Limit CGI processes to a particular path.

2020-01-12 13:39:38 +01:00 · 2020-01-12 13:39:38 +01:00 · 8239e7fd3f
parent cadb7b2ea5
commit 8239e7fd3f
2 changed files with 6 additions and 1 deletions
--- a/config.go
+++ b/config.go
@ -12,6 +12,7 @@ type Config struct {
 	DocBase            string
 	HomeDocBase        string
 	LogPath            string
+	CGIPath            string
 }

 func getConfig(filename string) (Config, error) {
@ -26,6 +27,7 @@ func getConfig(filename string) (Config, error) {
 	config.DocBase = "/var/gemini/"
 	config.HomeDocBase = "users"
 	config.LogPath = "molly.log"
+	config.CGIPath = "^/var/gemini/cgi-bin/"

 	// Return defaults if no filename given
 	if filename == "" {
--- a/handler.go
+++ b/handler.go
@ -13,6 +13,7 @@ import (
 		"os"
 		"os/exec"
 		"path/filepath"
+		"regexp"
 		"strconv"
 		"strings"
 		"time"
@ -124,8 +125,10 @@ func handleGeminiRequest(conn net.Conn, config Config, logEntries chan LogEntry)
 		log.Status = 20
 		conn.Write([]byte(generateDirectoryListing(path)))
 		return
+	}
 	// If this file is executable, get dynamic content
-	} else if info.Mode().Perm() & 0111 == 0111 {
+	inCGIPath, err := regexp.Match(config.CGIPath, []byte(path))
+	if inCGIPath && info.Mode().Perm() & 0111 == 0111 {
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
 		cmd := exec.CommandContext(ctx, path)