LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8290 Commits
1 Branch
46 MiB
Tree: 63996b19c6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '63996b19c6'
${ noResults }
openwrt-packages-dist/net/lighttpd/patches/0001-mod_cgi-RFC3875-CGI-lo...

62 lines
3.0 KiB
Raw Normal View History

lighttpd: backport more mod_cgi fixes queued for 1.4.46 The most important change is local redirects being disabled by default. There is an option called cgi.local-redir that allows enabling this optimization manually back if needed. Local redirects were initially introduced in 1.4.40 but caused many problems for *some* web services. One of problems is breaking Post/Redirect/Get design pattern. With redirects handled on server side there is no browser redirection making it "lose" the POST data. Another possible issue are HTML forms with action="". With CGI local redirects browser may be sending form data to the wrong URL (the one that was supposed to redirect the browser). Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
7 years ago
 
  1. From dde50f1939e22926d17342b5d812e9a3034e7e98 Mon Sep 17 00:00:00 2001
  2. From: Glenn Strauss <gstrauss@gluelogic.com>
  3. Date: Wed, 25 Jan 2017 11:22:39 -0500
  4. Subject: [PATCH] [mod_cgi] RFC3875 CGI local-redir strict adherence (#2108)
  5. 

  6. RFC3875 CGI local-redir stricter adherence
  7. 

  8. do not apply local-redir if any response headers besides "Location"
  9. do not apply local-redir if any response body has been received
  10. (though it might not have been received yet, and we do not wait to find
  11.  out, if lighttpd is configured to stream response body back to client)
  12. 

  13. x-ref:
  14.   RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response
  15.   http://www.ietf.org/rfc/rfc3875
  16.   "CGI local redirect not implemented correctly"
  17.   https://redmine.lighttpd.net/issues/2108
  18. ---

  19.  src/mod_cgi.c | 25 ++++++++++++++++++++++++-
  20.  1 file changed, 24 insertions(+), 1 deletion(-)
  21. 

  22. --- a/src/mod_cgi.c

  23. +++ b/src/mod_cgi.c

  24. @@ -527,6 +527,27 @@ static int cgi_demux_response(server *sr

  25.  					/* parse the response header */
  26.  					cgi_response_parse(srv, con, p, hctx->response_header);
  27.  
  28. +					/* [RFC3875] 6.2.2 Local Redirect Response

  29. +					 *

  30. +					 *    The CGI script can return a URI path and query-string

  31. +					 *    ('local-pathquery') for a local resource in a Location header field.

  32. +					 *    This indicates to the server that it should reprocess the request

  33. +					 *    using the path specified.

  34. +					 *

  35. +					 *      local-redir-response = local-Location NL

  36. +					 *

  37. +					 *    The script MUST NOT return any other header fields or a message-body,

  38. +					 *    and the server MUST generate the response that it would have produced

  39. +					 *    in response to a request containing the URL

  40. +					 *

  41. +					 *      scheme "://" server-name ":" server-port local-pathquery

  42. +					 *

  43. +					 * (Might not have begun to receive body yet, but do skip local-redir

  44. +					 *  if we already have started receiving a response body (blen > 0))

  45. +					 * (Also, while not required by the RFC, do not send local-redir back

  46. +					 *  to same URL, since CGI should have handled it internally if it

  47. +					 *  really wanted to do that internally)

  48. +					 */

  49.  					if (con->http_status >= 300 && con->http_status < 400) {
  50.  						/*(con->parsed_response & HTTP_LOCATION)*/
  51.  						size_t ulen = buffer_string_length(con->uri.path);
  52. @@ -535,7 +556,9 @@ static int cgi_demux_response(server *sr

  53.  						    && ds->value->ptr[0] == '/'
  54.  						    && (0 != strncmp(ds->value->ptr, con->uri.path->ptr, ulen)
  55.  							|| (ds->value->ptr[ulen] != '\0' && ds->value->ptr[ulen] != '/' && ds->value->ptr[ulen] != '?'))
  56. -						    && NULL == array_get_element(con->response.headers, "Set-Cookie")) {

  57. +						    && 0 == blen

  58. +						    && !(con->parsed_response & HTTP_STATUS) /* no "Status" or NPH response line */

  59. +						    && 1 == con->response.headers->used) {

  60.  							if (++con->loops_per_request > 5) {
  61.  								log_error_write(srv, __FILE__, __LINE__, "sb", "too many internal loops while processing request:", con->request.orig_uri);
  62.  								con->http_status = 500; /* Internal Server Error */