client: fix invalid data access through invalid content-length values
diff --git a/cgi.c b/cgi.c
index a2a7e508ecdb37d79c6174fc74b614e7c7b22327..13a0bc480b633cbfdd2f10565595a2a33dd2367c 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -52,12 +52,12 @@ static void cgi_main(struct client *cl, struct path_info *pi, char *url)
                setenv(var->name, var->value, 1);
        }
 
-       chdir(pi->root);
-
-       if (ip)
-               execl(ip->path, ip->path, pi->phys, NULL);
-       else
-               execl(pi->phys, pi->phys, NULL);
+       if (!chdir(pi->root)) {
+               if (ip)
+                       execl(ip->path, ip->path, pi->phys, NULL);
+               else
+                       execl(pi->phys, pi->phys, NULL);
+       }
 
        printf("Status: 500 Internal Server Error\r\n\r\n"
               "Unable to launch the requested CGI program:\n"
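Review bot: Both `execl()` calls inside the new `if (!chdir(pi->root))` block end their argument list with a bare `NULL`. In a variadic call POSIX asks for a null pointer of type `char *`, so `execl(pi->phys, pi->phys, (char *) NULL);` (and the same for the interpreter branch) is the portable form. A short comment above the `if`, such as `/* do not exec the CGI from an unexpected working directory */`, would record why a failed `chdir()` now falls through to the 500 response. The body of cgi_main starts before this hunk and continues past it.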
@@ -67,11 +67,18 @@ static void cgi_main(struct client *cl, struct path_info *pi, char *url)
 static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
 {
        unsigned int mode = S_IFREG | S_IXOTH;
+       char *escaped_url;
 
        if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
+               escaped_url = uh_htmlescape(url);
+
                uh_client_error(cl, 403, "Forbidden",
                                "You don't have permission to access %s on this server.",
-                               url);
+                               escaped_url ? escaped_url : "the url");
+
+               if (escaped_url)
+                       free(escaped_url);
+
                return;
        }
 
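Review bot: The `if (escaped_url)` test in front of `free(escaped_url)` in the 403 branch is unnecessary, because `free(NULL)` is a no-op; `free(escaped_url);` alone is enough, and `escaped_url` could be declared inside that branch, where it is used. A one-line comment above the `uh_htmlescape(url)` call, for example `/* url comes from the request; escape it before it is echoed in the error page */`, would tell the next reader why the raw `url` must not be passed to `uh_client_error`. Whether other `uh_client_error` calls in this file echo request data unescaped is not visible here and is worth checking. The function continues past the hunk.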
@@ -104,7 +111,11 @@ static bool check_cgi_path(struct path_info *pi, const char *url)
        }
 
        pi->ip = NULL;
-       return uh_path_match(conf.cgi_docroot_path, pi->phys);
+
+       if (conf.cgi_docroot_path)
+               return uh_path_match(conf.cgi_docroot_path, pi->phys);
+
+       return false;
 }
 
 struct dispatch_handler cgi_dispatch = {
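Review bot: The new NULL guard at the end of check_cgi_path has no comment saying that an unset `conf.cgi_docroot_path` means no path is treated as CGI; add `/* no CGI docroot path configured: never treat the file as a CGI program */` above the `if`. The two returns could also be written as one, `return conf.cgi_docroot_path && uh_path_match(conf.cgi_docroot_path, pi->phys);`, assuming `uh_path_match` returns a bool-compatible value. The start of the function is outside the hunk.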