Slightly tweaked diff by me, fixing "new sentence new line" in the man page.
This is OK florian@ if someone wants to commit it or I can commit it if someone OKs it. diff --git httpd.conf.5 httpd.conf.5 index f4ea2e55766..494271672ea 100644 --- httpd.conf.5 +++ httpd.conf.5 @@ -300,6 +300,12 @@ Alternatively if the FastCGI handler is listening on a TCP socket, .Ar socket starts with a colon followed by the TCP port number. +.It Ic strip Ar number +Strip +.Ar number +path components from the beginning of DOCUMENT_ROOT and +SCRIPT_FILENAME before sending them to the FastCGI server. +This allows FastCGI server chroot to be a directory under httpd chroot. .It Ic param Ar variable value Sets a variable that will be sent to the FastCGI server. Each statement defines one variable. diff --git httpd.h httpd.h index b1f17af8cd7..b22586974a5 100644 --- httpd.h +++ httpd.h @@ -547,6 +547,7 @@ struct server_config { uint8_t hsts_flags; struct server_fcgiparams fcgiparams; + int fcgistrip; TAILQ_ENTRY(server_config) entry; }; diff --git parse.y parse.y index 054302269f4..109efd36a9f 100644 --- parse.y +++ parse.y @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING { param->name, param->value); TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry); } + | STRIP NUMBER { + if ($2 < 0 || $2 > INT_MAX) { + yyerror("invalid fastcgi strip number"); + YYERROR; + } + srv_conf->fcgistrip = $2; + } ; connection : CONNECTION '{' optnl conflags_l '}' diff --git server_fcgi.c server_fcgi.c index 864ce6b16d5..a85b5b44804 100644 --- server_fcgi.c +++ server_fcgi.c @@ -241,7 +241,8 @@ server_fcgi(struct httpd *env, struct client *clt) errstr = "failed to encode param"; goto fail; } - if (fcgi_add_param(¶m, "SCRIPT_FILENAME", script, clt) == -1) { + if (fcgi_add_param(¶m, "SCRIPT_FILENAME", server_root_strip(script, + srv_conf->fcgistrip), clt) == -1) { errstr = "failed to encode param"; goto fail; } 
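Review bot: The `STRIP NUMBER` action only bounds the value to `0..INT_MAX`, so a count larger than the number of path components in the configured root is accepted without any diagnostic. What `server_root_strip()` returns in that case is not visible in this diff, so whether the FastCGI server then receives an empty or truncated DOCUMENT_ROOT needs to be confirmed. Because the root may be set after this statement in the same block, the depth comparison probably belongs where the server block is finalized rather than in this action. Nothing in the diff touches inheritance code, so it is also worth confirming that `fcgistrip` reaches location blocks that inherit the parent's fastcgi settings. The `fcgiflags` rule starts outside the hunk.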
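Review bot: The result of `server_root_strip(script, srv_conf->fcgistrip)` is passed straight to `fcgi_add_param()` with no check that anything of the root prefix is left. The count applies to the whole `script` string, so if `script` is the root followed by the request path (it is built outside the hunk), an oversized count would start removing request-derived components. SCRIPT_FILENAME would then name a different file than the one httpd resolved. The DOCUMENT_ROOT call in the `-257,8 +258,8` hunk has the same gap. Consider storing the stripped pointer in a local and failing the request when it is empty, e.g. `if (*stripped == '\0') { errstr = "invalid fastcgi strip"; goto fail; }`, and adding a comment such as `/* fcgistrip must not exceed the depth of srv_conf->root */` above both calls.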
@@ -257,8 +258,8 @@ server_fcgi(struct httpd *env, struct client *clt) goto fail; } - if (fcgi_add_param(¶m, "DOCUMENT_ROOT", srv_conf->root, - clt) == -1) { + if (fcgi_add_param(¶m, "DOCUMENT_ROOT", server_root_strip( + srv_conf->root, srv_conf->fcgistrip), clt) == -1) { errstr = "failed to encode param"; goto fail; } On Sat, Jan 18, 2020 at 07:19:33AM +0100, Nazar Zhuk wrote: > On Tue, Jan 14, 2020 at 03:07:05PM +0100, Florian Obser wrote: > > I like the idea. Unfortunately the diff does not apply. > Looks like I had formatting issues there. This should apply cleanly now. > > > Index: usr.sbin/httpd/httpd.conf.5 > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v > retrieving revision 1.107 > diff -u -p -u -r1.107 httpd.conf.5 > --- usr.sbin/httpd/httpd.conf.5 8 May 2019 21:46:56 -0000 1.107 > +++ usr.sbin/httpd/httpd.conf.5 17 Jan 2020 06:20:14 -0000 > @@ -300,6 +300,10 @@ Alternatively if > the FastCGI handler is listening on a TCP socket, > .Ar socket > starts with a colon followed by the TCP port number. > +.It Ic strip Ar number > +Strip > +.Ar number > +path components from the beginning of DOCUMENT_ROOT and SCRIPT_FILENAME > before sending them to the FastCGI server. This allows FastCGI server chroot > to be a directory under httpd chroot. > .It Ic param Ar variable value > Sets a variable that will be sent to the FastCGI server. > Each statement defines one variable. > Index: usr.sbin/httpd/httpd.h > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v > retrieving revision 1.145 > diff -u -p -u -r1.145 httpd.h > --- usr.sbin/httpd/httpd.h 8 May 2019 19:57:45 -0000 1.145 > +++ usr.sbin/httpd/httpd.h 17 Jan 2020 06:20:14 -0000 
> @@ -547,6 +547,7 @@ struct server_config { > uint8_t hsts_flags; > > struct server_fcgiparams fcgiparams; > + int fcgistrip; > > TAILQ_ENTRY(server_config) entry; > }; > Index: usr.sbin/httpd/parse.y > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/parse.y,v > retrieving revision 1.113 > diff -u -p -u -r1.113 parse.y > --- usr.sbin/httpd/parse.y 28 Jun 2019 13:32:47 -0000 1.113 > +++ usr.sbin/httpd/parse.y 17 Jan 2020 06:20:15 -0000 > @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING { > param->name, param->value); > TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry); > } > + | STRIP NUMBER { > + if ($2 < 0 || $2 > INT_MAX) { > + yyerror("invalid fastcgi strip number"); > + YYERROR; > + } > + srv_conf->fcgistrip = $2; > + } > ; > > connection : CONNECTION '{' optnl conflags_l '}' > Index: usr.sbin/httpd/server_fcgi.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v > retrieving revision 1.80 > diff -u -p -u -r1.80 server_fcgi.c > --- usr.sbin/httpd/server_fcgi.c 8 May 2019 21:41:06 -0000 1.80 > +++ usr.sbin/httpd/server_fcgi.c 17 Jan 2020 06:20:15 -0000 > @@ -241,7 +241,9 @@ server_fcgi(struct httpd *env, struct cl > errstr = "failed to encode param"; > goto fail; > } > - if (fcgi_add_param(¶m, "SCRIPT_FILENAME", script, clt) == -1) { > + if (fcgi_add_param(¶m, "SCRIPT_FILENAME", > + server_root_strip(script, srv_conf->fcgistrip), > + clt) == -1) { > errstr = "failed to encode param"; > goto fail; > } > @@ -257,7 +259,8 @@ server_fcgi(struct httpd *env, struct cl > goto fail; > } > > - if (fcgi_add_param(¶m, "DOCUMENT_ROOT", srv_conf->root, > + if (fcgi_add_param(¶m, "DOCUMENT_ROOT", > + server_root_strip(srv_conf->root, srv_conf->fcgistrip), > clt) == -1) { > errstr = "failed to encode param"; > goto fail; > -- I'm not entirely sure you are real.