1 #include "first.h" 2 3 #include "base.h" 4 #include "stat_cache.h" 5 #include "http_kv.h" 6 #include "log.h" 7 #include "connections.h" 8 #include "joblist.h" 9 #include "response.h" 10 #include "http_chunk.h" 11 #include "http_header.h" 12 13 #include "plugin.h" 14 15 #include <sys/types.h> 16 #include "sys-mmap.h" 17 #include "sys-socket.h" 18 # include <sys/wait.h> 19 20 #include <unistd.h> 21 #include <errno.h> 22 #include <stdlib.h> 23 #include <string.h> 24 #include <fdevent.h> 25 26 #include <fcntl.h> 27 #include <signal.h> 28 29 static int pipe_cloexec(int pipefd[2]) { 30 #ifdef HAVE_PIPE2 31 if (0 == pipe2(pipefd, O_CLOEXEC)) return 0; 32 #endif 33 return 0 == pipe(pipefd) 34 #ifdef FD_CLOEXEC 35 && 0 == fcntl(pipefd[0], F_SETFD, FD_CLOEXEC) 36 && 0 == fcntl(pipefd[1], F_SETFD, FD_CLOEXEC) 37 #endif 38 ? 0 39 : -1; 40 } 41 42 typedef struct { 43 char *ptr; 44 size_t used; 45 size_t size; 46 size_t *offsets; 47 size_t osize; 48 size_t oused; 49 char **eptr; 50 size_t esize; 51 buffer *ld_preload; 52 buffer *ld_library_path; 53 #ifdef __CYGWIN__ 54 buffer *systemroot; 55 #endif 56 } env_accum; 57 58 typedef struct { 59 struct { pid_t pid; void *ctx; } *ptr; 60 size_t used; 61 size_t size; 62 } buffer_pid_t; 63 64 typedef struct { 65 array *cgi; 66 unsigned short execute_x_only; 67 unsigned short local_redir; 68 unsigned short xsendfile_allow; 69 unsigned short upgrade; 70 array *xsendfile_docroot; 71 } plugin_config; 72 73 typedef struct { 74 PLUGIN_DATA; 75 plugin_config **config_storage; 76 plugin_config conf; 77 buffer_pid_t cgi_pid; 78 env_accum env; 79 } plugin_data; 80 81 typedef struct { 82 pid_t pid; 83 int fd; 84 int fdtocgi; 85 int fde_ndx; /* index into the fd-event buffer */ 86 int fde_ndx_tocgi; /* index into the fd-event buffer */ 87 88 connection *remote_conn; /* dumb pointer */ 89 plugin_data *plugin_data; /* dumb pointer */ 90 91 buffer *response; 92 buffer *cgi_handler; /* dumb pointer */ 93 http_response_opts opts; 94 plugin_config conf; 95 } handler_ctx; 96 97 static handler_ctx * cgi_handler_ctx_init(void) { 98 handler_ctx *hctx = calloc(1, sizeof(*hctx)); 99 100 force_assert(hctx); 101 102 hctx->response = chunk_buffer_acquire(); 103 hctx->fd = -1; 104 hctx->fdtocgi = -1; 105 106 return hctx; 107 } 108 109 static void cgi_handler_ctx_free(handler_ctx *hctx) { 110 chunk_buffer_release(hctx->response); 111 free(hctx); 112 } 113 114 INIT_FUNC(mod_cgi_init) { 115 plugin_data *p; 116 const char *s; 117 118 p = calloc(1, sizeof(*p)); 119 120 force_assert(p); 121 122 /* for valgrind */ 123 s = getenv("LD_PRELOAD"); 124 if (s) p->env.ld_preload = buffer_init_string(s); 125 s = getenv("LD_LIBRARY_PATH"); 126 if (s) p->env.ld_library_path = buffer_init_string(s); 127 #ifdef __CYGWIN__ 128 /* CYGWIN needs SYSTEMROOT */ 129 s = getenv("SYSTEMROOT"); 130 if (s) p->env.systemroot = buffer_init_string(s); 131 #endif 132 133 return p; 134 } 135 136 137 FREE_FUNC(mod_cgi_free) { 138 plugin_data *p = p_d; 139 buffer_pid_t *r = &(p->cgi_pid); 140 141 UNUSED(srv); 142 143 if (p->config_storage) { 144 size_t i; 145 for (i = 0; i < srv->config_context->used; i++) { 146 plugin_config *s = p->config_storage[i]; 147 148 if (NULL == s) continue; 149 150 array_free(s->cgi); 151 array_free(s->xsendfile_docroot); 152 153 free(s); 154 } 155 free(p->config_storage); 156 } 157 158 159 if (r->ptr) free(r->ptr); 160 free(p->env.ptr); 161 free(p->env.offsets); 162 free(p->env.eptr); 163 buffer_free(p->env.ld_preload); 164 buffer_free(p->env.ld_library_path); 165 #ifdef __CYGWIN__ 166 buffer_free(p->env.systemroot); 167 #endif 168 free(p); 169 170 return HANDLER_GO_ON; 171 } 172 173 SETDEFAULTS_FUNC(mod_fastcgi_set_defaults) { 174 plugin_data *p = p_d; 175 size_t i = 0; 176 177 config_values_t cv[] = { 178 { "cgi.assign", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ 179 { "cgi.execute-x-only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ 180 { "cgi.x-sendfile", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ 181 { "cgi.x-sendfile-docroot", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 3 */ 182 { "cgi.local-redir", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */ 183 { "cgi.upgrade", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 5 */ 184 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET} 185 }; 186 187 if (!p) return HANDLER_ERROR; 188 189 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *)); 190 force_assert(p->config_storage); 191 192 for (i = 0; i < srv->config_context->used; i++) { 193 data_config const* config = (data_config const*)srv->config_context->data[i]; 194 plugin_config *s; 195 196 s = calloc(1, sizeof(plugin_config)); 197 force_assert(s); 198 199 s->cgi = array_init(); 200 s->execute_x_only = 0; 201 s->local_redir = 0; 202 s->xsendfile_allow= 0; 203 s->xsendfile_docroot = array_init(); 204 s->upgrade = 0; 205 206 cv[0].destination = s->cgi; 207 cv[1].destination = &(s->execute_x_only); 208 cv[2].destination = &(s->xsendfile_allow); 209 cv[3].destination = s->xsendfile_docroot; 210 cv[4].destination = &(s->local_redir); 211 cv[5].destination = &(s->upgrade); 212 213 p->config_storage[i] = s; 214 215 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) { 216 return HANDLER_ERROR; 217 } 218 219 if (!array_is_kvstring(s->cgi)) { 220 log_error_write(srv, __FILE__, __LINE__, "s", 221 "unexpected value for cgi.assign; expected list of \"ext\" => \"exepath\""); 222 return HANDLER_ERROR; 223 } 224 225 if (s->xsendfile_docroot->used) { 226 size_t j; 227 for (j = 0; j < s->xsendfile_docroot->used; ++j) { 228 data_string *ds = (data_string *)s->xsendfile_docroot->data[j]; 229 if (ds->type != TYPE_STRING) { 230 log_error_write(srv, __FILE__, __LINE__, "s", 231 "unexpected type for key cgi.x-sendfile-docroot; expected: cgi.x-sendfile-docroot = ( \"/allowed/path\", ... )"); 232 return HANDLER_ERROR; 233 } 234 if (ds->value->ptr[0] != '/') { 235 log_error_write(srv, __FILE__, __LINE__, "SBs", 236 "cgi.x-sendfile-docroot paths must begin with '/'; invalid: \"", ds->value, "\""); 237 return HANDLER_ERROR; 238 } 239 buffer_path_simplify(ds->value, ds->value); 240 buffer_append_slash(ds->value); 241 } 242 } 243 } 244 245 return HANDLER_GO_ON; 246 } 247 248 249 static void cgi_pid_add(plugin_data *p, pid_t pid, void *ctx) { 250 buffer_pid_t *r = &(p->cgi_pid); 251 252 if (r->size == 0) { 253 r->size = 16; 254 r->ptr = malloc(sizeof(*r->ptr) * r->size); 255 force_assert(r->ptr); 256 } else if (r->used == r->size) { 257 r->size += 16; 258 r->ptr = realloc(r->ptr, sizeof(*r->ptr) * r->size); 259 force_assert(r->ptr); 260 } 261 262 r->ptr[r->used].pid = pid; 263 r->ptr[r->used].ctx = ctx; 264 ++r->used; 265 } 266 267 static void cgi_pid_kill(plugin_data *p, pid_t pid) { 268 buffer_pid_t *r = &(p->cgi_pid); 269 for (size_t i = 0; i < r->used; ++i) { 270 if (r->ptr[i].pid == pid) { 271 r->ptr[i].ctx = NULL; 272 kill(pid, SIGTERM); 273 return; 274 } 275 } 276 } 277 278 static void cgi_pid_del(plugin_data *p, size_t i) { 279 buffer_pid_t *r = &(p->cgi_pid); 280 281 if (i != r->used - 1) { 282 r->ptr[i] = r->ptr[r->used - 1]; 283 } 284 r->used--; 285 } 286 287 288 static void cgi_connection_close_fdtocgi(server *srv, handler_ctx *hctx) { 289 /*(closes only hctx->fdtocgi)*/ 290 fdevent_event_del(srv->ev, &(hctx->fde_ndx_tocgi), hctx->fdtocgi); 291 /*fdevent_unregister(srv->ev, hctx->fdtocgi);*//*(handled below)*/ 292 fdevent_sched_close(srv->ev, hctx->fdtocgi, 0); 293 hctx->fdtocgi = -1; 294 } 295 296 static void cgi_connection_close(server *srv, handler_ctx *hctx) { 297 plugin_data *p = hctx->plugin_data; 298 connection *con = hctx->remote_conn; 299 300 /* the connection to the browser went away, but we still have a connection 301 * to the CGI script 302 * 303 * close cgi-connection 304 */ 305 306 if (hctx->fd != -1) { 307 /* close connection to the cgi-script */ 308 fdevent_event_del(srv->ev, &(hctx->fde_ndx), hctx->fd); 309 /*fdevent_unregister(srv->ev, hctx->fd);*//*(handled below)*/ 310 fdevent_sched_close(srv->ev, hctx->fd, 0); 311 } 312 313 if (hctx->fdtocgi != -1) { 314 cgi_connection_close_fdtocgi(srv, hctx); /*(closes only hctx->fdtocgi)*/ 315 } 316 317 if (hctx->pid > 0) { 318 cgi_pid_kill(p, hctx->pid); 319 } 320 321 con->plugin_ctx[p->id] = NULL; 322 323 