As noticed in this roundcubemail issue: https://github.com/roundcube/roundcubemail/issues/5772
httpd "breaks" attachments with non-ASCII filenames. Truncating the
header is fine, but httpd then adds the rest of the headers to the
content, thus corrupting the attachment, which is not so nice.
roundcubemail is going to fix this by using the standard encoding, but
still, maybe httpd could be nicer, like this:
Index: httpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.67
diff -u -p -u -r1.67 httpd.c
--- httpd.c 28 May 2017 10:37:26 -0000 1.67
+++ httpd.c 14 Jun 2017 19:50:02 -0000
@@ -828,7 +828,13 @@ evbuffer_getline(struct evbuffer *evb)
return (NULL);
}
- str[i] = '\0';
+ if (str[i] != '\0') {
+ str[i] = '\0';
+ }
+ else {
+ while(i < len && ptr[i] != '\r' && ptr[i] != '\n')
+ i++;
+ }
if ((i + 1) < len) {
if (ptr[i] == '\r' && ptr[i + 1] == '\n')
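Review bot: The skip loop in the new `else` branch can stop at `i == len` when the buffer holds no '\r' or '\n' after the non-printable byte, and nothing in the hunk re-checks that case before falling through to the `(i + 1) < len` test. The truncated string would then be returned as a complete line, and the remainder of that header, if it arrives in a later FastCGI record, would presumably be parsed as a fresh line. Consider repeating the incomplete-line bail-out after the loop, e.g. `if (i == len) { free(str); return (NULL); }` (assuming str is heap-allocated by get_string(), which the page does not show). The header is also still forwarded truncated at the first non-printable byte (the trace shows `Content-Disposition: \"p`), so dropping or rejecting such a header with a log message may be safer than passing a partial value to the client. evbuffer_getline's body starts and ends outside the hunk.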
get_string() stops as soon as it sees a !isprint character but leaves the
buffer as it is, so the next time it gets called the buffer starts with
a !isprint char and this returns != NULL but *line = '\0', thus stopping
the header parsing, and the rest then ends up in the body. The above diff
tries to amend this by consuming the rest of the line until '\r' or '\n'.
Here is a repro case, with ./httpd -d -v -v debug output showing the
issue, and with DPRINTFs added:
Index: httpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.67
diff -u -p -u -r1.67 httpd.c
--- httpd.c 28 May 2017 10:37:26 -0000 1.67
+++ httpd.c 14 Jun 2017 08:00:18 -0000
@@ -813,7 +813,7 @@ evbuffer_getline(struct evbuffer *evb)
size_t len = EVBUFFER_LENGTH(evb);
char *str;
size_t i;
-
+ DPRINTF("%s: ptr=<%s> len=%zd", __func__, ptr, len);
/* Safe version of evbuffer_readline() */
if ((str = get_string(ptr, len)) == NULL)
return (NULL);
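Review bot: The added DPRINTF prints `ptr` with `%s`, but ptr is raw evbuffer data with an explicit length `len` and nothing visible guarantees a terminating NUL, so the debug print could read past the end of the buffer. `len` is a size_t and should be formatted with `%zu` rather than `%zd`. A bounded form such as `DPRINTF("%s: ptr=<%.*s> len=%zu", __func__, (int)len, ptr, len);` addresses both. The data comes from the FastCGI backend and can contain non-printable bytes, as the trace shows, so this raw dump should stay in the repro build only. The declaration of ptr and the rest of the function are outside the hunk.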
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 server_fcgi.c
--- server_fcgi.c 21 Jan 2017 11:32:04 -0000 1.74
+++ server_fcgi.c 14 Jun 2017 08:00:18 -0000
@@ -766,7 +766,7 @@ server_fcgi_getheaders(struct client *cl
if ((value = strchr(key, ':')) == NULL)
break;
-
+ DPRINTF("%s: line=<%s>", __func__, line);
*value++ = '\0';
value += strspn(value, " \t");
accept_reserve: inflight incremented, now 1
server_read_http: session 1: size 461, to read -2
server_read_http: session 1: header 'GET: /a.php HTTP/1.1'
server_read_http: session 1: header 'Host: 127.0.0.1:8080'
server_read_http: session 1: header 'User-Agent: Mozilla/5.0 (Macintosh; Intel
Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0'
server_read_http: session 1: header 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
server_read_http: session 1: header 'Accept-Language: en-US,en;q=0.5'
server_read_http: session 1: header 'Accept-Encoding: gzip, deflate'
server_read_http: session 1: header 'Cookie: csrftoken=XXXXXXXXXXXXX;
sessionid=YYYYYYYYYYYYYYYYYY'
server_read_http: session 1: header 'Connection: keep-alive'
server_read_http: session 1: header 'Upgrade-Insecure-Requests: 1'
server_response: virtual host "default:8080" host "127.0.0.1:8080" ("127.0.0.1")
server_getlocation: location "*.php" path "/a.php"
fcgi_add_param: PATH_INFO[9] => [0], total_len: 0
fcgi_add_param: SCRIPT_NAME[11] => /a.php[6], total_len: 11
fcgi_add_param: SCRIPT_FILENAME[15] => /roundcubemail//a.php[21], total_len: 30
fcgi_add_param: QUERY_STRING[12] => [0], total_len: 68
fcgi_add_param: DOCUMENT_ROOT[13] => /roundcubemail/[15], total_len: 82
fcgi_add_param: DOCUMENT_URI[12] => /a.php[6], total_len: 112
fcgi_add_param: GATEWAY_INTERFACE[17] => CGI/1.1[7], total_len: 132
fcgi_add_param: HTTP_ACCEPT[11] =>
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[63], total_len:
158
fcgi_add_param: HTTP_ACCEPT_ENCODING[20] => gzip, deflate[13], total_len: 234
fcgi_add_param: HTTP_ACCEPT_LANGUAGE[20] => en-US,en;q=0.5[14], total_len: 269
fcgi_add_param: HTTP_CONNECTION[15] => keep-alive[10], total_len: 305
fcgi_add_param: HTTP_COOKIE[11] => csrftoken=XXXXXXXXXXXXXXXXX;
sessionid=YYYYYYYYYYYYYYYYYYYYy[118], total_len: 332
fcgi_add_param: HTTP_HOST[9] => 127.0.0.1:8080[14], total_len: 463
fcgi_add_param: HTTP_UPGRADE_INSECURE_REQUESTS[30] => 1[1], total_len: 488
fcgi_add_param: HTTP_USER_AGENT[15] => Mozilla/5.0 (Macintosh; Intel Mac OS X
10.12; rv:53.0) Gecko/20100101 Firefox/53.0[82], total_len: 521
fcgi_add_param: REMOTE_ADDR[11] => 127.0.0.1[9], total_len: 620
fcgi_add_param: REMOTE_PORT[11] => 46248[5], total_len: 642
fcgi_add_param: REQUEST_METHOD[14] => GET[3], total_len: 660
fcgi_add_param: REQUEST_URI[11] => /a.php[6], total_len: 679
fcgi_add_param: SERVER_ADDR[11] => 127.0.0.1[9], total_len: 698
fcgi_add_param: SERVER_PORT[11] => 8080[4], total_len: 720
fcgi_add_param: SERVER_NAME[11] => default[7], total_len: 737
fcgi_add_param: SERVER_PROTOCOL[15] => HTTP/1.1[8], total_len: 757
fcgi_add_param: SERVER_SOFTWARE[15] => OpenBSD httpd[13], total_len: 782
server_fcgi_read: len: 8 toread: 0 state: 0 type: 0
server_fcgi_read: record header: version 1 type 6 id 1 content len 95 padding 1
server_fcgi_read: len: 95 toread: 0 state: 1 type: 6
evbuffer_getline: ptr=<X-Powered-By: PHP/5.5.38
Content-Disposition: \"p�äö.png\"
Content-type: text/html
LOL2> len=95
server_fcgi_getheaders: line=<X-Powered-By: PHP/5.5.38>
server_fcgi_getheaders: X-Powered-By: PHP/5.5.38
evbuffer_getline: ptr=<Content-Disposition: \"p�äö.png\"
Content-type: text/html
LOL2> len=69
server_fcgi_getheaders: line=<Content-Disposition: \"p>
server_fcgi_getheaders: Content-Disposition: \"p
evbuffer_getline: ptr=<�äö.png\"
Content-type: text/html
LOL2> len=44
version: HTTP/1.1 rescode: 200 resmsg: OK
server_writeheader_http: Connection: keep-alive
server_writeheader_http: Content-Disposition: \"p
server_writeheader_http: Date: Wed, 14 Jun 2017 07:57:39 GMT
server_writeheader_http: Server: OpenBSD httpd
server_writeheader_http: Transfer-Encoding: chunked
server_writeheader_http: X-Powered-By: PHP/5.5.38
server_fcgi_read: len: 1 toread: 0 state: 2 type: 6
server_fcgi_read: len: 8 toread: 0 state: 0 type: 6
server_fcgi_read: record header: version 1 type 3 id 1 content len 8 padding 0
server_fcgi_read: len: 8 toread: 0 state: 1 type: 3
server_fcgi_read: len: 0 toread: 8 state: 0 type: 3
proc_dispatch: logger 1 got imsg 17 peerid -1 from server 2
default 127.0.0.1 - - [14/Jun/2017:09:57:39 +0200] "GET /a.php HTTP/1.1" 200 0
And then the same trace after the diff was applied:
accept_reserve: inflight incremented, now 1
server_read_http: session 1: size 506, to read -2
server_read_http: session 1: header 'GET: /a.php HTTP/1.1'
server_read_http: session 1: header 'Host: 127.0.0.1:8080'
server_read_http: session 1: header 'User-Agent: Mozilla/5.0 (Macintosh; Intel
Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0'
server_read_http: session 1: header 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
server_read_http: session 1: header 'Accept-Language: en-US,en;q=0.5'
server_read_http: session 1: header 'Accept-Encoding: gzip, deflate'
server_read_http: session 1: header 'Cookie: csrftoken=XXXXXXXX;
sessionid=YYYYY; roundcube_sessid=ZZZZZZ'
server_read_http: session 1: header 'Connection: keep-alive'
server_read_http: session 1: header 'Upgrade-Insecure-Requests: 1'
server_response: virtual host "default:8080" host "127.0.0.1:8080" ("127.0.0.1")
server_getlocation: location "*.php" path "/a.php"
fcgi_add_param: PATH_INFO[9] => [0], total_len: 0
fcgi_add_param: SCRIPT_NAME[11] => /a.php[6], total_len: 11
fcgi_add_param: SCRIPT_FILENAME[15] => /roundcubemail//a.php[21], total_len: 30
fcgi_add_param: QUERY_STRING[12] => [0], total_len: 68
fcgi_add_param: DOCUMENT_ROOT[13] => /roundcubemail/[15], total_len: 82
fcgi_add_param: DOCUMENT_URI[12] => /a.php[6], total_len: 112
fcgi_add_param: GATEWAY_INTERFACE[17] => CGI/1.1[7], total_len: 132
fcgi_add_param: HTTP_ACCEPT[11] =>
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[63], total_len:
158
fcgi_add_param: HTTP_ACCEPT_ENCODING[20] => gzip, deflate[13], total_len: 234
fcgi_add_param: HTTP_ACCEPT_LANGUAGE[20] => en-US,en;q=0.5[14], total_len: 269
fcgi_add_param: HTTP_CONNECTION[15] => keep-alive[10], total_len: 305
fcgi_add_param: HTTP_COOKIE[11] => csrftoken=XXXXXX; sessionid=YYYY;
roundcube_sessid=ZZZZZZ[163], total_len: 332
fcgi_add_param: HTTP_HOST[9] => 127.0.0.1:8080[14], total_len: 511
fcgi_add_param: HTTP_UPGRADE_INSECURE_REQUESTS[30] => 1[1], total_len: 536
fcgi_add_param: HTTP_USER_AGENT[15] => Mozilla/5.0 (Macintosh; Intel Mac OS X
10.12; rv:53.0) Gecko/20100101 Firefox/53.0[82], total_len: 569
fcgi_add_param: REMOTE_ADDR[11] => 127.0.0.1[9], total_len: 668
fcgi_add_param: REMOTE_PORT[11] => 7578[4], total_len: 690
fcgi_add_param: REQUEST_METHOD[14] => GET[3], total_len: 707
fcgi_add_param: REQUEST_URI[11] => /a.php[6], total_len: 726
fcgi_add_param: SERVER_ADDR[11] => 127.0.0.1[9], total_len: 745
fcgi_add_param: SERVER_PORT[11] => 8080[4], total_len: 767
fcgi_add_param: SERVER_NAME[11] => default[7], total_len: 784
fcgi_add_param: SERVER_PROTOCOL[15] => HTTP/1.1[8], total_len: 804
fcgi_add_param: SERVER_SOFTWARE[15] => OpenBSD httpd[13], total_len: 829
server_fcgi_read: len: 8 toread: 0 state: 0 type: 0
server_fcgi_read: record header: version 1 type 6 id 1 content len 95 padding 1
server_fcgi_read: len: 95 toread: 0 state: 1 type: 6
evbuffer_getline: ptr=<X-Powered-By: PHP/5.5.38
Content-Disposition: \"p�äö.png\"
Content-type: text/html
LOL2> len=95
server_fcgi_getheaders: line=<X-Powered-By: PHP/5.5.38>
server_fcgi_getheaders: X-Powered-By: PHP/5.5.38
evbuffer_getline: ptr=<Content-Disposition: \"p�äö.png\"
Content-type: text/html
LOL2> len=69
server_fcgi_getheaders: line=<Content-Disposition: \"p>
server_fcgi_getheaders: Content-Disposition: \"p
evbuffer_getline: ptr=<Content-type: text/html
LOL2> len=31
server_fcgi_getheaders: line=<Content-type: text/html>
server_fcgi_getheaders: Content-type: text/html
evbuffer_getline: ptr=<
LOL2> len=6
version: HTTP/1.1 rescode: 200 resmsg: OK
server_writeheader_http: Connection: keep-alive
server_writeheader_http: Content-Disposition: \"p
server_writeheader_http: Content-type: text/html
server_writeheader_http: Date: Wed, 14 Jun 2017 10:33:03 GMT
server_writeheader_http: Server: OpenBSD httpd
server_writeheader_http: Transfer-Encoding: chunked
server_writeheader_http: X-Powered-By: PHP/5.5.38
server_fcgi_read: len: 1 toread: 0 state: 2 type: 6
server_fcgi_read: len: 8 toread: 0 state: 0 type: 6
server_fcgi_read: record header: version 1 type 3 id 1 content len 8 padding 0
server_fcgi_read: len: 8 toread: 0 state: 1 type: 3
server_fcgi_read: len: 0 toread: 8 state: 0 type: 3
proc_dispatch: logger 1 got imsg 17 peerid -1 from server 3
default 127.0.0.1 - - [14/Jun/2017:12:33:03 +0200] "GET /a.php HTTP/1.1" 200 0
Attaching the a.php and inlining the httpd.conf used:
<<attachment: a.php>>
server "default" {
listen on 127.0.0.1 port 8080
directory index "index.php"
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
root "/roundcubemail/"
}
# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}
/gabriel
