From 2cf74b7f6387c13fac5557e0e76086e375731574 Mon Sep 17 00:00:00 2001 From: florian Date: Sun, 9 Feb 2020 09:44:04 +0000 Subject: Implement "strip" option for fastcgi to be able to have multiple chroots under /var/www for FastCGI servers. From Nazar Zhuk (nazar AT zhuk DOT online), thanks! Ok benno --- usr.sbin/httpd/httpd.conf.5 | 10 ++++++++-- usr.sbin/httpd/httpd.h | 3 ++- usr.sbin/httpd/parse.y | 9 ++++++++- usr.sbin/httpd/server_fcgi.c | 9 +++++---- 4 files changed, 23 insertions(+), 8 deletions(-) (limited to 'usr.sbin/httpd') diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5 index f4ea2e55766..174e12be7ab 100644 --- a/usr.sbin/httpd/httpd.conf.5 +++ b/usr.sbin/httpd/httpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: httpd.conf.5,v 1.107 2019/05/08 21:46:56 tb Exp $ +.\" $OpenBSD: httpd.conf.5,v 1.108 2020/02/09 09:44:04 florian Exp $ .\" .\" Copyright (c) 2014, 2015 Reyk Floeter .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 8 2019 $ +.Dd $Mdocdate: February 9 2020 $ .Dt HTTPD.CONF 5 .Os .Sh NAME @@ -300,6 +300,12 @@ Alternatively if the FastCGI handler is listening on a TCP socket, .Ar socket starts with a colon followed by the TCP port number. +.It Ic strip Ar number +Strip +.Ar number +path components from the beginning of DOCUMENT_ROOT and +SCRIPT_FILENAME before sending them to the FastCGI server. +This allows FastCGI server chroot to be a directory under httpd chroot. .It Ic param Ar variable value Sets a variable that will be sent to the FastCGI server. Each statement defines one variable. diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h index b1f17af8cd7..8295e2a5a5b 100644 --- a/usr.sbin/httpd/httpd.h +++ b/usr.sbin/httpd/httpd.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: httpd.h,v 1.145 2019/05/08 19:57:45 reyk Exp $ */ +/* $OpenBSD: httpd.h,v 1.146 2020/02/09 09:44:04 florian Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter @@ -547,6 +547,7 @@ struct server_config { uint8_t hsts_flags; struct server_fcgiparams fcgiparams; + int fcgistrip; TAILQ_ENTRY(server_config) entry; }; diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y index 054302269f4..bc531b5eddb 100644 --- a/usr.sbin/httpd/parse.y +++ b/usr.sbin/httpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.113 2019/06/28 13:32:47 deraadt Exp $ */ +/* $OpenBSD: parse.y,v 1.114 2020/02/09 09:44:04 florian Exp $ */ /* * Copyright (c) 2007 - 2015 Reyk Floeter @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING { param->name, param->value); TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry); } + | STRIP NUMBER { + if ($2 < 0 || $2 > INT_MAX) { + yyerror("invalid fastcgi strip number"); + YYERROR; + } + srv_conf->fcgistrip = $2; + } ; connection : CONNECTION '{' optnl conflags_l '}' diff --git a/usr.sbin/httpd/server_fcgi.c b/usr.sbin/httpd/server_fcgi.c index 864ce6b16d5..a3b4bf583b3 100644 --- a/usr.sbin/httpd/server_fcgi.c +++ b/usr.sbin/httpd/server_fcgi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_fcgi.c,v 1.80 2019/05/08 21:41:06 tb Exp $ */ +/* $OpenBSD: server_fcgi.c,v 1.81 2020/02/09 09:44:04 florian Exp $ */ /* * Copyright (c) 2014 Florian Obser @@ -241,7 +241,8 @@ server_fcgi(struct httpd *env, struct client *clt) errstr = "failed to encode param"; goto fail; } - if (fcgi_add_param(¶m, "SCRIPT_FILENAME", script, clt) == -1) { + if (fcgi_add_param(¶m, "SCRIPT_FILENAME", server_root_strip(script, + srv_conf->fcgistrip), clt) == -1) { errstr = "failed to encode param"; goto fail; } 
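Review bot: The new `STRIP NUMBER` rule accepts any count from 0 to `INT_MAX`, so nothing ties the value to the number of path components the server's root actually has. A count larger than that depth is presumably still handed to `server_root_strip()` at request time (its body is not on this page), which would leave the FastCGI server with a DOCUMENT_ROOT and SCRIPT_FILENAME that no longer correspond to its chroot, with no diagnostic at config load. I would check the count against the depth of `srv_conf->root` once the server block is fully parsed, or at minimum record the gap with a comment on the rule, e.g. `/* not checked against the depth of root; see server_fcgi() */`. The `fcgiflags` production begins before this hunk.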
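Review bot: `srv_conf->fcgistrip` is applied to the whole `script` string in the SCRIPT_FILENAME call, and `script` is assembled above this hunk; if it is the root followed by the request path (not visible, to be confirmed), a strip count larger than the root's depth removes leading components of the client-supplied path rather than of the chroot prefix. The FastCGI server would then be pointed at a different file than the one httpd matched its location rules against. Stripping only the root portion and appending the request path afterwards would keep the two in step. Separately, the call split as `server_root_strip(script,` / `srv_conf->fcgistrip), clt)` is hard to read; a local such as `const char *fn = server_root_strip(script, srv_conf->fcgistrip);` before the `if` would be clearer. server_fcgi() starts and ends outside the hunk.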
@@ -257,8 +258,8 @@ server_fcgi(struct httpd *env, struct client *clt)
 goto fail;
 }

- if (fcgi_add_param(¶m, "DOCUMENT_ROOT", srv_conf->root,
- clt) == -1) {
+ if (fcgi_add_param(¶m, "DOCUMENT_ROOT", server_root_strip(
+ srv_conf->root, srv_conf->fcgistrip), clt) == -1) {
 errstr = "failed to encode param";
 goto fail;
 }
-- cgit v1.2.3-59-g8ed1b
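Review bot: DOCUMENT_ROOT is now whatever `server_root_strip()` returns, and the result goes to `fcgi_add_param()` without a check for an empty string. When the FastCGI chroot is the document root itself, stripping every component plausibly yields `""` rather than `/` (the helper is not shown on this page, so this needs confirming), and an empty DOCUMENT_ROOT is easy for applications to mishandle. Either substitute `/` when the stripped result is empty, or state the intended value in a comment above the call, for instance `/* strip may consume the whole root; an empty DOCUMENT_ROOT then means the FastCGI chroot itself */`. The enclosing function extends beyond the hunk.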