cgi_handler_ctx_free(hctx); 324 325 /* finish response (if not already con->file_started, con->file_finished) */ 326 if (con->mode == p->id) { 327 http_response_backend_done(srv, con); 328 } 329 } 330 331 static handler_t cgi_connection_close_callback(server *srv, connection *con, void *p_d) { 332 plugin_data *p = p_d; 333 handler_ctx *hctx = con->plugin_ctx[p->id]; 334 if (hctx) cgi_connection_close(srv, hctx); 335 336 return HANDLER_GO_ON; 337 } 338 339 340 static int cgi_write_request(server *srv, handler_ctx *hctx, int fd); 341 342 343 static handler_t cgi_handle_fdevent_send (server *srv, void *ctx, int revents) { 344 handler_ctx *hctx = ctx; 345 connection *con = hctx->remote_conn; 346 347 /*(joblist only actually necessary here in mod_cgi fdevent send if returning HANDLER_ERROR)*/ 348 joblist_append(srv, con); 349 350 if (revents & FDEVENT_OUT) { 351 if (0 != cgi_write_request(srv, hctx, hctx->fdtocgi)) { 352 cgi_connection_close(srv, hctx); 353 return HANDLER_ERROR; 354 } 355 /* more request body to be sent to CGI */ 356 } 357 358 if (revents & FDEVENT_HUP) { 359 /* skip sending remaining data to CGI */ 360 if (con->request.content_length) { 361 chunkqueue *cq = con->request_content_queue; 362 chunkqueue_mark_written(cq, chunkqueue_length(cq)); 363 if (cq->bytes_in != (off_t)con->request.content_length) { 364 con->keep_alive = 0; 365 } 366 } 367 368 cgi_connection_close_fdtocgi(srv, hctx); /*(closes only hctx->fdtocgi)*/ 369 } else if (revents & FDEVENT_ERR) { 370 /* kill all connections to the cgi process */ 371 #if 1 372 log_error_write(srv, __FILE__, __LINE__, "s", "cgi-FDEVENT_ERR"); 373 #endif 374 cgi_connection_close(srv, hctx); 375 return HANDLER_ERROR; 376 } 377 378 return HANDLER_FINISHED; 379 } 380 381 382 static handler_t cgi_response_headers(server *srv, connection *con, struct http_response_opts_t *opts) { 383 /* response headers just completed */ 384 handler_ctx *hctx = (handler_ctx *)opts->pdata; 385 386 if (con->response.htags & HTTP_HEADER_UPGRADE) { 387 if (hctx->conf.upgrade && con->http_status == 101) { 388 /* 101 Switching Protocols; transition to transparent proxy */ 389 http_response_upgrade_read_body_unknown(srv, con); 390 } 391 else { 392 con->response.htags &= ~HTTP_HEADER_UPGRADE; 393 #if 0 394 /* preserve prior questionable behavior; likely broken behavior 395 * anyway if backend thinks connection is being upgraded but client 396 * does not receive Connection: upgrade */ 397 http_header_response_unset(con, HTTP_HEADER_UPGRADE, 398 CONST_STR_LEN("Upgrade")); 399 #endif 400 } 401 } 402 403 if (hctx->conf.upgrade && !(con->response.htags & HTTP_HEADER_UPGRADE)) { 404 chunkqueue *cq = con->request_content_queue; 405 hctx->conf.upgrade = 0; 406 if (cq->bytes_out == (off_t)con->request.content_length) { 407 cgi_connection_close_fdtocgi(srv, hctx); /*(closes hctx->fdtocgi)*/ 408 } 409 } 410 411 return HANDLER_GO_ON; 412 } 413 414 415 static int cgi_recv_response(server *srv, handler_ctx *hctx) { 416 switch (http_response_read(srv, hctx->remote_conn, &hctx->opts, 417 hctx->response, hctx->fd, &hctx->fde_ndx)) { 418 default: 419 return HANDLER_GO_ON; 420 case HANDLER_ERROR: 421 http_response_backend_error(srv, hctx->remote_conn); 422 /* fall through */ 423 case HANDLER_FINISHED: 424 cgi_connection_close(srv, hctx); 425 return HANDLER_FINISHED; 426 case HANDLER_COMEBACK: 427 /* hctx->conf.local_redir */ 428 buffer_clear(hctx->response); 429 connection_response_reset(srv, hctx->remote_conn); /*(includes con->http_status = 0)*/ 430 plugins_call_connection_reset(srv, hctx->remote_conn); 431 /*cgi_connection_close(srv, hctx);*//*(already cleaned up and hctx is now invalid)*/ 432 return HANDLER_COMEBACK; 433 } 434 } 435 436 437 static handler_t cgi_handle_fdevent(server *srv, void *ctx, int revents) { 438 handler_ctx *hctx = ctx; 439 connection *con = hctx->remote_conn; 440 441 joblist_append(srv, con); 442 443 if (revents & FDEVENT_IN) { 444 handler_t rc = cgi_recv_response(srv, hctx);/*(might invalidate hctx)*/ 445 if (rc != HANDLER_GO_ON) return rc; /*(unless HANDLER_GO_ON)*/ 446 } 447 448 /* perhaps this issue is already