On Fri, Sep 27, 2019 at 09:28:39AM +0200, Solene Rapenne wrote: > On Thu, Sep 26, 2019 at 05:40:38PM +0200, Otto Moerbeek wrote: > > On Thu, Sep 26, 2019 at 05:27:08PM +0200, Solene Rapenne wrote: > > > > > Hi, now that we have OpenBSD::pledge I thought it would be nice to use > > > it in devel/cvsweb > > > > > > I've been able to tight it to "rpath proc exec prot_exec", removing > > > wpath and cpath was possible by commenting lines piping STDERROR to > > > /dev/null, that doesn't mean creating dev/null is not required anymore, > > > it's still required for cvsweb to work correctly (due to rlog I think). > > > > > > I updated pkg/README because this requires OpenBSD/Pledge.pm and a so > > > file to be copied into the chroot too. > > > > > > I had some testing on www repository by lot of people and it worked > > > perfectly. > > > > Be careful that error messages do not show up on the web pages > > generated by not redirecting stderr... > > > > -Otto > > at least slowcgi discard stderr output, not sure for others cgi. > if you have a better way (not writing to something) to discard the > stderr output that would be better than making slowcgi ignoring it.
That's not exactly how this works. Slowcgi transports stderr, but it does not mix stdout and stderr. There is a record type for stderr in the FastCGI spec. Slowcgi transmits stderr inside of that. It's the webserver that does something with stderr, either drop it on the floor or log it to the error log. In practice it does not matter, stderr does not show up on the delivered webpage. But if someone is looking for the error output they at least have a chance of finding it. -- I'm not entirely sure you are real.
