ksgi
/
child.c
2264 строки · 52.7 Кб
1/* $Id$ */2/*3* Copyright (c) 2012, 2014--2020 Kristaps Dzonsons <kristaps@bsd.lv>4*5* Permission to use, copy, modify, and distribute this software for any6* purpose with or without fee is hereby granted, provided that the above7* copyright notice and this permission notice appear in all copies.8*9* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES10* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF11* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR12* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES13* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN14* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF15* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.16*/17#include "config.h"18MIMETYPE_TYPE50};51/*53* For handling HTTP multipart forms.54* This consists of data for a single multipart form entry.55*/56struct mime {57char *disp; /* content disposition */58char *name; /* name of form entry */59size_t namesz; /* size of "name" string */60char *file; /* whether a file was specified */61char *ctype; /* content type */62size_t ctypepos; /* position of ctype in mimes */63char *xcode; /* encoding type */64char *bound; /* form entry boundary */65};66/*68* Both CGI and FastCGI use an environment for their HTTP parameters.69* CGI gets it from the actual environment; FastCGI from a transmitted70* environment.71* We use an abstract representation of those key-value pairs here so72* that we can use the same functions for both.73*/74struct env {75char *key; /* key (e.g., HTTP_HOST) */76size_t keysz;77char *val; /* value (e.g., `foo.com') */78size_t valsz;79};80/*82* Types of FastCGI requests.83* Defined in the FastCGI v1.0 spec, section 8.84*/85enum fcgi_type {86FCGI_BEGIN_REQUEST = 1,87FCGI_ABORT_REQUEST = 2,88FCGI_END_REQUEST = 3,89FCGI_PARAMS = 4,90FCGI_STDIN = 5,91FCGI_STDOUT = 6,92FCGI_STDERR = 7,93FCGI_DATA = 8,94FCGI_GET_VALUES = 9,95FCGI_GET_VALUES_RESULT = 10,96FCGI_UNKNOWN_TYPE = 11,97FCGI__MAX98};99/*101* The FastCGI `FCGI_Header' header layout.102* Defined in the FastCGI v1.0 spec, section 8.103*/104struct fcgi_hdr {105uint8_t version;106uint8_t type;107uint16_t requestId;108uint16_t contentLength;109uint8_t paddingLength;110uint8_t reserved;111};112/*114* The FastCGI `FCGI_BeginRequestBody' header layout.115* Defined in the FastCGI v1.0 spec, section 8.116*/117struct fcgi_bgn {118uint16_t role;119uint8_t flags;120uint8_t res[5];121};122/*124* A buffer of reads from kfcgi_control().125*/126struct fcgi_buf {127size_t sz; /* bytes in buffer */128size_t pos; /* current position (from last read) */129int fd; /* file descriptor */130char *buf; /* buffer itself */131};132/*134* Parameters required to validate fields.135*/136struct parms {137int fd;138const char *const *mimes;139size_t mimesz;140const struct kvalid *keys;141size_t keysz;142enum input type;143};144/*196* Parse the type/subtype field out of a content-type.197* The content-type is defined (among other places) in RFC 822, and is198* either the whole string or up until the ';', which marks the199* beginning of the parameters.200*/201static size_t202str2ctype(const struct parms *pp, const char *ctype)203{204size_t i, sz;205}219/*221* Given a parsed field "key" with value "val" of size "valsz" and MIME222* information "mime", first try to look it up in the array of223* recognised keys ("pp->keys") and optionally validate.224* Then output the type, parse status (key, type, etc.), and values read225* by the parent input() function.226*/227static void228output(const struct parms *pp, char *key,229char *val, size_t valsz, struct mime *mime)230{231size_t i;232ptrdiff_t diff;233char *save;234struct kpair pair;235* Look up the key name in our key table.249* If we find it and it has a validator, then run the validator250* and record the output.251* If we fail, reset the type and clear the results.252* Either way, the keypos parameter is going to be the key253* identifier or keysz if none is found.254*/255* We can write a new "val" in the validator allocated on