commit 3571854e942b2354ae216f340add076d71d0776a from: Omar Polo date: Fri Sep 24 10:48:51 2021 UTC fix possible out-of-bound access While computing the parent directory an out-of-bound access can occur, which usually means the server process dies. In particular, it can be triggered by making a request for a non-existent file in the root of a virtual host if the path matches the `cgi` pattern. Thanks cage for helping in debugging! commit - 353e3c8ebe516943a38d051a0bf390bb6116574c commit + 3571854e942b2354ae216f340add076d71d0776a blob - cec1d6d0e2e6aa441941b1361157d28c890173a9 blob + cf96d9be15028cf16db0a1ff6b28c47ef3880cc7 --- regress/runtime +++ regress/runtime @@ -385,3 +385,13 @@ restart eq "$(head /)" "20 text/gemini" "Unexpected head for /" eq "$(get /)" "# hello world$ln" "Unexpected body for /" echo OK GET / with macro expansion + + +# 1.7.4 bugfix: check_for_cgi goes out-of-bound processing a string +# that doesn't contain a '/' +config '' 'cgi "*"' +checkconf +restart + +eq "$(head /favicon.txt)" "51 not found" "Unexpected head for /" +echo OK GET /favicon.txt with cgi blob - 473e1117d93d24ec3ebb4774ba959a5b2ddcb7af blob + e07d6bcebcb38c8468ad7a5b0e078d2defedd84f --- server.c +++ server.c @@ -406,8 +406,12 @@ check_for_cgi(struct client *c) * dirname, with its ambiguities on if the given * pointer is changed or not, gives me headaches. */ - while (*end != '/') + while (*end != '/' && end > path) end--; + + if (end == path) + break; + *end = '\0'; switch (check_path(c, path, &c->pfd)) {
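Review bot: In the regress/runtime hunk, the failure message on the new `eq` line still reads "Unexpected head for /" although the request is for /favicon.txt, so a failing run would point at the wrong test. Suggest "Unexpected head for /favicon.txt" to match the `echo OK GET /favicon.txt with cgi` line that follows. The new case only covers a non-existent file in the root of the virtual host; a second `eq` under the same `cgi "*"` config for a non-existent path that does contain a '/' would also exercise the loop when it stops on a separator rather than on the start of the string.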
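Review bot: In the server.c hunk of check_for_cgi, the new `if (end == path) break;` fires both when the string contains no '/' and when the only remaining '/' sits at index 0, and nothing in the hunk says whether both cases are meant to stop the walk. A one-line comment above the check stating the intent would help, and since the enclosing loop is outside the hunk it is worth confirming that the code reached by `break` treats this as "no CGI script found". In the loop condition I would also put the bound first, `while (end > path && *end != '/')`, so the guard is read before the dereference; behaviour is unchanged as long as `end` starts at or after `path`.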