handled */ 449 if (revents & (FDEVENT_HUP|FDEVENT_RDHUP)) { 450 if (con->file_started) { 451 /* drain any remaining data from kernel pipe buffers 452 * even if (con->conf.stream_response_body 453 * & FDEVENT_STREAM_RESPONSE_BUFMIN) 454 * since event loop will spin on fd FDEVENT_HUP event 455 * until unregistered. */ 456 handler_t rc; 457 const unsigned short flags = con->conf.stream_response_body; 458 con->conf.stream_response_body &= ~FDEVENT_STREAM_RESPONSE_BUFMIN; 459 con->conf.stream_response_body |= FDEVENT_STREAM_RESPONSE_POLLRDHUP; 460 do { 461 rc = cgi_recv_response(srv,hctx);/*(might invalidate hctx)*/ 462 } while (rc == HANDLER_GO_ON); /*(unless HANDLER_GO_ON)*/ 463 con->conf.stream_response_body = flags; 464 return rc; /* HANDLER_FINISHED or HANDLER_COMEBACK or HANDLER_ERROR */ 465 } else if (!buffer_string_is_empty(hctx->response)) { 466 /* unfinished header package which is a body in reality */ 467 con->file_started = 1; 468 if (0 != http_chunk_append_buffer(srv, con, hctx->response)) { 469 cgi_connection_close(srv, hctx); 470 return HANDLER_ERROR; 471 } 472 if (0 == con->http_status) con->http_status = 200; /* OK */ 473 } 474 cgi_connection_close(srv, hctx); 475 } else if (revents & FDEVENT_ERR) { 476 /* kill all connections to the cgi process */ 477 cgi_connection_close(srv, hctx); 478 return HANDLER_ERROR; 479 } 480 481 return HANDLER_FINISHED; 482 } 483 484 485 static int cgi_env_add(void *venv, const char *key, size_t key_len, const char *val, size_t val_len) { 486 env_accum *env = venv; 487 char *dst; 488 489 if (!key || !val) return -1; 490 491 if (env->size - env->used < key_len + val_len + 2) { 492 if (0 == env->size) env->size = 4096; 493 do { env->size *= 2; } while (env->size - env->used < key_len + val_len + 2); 494 env->ptr = realloc(env->ptr, env->size); 495 force_assert(env->ptr); 496 } 497 498 dst = env->ptr + env->used; 499 memcpy(dst, key, key_len); 500 dst[key_len] = '='; 501 memcpy(dst + key_len + 1, val, val_len); 502 dst[key_len + 1 + val_len] = '\0'; 503 504 if (env->osize == env->oused) { 505 env->osize += 16; 506 env->offsets = realloc(env->offsets, env->osize * sizeof(*env->offsets)); 507 force_assert(env->offsets); 508 } 509 env->offsets[env->oused++] = env->used; 510 env->used += key_len + val_len + 2; 511 512 return 0; 513 } 514 515 /*(improved from network_write_mmap.c)*/ 516 static off_t mmap_align_offset(off_t start) { 517 static off_t pagemask = 0; 518 if (0 == pagemask) { 519 long pagesize = sysconf(_SC_PAGESIZE); 520 if (-1 == pagesize) pagesize = 4096; 521 pagemask = ~((off_t)pagesize - 1); /* pagesize always power-of-2 */ 522 } 523 return (start & pagemask); 524 } 525 526 /* returns: 0: continue, -1: fatal error, -2: connection reset */ 527 /* similar to network_write_file_chunk_mmap, but doesn't use send on windows (because we're on pipes), 528 * also mmaps and sends complete chunk instead of only small parts - the files 529 * are supposed to be temp files with reasonable chunk sizes. 530 * 531 * Also always use mmap; the files are "trusted", as we created them. 532 */ 533 static ssize_t cgi_write_file_chunk_mmap(server *srv, connection *con, int fd, chunkqueue *cq) { 534 chunk* const c = cq->first; 535 off_t offset, toSend, file_end; 536 ssize_t r; 537 size_t mmap_offset, mmap_avail; 538 char *data = NULL; 539 540 force_assert(NULL != c); 541 force_assert(FILE_CHUNK == c->type); 542 force_assert(c->offset >= 0 && c->offset <= c->file.length); 543 544 offset = c->file.start + c->offset; 545 toSend = c->file.length - c->offset; 546 file_end = c->file.start + c->file.length; /* offset to file end in this chunk */ 547 548 if (0 == toSend) { 549 chunkqueue_remove_finished_chunks(cq); 550 return 0; 551 } 552 553 /*(simplified from chunk.c:chunkqueue_open_file_chunk())*/ 554 UNUSED(con); 555 if (-1 == c->file.fd) { 556 if (-1 == (c->file.fd = fdevent_open_cloexec(c->mem->ptr, O_RDONLY, 0))) { 557 log_error_write(srv, __FILE__, __LINE__, "ssb", "open failed:", strerror(errno), c->mem); 558 return -1; 559 } 560 } 561 562 /* (re)mmap the buffer if range is not covered completely */ 563 if (MAP_FAILED == c->file.mmap.start 564 || offset < c->file.mmap.offset 565 || file_end > (off_t)(c->file.mmap.offset + c->file.mmap.length)) { 566 567 if (MAP_FAILED != c->file.mmap.start) { 568 munmap(c->file.mmap.start, c->file.mmap.length); 569 c->file.mmap.start = MAP_FAILED; 570 } 571 572 c->file.mmap.offset = mmap_align_offset(offset); 573 c->file.mmap.length = file_end - c->file.mmap.offset; 574 575 if (MAP_FAILED == (c->file.mmap.start = mmap(NULL, c->file.mmap.length, PROT_READ, MAP_PRIVATE, c->file.fd, c->file.mmap.offset))) { 576 if (toSend > 65536) toSend = 65536; 577 data = malloc(toSend); 578 force_assert(data); 579 if (-1 == lseek(c->file.fd, offset, SEEK_SET) 580 || 0 >= (toSend = read(c->file.fd, data, toSend))) { 581 if (-1 == toSend) { 582 log_error_write(srv, __FILE__, __LINE__, "ssbdo", "lseek/read failed:", 583 strerror(errno), c->mem, c->file.fd, offset); 584 } else { /*(0 == toSend)*/ 585 log_error_write(srv, __FILE__, __LINE__, "sbdo", "unexpected EOF (input truncated?):", 586 c->mem, c->file.fd, offset); 587 } 588 free(data); 589 return -1; 590 } 591 } 592 } 593 594 if (MAP_FAILED != c->file.mmap.start) { 595 force_assert(offset >= c->file.mmap.offset); 596 mmap_offset = offset - c->file.mmap.offset; 597 force_assert(c->file.mmap.length > mmap_offset); 598 mmap_avail = c->file.mmap.length - mmap_offset; 599 force_assert(toSend <= (off_t) mmap_avail); 600 601 data = c->file.mmap.start + mmap_offset; 602 } 603 604 r = write(fd, data, toSend); 605 606 if (MAP_FAILED == c->file.mmap.start) free(data); 607 608 if (r < 0) { 609 switch (errno) { 610 case EAGAIN: 611 case EINTR: 612 return 0; 613 case EPIPE: 614 case ECONNRESET: 615 return -2; 616 default: 617 log_error_write(srv, __FILE__, __LINE__, "ssd", 618 "write failed:", strerror(errno), fd); 619 return -1; 620 } 621 } 622 623 if (r >= 0) { 624 chunkqueue_mark_written(cq, r); 625 } 626 627 return r; 628 } 629 630 static int cgi_write_request(server *srv, handler_ctx *hctx, int fd) { 631 connection *con = hctx->remote_conn; 632 chunkqueue *cq = con->request_content_queue; 633 chunk *c; 634 635 /* old comment: windows doesn't support select() on pipes - wouldn't be easy to fix for all platforms. 636 * solution: if this is still a problem on windows, then substitute 637 * socketpair() for pipe() and closesocket() for close() on windows. 638 */ 639 640 for (c = cq->first; c; c = cq->first) { 641 ssize_t r = -1; 642 643 switch(c->type) { 644 case FILE_CHUNK: 645 r = cgi_write_file_chunk_mmap(srv, con, fd, cq); 646 break; 647 648 case MEM_CHUNK: 649 if ((r = write(fd, c->mem->ptr + c->offset, buffer_string_length(c->mem) - c->offset)) < 0) { 650 switch(errno) { 651 case EAGAIN: 652 case EINTR: 653 /* ignore and try again */ 654 r = 0; 655 break; 656 case EPIPE: 657 case ECONNRESET: 658 /* connection closed */ 659 r = -2; 660 break; 661 default: 662 /* fatal error */ 663 log_error_write(srv, __FILE__, __LINE__, "ss", "write failed due to: ", strerror(errno)); 664 r = -1; 665 break; 666 } 667 } else if (r > 0) { 668 chunkqueue_mark_written(cq, r); 669 } 670 break; 671 } 672 673 if (0 == r) break; /*(might block)*/ 674 675 switch (r) { 676 case -1: 677 /* fatal error */ 678 return -1; 679 case -2: 680 /* connection reset */ 681 log_error_write(srv, __FILE__, __LINE__, "s", "failed to send post data to cgi, connection closed by CGI"); 682 /* skip all remaining data */ 683 chunkqueue_mark_written(cq, chunkqueue_length(cq)); 684 break; 685 default: 686 break; 687 } 688 } 689 690 if (cq->bytes_out == (off_t)con->request.content_length && !hctx->conf.upgrade) { 691 /* sent all request body input */ 692 /* close connection to the cgi-script */ 693 if (-1 == hctx->fdtocgi) { /*(received request body sent in initial send to pipe buffer)*/ 694 --srv->cur_fds; 695 if (close(fd)) { 696 log_error_write(srv, __FILE__, __LINE__, "sds", "cgi stdin close failed ", fd, strerror(errno)); 697 } 698 } else { 699 cgi_connection_close_fdtocgi(srv, hctx); /*(closes only hctx->fdtocgi)*/ 700 } 701 } else { 702 off_t cqlen = cq->bytes_in - cq->bytes_out; 703 if (cq->bytes_in != con->request.content_length && cqlen < 65536 - 16384) { 704 /*(con->conf.stream_request_body & FDEVENT_STREAM_REQUEST)*/ 705 if (!