Index: head/www/fcgi/Makefile =================================================================== --- head/www/fcgi/Makefile (revision 429553) +++ head/www/fcgi/Makefile (revision 429554) @@ -1,40 +1,38 @@ # Created by: kbyanc # $FreeBSD$ PORTNAME= fcgi PORTVERSION= 2.4.0 PORTREVISION= 5 CATEGORIES= www -MASTER_SITES= http://www.fastcgi.com/dist/ +MASTER_SITES= LOCAL/adamw PKGNAMESUFFIX= -devkit MAINTAINER= adamw@FreeBSD.org COMMENT= FastCGI Development Kit LICENSE= Open_Market_FastCGI_license LICENSE_NAME= Open Market FastCGI license LICENSE_FILE= ${WRKSRC}/LICENSE.TERMS LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept USES= cpe libtool +CPE_VENDOR= fastcgi + GNU_CONFIGURE= yes USE_LDCONFIG= yes MAKE_JOBS_UNSAFE= yes -CPE_VENDOR= fastcgi OPTIONS_DEFINE= DOCS -.include - post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libfcgi.so.0.0.0 ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libfcgi++.so.0.0.0 - ${INSTALL_MAN} ${WRKSRC}/doc/*.1 ${STAGEDIR}${MANPREFIX}/man/man1/ - ${INSTALL_MAN} ${WRKSRC}/doc/*.3 ${STAGEDIR}${MANPREFIX}/man/man3/ -.if ${PORT_OPTIONS:MDOCS} + @${MKDIR} ${STAGEDIR}${DOCSDIR} - cd ${WRKSRC}/doc && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR} - @${RM} ${STAGEDIR}${DOCSDIR}/*.[13] -.endif + ${INSTALL_MAN} ${WRKSRC}/doc/*.1 ${STAGEDIR}${MANPREFIX}/man/man1 + ${INSTALL_MAN} ${WRKSRC}/doc/*.3 ${STAGEDIR}${MANPREFIX}/man/man3 + (cd ${WRKSRC}/doc && \ + ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR} "! -name *\.[13]") .include Index: head/www/fcgi/files/patch-CVE-2012-6687-pool =================================================================== --- head/www/fcgi/files/patch-CVE-2012-6687-pool (revision 429553) +++ head/www/fcgi/files/patch-CVE-2012-6687-pool (revision 429554) 
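Review bot: The new post-install target creates and populates ${STAGEDIR}${DOCSDIR} unconditionally, while `OPTIONS_DEFINE= DOCS` is kept and the old `.if ${PORT_OPTIONS:MDOCS}` guard around the doc copy is dropped. If the DOCS option is still meant to control those files, the `@${MKDIR} ${STAGEDIR}${DOCSDIR}` line and the `(cd ${WRKSRC}/doc && ${COPYTREE_SHARE} ...)` pair belong in a separate `post-install-DOCS-on:` target, leaving only the two STRIP_CMD lines and the INSTALL_MAN lines in post-install. As written, a build with DOCS disabled may stage files that the plist no longer lists; I cannot confirm the plist from this diff. The `"! -name *\.[13]"` filter does keep the man pages out of DOCSDIR, so the explicit `${RM}` is no longer needed.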
@@ -1,81 +1,79 @@ -diff --git a/libfcgi/os_unix.c b/libfcgi/os_unix.c -index 73e6a7f..af35aee 100755 ---- libfcgi/os_unix.c +--- libfcgi/os_unix.c.orig 2002-03-05 19:14:49 UTC +++ libfcgi/os_unix.c -@@ -42,6 +42,7 @@ static const char rcsid[] = "$Id: os_unix.c,v 1.37 2002/03/05 19:14:49 robs Exp +@@ -42,6 +42,7 @@ static const char rcsid[] = "$Id: os_uni #include #include #include +#include #ifdef HAVE_NETDB_H #include @@ -103,6 +104,9 @@ static int volatile maxFd = -1; static int shutdownPending = FALSE; static int shutdownNow = FALSE; +static int libfcgiOsClosePollTimeout = 2000; +static int libfcgiIsAfUnixKeeperPollTimeout = 2000; + void OS_ShutdownPending() { shutdownPending = TRUE; @@ -168,6 +172,16 @@ int OS_LibInit(int stdioFds[3]) if(libInitialized) return 0; + char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" ); + if(libfcgiOsClosePollTimeoutStr) { + libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr); + } + + char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" ); + if(libfcgiIsAfUnixKeeperPollTimeoutStr) { + libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr); + } + asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo)); if(asyncIoTable == NULL) { errno = ENOMEM; 
@@ -755,19 +769,16 @@ int OS_Close(int fd) if (shutdown(fd, 1) == 0) { - struct timeval tv; - fd_set rfds; + struct pollfd pfd; int rv; char trash[1024]; - FD_ZERO(&rfds); + pfd.fd = fd; + pfd.events = POLLIN; do { - FD_SET(fd, &rfds); - tv.tv_sec = 2; - tv.tv_usec = 0; - rv = select(fd + 1, &rfds, NULL, NULL, &tv); + rv = poll(&pfd, 1, libfcgiOsClosePollTimeout); } while (rv > 0 && read(fd, trash, sizeof(trash)) > 0); } -@@ -1116,13 +1127,11 @@ static int is_reasonable_accept_errno (const int error) +@@ -1116,13 +1127,11 @@ static int is_reasonable_accept_errno (c */ static int is_af_unix_keeper(const int fd) { - struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL }; - fd_set read_fds; - - FD_ZERO(&read_fds); - FD_SET(fd, &read_fds); + struct pollfd pfd; + pfd.fd = fd; + pfd.events = POLLIN; - return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds); + return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN); } /* Index: head/www/fcgi/files/patch-examples__Makefile.in =================================================================== --- head/www/fcgi/files/patch-examples__Makefile.in (revision 429553) +++ head/www/fcgi/files/patch-examples__Makefile.in (revision 429554) 
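Review bot: The two new getenv() reads in OS_LibInit feed `atoi()` straight into `libfcgiOsClosePollTimeout` and `libfcgiIsAfUnixKeeperPollTimeout` with no validation, and a negative value makes `poll(&pfd, 1, libfcgiOsClosePollTimeout)` in OS_Close block indefinitely while draining, since a negative poll timeout means "wait forever"; a non-numeric value silently becomes 0. A small helper that parses with strtol, rejects trailing junk and out-of-range values, and falls back to the compiled-in default keeps an operator typo from turning a connection close into a hang (it needs `<limits.h>` for INT_MAX; errno is already used in this file). The `char *... = getenv(...)` declarations also sit after the `if(libInitialized) return 0;` statement, which is C99 mixed declarations in a 2002 codebase — presumably fine for the port's compiler, but worth noting in the patch. OS_LibInit continues outside the inner hunk.
```c
/* Parse a millisecond poll timeout from the environment; keep `fallback`
 * on anything that is not a non-negative int, so a bad value can never
 * make poll() wait forever. */
static int poll_timeout_from_env(const char *name, int fallback)
{
    const char *s = getenv(name);
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return fallback;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX)
        return fallback;
    return (int)v;
}

/* … unchanged: OS_LibInit up to the libInitialized check … */
    libfcgiOsClosePollTimeout = poll_timeout_from_env("LIBFCGI_OS_CLOSE_POLL_TIMEOUT", libfcgiOsClosePollTimeout);
    libfcgiIsAfUnixKeeperPollTimeout = poll_timeout_from_env("LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT", libfcgiIsAfUnixKeeperPollTimeout);
/* … unchanged: asyncIoTable allocation … */
```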
@@ -1,11 +1,11 @@ ---- ./examples/Makefile.in.orig 2003-01-19 18:21:17.000000000 +0100 -+++ ./examples/Makefile.in 2014-07-08 00:25:16.000000000 +0200 -@@ -125,7 +125,7 @@ +--- examples/Makefile.in.orig 2003-01-19 17:21:17 UTC ++++ examples/Makefile.in +@@ -125,7 +125,7 @@ threaded_CFLAGS = @PTHREAD_CFLAGS@ threaded_LDFLAGS = @PTHREAD_CFLAGS@ @PTHREAD_LIBS@ echo_cpp_SOURCES = $(INCLUDE_FILES) $(INCLUDEDIR)/fcgio.h echo-cpp.cpp -echo_cpp_LDADD = $(LIBDIR)/libfcgi++.la +echo_cpp_LDADD = $(LIBDIR)/libfcgi++.la $(LIBFCGI) subdir = examples mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/fcgi_config.h Index: head/www/fcgi/files/patch-include__fcgio.h =================================================================== --- head/www/fcgi/files/patch-include__fcgio.h (revision 429553) +++ head/www/fcgi/files/patch-include__fcgio.h (revision 429554) @@ -1,10 +1,10 @@ ---- ./include/fcgio.h.orig 2011-01-21 12:26:36.000000000 +0000 -+++ ./include/fcgio.h 2011-01-21 12:27:29.000000000 +0000 +--- include/fcgio.h.orig 2002-02-25 13:16:11 UTC ++++ include/fcgio.h @@ -31,6 +31,7 @@ #define FCGIO_H #include +#include #include "fcgiapp.h" Index: head/www/fcgiwrap/Makefile =================================================================== --- head/www/fcgiwrap/Makefile (revision 429553) +++ head/www/fcgiwrap/Makefile (revision 429554) 
@@ -1,34 +1,35 @@ # $FreeBSD$ PORTNAME= fcgiwrap PORTVERSION= 1.1.0 PORTREVISION= 4 CATEGORIES= www -MASTER_SITES= http://www.skysmurf.nl/comp/FreeBSD/distfiles/ MAINTAINER= adamw@FreeBSD.org COMMENT= Simple FastCGI wrapper for CGI scripts LICENSE= MIT LIB_DEPENDS= libfcgi.so:www/fcgi -BROKEN= unfetchable - USES= autoreconf gmake pkgconfig USE_GITHUB= yes GH_ACCOUNT= gnosek USE_RC_SUBR= fcgiwrap -CFLAGS+= -I${LOCALBASE}/include -L${LOCALBASE}/lib +CPPFLAGS+= -I${LOCALBASE}/include +LDFLAGS+= -L${LOCALBASE}/lib GNU_CONFIGURE= yes PLIST_FILES= sbin/fcgiwrap man/man8/fcgiwrap.8.gz post-patch: @${REINPLACE_CMD} -e 's/@prefix@@mandir@/@mandir@/'\ - -e 's|-m 755 fcgiwrap|-s -m 755 fcgiwrap|' ${WRKSRC}/Makefile.in + ${WRKSRC}/Makefile.in + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/fcgiwrap .include Index: head/www/fcgiwrap/files/patch-fcgiwrap.8 =================================================================== --- head/www/fcgiwrap/files/patch-fcgiwrap.8 (revision 429553) +++ head/www/fcgiwrap/files/patch-fcgiwrap.8 (revision 429554) 
@@ -1,21 +1,21 @@ ---- fcgiwrap.8.orig 2014-09-22 12:44:32.000000000 +0200 -+++ fcgiwrap.8 2014-09-22 12:51:14.000000000 +0200 -@@ -42,6 +42,9 @@ +--- fcgiwrap.8.orig 2013-02-03 13:25:17 UTC ++++ fcgiwrap.8 +@@ -42,6 +42,9 @@ takes care of opening the socket. Howeve tests this option may be used. Valid socket_urls include \fIunix:/path/to/unix/socket\fP, \fItcp:dot.ted.qu.ad:port\fP and \fItcp6:[ipv6_addr]:port\fP. .TP +.B \-p \fIpath\fP +Restrict execution to the given path. Repeated options will be merged. +.TP .B \-h Show a help message and exit. -@@ -113,3 +116,8 @@ +@@ -113,3 +116,8 @@ with contributions by W-Mark Kubacki (with contributions by Grzegorz Nosek) for the Debian project (and may be used by others). +.PP +The +.B \-p +option was contributed by as an addition to the FreeBSD +port. Index: head/www/fcgiwrap/files/patch-fcgiwrap.c =================================================================== --- head/www/fcgiwrap/files/patch-fcgiwrap.c (revision 429553) +++ head/www/fcgiwrap/files/patch-fcgiwrap.c (revision 429554) @@ -1,160 +1,160 @@ ---- fcgiwrap.c.orig 2013-02-03 14:25:17.000000000 +0100 -+++ fcgiwrap.c 2014-12-22 13:25:23.000000000 +0100 +--- fcgiwrap.c.orig 2013-02-03 13:25:17 UTC ++++ fcgiwrap.c @@ -43,6 +43,7 @@ #include #include +#include #include #include #include 
@@ -58,6 +59,8 @@ extern char **environ; static char * const * inherited_environ; +static const char **allowed_programs; +static size_t allowed_programs_count; static const char * blacklisted_env_vars[] = { "AUTH_TYPE", -@@ -485,6 +488,19 @@ +@@ -485,6 +488,19 @@ static void inherit_environment(void) } } +static bool is_allowed_program(const char *program) { + size_t i; + if (!allowed_programs_count) + return true; + + for (i = 0; i < allowed_programs_count; i++) { + if (!strcmp(allowed_programs[i], program)) + return true; + } + + return false; +} + static void cgi_error(const char *message, const char *reason, const char *filename) { printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n", -@@ -541,6 +557,9 @@ +@@ -541,6 +557,9 @@ static void handle_fcgi_request(void) if (!filename) cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL); + if (!is_allowed_program(filename)) + cgi_error("403 Forbidden", "The given script is not allowed to execute", filename); + last_slash = strrchr(filename, '/'); if (!last_slash) cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename); -@@ -587,14 +606,29 @@ +@@ -587,14 +606,29 @@ err_pipein: FCGI_puts("System error"); } +static volatile sig_atomic_t sigint_received; +static void sigint_handler(int __attribute__((__unused__))dummy) +{ + sigint_received = 1; + FCGX_ShutdownPending(); // Or we could send SIGUSR1 +} + static void fcgiwrap_main(void) { + struct sigaction a; signal(SIGCHLD, SIG_IGN); signal(SIGPIPE, SIG_IGN); + // Use sigaction for SIGINT so we can avoid SA_RESTART and actually react + a.sa_handler = sigint_handler; + a.sa_flags = 0; + sigemptyset(&a.sa_mask); + sigaction(SIGINT, &a, NULL); + sigaction(SIGTERM, &a, NULL); + inherited_environ = environ; - while (FCGI_Accept() >= 0) { + while (FCGI_Accept() >= 0 && !sigint_received) { handle_fcgi_request(); } } -@@ -671,7 +705,7 @@ +@@ -671,7 
+705,7 @@ static int listen_on_fd(int fd) { return 0; } -static int setup_socket(char *url) { +static int setup_socket(char *url, int *fd_out) { char *p = url; char *q; int fd; -@@ -751,6 +785,7 @@ +@@ -751,6 +785,7 @@ invalid_url: return -1; } + *fd_out = fd; return listen_on_fd(fd); } -@@ -758,9 +793,10 @@ +@@ -758,9 +793,10 @@ int main(int argc, char **argv) { int nchildren = 1; char *socket_url = NULL; + int fd = 0; int c; - while ((c = getopt(argc, argv, "c:hfs:")) != -1) { + while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) { switch (c) { case 'f': stderr_to_fastcgi++; -@@ -773,6 +809,7 @@ +@@ -773,6 +809,7 @@ int main(int argc, char **argv) " -c \t\tNumber of processes to prefork\n" " -s \tSocket to bind to (say -s help for help)\n" " -h\t\t\tShow this help message and exit\n" + " -p \t\tRestrict execution to this script. (repeated options will be merged)\n" "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n" PACKAGE_NAME" home page: \n", argv[0] -@@ -784,8 +821,14 @@ +@@ -784,8 +821,14 @@ int main(int argc, char **argv) case 's': socket_url = strdup(optarg); break; + case 'p': + allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *)); + if (!allowed_programs) + abort(); + allowed_programs[allowed_programs_count++] = strdup(optarg); + break; case '?': - if (optopt == 'c' || optopt == 's') + if (optopt == 'c' || optopt == 's' || optopt == 'p') fprintf(stderr, "Option -%c requires an argument.\n", optopt); else if (isprint(optopt)) fprintf(stderr, "Unknown option `-%c'.\n", optopt); -@@ -808,13 +851,24 @@ +@@ -808,13 +851,24 @@ int main(int argc, char **argv) } else #endif if (socket_url) { - if (setup_socket(socket_url) < 0) { + if (setup_socket(socket_url, &fd) < 0) { return 1; } - free(socket_url); } prefork(nchildren); fcgiwrap_main(); + if(fd) { + const char *p = socket_url; + close(fd); + + if(socket_url) { + if (!strncmp(p, "unix:", sizeof("unix:") - 1)) { + p += sizeof("unix:") - 1; + unlink(p); + } + 
free(socket_url); + } + } return 0; }
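Review bot: `int fd = 0;` in main() doubles as the "no socket was set up" sentinel, but 0 is a valid descriptor, so the cleanup guarded by `if(fd) {` would be skipped if setup_socket() ever handed back descriptor 0 (possible when stdin is closed before start); `int fd = -1;` and `if (fd >= 0) {` make the intent explicit and the sentinel is only consumed in that final block. Separately, is_allowed_program() compares the raw `filename` with strcmp, so an allow-list entry matches only that exact spelling — if the path can still carry `..` segments or symlinks at that point (the later path checks are outside this hunk), comparing a realpath()-canonicalised form on both sides would make the list harder to get around by spelling alone. The `strdup(optarg)` in `case 'p':` is also stored unchecked, so an allocation failure would leave a NULL entry that later reaches strcmp; `if (!allowed_programs[allowed_programs_count-1]) abort();` matches the realloc handling above it.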