.gear/rules | 2 + .../tags/dc479293169b07c40137325df55cb29614ad8015 | 13 +++++ .gear/tags/list | 1 + Makefile.in | 4 +- README.rst | 3 + configure.ac | 2 +- fcgiwrap.c | 33 +++++++++-- fcgiwrap.spec | 65 ++++++++++++++++++++++ systemd/fcgiwrap.service | 5 +- systemd/fcgiwrap.socket | 2 +- 10 files changed, 120 insertions(+), 10 deletions(-) diff --git a/.gear/rules b/.gear/rules new file mode 100644 index 0000000..0fd88d8 --- /dev/null +++ b/.gear/rules @@ -0,0 +1,2 @@ +tar: v@version@:. +diff: v@version@:. . name=@name@-@version@-alt.patch diff --git a/.gear/tags/dc479293169b07c40137325df55cb29614ad8015 b/.gear/tags/dc479293169b07c40137325df55cb29614ad8015 new file mode 100644 index 0000000..cded031 --- /dev/null +++ b/.gear/tags/dc479293169b07c40137325df55cb29614ad8015 @@ -0,0 +1,13 @@ +object 333ff9951b169f6a093608497b8b97f304365017 +type commit +tag v1.1.0 +tagger Anton Farygin 1379424237 +0400 + +1.1.0 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (GNU/Linux) + +iEYEABECAAYFAlI4V/IACgkQqohfd2vlwKvJtgCgrpvoAuXo1aCifndRfWjmNRzA +TtwAoLX1NTcieQ6mdIBjSM9Cxv2elKpl +=gXuO +-----END PGP SIGNATURE----- diff --git a/.gear/tags/list b/.gear/tags/list new file mode 100644 index 0000000..f1262a2 --- /dev/null +++ b/.gear/tags/list @@ -0,0 +1 @@ +dc479293169b07c40137325df55cb29614ad8015 v1.1.0 diff --git a/Makefile.in b/Makefile.in index 97378e5..e6ad58f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,5 +1,5 @@ -targetdir = $(DESTDIR)@prefix@@sbindir@ -man8dir = $(DESTDIR)@prefix@@mandir@/man8 +targetdir = $(DESTDIR)@sbindir@ +man8dir = $(DESTDIR)@mandir@/man8 datarootdir = .PHONY: clean distclean diff --git a/README.rst b/README.rst index 377ead8..4686c34 100644 --- a/README.rst +++ b/README.rst @@ -7,6 +7,9 @@ fcgiwrap :Contributors: W-Mark Kubacki Jordi Mallach + +This page has been translated into `Spanish `_ language by Maria Ramos from `Webhostinghub.com/support/edu `_. + Features ======== - very lightweight (84KB of private memory per instance) diff --git a/configure.ac b/configure.ac index bb3674e..2b02ef4 100644 --- a/configure.ac +++ b/configure.ac @@ -28,7 +28,7 @@ AC_ARG_WITH([systemd], [], [with_systemd=check]) have_systemd=no if test "x$with_systemd" != "xno"; then - PKG_CHECK_MODULES(systemd, [libsystemd-daemon], + PKG_CHECK_MODULES(systemd, [libsystemd], [AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is available]) have_systemd=yes], have_systemd=no) diff --git a/fcgiwrap.c b/fcgiwrap.c index 81c5062..cf18fbc 100644 --- a/fcgiwrap.c +++ b/fcgiwrap.c @@ -58,6 +58,8 @@ extern char **environ; static char * const * inherited_environ; +static const char **allowed_programs; +static size_t allowed_programs_count; static const char * blacklisted_env_vars[] = { "AUTH_TYPE", @@ -485,6 +487,19 @@ static void inherit_environment(void) } } +static bool is_allowed_program(const char *program) { + size_t i; + if (!allowed_programs_count) + return true; + + for (i = 0; i < allowed_programs_count; i++) { + if (!strcmp(allowed_programs[i], program)) + return true; + } + + return false; +} + static void cgi_error(const char *message, const char *reason, const char *filename) { printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n", @@ -541,6 +556,9 @@ static void handle_fcgi_request(void) if (!filename) cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL); + if (!is_allowed_program(filename)) + cgi_error("403 Forbidden", "The given script is not allowed to execute", filename); + last_slash = strrchr(filename, '/'); if (!last_slash) cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename); @@ -552,7 +570,7 @@ static void handle_fcgi_request(void) *last_slash = '/'; execl(filename, filename, (void *)NULL); - cgi_error("502 Bad Gateway", "Cannot execute script", filename); + cgi_error("502 Bad Gateway", "Cannot execute