FreeBSD Bugzilla – Attachment 147558 Details for
Bug 192907
www/fcgiwrap: Improved handling of binary stripping and addition of a new command line option that restricts what may be run
[patch]
New patch, maintainer approved.
fcgiwrap.new.patch (text/plain), 4.68 KB, created by
A.J. "Fonz" van Werven
on 2014-09-22 13:09:19 UTC
Description:
New patch, maintainer approved.
Filename:
MIME Type:
Creator:
A.J. "Fonz" van Werven
Created:
2014-09-22 13:09:19 UTC
Size:
4.68 KB
patch
obsolete
>diff -ruN fcgiwrap.orig/Makefile fcgiwrap/Makefile
>--- fcgiwrap.orig/Makefile 2014-09-22 12:23:45.000000000 +0200
>+++ fcgiwrap/Makefile 2014-09-22 12:38:52.000000000 +0200
>@@ -2,7 +2,7 @@
> 
> PORTNAME= fcgiwrap
> PORTVERSION= 1.1.0
>-PORTREVISION= 1
>+PORTREVISION= 2
> CATEGORIES= www
> MASTER_SITES= GH \
> http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>@@ -31,9 +31,7 @@
> PLIST_FILES= sbin/fcgiwrap man/man8/fcgiwrap.8.gz
> 
> post-patch:
>- @${REINPLACE_CMD} 's/@prefix@@mandir@/@mandir@/' ${WRKSRC}/Makefile.in
>-
>-post-stage:
>- ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/fcgiwrap
>+ @${REINPLACE_CMD} -e 's/@prefix@@mandir@/@mandir@/'\
>+ -e 's|-m 755 fcgiwrap|-s -m 755 fcgiwrap|' ${WRKSRC}/Makefile.in
> 
> .include <bsd.port.mk>
>diff -ruN fcgiwrap.orig/files/patch-fcgiwrap.8 fcgiwrap/files/patch-fcgiwrap.8
>--- fcgiwrap.orig/files/patch-fcgiwrap.8 1970-01-01 01:00:00.000000000 +0100
>+++ fcgiwrap/files/patch-fcgiwrap.8 2014-09-22 12:52:02.000000000 +0200
>@@ -0,0 +1,21 @@
>+--- fcgiwrap.8.orig 2014-09-22 12:44:32.000000000 +0200
>++++ fcgiwrap.8 2014-09-22 12:51:14.000000000 +0200
>+@@ -42,6 +42,9 @@
>+ tests this option may be used. Valid socket_urls include \fIunix:/path/to/unix/socket\fP,
>+ \fItcp:dot.ted.qu.ad:port\fP and \fItcp6:[ipv6_addr]:port\fP.
>+ .TP
>++.B \-p \fIpath\fP
>++Restrict execution to the given path. Repeated options will be merged.
>++.TP
>+ .B \-h
>+ Show a help message and exit.
>+ 
>+@@ -113,3 +116,8 @@
>+ This manual page was written by Jordi Mallach <jordi@debian.org>
>+ (with contributions by Grzegorz Nosek)
>+ for the Debian project (and may be used by others).
>++.PP
>++The
>++.B \-p
>++option was contributed by <takefu@airport.fm> as an addition to the FreeBSD
>++port.
>diff -ruN fcgiwrap.orig/files/patch-fcgiwrap.c fcgiwrap/files/patch-fcgiwrap.c
>--- fcgiwrap.orig/files/patch-fcgiwrap.c 2014-09-22 12:23:45.000000000 +0200
>+++ fcgiwrap/files/patch-fcgiwrap.c 2014-09-22 12:43:46.000000000 +0200
>@@ -1,5 +1,5 @@
>---- ./fcgiwrap.c.orig 2010-06-03 16:18:21.000000000 +0200
>-+++ ./fcgiwrap.c 2010-06-15 14:54:38.232029168 +0200
>+--- fcgiwrap.c.orig 2014-09-22 12:36:32.000000000 +0200
>++++ fcgiwrap.c 2014-09-22 12:41:59.000000000 +0200
> @@ -43,6 +43,7 @@
> #include <ctype.h>
> 
>@@ -7,4 +7,76 @@
> +#include <netinet/in.h>
> #include <sys/socket.h>
> #include <sys/un.h>
>+ #include <netinet/in.h>
>+@@ -58,6 +59,8 @@
> 
>+ extern char **environ;
>+ static char * const * inherited_environ;
>++static const char **allowed_programs;
>++static size_t allowed_programs_count;
>+ 
>+ static const char * blacklisted_env_vars[] = {
>+ "AUTH_TYPE",
>+@@ -485,6 +488,19 @@
>+ }
>+ }
>+ 
>++static bool is_allowed_program(const char *program) {
>++ size_t i;
>++ if (!allowed_programs_count)
>++ return true;
>++ 
>++ for (i = 0; i < allowed_programs_count; i++) {
>++ if (!strcmp(allowed_programs[i], program))
>++ return true;
>++ }
>++ 
>++ return false;
>++}
>++ 
>+ static void cgi_error(const char *message, const char *reason, const char *filename)
>+ {
>+ printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n",
>+@@ -541,6 +557,9 @@
>+ if (!filename)
>+ cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL);
>+ 
>++ if (!is_allowed_program(filename))
>++ cgi_error("403 Forbidden", "The given script is not allowed to execute", filename);
>++ 
>+ last_slash = strrchr(filename, '/');
>+ if (!last_slash)
>+ cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename);
>+@@ -760,7 +779,7 @@
>+ char *socket_url = NULL;
>+ int c;
>+ 
>+- while ((c = getopt(argc, argv, "c:hfs:")) != -1) {
>++ while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) {
>+ switch (c) {
>+ case 'f':
>+ stderr_to_fastcgi++;
>+@@ -773,6 +792,7 @@
>+ " -c <number>\t\tNumber of processes to prefork\n"
>+ " -s <socket_url>\tSocket to bind to (say -s help for help)\n"
>+ " -h\t\t\tShow this help message and exit\n"
>++ " -p <path>\t\tRestrict execution to this script. 
(repeated options will be merged)\n"
>+ "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n"
>+ PACKAGE_NAME" home page: <http://nginx.localdomain.pl/wiki/FcgiWrap>\n",
>+ argv[0]
>+@@ -784,8 +804,14 @@
>+ case 's':
>+ socket_url = strdup(optarg);
>+ break;
>++ case 'p':
>++ allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *));
>++ if (!allowed_programs)
>++ abort();
>++ allowed_programs[allowed_programs_count++] = strdup(optarg);
>++ break;
>+ case '?':
>+- if (optopt == 'c' || optopt == 's')
>++ if (optopt == 'c' || optopt == 's' || optopt == 'p')
>+ fprintf(stderr, "Option -%c requires an argument.\n", optopt);
>+ else if (isprint(optopt))
>+ fprintf(stderr, "Unknown option `-%c'.\n", optopt);
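Review bot: is_allowed_program() compares the script path with each -p value byte-for-byte via strcmp, so it is a string allowlist rather than a path allowlist: the same file reached through a symlink, a `..` component or a doubled slash does not match, and how `filename` is derived (and whether it is already canonical) is outside this hunk and cannot be confirmed here. If a path allowlist is intended, both sides should be canonicalized (e.g. realpath(3)) before comparing, and the -p text in patch-fcgiwrap.8 should say which semantics apply. A comment above the function, `/* Exact-match allowlist; an empty list (no -p given) allows every script. */`, would make the unrestricted default explicit, since neither the man page addition nor the help string states that omitting -p leaves execution unrestricted. In the `case 'p':` block the strdup(optarg) result is stored without a NULL check, unlike the realloc result two lines above; a NULL entry would later be passed to strcmp in is_allowed_program(), so `if (!(allowed_programs[allowed_programs_count++] = strdup(optarg))) abort();` would keep the two failure paths consistent.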
Flags:
freebsd
:
maintainer-approval+