* check environment variable HTTPS in cgi.c @ 2017-02-28 8:05 Andreas Vögele 2017-03-18 15:17 ` Ingo Schwarze 0 siblings, 1 reply; 4+ messages in thread From: Andreas Vögele @ 2017-02-28 8:05 UTC (permalink / raw) To: tech [-- Attachment #1: Type: text/plain, Size: 227 bytes --] Hi, currently the scheme is hard-coded to "http" in cgi.c. The scheme could be set to "https" if the environment variable "HTTPS" is set to "on" by the web server. See the FastCGI setting in httpd.conf(5). Regards, Andreas [-- Attachment #2: cgi_c_https.diff --] [-- Type: text/x-patch, Size: 654 bytes --] --- mdocml-1.14.1/cgi.c.orig 2017-02-21 01:25:20.000000000 +0100 +++ mdocml-1.14.1/cgi.c 2017-02-25 16:28:06.751637253 +0100 @@ -562,9 +562,13 @@ * If we have just one result, then jump there now * without any delay. */ + const char *scheme = "http", *https; + if ((https = getenv("HTTPS")) != NULL && + strcmp(https, "on") == 0) + scheme = "https"; printf("Status: 303 See Other\r\n"); - printf("Location: http://%s/%s%s%s/%s", - HTTP_HOST, scriptname, + printf("Location: %s://%s/%s%s%s/%s", + scheme, HTTP_HOST, scriptname, *scriptname == '\0' ? "" : "/", req->q.manpath, r[0].file); printf("\r\n" ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: check environment variable HTTPS in cgi.c 2017-02-28 8:05 check environment variable HTTPS in cgi.c Andreas Vögele @ 2017-03-18 15:17 ` Ingo Schwarze 2017-03-18 15:48 ` Anthony J. Bentley 0 siblings, 1 reply; 4+ messages in thread From: Ingo Schwarze @ 2017-03-18 15:17 UTC (permalink / raw) To: Andreas Vögele; +Cc: tech Hi, Andreas Voegele wrote on Tue, Feb 28, 2017 at 09:05:09AM +0100: > currently the scheme is hard-coded to "http" in cgi.c. And it will stay like that. > The scheme could be set to "https" if the environment variable "HTTPS" > is set to "on" by the web server. Rejected. Minimizing the use of environment variables is among the chief design goals of man.cgi(8). It's bad enough that we can't avoid relying on PATH_INFO and QUERY_STRING. Besides, https:// is pointless for man.cgi(8). It is a read-only service, and publishing confidential manuals would be an oxymoron. Yours, Ingo -- To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: check environment variable HTTPS in cgi.c 2017-03-18 15:17 ` Ingo Schwarze @ 2017-03-18 15:48 ` Anthony J. Bentley 2017-03-18 16:53 ` Ingo Schwarze 0 siblings, 1 reply; 4+ messages in thread From: Anthony J. Bentley @ 2017-03-18 15:48 UTC (permalink / raw) To: tech; +Cc: Andreas Vögele Hi Ingo, I have desired to run man.cgi on HTTPS also. In some cases it can even be necessary; imagine manuals being served from a subdomain whose parent uses HSTS's includeSubDomains directive, for example. Ingo Schwarze writes: > Rejected. Minimizing the use of environment variables is among > the chief design goals of man.cgi(8). It's bad enough that we > can't avoid relying on PATH_INFO and QUERY_STRING. A solution that would not require environment variables would be to use a relative URI for redirects, as allowed in HTTP/1.1: https://tools.ietf.org/html/rfc7231#section-7.1.2 Hm, public non-confidential RFCs accessible over HTTPS? What madness is this? ;) -- Anthony J. Bentley -- To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: check environment variable HTTPS in cgi.c 2017-03-18 15:48 ` Anthony J. Bentley @ 2017-03-18 16:53 ` Ingo Schwarze 0 siblings, 0 replies; 4+ messages in