This makes perfect sense for virtual FastCGI scripts which run chrooted in another directory from httpd. ok reyk@ --- diff --git a/usr.sbin/httpd/server_fcgi.c b/usr.sbin/httpd/server_fcgi.c index d191ef21aee..848bae485f7 100644 --- a/usr.sbin/httpd/server_fcgi.c +++ b/usr.sbin/httpd/server_fcgi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_fcgi.c,v 1.32 2014/08/13 16:04:28 reyk Exp $ */ +/* $OpenBSD: server_fcgi.c,v 1.33 2014/08/13 18:00:54 chrisz Exp $ */ /* * Copyright (c) 2014 Florian Obser @@ -100,7 +100,8 @@ server_fcgi(struct httpd *env, struct client *clt) struct fcgi_record_header *h; struct fcgi_begin_request_body *begin; char hbuf[MAXHOSTNAMELEN]; - ssize_t scriptlen, pathlen; + size_t scriptlen; + int pathlen; int fd = -1, ret; const char *errstr = NULL; char *str, *p, *script = NULL; @@ -191,14 +192,21 @@ server_fcgi(struct httpd *env, struct client *clt) h->type = FCGI_PARAMS; h->content_len = param.total_len = 0; - if ((pathlen = (ssize_t)asprintf(&script, "%s%s", srv_conf->root, + if ((pathlen = asprintf(&script, "%s%s", srv_conf->root, desc->http_path_alias != NULL ? desc->http_path_alias : desc->http_path)) == -1) { errstr = "failed to get script name"; goto fail; } - if ((scriptlen = path_info(script)) < pathlen) { + scriptlen = path_info(script); + /* + * no part of root should show up in PATH_INFO. + * therefore scriptlen should be >= strlen(root) + */ + if (scriptlen < strlen(srv_conf->root)) + scriptlen = strlen(srv_conf->root); + if ((int)scriptlen < pathlen) { if (fcgi_add_param(¶m, "PATH_INFO", script + scriptlen, clt) == -1) { errstr = "failed to encode param";