the306* heap: if we do, free it here.307*/308}312/*314* Read full stdin request into memory.315* This reads at most "len" bytes and NUL-terminates the results, the316* length of which may be less than "len" and is stored in *szp if not317* NULL.318* Returns the pointer to the data.319* NOTE: we can't use fullread() here because we may not get the total320* number of bytes requested.321* NOTE: "szp" can legit be set to zero.322*/323static char *324scanbuf(size_t len, size_t *szp)325{326ssize_t ssz;327size_t sz;328char *p;329int rc;330struct pollfd pfd;331* Keep reading til we get all the data or the sender stops342* giving us data---whichever comes first.343* Use kutil_warn[x] and _exit to avoid flushing buffers.344*/345}379/*381* Reset a particular mime component.382* We can get duplicates, so reallocate.383*/384static void385mime_reset(char **dst, const char *src)386{387}392/*394* Free up all MIME headers.395* We might call this more than once, so make sure that it can be396* invoked again by setting the memory to zero.397*/398static void399mime_free(struct mime *mime)400{401}410/*412* Parse out all MIME headers.413* This is defined by RFC 2045.414* This returns TRUE if we've parsed up to (and including) the last415* empty CRLF line, or FALSE if something has gone wrong (e.g., parse416* error, out of memory).417* If FALSE, parsing should stop immediately.418*/419static int420mime_parse(const struct parms *pp, struct mime *mime,421char *buf, size_t len, size_t *pos)422{423char *key, *val, *keyend, *end, *start, *line;424enum mimetype type;425int rc = 0;426* NUL-terminate to make a nice line.442* Then re-set our starting position.443*/444* Find end of MIME statement name.457* The RFCs disagree on white-space before the colon,458* but as it's allowed in the original RFC 822 and459* obsolete syntax should be supported, we do so here.460*/461* Set "line" to be at the MIME value subpart, for483* example, "Content-type: text/plain; charset=us-ascii"484* would put us at the parts before "charset".485*/486* Allow these specific MIME header statements.493* We'll follow up by parsing specific information from494* the header values, so remember what we parsed.495*/496* Process subpart only for content-type and511* content-disposition.512* The rest have no information we want: silently ignore them.513*/514* It's not clear whether we're allowed to have527* OWS before the separator, but allow for it528* anyway.529*/530* It's unclear as to whether this is564* allowed (white-space before the565* semicolon separator), but let's566* accommodate for it anyway.567*/568}598/*600* Parse keys and values separated by newlines.601* I'm not aware of any standard that defines this, but the W3602* guidelines for HTML give a rough idea.603* FIXME: deprecate this.604*/605static void606parse_pairs_text(const struct parms *pp, char *p)607{608char *key, *val;609* Key/value pair.619* No value is a warning (not processed).620*/621}648/*650* Parse an HTTP message that has a given content-type.651* This happens with, e.g., PUT requests.652* We fake up a "name" for this (it's not really a key-value pair) of an653* empty string, then pass that to the validator and forwarder.654*/655static void656parse_body(const char *ct, const struct parms *pp, char *b, size_t bsz)657{658char name;659struct mime mime;660}671/*673* Parse out key-value pairs from an HTTP cookie.674* These are not URL encoded (at this phase): they're just simple675* key-values "crumbs" with opaque values.676* This is defined by RFC 6265, however, we don't [yet] do the677* quoted-string implementation, nor do we check for accepted678* characters so long as the delimiters aren't used.679*/680static void681parse_pairs(const struct parms *pp, char *p)682{683char *key, *val;684* Don't allow key-pair without a value.691* Keys shouldn't be zero-length.692*/693}718/*720* Parse out key-value pairs from an HTTP request variable.721* This is either a POST or GET string.722* This MUST be a non-binary (i.e., NUL-terminated) string!723*/724static void725parse_pairs_urlenc(const