1 /*
2  * Copyright (c) 2020-2022 Tracey Emery <tracey@traceyemery.net>
3  * Copyright (c) 2013 David Gwynne <dlg@openbsd.org>
4  * Copyright (c) 2013 Florian Obser <florian@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <arpa/inet.h>
20 #include <sys/queue.h>
21 #include <sys/socket.h>
22 #include <sys/types.h>
23 
24 #include <errno.h>
25 #include <event.h>
26 #include <stdlib.h>
27 #include <stdio.h>
28 #include <string.h>
29 #include <time.h>
30 #include <unistd.h>
31 
32 #include "got_error.h"
33 
34 #include "got_compat.h"
35 
36 #include "proc.h"
37 #include "gotwebd.h"
38 
39 size_t	 fcgi_parse_record(uint8_t *, size_t, struct request *);
40 void	 fcgi_parse_begin_request(uint8_t *, uint16_t, struct request *,
41 	    uint16_t);
42 void	 fcgi_parse_params(uint8_t *, uint16_t, struct request *, uint16_t);
43 void	 fcgi_send_response(struct request *, struct fcgi_response *);
44 
45 void	 dump_fcgi_record_header(const char *, struct fcgi_record_header *);
46 void	 dump_fcgi_begin_request_body(const char *,
47 	    struct fcgi_begin_request_body *);
48 void	 dump_fcgi_end_request_body(const char *,
49 	    struct fcgi_end_request_body *);
50 
51 extern int	 cgi_inflight;
52 extern volatile int client_cnt;
53 
54 void
55 fcgi_request(int fd, short events, void *arg)
56 {
57 	struct request *c = arg;
58 	ssize_t n;
59 	size_t parsed = 0;
60 
61 	n = read(fd, c->buf + c->buf_pos + c->buf_len,
62 	    FCGI_RECORD_SIZE - c->buf_pos-c->buf_len);
63 
64 	switch (n) {
65 	case -1:
66 		switch (errno) {
67 		case EINTR:
68 		case EAGAIN:
69 			return;
70 		default:
71 			goto fail;
72 		}
73 		break;
74 
75 	case 0:
76 		log_debug("closed connection");
77 		goto fail;
78 	default:
79 		break;
80 	}
81 
82 	c->buf_len += n;
83 
84 	/*
85 	 * Parse the records as they are received. Per the FastCGI
86 	 * specification, the server need only receive the FastCGI
87 	 * parameter records in full; it is free to begin execution
88 	 * at that point, which is what happens here.
89 	 */
90 	do {
91 		parsed = fcgi_parse_record(c->buf + c->buf_pos, c->buf_len, c);
92 		if (parsed != 0) {
93 			c->buf_pos += parsed;
94 			c->buf_len -= parsed;
95 		}
96 	} while (parsed > 0 && c->buf_len > 0);
97 
98 	/* Make space for further reads */
99 	if (parsed != 0)
100 		if (c->buf_len > 0) {
101 			bcopy(c->buf + c->buf_pos, c->buf, c->buf_len);
102 			c->buf_pos = 0;
103 		}
104 	return;
105 fail:
106 	fcgi_cleanup_request(c);
107 }
108 
109 size_t
110 fcgi_parse_record(uint8_t *buf, size_t n, struct request *c)
111 {
112 	struct fcgi_record_header *h;
113 
114 	if (n < sizeof(struct fcgi_record_header))
115 		 return 0;
116 
117 	h = (struct fcgi_record_header*) buf;
118 
119 	dump_fcgi_record("", h);
120 
121 	if (n < sizeof(struct fcgi_record_header) + ntohs(h->content_len)
122 	    + h->padding_len)
123 		 return 0;
124 
125 	if (h->version != 1)
126 		log_warn("wrong version");
127 
128 	switch (h->type) {
129 	case FCGI_BEGIN_REQUEST:
130 		fcgi_parse_begin_request(buf +
131 		    sizeof(struct fcgi_record_header),
132 		    ntohs(h->content_len), c, ntohs(h->id));
133 		break;
134 	case FCGI_PARAMS:
135 		fcgi_parse_params(buf + sizeof(struct fcgi_record_header),
136 		    ntohs(h->content_len), c, ntohs(h->id));
137 		break;
138 	case FCGI_STDIN:
139 	case FCGI_ABORT_REQUEST:
140 		fcgi_create_end_record(c);
141 		fcgi_cleanup_request(c);
142 		return 0;
143 	default:
144 		log_warn("unimplemented type %d", h->type);
145 		break;
146 	}
