httpd/slowcgi not RFC compliant w.r.t. Local Redirect Response


Ross L Richardson
>Synopsis: httpd/slowcgi not RFC compliant w.r.t. Local Redirect Response
>Category: user
>Environment:
        System      : OpenBSD 6.0 (also under late Feb -current snapshot)
        Details     : OpenBSD 6.0-stable (GENERIC.MP) #15: Fri Mar 10 11:43:46 AEDT 2017
                         [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:

RFC 3875 The Common Gateway Interface (CGI) Version 1.1
states:
====
6.2.2.  Local Redirect Response

   The CGI script can return a URI path and query-string
   ('local-pathquery') for a local resource in a Location header field.
   This indicates to the server that it should reprocess the request
   using the path specified.

      local-redir-response = local-Location NL

   The script MUST NOT return any other header fields or a message-body,
   and the server MUST generate the response that it would have produced
   in response to a request containing the URL

      scheme "://" server-name ":" server-port local-pathquery
====

httpd/slowcgi fails to comply with this and just returns the Location header
to the client.

>How-To-Repeat:

# set up a target file
echo "OK" > /var/www/htdocs/nbg.txt

# create a simple CGI test program
cat > t.c <<EOC
#include <stdlib.h>
#include <stdio.h>

int
main(__unused int argc, __unused char *argv[])
{
        fprintf(stdout, "Location: /nbg.txt\n\n");
        return 0;
}
EOC

# build the CGI program and install as /var/www/cgi-bin/t
...

# try retrieving
: user@host; printf "GET /cgi-bin/t HTTP/1.0\r\nHost: www.example.org\r\n\r\n" \
:; | nc www.example.org 80  
HTTP/1.0 200 OK
Connection: close
Date: Sat, 11 Mar 2017 07:01:23 GMT
Location: /nbg.txt
Server: OpenBSD httpd

# "Location: /nbg.txt" is WRONG

# in contrast, trying the equivalent under Apache http (on a Linux host) gives:
: user@host; printf "GET /cgi-bin/t HTTP/1.0\r\nHost: www.example.org\r\n\r\n" \
:; | nc www.example.org 80  
HTTP/1.1 200 OK
Date: Sat, 11 Mar 2017 07:08:23 GMT
Server: Apache
Last-Modified: Sat, 11 Mar 2017 06:36:13 GMT
ETag: "4e36ef-4-54a6eb1c95622"
Accept-Ranges: bytes
Content-Length: 3
Connection: close
Content-Type: text/plain

OK

# We see the file content, which is the correct behaviour.

>Fix:
        Not known; presumably patch(es) to httpd will be required.


dmesg:
OpenBSD 6.0-stable (GENERIC.MP) #15: Fri Mar 10 11:43:46 AEDT 2017
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17041805312 (16252MB)
avail mem = 16520851456 (15755MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
<deleted as presumed to be irrelevant>


Re: httpd/slowcgi not RFC compliant w.r.t. Local Redirect Response

Raul Miller
It's not safe to assume that "Local Redirect Response" is the only
valid use of the Location header.

--
Raul



Re: httpd/slowcgi not RFC compliant w.r.t. Local Redirect Response

Hiltjo Posthuma
On Sat, Mar 11, 2017 at 09:40:37AM -0500, Raul Miller wrote:

> It's not safe to assume that "Local Redirect Response" is the only
> valid use of the Location header.
>
> --
> Raul

Hey,

You should add a status code, for example:
        fprintf(stdout, "Status: 301 Moved Permanently\r\n");

then the client redirects to the specified location. Out of curiosity:
which software requires this this way?

Also the slowcgi(8) man page says:

"
BUGS
     slowcgi only implements the parts of the FastCGI standard needed to
     execute CGI scripts.  This is intentional.
"

so maybe this is intentional, I imagine this behaviour could be abused, like
infinite redirects and stuff.

--
Kind regards,
Hiltjo


Re: httpd/slowcgi not RFC compliant w.r.t. Local Redirect Response

Ross L Richardson
In reply to this post by Raul Miller
Raul,

> On 2017-03-12, at 01:40 , Raul Miller <[hidden email]> wrote:
>
> It's not safe to assume that "Local Redirect Response" is the only
> valid use of the Location header.
> [...]

The RFC is explicit ["MUST"] about the required behaviour when
only a local Location header is sent:

>>
>>      local-redir-response = local-Location NL
>>
>>   The script MUST NOT return any other header fields or a message-body,
>>   and the server MUST generate the response that it would have produced
>>   in response to a request containing the URL

Ross
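
Added example, not part of any message in this thread and not code from OpenBSD httpd or slowcgi: a sketch of how a server could tell the RFC 3875 6.2.2 local redirect apart from other uses of Location, and cap internal reprocessing so that scripts redirecting to each other cannot loop forever. The names cgi_classify, resolve, struct route and MAX_LOCAL_REDIRECTS are hypothetical, the route table is constructed sample data, and the classifier assumes Location is the first header line.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_LOCAL_REDIRECTS 10	/* assumed cap, not a value taken from httpd */
enum cgi_kind { CGI_LOCAL_REDIRECT, CGI_CLIENT_REDIRECT, CGI_OTHER };
struct route { const char *path, *output; };	/* constructed stand-in for scripts */

/* Classify raw CGI output whose first line may be Location; copy its value to loc. */
enum cgi_kind
cgi_classify(const char *out, char *loc, size_t loclen)
{
	const char *v, *rest;
	size_t n;

	if (strncasecmp(out, "Location:", 9) != 0)
		return CGI_OTHER;
	v = out + 9 + strspn(out + 9, " \t");
	n = strcspn(v, "\r\n");
	if (n == 0 || n >= loclen)
		return CGI_OTHER;
	memcpy(loc, v, n);
	loc[n] = '\0';
	if (loc[0] != '/')	/* absolute URI: the client must follow it */
		return strstr(loc, "://") ? CGI_CLIENT_REDIRECT : CGI_OTHER;
	rest = v + n + (v[n] == '\r');
	/* 6.2.2: exactly one header, then the blank line, then nothing */
	if (strcmp(rest, "\n\n") == 0 || strcmp(rest, "\n\r\n") == 0)
		return CGI_LOCAL_REDIRECT;
	return CGI_OTHER;	/* e.g. Location plus Status: pass to the client */
}

/* Reprocess local redirects; return hops taken, or -1 once the cap is exceeded. */
int
resolve(const struct route *rt, size_t nrt, char *path, size_t plen)
{
	char next[256];
	int hops = 0;
	size_t i;
	for (;;) {
		for (i = 0; i < nrt && strcmp(rt[i].path, path) != 0; i++)
			;
		if (i == nrt || cgi_classify(rt[i].output, next, sizeof(next)) != CGI_LOCAL_REDIRECT)
			return hops;	/* static file or a response for the client */
		if (++hops > MAX_LOCAL_REDIRECTS)
			return -1;	/* loop or over-long chain: answer with an error */
		snprintf(path, plen, "%s", next);
	}
}
```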
