svn commit: r370135 - in head/www/fcgiwrap: . files
John Marino
marino at FreeBSD.org
Sun Oct 5 23:37:47 UTC 2014
Author: marino
Date: Sun Oct 5 23:37:46 2014
New Revision: 370135
URL: https://svnweb.freebsd.org/changeset/ports/370135
QAT: https://qat.redports.org/buildarchive/r370135/
Log:
www/fcgiwrap: Improve binary strip handling, add new feature
PR: 192907
Final version: maintainer (fonz)
Added:
head/www/fcgiwrap/files/patch-fcgiwrap.8 (contents, props changed)
Modified:
head/www/fcgiwrap/Makefile
head/www/fcgiwrap/files/patch-fcgiwrap.c
Modified: head/www/fcgiwrap/Makefile
==============================================================================
--- head/www/fcgiwrap/Makefile Sun Oct 5 23:25:46 2014 (r370134)
+++ head/www/fcgiwrap/Makefile Sun Oct 5 23:37:46 2014 (r370135)
@@ -2,7 +2,7 @@
PORTNAME= fcgiwrap
PORTVERSION= 1.1.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www
MASTER_SITES= GH \
http://www.skysmurf.nl/comp/FreeBSD/distfiles/
@@ -31,9 +31,7 @@ GNU_CONFIGURE= yes
PLIST_FILES= sbin/fcgiwrap man/man8/fcgiwrap.8.gz
post-patch:
- @${REINPLACE_CMD} 's/@prefix@@mandir@/@mandir@/' ${WRKSRC}/Makefile.in
-
-post-stage:
- ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/fcgiwrap
+ @${REINPLACE_CMD} -e 's/@prefix@@mandir@/@mandir@/'\
+ -e 's|-m 755 fcgiwrap|-s -m 755 fcgiwrap|' ${WRKSRC}/Makefile.in
.include <bsd.port.mk>
Added: head/www/fcgiwrap/files/patch-fcgiwrap.8
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/fcgiwrap/files/patch-fcgiwrap.8 Sun Oct 5 23:37:46 2014 (r370135)
@@ -0,0 +1,21 @@
+--- fcgiwrap.8.orig 2014-09-22 12:44:32.000000000 +0200
++++ fcgiwrap.8 2014-09-22 12:51:14.000000000 +0200
+@@ -42,6 +42,9 @@
+ tests this option may be used. Valid socket_urls include \fIunix:/path/to/unix/socket\fP,
+ \fItcp:dot.ted.qu.ad:port\fP and \fItcp6:[ipv6_addr]:port\fP.
+ .TP
++.B \-p \fIpath\fP
++Restrict execution to the given path. Repeated options will be merged.
++.TP
+ .B \-h
+ Show a help message and exit.
+
+@@ -113,3 +116,8 @@
+ This manual page was written by Jordi Mallach <jordi at debian.org>
+ (with contributions by Grzegorz Nosek)
+ for the Debian project (and may be used by others).
++.PP
++The
++.B \-p
++option was contributed by <takefu at airport.fm> as an addition to the FreeBSD
++port.
Modified: head/www/fcgiwrap/files/patch-fcgiwrap.c
==============================================================================
--- head/www/fcgiwrap/files/patch-fcgiwrap.c Sun Oct 5 23:25:46 2014 (r370134)
+++ head/www/fcgiwrap/files/patch-fcgiwrap.c Sun Oct 5 23:37:46 2014 (r370135)
@@ -1,5 +1,5 @@
---- ./fcgiwrap.c.orig 2010-06-03 16:18:21.000000000 +0200
-+++ ./fcgiwrap.c 2010-06-15 14:54:38.232029168 +0200
+--- fcgiwrap.c.orig 2014-09-22 12:36:32.000000000 +0200
++++ fcgiwrap.c 2014-09-22 12:41:59.000000000 +0200
@@ -43,6 +43,7 @@
#include <ctype.h>
@@ -7,4 +7,76 @@
+#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/un.h>
+ #include <netinet/in.h>
+@@ -58,6 +59,8 @@
+ extern char **environ;
+ static char * const * inherited_environ;
++static const char **allowed_programs;
++static size_t allowed_programs_count;
+
+ static const char * blacklisted_env_vars[] = {
+ "AUTH_TYPE",
+@@ -485,6 +488,19 @@
+ }
+ }
+
++static bool is_allowed_program(const char *program) {
++ size_t i;
++ if (!allowed_programs_count)
++ return true;
++
++ for (i = 0; i < allowed_programs_count; i++) {
++ if (!strcmp(allowed_programs[i], program))
++ return true;
++ }
++
++ return false;
++}
++
+ static void cgi_error(const char *message, const char *reason, const char *filename)
+ {
+ printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n",
+@@ -541,6 +557,9 @@
+ if (!filename)
+ cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL);
+
++ if (!is_allowed_program(filename))
++ cgi_error("403 Forbidden", "The given script is not allowed to execute", filename);
++
+ last_slash = strrchr(filename, '/');
+ if (!last_slash)
+ cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename);
+@@ -760,7 +779,7 @@
+ char *socket_url = NULL;
+ int c;
+
+- while ((c = getopt(argc, argv, "c:hfs:")) != -1) {
++ while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) {
+ switch (c) {
+ case 'f':
+ stderr_to_fastcgi++;
+@@ -773,6 +792,7 @@
+ " -c <number>\t\tNumber of processes to prefork\n"
+ " -s <socket_url>\tSocket to bind to (say -s help for help)\n"
+ " -h\t\t\tShow this help message and exit\n"
++ " -p <path>\t\tRestrict execution to this script. (repeated options will be merged)\n"
+ "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n"
+ PACKAGE_NAME" home page: <http://nginx.localdomain.pl/wiki/FcgiWrap>\n",
+ argv[0]
+@@ -784,8 +804,14 @@
+ case 's':
+ socket_url = strdup(optarg);
+ break;
++ case 'p':
++ allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *));
++ if (!allowed_programs)
++ abort();
++ allowed_programs[allowed_programs_count++] = strdup(optarg);
++ break;
+ case '?':
+- if (optopt == 'c' || optopt == 's')
++ if (optopt == 'c' || optopt == 's' || optopt == 'p')
+ fprintf(stderr, "Option -%c requires an argument.\n", optopt);
+ else if (isprint(optopt))
+ fprintf(stderr, "Unknown option `-%c'.\n", optopt);
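Review bot: In the new `case 'p':` branch the result of `strdup(optarg)` is stored unchecked, so an allocation failure leaves a NULL entry that `is_allowed_program()` later hands to `strcmp()` on every request. The `realloc` just above it is checked, and the copy deserves the same: `char *entry = strdup(optarg);`, `if (!entry) abort();`, `allowed_programs[allowed_programs_count++] = entry;`. Separately, `is_allowed_program()` is a byte-for-byte `strcmp()` against the script filename computed for the request, and no canonicalisation is visible in this patch, so a `-p` value that is a directory, a relative path or a differently spelled path (a trailing slash, for example) matches nothing and every request gets the 403, while an empty list permits everything. That fails closed, but the man page wording "Restrict execution to the given path" can be read as a prefix match; a comment above the function such as `/* Exact string match on the script filename; an empty list means no restriction. */`, with the same wording in the usage text, would make the contract explicit. The option-parsing loop continues outside this hunk.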