From a1e87b4e0e49d157c027b080b6dd202257aeb5b1 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 13 Sep 2019 08:32:58 +0200 Subject: [PATCH] cgi-io: pass appropriate HTTP error codes to failure() Instead of always replying with a generic 500 internal server error code, use more appropriate codes such as 403 to indicate denied permissions. Signed-off-by: Jo-Philipp Wich (cherry picked from commit 8c22db653158e8c4edf4fdd0e0554a603b96a655) --- net/cgi-io/Makefile | 2 +- net/cgi-io/src/main.c | 26 ++++++++++++++------------ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/net/cgi-io/Makefile b/net/cgi-io/Makefile index 5ba695faed..eaf03b40d9 100644 --- a/net/cgi-io/Makefile +++ b/net/cgi-io/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cgi-io -PKG_RELEASE:=10 +PKG_RELEASE:=11 PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/cgi-io/src/main.c b/net/cgi-io/src/main.c index aaba37d0d4..d19277d6a4 100644 --- a/net/cgi-io/src/main.c +++ b/net/cgi-io/src/main.c @@ -369,15 +369,17 @@ response(bool success, const char *message) } static int -failure(int e, const char *message) +failure(int code, int e, const char *message) { - printf("Status: 500 Internal Server failure\r\n"); + printf("Status: %d %s\r\n", code, message); printf("Content-Type: text/plain\r\n\r\n"); printf("%s", message); if (e) printf(": %s", strerror(e)); + printf("\n"); + return -1; } @@ -661,29 +663,29 @@ main_download(int argc, char **argv) postdecode(fields, 4); if (!fields[1] || !session_access(fields[1], "cgi-io", "download", "read")) - return failure(0, "Download permission denied"); + return failure(403, 0, "Download permission denied"); if (!fields[3] || !session_access(fields[1], "file", fields[3], "read")) - return failure(0, "Access to path denied by ACL"); + return failure(403, 0, "Access to path denied by ACL"); if (stat(fields[3], &s)) - return failure(errno, "Failed to stat requested path"); + return failure(404, errno, "Failed to stat requested path"); if (!S_ISREG(s.st_mode) && !S_ISBLK(s.st_mode)) - return failure(0, "Requested path is not a regular file or block device"); + return failure(403, 0, "Requested path is not a regular file or block device"); for (p = fields[5]; p && *p; p++) if (!isalnum(*p) && !strchr(" ()<>@,;:[]?.=%", *p)) - return failure(0, "Invalid characters in filename"); + return failure(400, 0, "Invalid characters in filename"); for (p = fields[7]; p && *p; p++) if (!isalnum(*p) && !strchr(" .;=/-", *p)) - return failure(0, "Invalid characters in mimetype"); + return failure(400, 0, "Invalid characters in mimetype"); rfd = open(fields[3], O_RDONLY); if (rfd < 0) - return failure(errno, "Failed to open requested path"); + return failure(500, errno, "Failed to open requested path"); if (S_ISBLK(s.st_mode)) ioctl(rfd, BLKGETSIZE64, &size); @@ -740,15 +742,15 @@ main_backup(int argc, char **argv) char *fields[] = { "sessionid", NULL }; if (!postdecode(fields, 1) || !session_access(fields[1], "cgi-io", "backup", "read")) - return failure(0, "Backup permission denied"); + return failure(403, 0, "Backup permission denied"); if (pipe(fds)) - return failure(errno, "Failed to spawn pipe"); + return failure(500, errno, "Failed to spawn pipe"); switch ((pid = fork())) { case -1: - return failure(errno, "Failed to fork process"); + return failure(500, errno, "Failed to fork process"); case 0: dup2(fds[1], 1); -- 2.30.2