struct parms *pp, char *p)726{727char *key, *val;728* Look ahead to either '=' or one of the key-value739* terminators (or the end of the string).740* If we have the equal sign, then we're a key-value741* pair; otherwise, we're a standalone key value.742*/743* Both the key and the value can be URL encoded, so758* decode those into the character string now.759* If decoding fails, don't decode the given pair, but760* instead move on to the next one after logging the761* failure.762*/763}777/*779* This is described by the "multipart-body" BNF part of RFC 2046,780* section 5.1.1.781* We return TRUE if the parse was ok, FALSE if errors occurred (all782* calling parsers should bail too).783*/784static int785parse_multiform(const struct parms *pp, char *name,786const char *bound, char *buf, size_t len, size_t *pos)787{788struct mime mime;789size_t endpos, bbsz, partsz;790char *ln, *bb;791int rc, first;792* The (first ? 2 : 0) is because the first prologue809* boundary will not incur an initial CRLF, so our bb is810* past the CRLF and two bytes smaller.811*/812* Set "endpos" to point to the beginning of the next825* multipart component, i.e, the end of the boundary826* "bb" string.827* Again, be respectful of whether we should scan after828* the lack of initial CRLF.829*/830* Terminating boundary has an initial trailing "--".844* If not terminating, must be followed by a CRLF.845* If terminating, RFC 1341 says we can ignore whatever846* comes after the last boundary.847*/848* Zero-length part.870* This shouldn't occur, but if it does, it'll screw up871* the MIME parsing (which requires a blank CRLF before872* considering itself finished).873*/874* As per RFC 2388, we need a name and disposition.891* Note that multipart/mixed bodies will inherit the892* name of their parent, so the mime.name is ignored.893*/894* As per RFC 2045, we default to text/plain.907* We then re-lookup the ctypepos after doing so.908*/909* Multipart sub-handler.921* We only recognise the multipart/mixed handler.922* This will route into our own function, inheriting the923* current name for content.924*/925* According to the specification, we can have transport957* padding, a CRLF, then the epilogue.958* But since we don't care about that crap, just pretend that959* everything's fine and exit.960*/961}968/*970* Parse the boundary from a multipart CONTENT_TYPE and pass it to the971* actual parsing engine.972* This doesn't actually handle any part of the MIME specification.973*/974static void975parse_multi(const struct parms *pp, char *line, char *b, size_t bsz)976{977char *cp;978size_t len = 0;979* Make sure the line is terminated in the right place.1016* XXX: if it's not, what we do may not properly follow RFC1017* 2046, 5.1.1, which specifically lays out the boundary1018* characters.1019* We simply jump to the first whitespace.1020*/1021* If we have data following the boundary declaration, we simply1034* ignore it.1035* The RFC mandates the existence of the boundary, but is silent1036* as to whether anything can come after it.1037*/1038}1041/*1043* Output all of the HTTP_xxx headers.1044* This transforms the HTTP_xxx header (CGI form) into HTTP form, which1045* is the second part title-cased, e.g., HTTP_FOO = Foo.1046* Disallow zero-length values as per RFC 3875, 4.1.18.1047*/1048static void1049kworker_child_env(const struct env *env, int fd, size_t envsz)1050{1051size_t i, j, sz, reqs;1052int first;1053enum krequ requ;1054char c;1055const char *cp;1056* Process known headers (starting with HTTP_).1066* We must have non-zero-length keys.1067*/1068* According to RFC 3875, 4.1.18, HTTP headers are1082* re-written into CGI environment variables by1083* uppercasing and converting dashes to underscores.1084* In this part, we [try to] reverse that so that the1085* headers are properly identified.1086* (We also skip the HTTP_ leading part.)1087*/1088}1110/*1112* Like getenv() but for our env structure.1113*/1114static char *1115kworker_env(struct env *env, size_t envsz, const char *key)1116{1117size_t