
(-)fcgiwrap/Makefile (-5 / +3 lines)
Lines 2-8 Link Here
2
2
3
PORTNAME=	fcgiwrap
3
PORTNAME=	fcgiwrap
4
PORTVERSION=	1.1.0
4
PORTVERSION=	1.1.0
5
PORTREVISION=	1
5
PORTREVISION=	2
6
CATEGORIES=	www
6
CATEGORIES=	www
7
MASTER_SITES=	GH \
7
MASTER_SITES=	GH \
8
		http://www.skysmurf.nl/comp/FreeBSD/distfiles/
8
		http://www.skysmurf.nl/comp/FreeBSD/distfiles/
Lines 31-39 Link Here
31
PLIST_FILES=	sbin/fcgiwrap man/man8/fcgiwrap.8.gz
31
PLIST_FILES=	sbin/fcgiwrap man/man8/fcgiwrap.8.gz
32
32
33
post-patch:
33
post-patch:
34
	@${REINPLACE_CMD} 's/@prefix@@mandir@/@mandir@/' ${WRKSRC}/Makefile.in
34
	@${REINPLACE_CMD} -e 's/@prefix@@mandir@/@mandir@/'\
35
35
	-e 's|-m 755 fcgiwrap|-s -m 755 fcgiwrap|' ${WRKSRC}/Makefile.in
36
post-stage:
37
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/fcgiwrap
38
36
39
.include <bsd.port.mk>
37
.include <bsd.port.mk>
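--- a/fcgiwrap/files/patch-fcgiwrap.8
+++ b/fcgiwrap/files/patch-fcgiwrap.8
@@ -0,0 +1,21 @@
+--- fcgiwrap.8.orig	2014-09-22 12:44:32.000000000 +0200
++++ fcgiwrap.8	2014-09-22 12:51:14.000000000 +0200
+@@ -42,6 +42,9 @@
+ tests this option may be used. Valid socket_urls include \fIunix:/path/to/unix/socket\fP,
+ \fItcp:dot.ted.qu.ad:port\fP and \fItcp6:[ipv6_addr]:port\fP.
+ .TP
++.B \-p \fIpath\fP
++Restrict execution to the given path. Repeated options will be merged.
++.TP
+ .B \-h
+ Show a help message and exit.
+ 
+@@ -113,3 +116,8 @@
+ This manual page was written by Jordi Mallach <jordi@debian.org>
+ (with contributions by Grzegorz Nosek)
+ for the Debian project (and may be used by others).
++.PP
++The 
++.B \-p
++option was contributed by <takefu@airport.fm> as an addition to the FreeBSD
++port.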
(-)fcgiwrap/files/patch-fcgiwrap.c (-2 / +74 lines)
Lines 1-5 Link Here
1
--- ./fcgiwrap.c.orig	2010-06-03 16:18:21.000000000 +0200
1
--- fcgiwrap.c.orig	2014-09-22 12:36:32.000000000 +0200
2
+++ ./fcgiwrap.c	2010-06-15 14:54:38.232029168 +0200
2
+++ fcgiwrap.c	2014-09-22 12:41:59.000000000 +0200
3
@@ -43,6 +43,7 @@
3
@@ -43,6 +43,7 @@
4
 #include <ctype.h>
4
 #include <ctype.h>
5
 
5
 
Lines 7-10 Link Here
7
+#include <netinet/in.h>
7
+#include <netinet/in.h>
8
 #include <sys/socket.h>
8
 #include <sys/socket.h>
9
 #include <sys/un.h>
9
 #include <sys/un.h>
10
 #include <netinet/in.h>
11
@@ -58,6 +59,8 @@
10
 
12
 
13
 extern char **environ;
14
 static char * const * inherited_environ;
15
+static const char **allowed_programs;
16
+static size_t allowed_programs_count;
17
 
18
 static const char * blacklisted_env_vars[] = {
19
 	"AUTH_TYPE",
20
@@ -485,6 +488,19 @@
21
 	}
22
 }
23
 
24
+static bool is_allowed_program(const char *program) {
25
+	size_t i;
26
+	if (!allowed_programs_count)
27
+		return true;
28
+
29
+	for (i = 0; i < allowed_programs_count; i++) {
30
+		if (!strcmp(allowed_programs[i], program))
31
+			return true;
32
+	}
33
+
34
+	return false;
35
+}
36
+
37
 static void cgi_error(const char *message, const char *reason, const char *filename)
38
 {
39
 	printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n",
40
@@ -541,6 +557,9 @@
41
 			if (!filename)
42
 				cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL);
43
 
44
+			if (!is_allowed_program(filename))
45
+				cgi_error("403 Forbidden", "The given script is not allowed to execute", filename);
46
+
47
 			last_slash = strrchr(filename, '/');
48
 			if (!last_slash)
49
 				cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename);
50
@@ -760,7 +779,7 @@
51
 	char *socket_url = NULL;
52
 	int c;
53
 
54
-	while ((c = getopt(argc, argv, "c:hfs:")) != -1) {
55
+	while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) {
56
 		switch (c) {
57
 			case 'f':
58
 				stderr_to_fastcgi++;
59
@@ -773,6 +792,7 @@
60
 					"  -c <number>\t\tNumber of processes to prefork\n"
61
 					"  -s <socket_url>\tSocket to bind to (say -s help for help)\n"
62
 					"  -h\t\t\tShow this help message and exit\n"
63
+					"  -p <path>\t\tRestrict execution to this script. (repeated options will be merged)\n"
64
 					"\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n"
65
 					PACKAGE_NAME" home page: <http://nginx.localdomain.pl/wiki/FcgiWrap>\n",
66
 					argv[0]
67
@@ -784,8 +804,14 @@
68
 			case 's':
69
 				socket_url = strdup(optarg);
70
 				break;
71
+			case 'p':
72
+				allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *));
73
+				if (!allowed_programs)
74
+					abort();
75
+				allowed_programs[allowed_programs_count++] = strdup(optarg);
76
+				break;
77
 			case '?':
78
-				if (optopt == 'c' || optopt == 's')
79
+				if (optopt == 'c' || optopt == 's' || optopt == 'p')
80
 					fprintf(stderr, "Option -%c requires an argument.\n", optopt);
81
 				else if (isprint(optopt))
82
 					fprintf(stderr, "Unknown option `-%c'.\n", optopt);
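Review bot: In the `case 'p':` hunk the result of `strdup(optarg)` is stored without a check, so an allocation failure leaves a NULL entry that `is_allowed_program()` later passes to `strcmp()`; since this list is the only execution restriction, fail at startup instead, e.g. `if (!(allowed_programs[allowed_programs_count++] = strdup(optarg))) abort();`. The match is an exact `strcmp()` against `filename`, so a `-p` value that is relative, names a directory, or goes through a symlink will most likely never equal the path the wrapper resolves (that resolution is outside the hunk), and every request then gets the 403. A comment on `is_allowed_program()` and the help and man-page text should say that `-p` takes the exact absolute script path, and that with no `-p` at all every script is allowed. The new check also relies on `cgi_error()` not returning, which these hunks do not show. Both `main()` and the request handler start and end outside the hunks.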
