From 8239e7fd3fd06dfe358fbb8329884d8ba97edc07 Mon Sep 17 00:00:00 2001
From: Solderpunk
Date: Sun, 12 Jan 2020 13:39:38 +0100
Subject: [PATCH] Limit CGI processes to a particular path.
---
 config.go | 2 ++
 handler.go | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/config.go b/config.go
index c6ccef1..5cf1c0a 100644
--- a/config.go
+++ b/config.go
@@ -12,6 +12,7 @@ type Config struct {
 DocBase string
 HomeDocBase string
 LogPath string
+ CGIPath string
 }
 func getConfig(filename string) (Config, error) {
@@ -26,6 +27,7 @@ func getConfig(filename string) (Config, error) {
 config.DocBase = "/var/gemini/"
 config.HomeDocBase = "users"
 config.LogPath = "molly.log"
+ config.CGIPath = "^/var/gemini/cgi-bin/"
 // Return defaults if no filename given
 if filename == "" {
diff --git a/handler.go b/handler.go
index bd7d2a0..d5c5bec 100644
--- a/handler.go
+++ b/handler.go
@@ -13,6 +13,7 @@ import (
 "os"
 "os/exec"
 "path/filepath"
+ "regexp"
 "strconv"
 "strings"
 "time"
@@ -124,8 +125,10 @@ func handleGeminiRequest(conn net.Conn, config Config, logEntries chan LogEntry)
 log.Status = 20
 conn.Write([]byte(generateDirectoryListing(path)))
 return
+ }
 // If this file is executable, get dynamic content
- } else if info.Mode().Perm() & 0111 == 0111 {
+ inCGIPath, err := regexp.Match(config.CGIPath, []byte(path))
+ if inCGIPath && info.Mode().Perm() & 0111 == 0111 {
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 defer cancel()
 cmd := exec.CommandContext(ctx, path)
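Review bot: The new `CGIPath` field in the first config.go hunk holds a regular expression rather than a directory, but nothing at the field or at the default `"^/var/gemini/cgi-bin/"` in the second hunk says so. An operator who sets it to a plain path without the leading `^` ends up with a pattern that matches that text anywhere in a file path, which widens the set of locations from which executables are run. A field comment such as `// CGIPath is a regexp matched against the full filesystem path; anchor it with ^.` would make the contract explicit. It would also help to note that regexp metacharacters in directory names (for example `.`) need escaping.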
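Review bot: In the last handler.go hunk the `err` from `regexp.Match(config.CGIPath, []byte(path))` is never checked, so a malformed `CGIPath` makes `inCGIPath` false on every request with no log entry, and executable files presumably fall through to whatever handling follows this block (outside the hunk). Compiling the pattern once when the config is loaded, with `regexp.Compile(config.CGIPath)` in `getConfig` and a returned error on failure, would surface a bad pattern at startup and avoid recompiling it per request. The test is also purely textual: `path` is built outside the hunk, so it is worth confirming that it has been through `filepath.Clean` and, if symlinks are allowed under the document root, `filepath.EvalSymlinks` before it is matched, otherwise the prefix check does not guarantee the file really lives under the CGI directory. handleGeminiRequest starts and ends outside the hunk.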