i;1118}1124/*1126* Output the method found in our environment.1127* Returns the method.1128* Defaults to KMETHOD_GET, uses KETHOD__MAX if the method was bad.1129*/1130static enum kmethod1131kworker_child_method(struct env *env, int fd, size_t envsz)1132{1133enum kmethod meth;1134const char *cp;1135}1148/*1150* Output the web server's authentication.1151* Defaults to KAUTH_NONE.1152*/1153static void1154kworker_child_auth(struct env *env, int fd, size_t envsz)1155{1156enum kauth auth = KAUTH_NONE;1157const char *cp;1158}1171/*1173* Send the raw (i.e., un-webserver-filtered) authorisation to the1174* parent.1175* Most web servers will `handle this for us'. Ugh.1176*/1177static int1178kworker_child_rawauth(struct env *env, int fd, size_t envsz)1179{1180}1184/*1186* Send our HTTP scheme (secure or not) to the parent.1187*/1188static void1189kworker_child_scheme(struct env *env, int fd, size_t envsz)1190{1191const char *cp;1192enum kscheme scheme;1193* This isn't defined in any RFC.1196* It seems to be the best way of getting whether we're HTTPS,1197* as the SERVER_PROTOCOL (RFC 3875, 4.1.16) doesn't reliably1198* return the scheme.1199*/1200}1208/*1210* Send remote address to the parent.1211* This is required by RFC 3875, 4.1.8.1212* Use 127.0.0.1 on protocol violation.1213*/1214static void1215kworker_child_remote(struct env *env, int fd, size_t envsz)1216{1217const char *cp;1218}1227/*1229* Parse and send the port to the parent.1230* This is required by RFC 3875, 4.1.15.1231* Use port 80 if not provided or on parse error.1232*/1233static void1234kworker_child_port(struct env *env, int fd, size_t envsz)1235{1236uint16_t port = 80;1237const char *cp, *er;1238}1252/*1254* Send requested host to the parent.1255* This is required by RFC 7230, 5.4.1256* Use "localhost" if not provided.1257*/1258static void1259kworker_child_httphost(struct env *env, int fd, size_t envsz)1260{1261const char *cp;1262}1270/*1272* Send script name to the parent.1273* This is required by RFC 3875, 4.1.13.1274* Use the empty string on error.1275*/1276static void1277kworker_child_scriptname(struct env *env, int fd, size_t envsz)1278{1279const char *cp;1280}1289/*1291* Parse all path information (subpath, path, etc.) and send to parent.1292*/1293static void1294kworker_child_path(struct env *env, int fd, size_t envsz)1295{1296char *cp, *ep, *sub;1297size_t len;1298* Parse the first path element (the page we want to access),1301* subsequent path information, and the file suffix. We convert1302* suffix and path element into the respective enum's inline.1303*/1304}1348/*1350* Construct the body hash component of an HTTP digest hash.1351* See khttpdigest_validatehash(3) for where this is used.1352* See RFC 2617.1353* We only do this if our authorisation requires it!1354*/1355static void1356kworker_child_bodymd5(int fd, const char *b, size_t bsz, int md5)1357{1358MD5_CTX ctx;1359unsigned char hab[MD5_DIGEST_LENGTH];1360size_t sz;1361}1378/*1380* Parse and send the body of the request to the parent.1381* This is arguably the most complex part of the system.1382*/1383static void1384kworker_child_body(struct env *env, int fd, size_t envsz,1385struct parms *pp, enum kmethod meth, char *b,1386size_t bsz, unsigned int debugging, int md5)1387{1388size_t i, len = 0, sz;1389char *cp, *bp = b;1390const char *end;1391int wrap;1392* The CONTENT_LENGTH must be a valid integer.1395* Since we're storing into "len", make sure it's in size_t.1396* If there's an error, it will default to zero.1397* Note that LLONG_MAX < SIZE_MAX.1398* RFC 3875, 4.1.2.1399*/1400* If a CONTENT_TYPE has been specified (i.e., POST or GET has1420* been set -- we don't care which), then switch on that type1421* for parsing out key value pairs.1422* RFC 3875, 4.1.3.1423* HTML5, 4.10.1424* We only support the main three content types.1425*/1426* If we're CGI, read the request now.1432* Note that the "bsz" can come out as zero.1433*/1434* If we're debugging read bodies, emit the body line by line1446* (or split at the 80-character mark).1447*/1448}1485/*1487* Send