script", filename); //-fallthrough default: /* parent */ close(pipe_in[0]); @@ -605,7 +623,7 @@ static void sigchld_handler(int dummy) { int status; - while ((dummy = waitpid(-1, &status, WNOHANG)) != -1) { + while ((dummy = waitpid(-1, &status, WNOHANG)) > 0) { /* sanity check */ if (nrunning > 0) nrunning--; @@ -760,7 +778,7 @@ int main(int argc, char **argv) char *socket_url = NULL; int c; - while ((c = getopt(argc, argv, "c:hfs:")) != -1) { + while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) { switch (c) { case 'f': stderr_to_fastcgi++; @@ -773,6 +791,7 @@ int main(int argc, char **argv) " -c \t\tNumber of processes to prefork\n" " -s \tSocket to bind to (say -s help for help)\n" " -h\t\t\tShow this help message and exit\n" + " -p \t\tRestrict execution to this script. (repeated options will be merged)\n" "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n" PACKAGE_NAME" home page: \n", argv[0] @@ -784,8 +803,14 @@ int main(int argc, char **argv) case 's': socket_url = strdup(optarg); break; + case 'p': + allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *)); + if (!allowed_programs) + abort(); + allowed_programs[allowed_programs_count++] = strdup(optarg); + break; case '?': - if (optopt == 'c' || optopt == 's') + if (optopt == 'c' || optopt == 's' || optopt == 'p') fprintf(stderr, "Option -%c requires an argument.\n", optopt); else if (isprint(optopt)) fprintf(stderr, "Unknown option `-%c'.\n", optopt); diff --git a/fcgiwrap.spec b/fcgiwrap.spec new file mode 100644 index 0000000..ae9a099 --- /dev/null +++ b/fcgiwrap.spec @@ -0,0 +1,65 @@ +Summary: Simple FastCGI wrapper for CGI scripts +Name: fcgiwrap +Version: 1.1.0 +Release: alt5 +License: BSD-style +Group: System/Servers +URL: http://nginx.localdomain.pl/wiki/FcgiWrap +Source: %name-%version.tar +# git://github.com/gnosek/fcgiwrap.git +Patch0: %name-%version-alt.patch + +# Automatically added by buildreq on Tue Oct 19 2010 +BuildRequires: libfcgi-devel +BuildRequires: libsystemd-devel + +%description +fcgiwrap is a simple server for running CGI applications over FastCGI. +It hopes to provide clean CGI support to Nginx (and other web servers +that may need it). + + +%prep +%setup -q +%patch0 -p1 + + +%build +autoreconf -fisv +%configure --with-systemd --with-systemdsystemunitdir=%_unitdir +%make + +%install +%makeinstall_std + +%pre +%_sbindir/groupadd -r -f _webserver ||: +%_sbindir/useradd -r -g _webserver -G _webserver -d /dev/null -s /dev/null -n _fcgiwrap \ + 2> /dev/null > /dev/null ||: + +%files +%_sbindir/fcgiwrap +%_unitdir/* +%_man8dir/* + +%changelog +* Sat Jun 22 2019 Igor Vlasenko 1.1.0-alt5 +- NMU: remove rpm-build-ubt from BR: + +* Mon Oct 29 2018 Anton Farygin 1.1.0-alt4 +- fixed build with recent gcc + +* Sat Aug 05 2017 Anton Farygin 1.1.0-alt3 +- add systemd support + +* Fri Apr 18 2014 Anton Farygin 1.1.0-alt2 +- updated from upstream git + +* Tue Sep 17 2013 Anton Farygin 1.1.0-alt1 +- new version + +* Mon Apr 15 2013 Dmitry V. Levin (QA) 1.0.3-alt1.qa1 +- NMU: rebuilt for debuginfo. + +* Tue Oct 19 2010 Anton Farygin 1.0.3-alt1 +- first build for Sisyphus diff --git a/systemd/fcgiwrap.service b/systemd/fcgiwrap.service index 7b010c9..dacbadf 100644 --- a/systemd/fcgiwrap.service +++ b/systemd/fcgiwrap.service @@ -1,11 +1,12 @@ [Unit] Description=Simple CGI Server After=nss-user-lookup.target +Requires=fcgiwrap.socket [Service] ExecStart=/usr/sbin/fcgiwrap -User=http -Group=http +User=_fcgiwrap +Group=_webserver [Install] Also=fcgiwrap.socket diff --git a/systemd/fcgiwrap.socket b/systemd/fcgiwrap.socket index dc074f1..0fc1185 100644 --- a/systemd/fcgiwrap.socket +++ b/systemd/fcgiwrap.socket @@ -2,7 +2,7 @@ Description=fcgiwrap Socket [Socket] -ListenStream=/run/fcgiwrap.sock +ListenStream=/run/fcgiwrap.socket [Install] WantedBy=sockets.target