147 
148 	return (sizeof(struct fcgi_record_header) + ntohs(h->content_len)
149 	    + h->padding_len);
150 }
151 
152 void
153 fcgi_parse_begin_request(uint8_t *buf, uint16_t n,
154     struct request *c, uint16_t id)
155 {
156 	/* XXX -- FCGI_CANT_MPX_CONN */
157 	if (c->request_started) {
158 		log_warn("unexpected FCGI_BEGIN_REQUEST, ignoring");
159 		return;
160 	}
161 
162 	if (n != sizeof(struct fcgi_begin_request_body)) {
163 		log_warn("wrong size %d != %lu", n,
164 		    sizeof(struct fcgi_begin_request_body));
165 		return;
166 	}
167 
168 	c->request_started = 1;
169 
170 	c->id = id;
171 	SLIST_INIT(&c->env);
172 	c->env_count = 0;
173 }
174 
175 void
176 fcgi_parse_params(uint8_t *buf, uint16_t n, struct request *c, uint16_t id)
177 {
178 	struct env_val *env_entry;
179 	uint32_t name_len, val_len;
180 	uint8_t *sd, *dr_buf;
181 
182 	if (!c->request_started) {
183 		log_warn("FCGI_PARAMS without FCGI_BEGIN_REQUEST, ignoring");
184 		return;
185 	}
186 
187 	if (c->id != id) {
188 		log_warn("unexpected id, ignoring");
189 		return;
190 	}
191 
192 	if (n == 0) {
193 		gotweb_process_request(c);
194 		return;
195 	}
196 
197 	while (n > 0) {
198 		if (buf[0] >> 7 == 0) {
199 			name_len = buf[0];
200 			n--;
201 			buf++;
202 		} else {
203 			if (n > 3) {
204 				name_len = ((buf[0] & 0x7f) << 24) +
205 				    (buf[1] << 16) + (buf[2] << 8) + buf[3];
206 				n -= 4;
207 				buf += 4;
208 			} else
209 				return;
210 		}
211 
212 		if (n > 0) {
213 			if (buf[0] >> 7 == 0) {
214 				val_len = buf[0];
215 				n--;
216 				buf++;
217 			} else {
218 				if (n > 3) {
219 					val_len = ((buf[0] & 0x7f) << 24) +
220 					    (buf[1] << 16) + (buf[2] << 8) +
221 					     buf[3];
222 					n -= 4;
223 					buf += 4;
224 				} else
225 					return;
226 			}
227 		} else
228 			return;
229 
230 		if (n < name_len + val_len)
231 			return;
232 
233 		if ((env_entry = malloc(sizeof(struct env_val))) == NULL) {
234 			log_warn("cannot malloc env_entry");
235 			return;
236 		}
237 
238 		if ((env_entry->val = calloc(sizeof(char), name_len + val_len +
239 		    2)) == NULL) {
240 			log_warn("cannot allocate env_entry->val");
241 			free(env_entry);
242 			return;
243 		}
244 
245 		bcopy(buf, env_entry->val, name_len);
246 		buf += name_len;
247 		n -= name_len;
248 
249 		env_entry->val[name_len] = '\0';
250 		if (val_len < MAX_QUERYSTRING && strcmp(env_entry->val,
251 		    "QUERY_STRING") == 0 && c->querystring[0] == '\0') {
252 			bcopy(buf, c->querystring, val_len);
253 			c->querystring[val_len] = '\0';
254 		}
255 		if (val_len < GOTWEBD_MAXTEXT && strcmp(env_entry->val,
256 		    "HTTP_HOST") == 0 && c->http_host[0] == '\0') {
257 
258 			/*
259 			 * lazily get subdomain
260 			 * will only get domain if no subdomain exists
261 			 * this can still work if gotweb server name is the same
262 			 */
263 			sd = strchr(buf, '.');
264 			if (sd)
265 				*sd = '\0';
266 
267 			bcopy(buf, c->http_host, val_len);
268 			c->http_host[val_len] = '\0';
269 		}
270 		if (val_len < MAX_DOCUMENT_ROOT && strcmp(env_entry->val,
271 		    "DOCUMENT_ROOT") == 0 && c->document_root[0] == '\0') {
272 
273 			/* drop first char, as it's always / */
274 			dr_buf = &buf[1];
275 
276 			bcopy(dr_buf, c->document_root, val_len - 1);
277 			c->document_root[val_len] = '\0';
278 		}
279 		if (val_len < MAX_SERVER_NAME && strcmp(env_entry->val,
280 		    "SERVER_NAME") == 0 && c->server_name[0] == '\0') {
281 			/* drop first char, as it's always / */