query string data to parent.1488* Even POST requests are allowed to have QUERY_STRING elements.1489* Note: both QUERY_STRING and CONTENT_TYPE fields share the same field1490* space.1491*/1492static void1493kworker_child_query(struct env *env,1494int fd, size_t envsz, struct parms *pp)1495{1496char *cp;1497}1502/*1504* Send cookies to our parent.1505* These use the same syntax as QUERY_STRING elements, but don't share1506* the same namespace (just as a means to differentiate the same names).1507*/1508static void1509kworker_child_cookies(struct env *env,1510int fd, size_t envsz, struct parms *pp)1511{1512char *cp;1513}1518/*1520* Terminate the input fields for the parent.1521*/1522static void1523kworker_child_last(int fd)1524{1525enum input last = IN__MAX;1526}1529/*1531* This is the child kcgi process that's going to do the unsafe reading1532* of network data to parse input.1533* When it parses a field, it outputs the key, key size, value, and1534* value size along with the field type.1535* We use the CGI specification in RFC 3875.1536*/1537enum kcgi_err1538kworker_child(int wfd,1539const struct kvalid *keys, size_t keysz,1540const char *const *mimes, size_t mimesz,1541unsigned int debugging)1542{1543struct parms pp;1544char *cp;1545const char *start;1546char **evp;1547int md5;1548enum kmethod meth;1549size_t i;1550extern char **environ;1551struct env *envs = NULL;1552size_t envsz;1553* Pull the entire environment into an array.1562*/1563for (envsz = 0, evp = environ; NULL != *evp; evp++)1564envsz++;1565* Pull all reasonable values from the environment into "envs".1574* Filter out variables that don't meet RFC 3875, section 4.1.1575* However, we're a bit more relaxed: we don't let through1576* zero-length, non-ASCII, control characters, and whitespace.1577*/1578* This means something is seriously wrong, so make sure1589* that the operator knows.1590*/1591* Now run a series of transmissions based upon what's in our1615* environment.1616*/1617}1644/*1646* Reads from the FastCGI control process, kfcgi_control(), are buffered1647* according to what the control process can read from the web server.1648* Here we read ahead til we have enough data for what currently needs1649* to be read.1650* Returns a pointer to the data of size "sz" or NULL if errors occured.1651* If error is KCGI_OK, this *always* returns a buffer.1652* The error is reported in "er".1653*/1654static char *1655kworker_fcgi_read(struct fcgi_buf *b, size_t nsz, enum kcgi_err *er)1656{1657void *pp;1658int rc;1659size_t sz;1660}1698/*1701* Read the FastCGI header (see section 8, Types and Contents,1702* FCGI_Header, in the FastCGI Specification v1.0).1703* Return KCGI_OK on success, KCGI_HUP on connection close, KCGI_FORM1704* with FastCGI protocol errors, and a fatal error otherwise.1705*/1706static enum kcgi_err1707kworker_fcgi_header(struct fcgi_buf *b, struct fcgi_hdr *hdr)1708{1709enum kcgi_err er;1710const char *cp;1711struct fcgi_hdr buf;1712}1733/*1735* Read in the entire header and data for the begin sequence request.1736* This is defined in section 5.1 of the v1.0 specification.1737* Return KCGI_OK on success, KCGI_HUP on connection close, KCGI_FORM1738* with FastCGI protocol errors, and a fatal error otherwise.1739*/1740static enum kcgi_err1741kworker_fcgi_begin(struct fcgi_buf *b, uint16_t *rid)1742{1743struct fcgi_hdr hdr;1744const struct fcgi_bgn *ptr;1745const char *buf;1746enum kcgi_err er;1747}1777/*1779* Read in a data stream as defined within section 5.3 of the v1.01780* specification.1781* We might have multiple stdin buffers for the same data, so always1782* append to the existing NUL-terminated buffer.1783* Return KCGI_OK on success, KCGI_HUP on connection close, KCGI_FORM1784* with FastCGI protocol errors, and a fatal error otherwise.1785*/1786static enum kcgi_err1787kworker_fcgi_stdin(struct fcgi_buf *b, const struct fcgi_hdr *hdr,1788unsigned char **sbp, size_t *ssz)1789{1790enum kcgi_err er;1791void *ptr;1792char *bp;1793* Short-circuit: no data to read.1802* The caller should detect this and