Re: bin/58713: httpd: CGIs have wrong cwd

[Sunil Nimmagadda <sunil%nimmagadda.net@localhost>]

The following reply was made to PR bin/58713; it has been noted by GNATS.

From: Sunil Nimmagadda <sunil%nimmagadda.net@localhost>
To: nia%pkgsrc.org@localhost
Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost,  gnats-bugs%netbsd.org@localhost
Subject: Re: bin/58713: httpd: CGIs have wrong cwd
Date: Sun, 06 Oct 2024 17:19:55 +0530

 nia%pkgsrc.org@localhost writes:
 
 >>Number:         58713
 >>Category:       bin
 >>Synopsis:       httpd: CGIs have wrong cwd
 >>Confidential:   no
 >>Severity:       serious
 >>Priority:       medium
 >>Responsible:    bin-bug-people
 >>State:          open
 >>Class:          sw-bug
 >>Submitter-Id:   net
 >>Arrival-Date:   Wed Oct 02 14:00:05 +0000 2024
 >>Originator:     nia
 >>Release:        NetBSD 10.0_STABLE
 >>Organization:
 > The NetBSD Foundation, Inc
 >>Environment:
 >>Description:
 > When running CGIs, I use relative paths inside the scripts to load my
 > Lua dependencies. In thttpd, this works fine. In bozo, it fails.
 >
 > According to RFC 3875:
 > The current working directory for the script SHOULD be set to the
 > directory containing the script.
 >>How-To-Repeat:
 >
 >>Fix:
 
 This diff changes the working directory of the cgi process to the user
 specified cgi-bin.
 
 diff --git a/libexec/httpd/cgi-bozo.c b/libexec/httpd/cgi-bozo.c
 index b04c89979351..b2cf1308f63e 100644
 --- a/libexec/httpd/cgi-bozo.c
 +++ b/libexec/httpd/cgi-bozo.c
 @@ -608,6 +608,9 @@ bozo_process_cgi(bozo_httpreq_t *request)
  		closelog();
  		bozo_daemon_closefds(httpd);
  
 +		if (httpd->cgibin && chdir(httpd->cgibin) == -1)
 +			bozoerr(httpd, 1, "failed to chdir(2)");
 +
  		if (-1 == execve(path, argv, envp)) {
  			int saveerrno = errno;
  			bozo_http_error(httpd, 404, request,