On Tue, 24 Sep 2019 21:16:05 +0200 Hiltjo Posthuma <hil...@codemadness.org> wrote:
Dear Hiltjo, > Sorry to go a bit off-topic here, but I quickly tested and reviewed > the CGI patch. This CGI patch is broken. A basic `quark -h 127.0.0.1 > -p 8080` serving some page always returns HTTP 400 "Bad request". > > A few bounds checks seem not to use good code practises like: > > * all other data will be later passed to script */ > sprintf(r->cgicont, "%s", p); > > It seems it allows only a maximum of PATH_MAX bytes of POST data too. > > and: > > snprintf(realtarget, sizeof(tmptarget) + sizeof(s.cgi[i].dir) > - 1, "%s%s", s.cgi[i].dir, tmptarget); > > The patch filename is also named incorrectly on the wiki. > > I CC'd the patch author. thanks for the heads up! I think at least in regard to the HTTP 400 it might be due to the pledge disallowing something, killing the cgi-process. But this is just from the top of my head and I haven't looked into it. With best regards Laslo