commit 1c776e4b98985916f464d5df1e5b4768c8c4c7ff from: Omar Polo date: Fri Sep 24 10:52:17 2021 UTC fix possible out-of-bound access While computing the parent directory an out-of-bound access can occur, which usually means the server process dies. In particular, it can be triggered by making a request for a non-existent file in the root of a virtual host if the path matches the `cgi` pattern. Thanks cage for helping in debugging! commit - fba809b5c775fd4d3c28a012259ee3b1908d4e40 commit + 1c776e4b98985916f464d5df1e5b4768c8c4c7ff blob - cec1d6d0e2e6aa441941b1361157d28c890173a9 blob + cf96d9be15028cf16db0a1ff6b28c47ef3880cc7 --- regress/runtime +++ regress/runtime @@ -385,3 +385,13 @@ restart eq "$(head /)" "20 text/gemini" "Unexpected head for /" eq "$(get /)" "# hello world$ln" "Unexpected body for /" echo OK GET / with macro expansion + + +# 1.7.4 bugfix: check_for_cgi goes out-of-bound processing a string +# that doesn't contain a '/' +config '' 'cgi "*"' +checkconf +restart + +eq "$(head /favicon.txt)" "51 not found" "Unexpected head for /" +echo OK GET /favicon.txt with cgi blob - 18fdb6e5878d1d81c9e1cb709bec9fb05c450c8c blob + ddf003a69ee4f33c67e01ffa732c84233e7823bc --- server.c +++ server.c @@ -406,8 +406,12 @@ check_for_cgi(struct client *c) * dirname, with its ambiguities on if the given * pointer is changed or not, gives me headaches. */ - while (*end != '/') + while (*end != '/' && end > path) end--; + + if (end == path) + break; + *end = '\0'; switch (check_path(c, path, &c->pfd)) {
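Review bot: In the regress/runtime hunk, the failure message on the new `eq` line still reads "Unexpected head for /" although the request is for /favicon.txt. It looks copied from the preceding test, so a failure here would point at the wrong case in the test output. Suggest "Unexpected head for /favicon.txt". The test also only asserts the "51 not found" status for a single missing file in the vhost root. Since the bug killed the server process, a follow-up request that is expected to succeed after this one would additionally confirm the server is still alive rather than relying on the status line alone.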
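Review bot: In the server.c hunk, the new `if (end == path) break;` cannot tell "no '/' found" apart from "the only '/' is the first character of path". The loop stops at `path` in both cases, so a path with a leading slash also takes the early exit and never reaches `check_path`. If that is intended, a short comment saying so would help. If not, test `*end != '/'` after the loop instead of comparing pointers. Two smaller points: writing the loop condition as `end > path && *end != '/'` puts the bounds check before the dereference, which is the order a reader expects in a bounds fix, and the guard assumes `end` starts at or after `path`, which is not visible in this hunk and is worth confirming for an empty string.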