282 
283 			bcopy(buf, c->server_name, val_len);
284 			c->server_name[val_len] = '\0';
285 		}
286 		env_entry->val[name_len] = '=';
287 
288 		bcopy(buf, (env_entry->val) + name_len + 1, val_len);
289 		buf += val_len;
290 		n -= val_len;
291 
292 		SLIST_INSERT_HEAD(&c->env, env_entry, entry);
293 		log_debug("env[%d], %s", c->env_count, env_entry->val);
294 		c->env_count++;
295 	}
296 }
297 
298 void
299 fcgi_timeout(int fd, short events, void *arg)
300 {
301 	fcgi_cleanup_request((struct request*) arg);
302 }
303 
304 int
305 fcgi_gen_binary_response(struct request *c, const uint8_t *data, int len)
306 {
307 	struct fcgi_response *resp;
308 	struct fcgi_record_header *header;
309 	ssize_t n = 0;
310 	int i;
311 
312 	if (c->sock->client_status == CLIENT_DISCONNECT)
313 		return -1;
314 
315 	if (data == NULL)
316 		return 0;
317 
318 	if ((resp = calloc(1, sizeof(struct fcgi_response))) == NULL) {
319 		log_warn("%s: cannot calloc fcgi_response", __func__);
320 		return -1;
321 	}
322 
323 	header = (struct fcgi_record_header*) resp->data;
324 	header->version = 1;
325 	header->type = FCGI_STDOUT;
326 	header->id = htons(c->id);
327 	header->padding_len = 0;
328 	header->reserved = 0;
329 
330 	for (i = 0; i < len; i++) {
331 		resp->data[i+8] = data[i];
332 		n++;
333 	}
334 
335 	header->content_len = htons(n);
336 	resp->data_pos = 0;
337 	resp->data_len = n + sizeof(struct fcgi_record_header);
338 	fcgi_send_response(c, resp);
339 
340 	return 0;
341 }
342 
343 int
344 fcgi_gen_response(struct request *c, const char *data)
345 {
346 	struct fcgi_response *resp;
347 	struct fcgi_record_header *header;
348 	ssize_t n = 0;
349 	int i;
350 
351 	if (c->sock->client_status == CLIENT_DISCONNECT)
352 		return -1;
353 
354 	if (data == NULL)
355 		return 0;
356 
357 	if (strlen(data) == 0)
358 		return 0;
359 
360 	if ((resp = calloc(1, sizeof(struct fcgi_response))) == NULL) {
361 		log_warn("%s: cannot calloc fcgi_response", __func__);
362 		return -1;
363 	}
364 
365 	header = (struct fcgi_record_header*) resp->data;
366 	header->version = 1;
367 	header->type = FCGI_STDOUT;
368 	header->id = htons(c->id);
369 	header->padding_len = 0;
370 	header->reserved = 0;
371 
372 	for (i = 0; i < strlen(data); i++) {
373 		resp->data[i+8] = data[i];
374 		n++;
375 	}
376 
377 	header->content_len = htons(n);
378 	resp->data_pos = 0;
379 	resp->data_len = n + sizeof(struct fcgi_record_header);
380 	fcgi_send_response(c, resp);
381 
382 	return 0;
383 }
384 
385 void
386 fcgi_send_response(struct request *c, struct fcgi_response *resp)
387 {
388 	struct fcgi_record_header *header;
389 	struct timespec ts;
390 	size_t padded_len;
391 	int err = 0, th = 2000;
392 
393 	ts.tv_sec = 0;
394 	ts.tv_nsec = 50;
395 
396 	header = (struct fcgi_record_header*)resp->data;
397 
398 	/* The FastCGI spec suggests to align the output buffer */
399 	padded_len = FCGI_ALIGN(resp->data_len);
400 	if (padded_len > resp->data_len) {
401 		/* There should always be FCGI_PADDING_SIZE bytes left */
402 		if (padded_len > FCGI_RECORD_SIZE)
403 			log_warn("response too long");
404 		header->padding_len = padded_len - resp->data_len;
405 		resp->data_len = padded_len;
406 	}
407 
408 	dump_fcgi_record("resp ", header);
409 
410 	/*
411 	 * XXX: add some simple write heuristics here
412 	 * On slower VMs, spotty connections, etc., we don't want to go right to
413 	 * disconnect. Let's at least try to write the data a few times before
414 	 * giving up.