(con->conf.stream_request_body & FDEVENT_STREAM_REQUEST_POLLIN)) { 706 con->conf.stream_request_body |= FDEVENT_STREAM_REQUEST_POLLIN; 707 con->is_readable = 1; /* trigger optimistic read from client */ 708 } 709 } 710 if (-1 == hctx->fdtocgi) { /*(not registered yet)*/ 711 hctx->fdtocgi = fd; 712 hctx->fde_ndx_tocgi = -1; 713 fdevent_register(srv->ev, hctx->fdtocgi, cgi_handle_fdevent_send, hctx); 714 } 715 if (0 == cqlen) { /*(chunkqueue_is_empty(cq))*/ 716 if ((fdevent_event_get_interest(srv->ev, hctx->fdtocgi) & FDEVENT_OUT)) { 717 fdevent_event_set(srv->ev, &(hctx->fde_ndx_tocgi), hctx->fdtocgi, 0); 718 } 719 } else { 720 /* more request body remains to be sent to CGI so register for fdevents */ 721 fdevent_event_set(srv->ev, &(hctx->fde_ndx_tocgi), hctx->fdtocgi, FDEVENT_OUT); 722 } 723 } 724 725 return 0; 726 } 727 728 static struct stat * cgi_stat(server *srv, connection *con, buffer *path, struct stat *st) { 729 /* CGI might be executable even if it is not readable 730 * (stat_cache_get_entry() currently checks file is readable)*/ 731 stat_cache_entry *sce; 732 return (HANDLER_ERROR != stat_cache_get_entry(srv, con, path, &sce)) 733 ? &sce->st 734 : (0 == stat(path->ptr, st)) ? st : NULL; 735 } 736 737 static int cgi_create_env(server *srv, connection *con, plugin_data *p, handler_ctx *hctx, buffer *cgi_handler) { 738 char *args[3]; 739 int to_cgi_fds[2]; 740 int from_cgi_fds[2]; 741 int dfd = -1; 742 UNUSED(p); 743 744 if (!buffer_string_is_empty(cgi_handler)) { 745 /* stat the exec file */ 746 struct stat st; 747 if (NULL == cgi_stat(srv, con, cgi_handler, &st)) { 748 log_error_write(srv, __FILE__, __LINE__, "sbss", 749 "stat for cgi-handler", cgi_handler, 750 "failed:", strerror(errno)); 751 return -1; 752 } 753 } 754 755 if (pipe_cloexec(to_cgi_fds)) { 756 log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno)); 757 return -1; 758 } 759 if (pipe_cloexec(from_cgi_fds)) { 760 close(to_cgi_fds[0]); 761 close(to_cgi_fds[1]); 762 log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno)); 763 return -1; 764 } 765 fdevent_setfd_cloexec(to_cgi_fds[1]); 766 fdevent_setfd_cloexec(from_cgi_fds[0]); 767 768 { 769 size_t i = 0; 770 http_cgi_opts opts = { 0, 0, NULL, NULL }; 771 env_accum *env = &p->env; 772 env->used = 0; 773 env->oused = 0; 774 775 /* create environment */ 776 777 http_cgi_headers(srv, con, &opts, cgi_env_add, env); 778 779 /* for valgrind */ 780 if (p->env.ld_preload) { 781 cgi_env_add(env, CONST_STR_LEN("LD_PRELOAD"), CONST_BUF_LEN(p->env.ld_preload)); 782 } 783 if (p->env.ld_library_path) { 784 cgi_env_add(env, CONST_STR_LEN("LD_LIBRARY_PATH"), CONST_BUF_LEN(p->env.ld_library_path)); 785 } 786 #ifdef __CYGWIN__ 787 /* CYGWIN needs SYSTEMROOT */ 788 if (p->env.systemroot) { 789 cgi_env_add(env, CONST_STR_LEN("SYSTEMROOT"), CONST_BUF_LEN(p->env.systemroot)); 790 } 791 #endif 792 793 if (env->esize <= env->oused) { 794 env->esize = (env->oused + 1 + 0xf) & ~(0xfuL); 795 env->eptr = realloc(env->eptr, env->esize * sizeof(*env->eptr)); 796 force_assert(env->eptr); 797 } 798 for (i = 0; i < env->oused; ++i) { 799 env->eptr[i] = env->ptr + env->offsets[i]; 800 } 801 env->eptr[env->oused] = NULL; 802 803 /* set up args */ 804 i = 0; 805 806 if (!buffer_string_is_empty(cgi_handler)) { 807 args[i++] = cgi_handler->ptr; 808 } 809 args[i++] = con->physical.path->ptr; 810 args[i ] = NULL; 811 } 812 813 dfd = fdevent_open_dirname(con->physical.path->ptr); 814 if (-1 == dfd) { 815 log_error_write(srv, __FILE__, __LINE__, "ssb", "open dirname failed:", strerror(errno), con->physical.path); 816 } 817 818 hctx->pid = (dfd >= 0) ? fdevent_fork_execve(args[0], args, p->env.eptr, to_cgi_fds[0], from_cgi_fds[1], -1, dfd) : -1; 819 820 if (-1 == hctx->pid) { 821 /* log error with errno prior to calling close() (might change errno) */ 822 log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno)); 823 if (-1 != dfd) close(dfd); 824 close(from_cgi_fds[0]); 825 close(from_cgi_fds[1]); 826 close(to_cgi_fds[0]); 827 close(to_cgi_fds[1]); 828 return -1; 829 } else { 830 