thread From: Ingo Schwarze @ 2017-03-18 16:53 UTC (permalink / raw) To: Anthony J. Bentley; +Cc: tech, Andreas Voegele Hi Anthony, Anthony J. Bentley wrote on Sat, Mar 18, 2017 at 09:48:47AM -0600: > use a relative URI for redirects, as allowed in HTTP/1.1: > https://tools.ietf.org/html/rfc7231#section-7.1.2 That's actually a fine idea in its own right. It simplifies things, and i see no downside. Thanks for the suggestion, Ingo Log Message: ----------- Simplify: write HTTP 303 redirects with relative locations. Suggested by bentley@. Delete the HTTP_HOST configuration variable that is now obsolete. Modified Files: -------------- mdocml: cgi.c cgi.h.example man.cgi.8 Revision Data ------------- Index: cgi.c =================================================================== RCS file: /home/cvs/mdocml/mdocml/cgi.c,v retrieving revision 1.152 retrieving revision 1.153 diff -Lcgi.c -Lcgi.c -u -p -r1.152 -r1.153 --- cgi.c +++ cgi.c @@ -554,8 +554,8 @@ pg_error_internal(void) static void pg_redirect(const struct req *req, const char *name) { - printf("Status: 303 See Other\r\n"); - printf("Location: http://%s/", HTTP_HOST); + printf("Status: 303 See Other\r\n" + "Location: /"); if (*scriptname != '\0') printf("%s/", scriptname); if (strcmp(req->q.manpath, req->p[0])) @@ -591,14 +591,15 @@ pg_searchres(const struct req *req, stru * If we have just one result, then jump there now * without any delay. */ - printf("Status: 303 See Other\r\n"); - printf("Location: http://%s/%s%s%s/%s", - HTTP_HOST, scriptname, - *scriptname == '\0' ? "" : "/", - req->q.manpath, r[0].file); - printf("\r\n" - "Content-Type: text/html; charset=utf-8\r\n" - "\r\n"); + printf("Status: 303 See Other\r\n" + "Location: /"); + if (*scriptname != '\0') + printf("%s/", scriptname); + if (strcmp(req->q.manpath, req->p[0])) + printf("%s/", req->q.manpath); + printf("%s\r\n" + "Content-Type: text/html; charset=utf-8\r\n\r\n", + r[0].file); return; } Index: cgi.h.example =================================================================== RCS file: /home/cvs/mdocml/mdocml/cgi.h.example,v retrieving revision 1.5 retrieving revision 1.6 diff -Lcgi.h.example -Lcgi.h.example -u -p -r1.5 -r1.6 --- cgi.h.example +++ cgi.h.example @@ -1,6 +1,5 @@ /* Example compile-time configuration file for man.cgi(8). */ -#define HTTP_HOST "mdocml.bsd.lv" #define SCRIPT_NAME "cgi-bin/man.cgi" #define MAN_DIR "/man" #define CSS_DIR "" Index: man.cgi.8 =================================================================== RCS file: /home/cvs/mdocml/mdocml/man.cgi.8,v retrieving revision 1.21 retrieving revision 1.22 diff -Lman.cgi.8 -Lman.cgi.8 -u -p -r1.21 -r1.22 --- man.cgi.8 +++ man.cgi.8 @@ -186,11 +186,6 @@ Otherwise, a leading slash is needed. This is used in generated HTML code. .It Dv CUSTOMIZE_TITLE An ASCII string to be used for the HTML <TITLE> element. -.It Dv HTTP_HOST -The FQDN of the (possibly virtual) host the HTTP server is running on. -This is used for -.Ic Location: -headers in HTTP 303 responses. .It Dv MAN_DIR A file system path to the .Nm -- To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-03-18 16:53 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-02-28 8:05 check environment variable HTTPS in cgi.c Andreas Vögele 2017-03-18 15:17 ` Ingo Schwarze 2017-03-18 15:48 ` Anthony J. Bentley 2017-03-18 16:53 ` Ingo Schwarze
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).