[prev in list] [next in list] [prev in thread] [next in thread] 

List:       busybox
Subject:    Re: [PATCH] httpd: Pass custom HTTP headers to CGI scripts
From:       Alexander Vickberg <wickbergster () gmail ! com>
Date:       2019-03-29 7:13:06
Message-ID: CAAxSGfYnBH4=QMusALVY-GK4PcKnp9+FWzuxD0iThe-cyB10Yw () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


Hi,

Thank you for your valuable feedback Assaf.

Den tors 28 mars 2019 kl 18:33 skrev Assaf Gordon:
>
> Hello Alexander,
>
> On 2019-03-28 11:04 a.m., Alexander Vickberg wrote:
> > This patch creates a list of unmatched HTTP headers and sets up
> > environment variables before running the CGI script.
>
> I assume this is inspired by my (more limited) patch
> of passing "Content-encoding" header:
> http://lists.busybox.net/pipermail/busybox/2019-March/087141.html
> (or, just a very strange timing coincidence?).
>
> I like your patch and of course, if it is accepted,
> mine isn't needed.

However unlikely it might seem I didn't see your patch until after.
Besides I wanted to be able to use completely custom headers for
which there has to be a general approach implementation.

> two small comments:
>
> > @@ -417,6 +423,7 @@ struct globals {
> > IF_FEATURE_HTTPD_CGI(char *host;)
> > IF_FEATURE_HTTPD_CGI(char *http_accept;)
> > IF_FEATURE_HTTPD_CGI(char *http_accept_language;)
> > +IF_FEATURE_HTTPD_CGI(HTTP_Header *hdr_list;)
>
> Since your mechanism is now much more generic than
> the hard-coded CGI headers, perhaps they can
> be safely removed?
> i.e. host/http_accept/http_accept_language/cookie/referer .
>
> Seems like this could save some space.

Good point. I agree.

> > +HTTP_Header *cur = xzalloc(sizeof(HTTP_Header));
> > +char *after_colon = strchr(iobuf, ':');
> > +char *ch = iobuf;
> > +
> > +if (!after_colon)
> > +    continue;
> > +
>
> I think the combination of "xzalloc" + "continue"
> opens the possibility of a resource leak -
> if a malicious client sends lots of HTTP header lines without
> a colon, there's no corresponding "free".

Another good catch. I also found another issue that if the requested URL is
not a CGI then the list will be populated but never freed. However I see
other
places which do allocs or strdups and not freeing them. I wonder if that
behavior is counting on that the fork handling the request will exit and
that
then the kernel will free it for us?

> regards,
>   - assaf

/Alexander

[Attachment #5 (text/html)]

<div dir="ltr"><div dir="ltr"><div dir="ltr"><div \
dir="ltr"><div>Hi,</div><div><br></div><div>Thank you for your valuable feedback \
Assaf.</div><div dir="ltr"><br></div><div dir="ltr">Den tors 28 mars 2019 kl 18:33 \
skrev Assaf Gordon:<br>&gt;<br>&gt; Hello Alexander,<br>&gt;<br>&gt; On 2019-03-28 \
11:04 a.m., Alexander Vickberg wrote:<br>&gt; &gt; This patch creates a list of \
unmatched HTTP headers and sets up<br>&gt; &gt; environment variables before running \
the CGI script.<br>&gt;<br>&gt; I assume this is inspired by my (more limited) \
patch<br>&gt; of passing &quot;Content-encoding&quot; header:<br>&gt; <a \
href="http://lists.busybox.net/pipermail/busybox/2019-March/087141.html">http://lists.busybox.net/pipermail/busybox/2019-March/087141.html</a><br>&gt; \
(or, just a very strange timing coincidence?).<br>&gt;<br>&gt; I like your patch and \
of course, if it is accepted,<br>&gt; mine isn&#39;t needed.</div><div \
dir="ltr"><br><div>However unlikely it might seem I didn&#39;t see your patch until \
after.</div><div>Besides I wanted to be able to use completely custom headers \
for</div><div>which there has to be a general approach implementation.</div><br>&gt; \
two small comments:<br>&gt;<br>&gt; &gt; @@ -417,6 +423,7 @@ struct globals {<br>&gt; \
&gt; IF_FEATURE_HTTPD_CGI(char *host;)<br>&gt; &gt; IF_FEATURE_HTTPD_CGI(char \
*http_accept;)<br>&gt; &gt; IF_FEATURE_HTTPD_CGI(char *http_accept_language;)<br>&gt; \
&gt; +IF_FEATURE_HTTPD_CGI(HTTP_Header *hdr_list;)<br>&gt;<br>&gt; Since your \
mechanism is now much more generic than<br>&gt; the hard-coded CGI headers, perhaps \
they can<br>&gt; be safely removed?<br>&gt; i.e. \
host/http_accept/http_accept_language/cookie/referer .<br>&gt;<br>&gt; Seems like \
this could save some space.<br><br>Good point. I agree.<br><br>&gt; &gt; +HTTP_Header \
*cur = xzalloc(sizeof(HTTP_Header));<br>&gt; &gt; +char *after_colon = strchr(iobuf, \
&#39;:&#39;);<br>&gt; &gt; +char *ch = iobuf;<br>&gt; &gt; +<br>&gt; &gt; +if \
(!after_colon)<br>&gt; &gt; +      continue;<br>&gt; &gt; +<br>&gt;<br>&gt; I think \
the combination of &quot;xzalloc&quot; + &quot;continue&quot;<br>&gt; opens the \
possibility of a resource leak -<br>&gt; if a malicious client sends lots of HTTP \
header lines without<br>&gt; a colon, there&#39;s no corresponding \
&quot;free&quot;.<br><br><div dir="ltr">Another good catch. I also found another \
issue that if the requested URL is</div><div dir="ltr">not a CGI then the list will \
be populated but never freed. However I see other</div><div dir="ltr">places which do \
allocs or strdups and not freeing them. I wonder if that</div><div dir="ltr">behavior \
is counting on that the fork handling the request will exit and that</div><div \
dir="ltr">then the kernel will free it for us?</div><br>&gt; regards,<br>&gt;    - \
assaf<br></div><div><br></div><div>/Alexander</div><div \
dir="ltr"><br></div></div></div></div></div>



_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic