FreeBSD Bugzilla – Attachment 146143 Details for
Bug 192907
www/fcgiwrap: Improved handling of binary stripping and addition of a new command line option that restricts what may be run
[patch]
fcgiwrap.patch
fcgiwarp.patch (text/plain), 4.59 KB, created by
takefu
on 2014-08-22 05:27:57 UTC
Description:
fcgiwrap.patch
Filename:
MIME Type:
Creator:
takefu
Created:
2014-08-22 05:27:57 UTC
Size:
4.59 KB
>diff -ruN /usr/ports/www/fcgiwrap/Makefile ./Makefile
>--- /usr/ports/www/fcgiwrap/Makefile 2014-07-14 00:30:08.000000000 +0900
>+++ ./Makefile 2014-08-22 08:28:15.000000000 +0900
>@@ -2,7 +2,7 @@
>
> PORTNAME= fcgiwrap
> PORTVERSION= 1.1.0
>-PORTREVISION= 1
>+PORTREVISION= 2
> CATEGORIES= www
> MASTER_SITES= GH \
> http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>@@ -31,9 +31,7 @@
> PLIST_FILES= sbin/fcgiwrap man/man8/fcgiwrap.8.gz
>
> post-patch:
>- @${REINPLACE_CMD} 's/@prefix@@mandir@/@mandir@/' ${WRKSRC}/Makefile.in
>-
>-post-stage:
>- ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/fcgiwrap
>+ @${REINPLACE_CMD} -e 's/@prefix@@mandir@/@mandir@/'\
>+ -e 's|-m 755 fcgiwrap|-s -m 755 fcgiwrap|' ${WRKSRC}/Makefile.in
>
> .include <bsd.port.mk>
>diff -ruN /usr/ports/www/fcgiwrap/files/patch-README.rst ./files/patch-README.rst
>--- /usr/ports/www/fcgiwrap/files/patch-README.rst 1970-01-01 09:00:00.000000000 +0900
>+++ ./files/patch-README.rst 2014-08-22 08:11:06.000000000 +0900
>@@ -0,0 +1,13 @@
>+--- ./README.rst.orig 2013-02-03 22:25:17.000000000 +0900
>++++ ./README.rst 2014-01-09 20:10:43.000000000 +0900
>+@@ -7,6 +7,9 @@
>+ :Contributors: W-Mark Kubacki <wmark@hurrikane.de>
>+ Jordi Mallach <jordi@debian.org>
>+
>++
>++This page has been translated into `Spanish <http://www.webhostinghub.com/support/es/misc/fcgiwrap>`_ language by Maria Ramos from `Webhostinghub.com/support/edu <http://www.webhostinghub.com/support/edu>`_.
>++
>+ Features
>+ ========
>+ - very lightweight (84KB of private memory per instance)
>+diff -ruN gnosek-fcgiwrap-333ff99/fcgiwrap.c fcgiwrap-master/fcgiwrap.c
>diff -ruN /usr/ports/www/fcgiwrap/files/patch-fcgiwrap.c ./files/patch-fcgiwrap.c
>--- /usr/ports/www/fcgiwrap/files/patch-fcgiwrap.c 2014-01-23 02:40:44.000000000 +0900
>+++ ./files/patch-fcgiwrap.c 2014-08-22 08:11:51.000000000 +0900
>@@ -8,3 +8,86 @@
> #include <sys/socket.h>
> #include <sys/un.h>
>
>+--- ./fcgiwrap.c.orig 2013-02-03 22:25:17.000000000 +0900
>++++ ./fcgiwrap.c 2014-01-09 20:10:43.000000000 +0900
>+@@ -58,6 +58,8 @@
>+
>+ extern char **environ;
>+ static char * const * inherited_environ;
>++static const char **allowed_programs;
>++static size_t allowed_programs_count;
>+
>+ static const char * blacklisted_env_vars[] = {
>+ "AUTH_TYPE",
>+@@ -485,6 +487,19 @@
>+ }
>+ }
>+
>++static bool is_allowed_program(const char *program) {
>++ size_t i;
>++ if (!allowed_programs_count)
>++ return true;
>++
>++ for (i = 0; i < allowed_programs_count; i++) {
>++ if (!strcmp(allowed_programs[i], program))
>++ return true;
>++ }
>++
>++ return false;
>++}
>++
>+ static void cgi_error(const char *message, const char *reason, const char *filename)
>+ {
>+ printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n",
>+@@ -541,6 +556,9 @@
>+ if (!filename)
>+ cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL);
>+
>++ if (!is_allowed_program(filename))
>++ cgi_error("403 Forbidden", "The given script is not allowed to execute", filename);
>++
>+ last_slash = strrchr(filename, '/');
>+ if (!last_slash)
>+ cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename);
>+@@ -605,7 +623,7 @@
>+ {
>+ int status;
>+
>+- while ((dummy = waitpid(-1, &status, WNOHANG)) != -1) {
>++ while ((dummy = waitpid(-1, &status, WNOHANG)) > 0) {
>+ /* sanity check */
>+ if (nrunning > 0)
>+ nrunning--;
>+@@ -760,7 +778,7 @@
>+ char *socket_url = NULL;
>+ int c;
>+
>+- while ((c = getopt(argc, argv, "c:hfs:")) != -1) {
>++ while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) {
>+ switch (c) {
>+ case 'f':
>+ stderr_to_fastcgi++;
>+@@ -773,6 +791,7 @@
>+ " -c <number>\t\tNumber of processes to prefork\n"
>+ " -s <socket_url>\tSocket to bind to (say -s help for help)\n"
>+ " -h\t\t\tShow this help message and exit\n"
>++ " -p <path>\t\tRestrict execution to this script. (repeated options will be merged)\n"
>+ "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n"
>+ PACKAGE_NAME" home page: <http://nginx.localdomain.pl/wiki/FcgiWrap>\n",
>+ argv[0]
>+@@ -784,8 +803,14 @@
>+ case 's':
>+ socket_url = strdup(optarg);
>+ break;
>++ case 'p':
>++ allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *));
>++ if (!allowed_programs)
>++ abort();
>++ allowed_programs[allowed_programs_count++] = strdup(optarg);
>++ break;
>+ case '?':
>+- if (optopt == 'c' || optopt == 's')
>++ if (optopt == 'c' || optopt == 's' || optopt == 'p')
>+ fprintf(stderr, "Option -%c requires an argument.\n", optopt);
>+ else if (isprint(optopt))
>+ fprintf(stderr, "Unknown option `-%c'.\n", optopt);
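Review bot: In the new `case 'p':` branch the result of `strdup(optarg)` is stored unchecked, so on allocation failure a NULL entry lands in `allowed_programs` and the `strcmp(allowed_programs[i], program)` in `is_allowed_program` dereferences it on the first request. Check it the same way as the `realloc` just above: `char *p = strdup(optarg); if (!p) abort(); allowed_programs[allowed_programs_count++] = p;`. The allowlist is also a literal string comparison against the request's `filename`, so a `-p` value that is relative or spelled differently from the path fcgiwrap computes matches nothing and every request gets a 403; rejecting `-p` arguments that do not start with `/` at startup, and stating in the help text that the match is exact, would make that misconfiguration visible. Because the comparison is on the path string rather than the resolved file, it presumably offers no protection when an allowed path is a symlink or sits in a directory writable by an untrusted user, which is worth a sentence in the man page. The enclosing functions of the `-p` parsing and of the `is_allowed_program(filename)` call start and end outside the hunk.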
Flags:
koobs
:
maintainer-approval-
Attachments on
bug 192907
:
146143
|
147558