authorflorian <florian@openbsd.org>2020-02-09 09:44:04 +0000
committerflorian <florian@openbsd.org>2020-02-09 09:44:04 +0000
commit2cf74b7f6387c13fac5557e0e76086e375731574 (patch)
treeec84324b96b059b4b7166d69914fa200c51a94ab /usr.sbin/httpd
parentA getlogin() function which used utmp(5) appeared in v7. (diff)
Implement "strip" option for fastcgi to be able to have multiple chroots
under /var/www for FastCGI servers. From Nazar Zhuk (nazar AT zhuk DOT online), thanks! Ok benno
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r--usr.sbin/httpd/httpd.conf.510
-rw-r--r--usr.sbin/httpd/httpd.h3
-rw-r--r--usr.sbin/httpd/parse.y9
-rw-r--r--usr.sbin/httpd/server_fcgi.c9
4 files changed, 23 insertions, 8 deletions
diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5
index f4ea2e55766..174e12be7ab 100644
--- a/usr.sbin/httpd/httpd.conf.5
+++ b/usr.sbin/httpd/httpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.conf.5,v 1.107 2019/05/08 21:46:56 tb Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.108 2020/02/09 09:44:04 florian Exp $
.\"
.\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: May 8 2019 $
+.Dd $Mdocdate: February 9 2020 $
.Dt HTTPD.CONF 5
.Os
.Sh NAME
@@ -300,6 +300,12 @@ Alternatively if
the FastCGI handler is listening on a TCP socket,
.Ar socket
starts with a colon followed by the TCP port number.
+.It Ic strip Ar number
+Strip
+.Ar number
+path components from the beginning of DOCUMENT_ROOT and
+SCRIPT_FILENAME before sending them to the FastCGI server.
+This allows FastCGI server chroot to be a directory under httpd chroot.
.It Ic param Ar variable value
Sets a variable that will be sent to the FastCGI server.
Each statement defines one variable.
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index b1f17af8cd7..8295e2a5a5b 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.145 2019/05/08 19:57:45 reyk Exp $ */
+/* $OpenBSD: httpd.h,v 1.146 2020/02/09 09:44:04 florian Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -547,6 +547,7 @@ struct server_config {
uint8_t hsts_flags;
struct server_fcgiparams fcgiparams;
+ int fcgistrip;
TAILQ_ENTRY(server_config) entry;
};
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 054302269f4..bc531b5eddb 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.113 2019/06/28 13:32:47 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.114 2020/02/09 09:44:04 florian Exp $ */
/*
* Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
param->name, param->value);
TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
}
+ | STRIP NUMBER {
+ if ($2 < 0 || $2 > INT_MAX) {
+ yyerror("invalid fastcgi strip number");
+ YYERROR;
+ }
+ srv_conf->fcgistrip = $2;
+ }
;
connection : CONNECTION '{' optnl conflags_l '}'
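Review bot: The range check in the new `STRIP NUMBER` alternative only guards the assignment to the int field; any count up to INT_MAX is accepted, and nothing at parse time relates it to the depth of the configured root. A count that is too large therefore passes configuration parsing and only shows up in the paths handed to the FastCGI server at request time. A short comment above the check would make that explicit, e.g. `/* bound protects the int assignment only; depth is not validated against root */`. The fcgiflags rule starts before this hunk.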
diff --git a/usr.sbin/httpd/server_fcgi.c b/usr.sbin/httpd/server_fcgi.c
index 864ce6b16d5..a3b4bf583b3 100644
--- a/usr.sbin/httpd/server_fcgi.c
+++ b/usr.sbin/httpd/server_fcgi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_fcgi.c,v 1.80 2019/05/08 21:41:06 tb Exp $ */
+/* $OpenBSD: server_fcgi.c,v 1.81 2020/02/09 09:44:04 florian Exp $ */
/*
* Copyright (c) 2014 Florian Obser <florian@openbsd.org>
@@ -241,7 +241,8 @@ server_fcgi(struct httpd *env, struct client *clt)
errstr = "failed to encode param";
goto fail;
}
- if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
+ if (fcgi_add_param(&param, "SCRIPT_FILENAME", server_root_strip(script,
+ srv_conf->fcgistrip), clt) == -1) {
errstr = "failed to encode param";
goto fail;
}
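Review bot: The value returned by server_root_strip() is passed straight to fcgi_add_param() for SCRIPT_FILENAME with no check on what is left after stripping. The helper is not part of this diff, so its result when fcgistrip equals or exceeds the number of components in the script path cannot be confirmed here; if it yields an empty or truncated string, the FastCGI server would resolve that name against its own root rather than the script httpd selected. Consider holding the result in a local and failing the request when nothing remains, e.g. `if (*stripped == '\0') { errstr = "fastcgi strip removed script path"; goto fail; }`. The DOCUMENT_ROOT call in the next hunk takes the same unchecked value, though an empty root may be intended there when the FastCGI chroot is the document root itself. server_fcgi() begins and ends outside both hunks.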
@@ -257,8 +258,8 @@ server_fcgi(struct httpd *env, struct client *clt)
goto fail;
}
- if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
- clt) == -1) {
+ if (fcgi_add_param(&param, "DOCUMENT_ROOT", server_root_strip(
+ srv_conf->root, srv_conf->fcgistrip), clt) == -1) {
errstr = "failed to encode param";
goto fail;
}