bin/52194: httpd fails to exec cgi scripts outside of cgi-bin

[martin%NetBSD.org@localhost]

>Number:         52194
>Category:       bin
>Synopsis:       httpd fails to exec cgi scripts outside of cgi-bin
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 25 09:45:00 +0000 2017
>Originator:     Martin Husemann
>Release:        NetBSD 7.1
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD emmas.aprisoft.de 7.1 NetBSD 7.1 (EMMAS) #6: Tue Mar 14 16:38:26 CET 2017 martin%emmas.aprisoft.de@localhost:/var/nbsd/src-7/sys/arch/i386/compile/EMMAS i386
Architecture: i386
Machine: i386
>Description:

When invoked with "-C .pl /usr/pkg/bin/perl", httpd should run cgi scripts
that match the .pl suffix in the document tree.

This fails for me in 7.1 with an EFAULT from execvpe() of the interpreter.
Even with the patch below, it still does not work (not sure if argv for the
interpreter is correctly constructed, and -d does not seem to work)

>How-To-Repeat:
n/a

>Fix:
Not sure if this is the right way:

Index: cgi-bozo.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/cgi-bozo.c,v
retrieving revision 1.25.2.7
diff -u -p -r1.25.2.7 cgi-bozo.c
--- cgi-bozo.c	12 Feb 2017 22:07:17 -0000	1.25.2.7
+++ cgi-bozo.c	25 Apr 2017 09:35:34 -0000
@@ -587,6 +587,8 @@ bozo_process_cgi(bozo_httpreq_t *request
 		bozoerr(httpd, 1, "child socketpair failed: %s",
 				strerror(errno));
 
+	*curenvp = 0; 
+
 	/*
 	 * We create 2 procs: one to become the CGI, one read from
 	 * the CGI and output to the network, and this parent will