if (-1 != dfd) close(dfd); 831 close(from_cgi_fds[1]); 832 close(to_cgi_fds[0]); 833 834 hctx->fd = from_cgi_fds[0]; 835 hctx->fde_ndx = -1; 836 837 ++srv->cur_fds; 838 839 cgi_pid_add(p, hctx->pid, hctx); 840 841 if (0 == con->request.content_length) { 842 close(to_cgi_fds[1]); 843 } else { 844 /* there is content to send */ 845 if (-1 == fdevent_fcntl_set_nb(srv->ev, to_cgi_fds[1])) { 846 log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno)); 847 close(to_cgi_fds[1]); 848 cgi_connection_close(srv, hctx); 849 return -1; 850 } 851 852 if (0 != cgi_write_request(srv, hctx, to_cgi_fds[1])) { 853 close(to_cgi_fds[1]); 854 cgi_connection_close(srv, hctx); 855 return -1; 856 } 857 858 ++srv->cur_fds; 859 } 860 861 fdevent_register(srv->ev, hctx->fd, cgi_handle_fdevent, hctx); 862 if (-1 == fdevent_fcntl_set_nb(srv->ev, hctx->fd)) { 863 log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno)); 864 cgi_connection_close(srv, hctx); 865 return -1; 866 } 867 fdevent_event_set(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN | FDEVENT_RDHUP); 868 869 return 0; 870 } 871 } 872 873 #define PATCH(x) \ 874 p->conf.x = s->x; 875 static int mod_cgi_patch_connection(server *srv, connection *con, plugin_data *p) { 876 size_t i, j; 877 plugin_config *s = p->config_storage[0]; 878 879 PATCH(cgi); 880 PATCH(execute_x_only); 881 PATCH(local_redir); 882 PATCH(upgrade); 883 PATCH(xsendfile_allow); 884 PATCH(xsendfile_docroot); 885 886 /* skip the first, the global context */ 887 for (i = 1; i < srv->config_context->used; i++) { 888 data_config *dc = (data_config *)srv->config_context->data[i]; 889 s = p->config_storage[i]; 890 891 /* condition didn't match */ 892 if (!config_check_cond(srv, con, dc)) continue; 893 894 /* merge config */ 895 for (j = 0; j < dc->value->used; j++) { 896 data_unset *du = dc->value->data[j]; 897 898 if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.assign"))) { 899 PATCH(cgi); 900 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.execute-x-only"))) { 901 PATCH(execute_x_only); 902 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.local-redir"))) { 903 PATCH(local_redir); 904 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.upgrade"))) { 905 PATCH(upgrade); 906 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.x-sendfile"))) { 907 PATCH(xsendfile_allow); 908 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("cgi.x-sendfile-docroot"))) { 909 PATCH(xsendfile_docroot); 910 } 911 } 912 } 913 914 return 0; 915 } 916 #undef PATCH 917 918 URIHANDLER_FUNC(cgi_is_handled) { 919 plugin_data *p = p_d; 920 struct stat stbuf; 921 struct stat *st; 922 data_string *ds; 923 924 if (con->mode != DIRECT) return HANDLER_GO_ON; 925 if (buffer_is_empty(con->physical.path)) return HANDLER_GO_ON; 926 927 mod_cgi_patch_connection(srv, con, p); 928 929 ds = (data_string *)array_match_key_suffix(p->conf.cgi, con->physical.path); 930 if (NULL == ds) return HANDLER_GO_ON; 931 932 st = cgi_stat(srv, con, con->physical.path, &stbuf); 933 if (NULL == st) return HANDLER_GO_ON; 934 935 if (!S_ISREG(st->st_mode)) return HANDLER_GO_ON; 936 if (p->conf.execute_x_only == 1 && (st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) return HANDLER_GO_ON; 937 938 { 939 handler_ctx *hctx = cgi_handler_ctx_init(); 940 hctx->remote_conn = con; 941 hctx->plugin_data = p; 942 hctx->cgi_handler = ds->value; 943 memcpy(&hctx->conf, &p->conf, sizeof(plugin_config)); 944 hctx->conf.upgrade = 945 hctx->conf.upgrade 946 && con->request.http_version == HTTP_VERSION_1_1 947 && NULL != http_header_request_get(con, HTTP_HEADER_UPGRADE, CONST_STR_LEN("Upgrade")); 948 hctx->opts.fdfmt = S_IFIFO; 949 hctx->opts.backend = BACKEND_CGI; 950 hctx->opts.authorizer = 0; 951 hctx->opts.local_redir = hctx->conf.local_redir; 952 hctx->opts.xsendfile_allow = hctx->conf.xsendfile_allow; 953 hctx->opts.xsendfile_docroot = hctx->conf.xsendfile_docroot; 954 hctx->opts.pdata = hctx; 955 hctx->opts.headers = cgi_response_headers; 956 con->plugin_ctx[p->id] = hctx; 957 con->mode = p->id; 958 } 959 960 return HANDLER_GO_ON; 961 } 962 963 /* 964 * - HANDLER_GO_ON : not our job 