Must really be safe_read(), not full_read()? (was: [PATCH] fix httpd lockup in cgi POSTs)

Paul Albrecht albrecht at rdi1.com
Mon Feb 12 13:17:23 PST 2007 

On Mon, 2007-02-12 at 21:52 +0100, Denis Vlasenko wrote: 
> On Monday 12 February 2007 16:25, Paul Albrecht wrote:
> > 
> > Reverting the code back to using safe_read doesn't work if you don't fix
> > the way the first line is handled because you're not guaranteed a full
> > line with the safe_read.
> > 
> > You can verify this by writing a cgi program which redirects to another
> > location.
> 
> Testcase, please?

I have already given you an example in a previous message, but here it
is again: 

echo -en "HTTP/1.0 302 Found\r\n"
echo -en "Location: http://www.busybox.net\r\n"
echo -en "\r\n"

> 
> > It will intermittently fail. This has nothing to do with how the cgi
> > program writes to standard output. It's a consequence of the fact that
> > the server doesn't buffer standard input so it has no right to expect a
> > full line with its first read of cgi output.
> 
> We don't care about first line. We care about first four charachers only,
> I think.
> 

I think the busybox httpd server cgi program interaction is obviously
idiosyncratic in that the server doesn't parse returned headers and
mucks with the status line.

I'm not really complaining, but however you expect the httpd server and
cgi program to interact to get a valid http response back to a user
should work. 

If you're going to write the status line if you don't get one back from
the cgi program you should do that and you're not doing that because
you're using an unbuffered read to get at least four characters of the
first line of cgi output and that doesn't always work.

> > An expedient way to fix the problem is to do the full_read, that is,
> > receive all the cgi output before handling the first line.
> > 
> > If this is not sufficient then busybox httpd should line buffer standard
> > input so that it always handles the status line correctly. 
> 
> Yes, this will even handle the case when CGI writes "HTT" and
> "P/1.0 200 OK" separately.

That's not the problem. For example, if a cgi program writes:

echo -en "HTTP/1.0 302 Found\r\n"

The busybox httpd server has no right to assume it's got more than a
byte of data when a safe_read completes with good status because its
input isn't buffered. 

> --
> 
> vda

More information about the busybox mailing list