415 	 */
416 	while ((write(c->fd, resp->data + resp->data_pos,
417 	    resp->data_len)) == -1) {
418 		nanosleep(&ts, NULL);
419 		err++;
420 		if (err == th) {
421 			c->sock->client_status = CLIENT_DISCONNECT;
422 			break;
423 		}
424 	}
425 
426 	free(resp);
427 }
428 
429 void
430 fcgi_create_end_record(struct request *c)
431 {
432 	struct fcgi_response *resp;
433 	struct fcgi_record_header *header;
434 	struct fcgi_end_request_body *end_request;
435 
436 	if ((resp = calloc(1, sizeof(struct fcgi_response))) == NULL) {
437 		log_warn("cannot calloc fcgi_response");
438 		return;
439 	}
440 	header = (struct fcgi_record_header*) resp->data;
441 	header->version = 1;
442 	header->type = FCGI_END_REQUEST;
443 	header->id = htons(c->id);
444 	header->content_len = htons(sizeof(struct
445 	    fcgi_end_request_body));
446 	header->padding_len = 0;
447 	header->reserved = 0;
448 	end_request = (struct fcgi_end_request_body *) (resp->data +
449 	    sizeof(struct fcgi_record_header));
450 	end_request->app_status = htonl(0); /* script_status */
451 	end_request->protocol_status = FCGI_REQUEST_COMPLETE;
452 	end_request->reserved[0] = 0;
453 	end_request->reserved[1] = 0;
454 	end_request->reserved[2] = 0;
455 	resp->data_pos = 0;
456 	resp->data_len = sizeof(struct fcgi_end_request_body) +
457 	    sizeof(struct fcgi_record_header);
458 	fcgi_send_response(c, resp);
459 }
460 
461 void
462 fcgi_cleanup_request(struct request *c)
463 {
464 	cgi_inflight--;
465 	client_cnt--;
466 
467 	evtimer_del(&c->tmo);
468 	if (event_initialized(&c->ev))
469 		event_del(&c->ev);
470 
471 	close(c->fd);
472 	gotweb_free_transport(c->t);
473 	free(c);
474 }
475 
476 void
477 dump_fcgi_record(const char *p, struct fcgi_record_header *h)
478 {
479 	dump_fcgi_record_header(p, h);
480 
481 	if (h->type == FCGI_BEGIN_REQUEST)
482 		dump_fcgi_begin_request_body(p,
483 		    (struct fcgi_begin_request_body *)(h + 1));
484 	else if (h->type == FCGI_END_REQUEST)
485 		dump_fcgi_end_request_body(p,
486 		    (struct fcgi_end_request_body *)(h + 1));
487 }
488 
489 void
490 dump_fcgi_record_header(const char* p, struct fcgi_record_header *h)
491 {
492 	log_debug("%sversion:         %d", p, h->version);
493 	log_debug("%stype:            %d", p, h->type);
494 	log_debug("%srequestId:       %d", p, ntohs(h->id));
495 	log_debug("%scontentLength:   %d", p, ntohs(h->content_len));
496 	log_debug("%spaddingLength:   %d", p, h->padding_len);
497 	log_debug("%sreserved:        %d", p, h->reserved);
498 }
499 
500 void
501 dump_fcgi_begin_request_body(const char *p, struct fcgi_begin_request_body *b)
502 {
503 	log_debug("%srole             %d", p, ntohs(b->role));
504 	log_debug("%sflags            %d", p, b->flags);
505 }
506 
507 void
508 dump_fcgi_end_request_body(const char *p, struct fcgi_end_request_body *b)
509 {
510 	log_debug("%sappStatus:       %d", p, ntohl(b->app_status));
511 	log_debug("%sprotocolStatus:  %d", p, b->protocol_status);
512 }