965 * - HANDLER_FINISHED: got response 966 * - HANDLER_WAIT_FOR_EVENT: waiting for response 967 */ 968 SUBREQUEST_FUNC(mod_cgi_handle_subrequest) { 969 plugin_data *p = p_d; 970 handler_ctx *hctx = con->plugin_ctx[p->id]; 971 chunkqueue *cq = con->request_content_queue; 972 973 if (con->mode != p->id) return HANDLER_GO_ON; 974 if (NULL == hctx) return HANDLER_GO_ON; 975 976 if ((con->conf.stream_response_body & FDEVENT_STREAM_RESPONSE_BUFMIN) 977 && con->file_started) { 978 if (chunkqueue_length(con->write_queue) > 65536 - 4096) { 979 fdevent_event_clr(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN); 980 } else if (!(fdevent_event_get_interest(srv->ev, hctx->fd) & FDEVENT_IN)) { 981 /* optimistic read from backend */ 982 handler_t rc = cgi_recv_response(srv, hctx); /*(might invalidate hctx)*/ 983 if (rc != HANDLER_GO_ON) return rc; /*(unless HANDLER_GO_ON)*/ 984 fdevent_event_add(srv->ev, &(hctx->fde_ndx), hctx->fd, FDEVENT_IN); 985 } 986 } 987 988 if (cq->bytes_in != (off_t)con->request.content_length) { 989 /*(64k - 4k to attempt to avoid temporary files 990 * in conjunction with FDEVENT_STREAM_REQUEST_BUFMIN)*/ 991 if (cq->bytes_in - cq->bytes_out > 65536 - 4096 992 && (con->conf.stream_request_body & FDEVENT_STREAM_REQUEST_BUFMIN)){ 993 con->conf.stream_request_body &= ~FDEVENT_STREAM_REQUEST_POLLIN; 994 if (-1 != hctx->fd) return HANDLER_WAIT_FOR_EVENT; 995 } else { 996 handler_t r = connection_handle_read_post_state(srv, con); 997 if (!chunkqueue_is_empty(cq)) { 998 if (fdevent_event_get_interest(srv->ev, hctx->fdtocgi) & FDEVENT_OUT) { 999 return (r == HANDLER_GO_ON) ? HANDLER_WAIT_FOR_EVENT : r; 1000 } 1001 } 1002 if (r != HANDLER_GO_ON) return r; 1003 1004 /* CGI environment requires that Content-Length be set. 1005 * Send 411 Length Required if Content-Length missing. 1006 * (occurs here if client sends Transfer-Encoding: chunked 1007 * and module is flagged to stream request body to backend) */ 1008 if (-1 == con->request.content_length) { 1009 return connection_handle_read_post_error(srv, con, 411); 1010 } 1011 } 1012 } 1013 1014 if (-1 == hctx->fd) { 1015 if (cgi_create_env(srv, con, p, hctx, hctx->cgi_handler)) { 1016 con->http_status = 500; 1017 con->mode = DIRECT; 1018 1019 return HANDLER_FINISHED; 1020 } 1021 } else if (!chunkqueue_is_empty(con->request_content_queue)) { 1022 if (0 != cgi_write_request(srv, hctx, hctx->fdtocgi)) { 1023 cgi_connection_close(srv, hctx); 1024 return HANDLER_ERROR; 1025 } 1026 } 1027 1028 /* if not done, wait for CGI to close stdout, so we read EOF on pipe */ 1029 return HANDLER_WAIT_FOR_EVENT; 1030 } 1031 1032 1033 static handler_t cgi_waitpid_cb(server *srv, void *p_d, pid_t pid, int status) { 1034 plugin_data *p = (plugin_data *)p_d; 1035 for (size_t i = 0; i < p->cgi_pid.used; ++i) { 1036 handler_ctx *hctx; 1037 if (pid != p->cgi_pid.ptr[i].pid) continue; 1038 1039 hctx = (handler_ctx *)p->cgi_pid.ptr[i].ctx; 1040 if (hctx) hctx->pid = -1; 1041 cgi_pid_del(p, i); 1042 1043 if (WIFEXITED(status)) { 1044 /* (skip logging (non-zero) CGI exit; might be very noisy) */ 1045 } 1046 else if (WIFSIGNALED(status)) { 1047 /* ignore SIGTERM if sent by cgi_connection_close() (NULL == hctx)*/ 1048 if (WTERMSIG(status) != SIGTERM || NULL != hctx) { 1049 log_error_write(srv, __FILE__, __LINE__, "sdsd", "CGI pid", pid, 1050 "died with signal", WTERMSIG(status)); 1051 } 1052 } 1053 else { 1054 log_error_write(srv, __FILE__, __LINE__, "sds", 1055 "CGI pid", pid, "ended unexpectedly"); 1056 } 1057 1058 return HANDLER_FINISHED; 1059 } 1060 1061 return HANDLER_GO_ON; 1062 } 1063 1064 1065 int mod_cgi_plugin_init(plugin *p); 1066 int mod_cgi_plugin_init(plugin *p) { 1067 p->version = LIGHTTPD_VERSION_ID; 1068 p->name = buffer_init_string("cgi"); 1069 1070 p->connection_reset = cgi_connection_close_callback; 1071 p->handle_subrequest_start = cgi_is_handled; 1072 p->handle_subrequest = mod_cgi_handle_subrequest; 1073 p->handle_waitpid = cgi_waitpid_cb; 1074 p->init = mod_cgi_init; 1075 p->cleanup = mod_cgi_free; 1076 p->set_defaults = mod_fastcgi_set_defaults; 1077 1078 p->data = NULL; 1079 1080 return 0; 1081 } 1082