Overview: www/shttpd includes a switch to run under inetd(8), and a sample line for inetd.conf. When run from inetd, shttpd attempts to open a listening socket, instead of using stdin/stdout for communications, and sends an error message back to the browser. Steps to reproduce: - pkg install shttpd - copy inetd.conf line from man page (http stream tcp nowait nobody /bin/shttpd shttpd -inetd 1 -root /var/www) - place a text file in the webroot for shttpd to serve - service inetd reload - attempt to browse to web server (e.g., http://server.local/) Actual results: Web browser displays an error that should have gone to stderr. There's no HTTP headers, so this probably shouldn't go out on the wire. Also note that even if the actual port is changed (by replacing 'http' in the inetd.conf line with another service), shttpd still tries to open the default port 80. If you include a -ports ## switch in the inetd command line, it will attempt to open that port, and if the port is above 1024, you'll get a segfault instead (see additional info below.) open_listening_port(80): Permission denied cannot open port 80 Cannot initialize SHTTPD context Expected results: shttpd auto-generates a directory listing, or serves up the index.htm file, if it exists. Compare to non-inetd functionality: remove the inetd entry, run shttpd -root /var/www -ports 8080 (or run as root), and then access the server. Build and hardware: shttpd 1.42, FreeBSD 11.0-RELEASE-p10, amd64 Additional information: This failure can also be provoked on the command line, by using echo 'GET / HTTP/1.1' | shttpd -inetd 1. I'm not too good with C, so I couldn't track it down myself, but in the source file shttpd.c, the similar-but-distinct set_opt() (line 1780) and shttpd_set_option() (line 1689) look like an option may not get properly set, depending on which version is used. Also, set_inetd() (line 1392) is asking for a segfault by setting ctx to NULL and then dereferencing it. This segfault can be observed by running from the command line, as above, and adding '-ports 8080', or any other unprivileged port.
Feedback please!
It would seem shttpd hasn't been maintained in 10+ years, and its web site also refers to Mongoose. Dan, Is the port useful outside inetd? If it's not, I'd propose sunsetting it.
It worked better outside inetd, but the short time I spent glancing over the code convinced me to move to the port of OpenBSD's httpd. I think sunsetting this port is a good idea.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3837dd00cf97cbed54ee2454ca68fda0f7d83342 commit 3837dd00cf97cbed54ee2454ca68fda0f7d83342 Author: Daniel Engberg <diizzy@FreeBSD.org> AuthorDate: 2022-04-04 18:23:34 +0000 Commit: Daniel Engberg <diizzy@FreeBSD.org> CommitDate: 2022-04-04 18:27:53 +0000 www/shttpd: Deprecate and set expiration date to 2022-04-31 Hasn't been maintained in 12+ years and upstream moved on to create mongoose (www/mongoose in tree) PR: 219011 Reported by: dfenwick@fastmail.com, mandree www/shttpd/Makefile | 3 +++ 1 file changed, 3 insertions(+)