stop reading from the1803* FastCGI connection.1804*/1805* Use another buffer for the stdin.1811* This is because our buffer (b->buf) consists of FastCGI1812* frames (data interspersed with control information).1813* Obviously, we want to extract our data from that.1814* Make sure it's NUL-terminated!1815* FIXME: check for addition overflow.1816*/1817}1828/*1830* Read out a series of parameters contained within a FastCGI parameter1831* request defined in section 5.2 of the v1.0 specification.1832* Return KCGI_OK on success, KCGI_HUP on connection close, KCGI_FORM1833* with FastCGI protocol errors, and a fatal error otherwise.1834*/1835static enum kcgi_err1836kworker_fcgi_params(struct fcgi_buf *buf, const struct fcgi_hdr *hdr,1837struct env **envs, size_t *envsz)1838{1839size_t i, remain, pos, keysz, valsz;1840const unsigned char *b;1841enum kcgi_err er;1842void *ptr;1843* Loop through the string data that's laid out as a key length1853* then value length, then key, then value.1854* There can be arbitrarily many key-values per string.1855*/1856* First, make sure that the key is valid.1917* There's no documented precedent for this, so we1918* follow CGI's constraints in RFC 3875, sec. 4.1.1919* If it's not valid, just skip it.1920*/1921* If we don't have the key: expand our table.1950* If we do, clear the current value.1951*/1952}1989/*1991* This is executed by the untrusted child for FastCGI setups.1992* Throughout, we follow the FastCGI specification, version 1.0, 291993* April 1996.1994*/1995void1996kworker_fcgi_child(int wfd, int work_ctl,1997const struct kvalid *keys, size_t keysz,1998const char *const *mimes, size_t mimesz,1999unsigned int debugging)2000{2001struct parms pp;2002struct fcgi_hdr hdr;2003enum kcgi_err er;2004unsigned char *sbuf = NULL;2005struct env *envs = NULL;2006uint16_t rid;2007uint32_t cookie = 0;2008size_t i, ssz = 0, sz, envsz = 0;2009int rc, md5;2010enum kmethod meth;2011struct fcgi_buf fbuf;2012* Loop over all incoming sequences to this particular slave.2023* Sequences must consist of a single FastCGI session as defined2024* in the FastCGI version 1.0 reference document.2025*2026* If the connection closes out at any point, we receive a2027* zero-length read from the control socket.2028* The response to this should be to write an zero error code2029* back to the control socket, then keep on listening.2030* Otherwise, if we've read the full message, write a non-zero2031* error code, then our identifier and cookie, then the rest2032* goes directly to the parse routines in kworker_parent().2033*/2034* Begin by reading our magic cookie.2054* This is emitted by kfcgi_control() at the start of2055* our sequence.2056* When we've finished reading data with success, we'll2057* respond with this value.2058*/2059* Now read one or more parameters.2090* We read them all at once, then do the parsing later2091* after we've read all of our data.2092* We read parameters til we no longer have the2093* FCGI_PARAMS type on the current header.2094*/2095* Lastly, we want to process the stdin content.2141* These will end with a single zero-length record.2142* Keep looping til we've flushed all input.2143*/2144* Call this even if we have a zero-length data2148* payload as specified by contentLength.2149* This is because there might be padding, and2150* we want to make sure we've drawn everything2151* from the socket before exiting.2152*/2153* Notify the control process that we've received all of2194* our data by giving back the cookie and requestId.2195* FIXME: merge cookie and rc.2196*/2197* Read our last zero-length frame.2205* This is because kfcgi_control() always ends with an2206* empty frame, regardless of whether we're in an error2207* or not.2208* So if we're this far, we've read the full request,2209* and we should have an empty frame.2210*/2211* Now we can reply to our request.2226* See kworker_parent().2227* These are in a very specific order.2228*/2229* And now the message body itself.2243* We must either have a NULL message or non-zero2244* length.2245*/2246}2265