Date: Sun, 5 Oct 2014 23:37:46 +0000 (UTC) From: John Marino <marino@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r370135 - in head/www/fcgiwrap: . files Message-ID: <201410052337.s95Nbk3Z085449@svn.freebsd.org>
Author: marino Date: Sun Oct 5 23:37:46 2014 New Revision: 370135 URL: https://svnweb.freebsd.org/changeset/ports/370135 QAT: https://qat.redports.org/buildarchive/r370135/ Log: www/fcgiwrap: Improve binary strip handling, add new feature PR: 192907 Final version: maintainer (fonz) Added: head/www/fcgiwrap/files/patch-fcgiwrap.8 (contents, props changed) Modified: head/www/fcgiwrap/Makefile head/www/fcgiwrap/files/patch-fcgiwrap.c Modified: head/www/fcgiwrap/Makefile ============================================================================== --- head/www/fcgiwrap/Makefile Sun Oct 5 23:25:46 2014 (r370134) +++ head/www/fcgiwrap/Makefile Sun Oct 5 23:37:46 2014 (r370135) @@ -2,7 +2,7 @@ PORTNAME= fcgiwrap PORTVERSION= 1.1.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= GH \ http://www.skysmurf.nl/comp/FreeBSD/distfiles/ @@ -31,9 +31,7 @@ GNU_CONFIGURE= yes PLIST_FILES= sbin/fcgiwrap man/man8/fcgiwrap.8.gz post-patch: - @${REINPLACE_CMD} 's/@prefix@@mandir@/@mandir@/' ${WRKSRC}/Makefile.in - -post-stage: - ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/fcgiwrap + @${REINPLACE_CMD} -e 's/@prefix@@mandir@/@mandir@/'\ + -e 's|-m 755 fcgiwrap|-s -m 755 fcgiwrap|' ${WRKSRC}/Makefile.in .include <bsd.port.mk> Added: head/www/fcgiwrap/files/patch-fcgiwrap.8 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/fcgiwrap/files/patch-fcgiwrap.8 Sun Oct 5 23:37:46 2014 (r370135) 
@@ -0,0 +1,21 @@ +--- fcgiwrap.8.orig 2014-09-22 12:44:32.000000000 +0200 ++++ fcgiwrap.8 2014-09-22 12:51:14.000000000 +0200 +@@ -42,6 +42,9 @@ + tests this option may be used. Valid socket_urls include \fIunix:/path/to/unix/socket\fP, + \fItcp:dot.ted.qu.ad:port\fP and \fItcp6:[ipv6_addr]:port\fP. + .TP ++.B \-p \fIpath\fP ++Restrict execution to the given path. Repeated options will be merged. ++.TP + .B \-h + Show a help message and exit. + +@@ -113,3 +116,8 @@ + This manual page was written by Jordi Mallach <jordi@debian.org> + (with contributions by Grzegorz Nosek) + for the Debian project (and may be used by others). ++.PP ++The ++.B \-p ++option was contributed by <takefu@airport.fm> as an addition to the FreeBSD ++port. Modified: head/www/fcgiwrap/files/patch-fcgiwrap.c ============================================================================== --- head/www/fcgiwrap/files/patch-fcgiwrap.c Sun Oct 5 23:25:46 2014 (r370134) +++ head/www/fcgiwrap/files/patch-fcgiwrap.c Sun Oct 5 23:37:46 2014 (r370135) @@ -1,5 +1,5 @@ ---- ./fcgiwrap.c.orig 2010-06-03 16:18:21.000000000 +0200 -+++ ./fcgiwrap.c 2010-06-15 14:54:38.232029168 +0200 +--- fcgiwrap.c.orig 2014-09-22 12:36:32.000000000 +0200 ++++ fcgiwrap.c 2014-09-22 12:41:59.000000000 +0200 @@ -43,6 +43,7 @@ #include <ctype.h> 
@@ -7,4 +7,76 @@ +#include <netinet/in.h> #include <sys/socket.h> #include <sys/un.h> + #include <netinet/in.h> +@@ -58,6 +59,8 @@ + extern char **environ; + static char * const * inherited_environ; ++static const char **allowed_programs; ++static size_t allowed_programs_count; + + static const char * blacklisted_env_vars[] = { + "AUTH_TYPE", +@@ -485,6 +488,19 @@ + } + } + ++static bool is_allowed_program(const char *program) { ++ size_t i; ++ if (!allowed_programs_count) ++ return true; ++ ++ for (i = 0; i < allowed_programs_count; i++) { ++ if (!strcmp(allowed_programs[i], program)) ++ return true; ++ } ++ ++ return false; ++} ++ + static void cgi_error(const char *message, const char *reason, const char *filename) + { + printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n", +@@ -541,6 +557,9 @@ + if (!filename) + cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL); + ++ if (!is_allowed_program(filename)) ++ cgi_error("403 Forbidden", "The given script is not allowed to execute", filename); ++ + last_slash = strrchr(filename, '/'); + if (!last_slash) + cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename); +@@ -760,7 +779,7 @@ + char *socket_url = NULL; + int c; + +- while ((c = getopt(argc, argv, "c:hfs:")) != -1) { ++ while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) { + switch (c) { + case 'f': + stderr_to_fastcgi++; +@@ -773,6 +792,7 @@ + " -c <number>\t\tNumber of processes to prefork\n" + " -s <socket_url>\tSocket to bind to (say -s help for help)\n" + " -h\t\t\tShow this help message and exit\n" ++ " -p <path>\t\tRestrict execution to this script. 
(repeated options will be merged)\n" + "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n" + PACKAGE_NAME" home page: <http://nginx.localdomain.pl/wiki/FcgiWrap>\n", + argv[0] +@@ -784,8 +804,14 @@ + case 's': + socket_url = strdup(optarg); + break; ++ case 'p': ++ allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *)); ++ if (!allowed_programs) ++ abort(); ++ allowed_programs[allowed_programs_count++] = strdup(optarg); ++ break; + case '?': +- if (optopt == 'c' || optopt == 's') ++ if (optopt == 'c' || optopt == 's' || optopt == 'p') + fprintf(stderr, "Option -%c requires an argument.\n", optopt); + else if (isprint(optopt)) + fprintf(stderr, "Unknown option `-%c'.\n", optopt);
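Review bot: In the added `case 'p':` branch the result of `strdup(optarg)` is stored unchecked, so an allocation failure leaves a NULL entry that `is_allowed_program()` later hands to `strcmp()`, which is undefined behaviour on the request path; the `realloc` failure already aborts, and the same should apply here: `char *p = strdup(optarg); if (!p) abort(); allowed_programs[allowed_programs_count++] = p;`. Separately, `is_allowed_program()` compares the raw `filename` string with `strcmp()`, so the allowlist matches by exact spelling rather than by resolved file: a differently spelled path to an allowed script is refused, and a symlink at an allowed path is presumably followed when the script is executed (that code is outside the hunk). If the intent is to pin specific files, both sides could be canonicalised with `realpath()` before the comparison, and a comment on `is_allowed_program()` should state that an empty list means no restriction at all. The man page text "Restrict execution to the given path" would be more accurate as an exact, fully qualified script path, matching the `-h` wording. The option loop in `main()` and the function that calls `is_allowed_program()` both begin and end outside the hunk.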