tech@mandoc.bsd.lv
* check environment variable HTTPS in cgi.c
@ 2017-02-28  8:05 Andreas Vögele
  2017-03-18 15:17 ` Ingo Schwarze
  0 siblings, 1 reply; 4+ messages in thread
From: Andreas Vögele @ 2017-02-28  8:05 UTC (permalink / raw)
  To: tech

[-- Attachment #1: Type: text/plain, Size: 227 bytes --]

Hi,

currently the scheme is hard-coded to "http" in cgi.c. The scheme could 
be set to "https" if the environment variable "HTTPS" is set to "on" by 
the web server. See the FastCGI setting in httpd.conf(5).

Regards,
Andreas

[-- Attachment #2: cgi_c_https.diff --]
[-- Type: text/x-patch, Size: 654 bytes --]

--- mdocml-1.14.1/cgi.c.orig	2017-02-21 01:25:20.000000000 +0100
+++ mdocml-1.14.1/cgi.c	2017-02-25 16:28:06.751637253 +0100
@@ -562,9 +562,13 @@
 		 * If we have just one result, then jump there now
 		 * without any delay.
 		 */
+		const char *scheme = "http", *https;
+		if ((https = getenv("HTTPS")) != NULL &&
+		    strcmp(https, "on") == 0)
+			scheme = "https";
 		printf("Status: 303 See Other\r\n");
-		printf("Location: http://%s/%s%s%s/%s",
-		    HTTP_HOST, scriptname,
+		printf("Location: %s://%s/%s%s%s/%s",
+		    scheme, HTTP_HOST, scriptname,
 		    *scriptname == '\0' ? "" : "/",
 		    req->q.manpath, r[0].file);
 		printf("\r\n"
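Review bot: the `scheme` lookup added at the top of this hunk only fixes the single-result redirect; the other 303 in cgi.c, `pg_redirect()` (visible as r1.152 context in the commit later in this thread), also prints `Location: http://%s/` and would still send clients of an HTTPS site to plain http. Both call sites need the same treatment, preferably through one shared helper, or a Location that carries no scheme and host at all so that no environment lookup is needed.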


* Re: check environment variable HTTPS in cgi.c
  2017-02-28  8:05 check environment variable HTTPS in cgi.c Andreas Vögele
@ 2017-03-18 15:17 ` Ingo Schwarze
  2017-03-18 15:48   ` Anthony J. Bentley
  0 siblings, 1 reply; 4+ messages in thread
From: Ingo Schwarze @ 2017-03-18 15:17 UTC (permalink / raw)
  To: Andreas Vögele; +Cc: tech

Hi,

Andreas Voegele wrote on Tue, Feb 28, 2017 at 09:05:09AM +0100:

> currently the scheme is hard-coded to "http" in cgi.c.

And it will stay like that.

> The scheme could be set to "https" if the environment variable "HTTPS"
> is set to "on" by the web server.

Rejected.  Minimizing the use of environment variables is among
the chief design goals of man.cgi(8).  It's bad enough that we
can't avoid relying on PATH_INFO and QUERY_STRING.

Besides, https:// is pointless for man.cgi(8).
It is a read-only service, and publishing confidential
manuals would be an oxymoron.

Yours,
  Ingo
--
 To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv


* Re: check environment variable HTTPS in cgi.c
  2017-03-18 15:17 ` Ingo Schwarze
@ 2017-03-18 15:48   ` Anthony J. Bentley
  2017-03-18 16:53     ` Ingo Schwarze
  0 siblings, 1 reply; 4+ messages in thread
From: Anthony J. Bentley @ 2017-03-18 15:48 UTC (permalink / raw)
  To: tech; +Cc: Andreas Vögele

Hi Ingo,

I have desired to run man.cgi on HTTPS also. In some cases it can even
be necessary; imagine manuals being served from a subdomain whose parent
uses HSTS's includeSubDomains directive, for example.

Ingo Schwarze writes:
> Rejected.  Minimizing the use of environment variables is among
> the chief design goals of man.cgi(8).  It's bad enough that we
> can't avoid relying on PATH_INFO and QUERY_STRING.

A solution that would not require environment variables would be to
use a relative URI for redirects, as allowed in HTTP/1.1:

https://tools.ietf.org/html/rfc7231#section-7.1.2

Hm, public non-confidential RFCs accessible over HTTPS? What madness
is this? ;)

-- 
Anthony J. Bentley
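
Added example, not part of this thread or of mandoc's cgi.c: a sketch of emitting the relative 303 Location suggested above while refusing components that would turn the path into `//host` or start a new header line. `build_location`, `component_ok` and the sample paths are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Reject components that could change the meaning of the header:
 * CR/LF would start a new header line, and a leading '/' directly
 * after the initial "/" would give "//host", a network-path reference.
 */
static int
component_ok(const char *s)
{
	return s[0] != '/' && strpbrk(s, "\r\n") == NULL;
}

/*
 * Write "/[script/][manpath/]file" into buf.
 * An empty manpath stands for "default manpath, omit it" (assumption).
 * Returns 0 on success, -1 if a component is unsafe or buf is too small.
 */
int
build_location(char *buf, size_t sz, const char *script,
    const char *manpath, const char *file)
{
	int n;

	if (*file == '\0' || !component_ok(script) ||
	    !component_ok(manpath) || !component_ok(file))
		return -1;
	n = snprintf(buf, sz, "/%s%s%s%s%s",
	    script, *script == '\0' ? "" : "/",
	    manpath, *manpath == '\0' ? "" : "/", file);
	return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

int
main(void)
{
	char loc[256];

	/* Constructed sample values. */
	if (build_location(loc, sizeof(loc), "cgi-bin/man.cgi",
	    "", "man1/mandoc.1") == 0)
		printf("Status: 303 See Other\r\nLocation: %s\r\n\r\n", loc);
	return 0;
}
```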

* Re: check environment variable HTTPS in cgi.c
  2017-03-18 15:48   ` Anthony J. Bentley
@ 2017-03-18 16:53     ` Ingo Schwarze
  0 siblings, 0 replies; 4+ messages in thread
From: Ingo Schwarze @ 2017-03-18 16:53 UTC (permalink / raw)
  To: Anthony J. Bentley; +Cc: tech, Andreas Voegele

Hi Anthony,

Anthony J. Bentley wrote on Sat, Mar 18, 2017 at 09:48:47AM -0600:

> use a relative URI for redirects, as allowed in HTTP/1.1:
> https://tools.ietf.org/html/rfc7231#section-7.1.2

That's actually a fine idea in its own right.
It simplifies things, and I see no downside.

Thanks for the suggestion,
  Ingo


Log Message:
-----------
Simplify: write HTTP 303 redirects with relative locations.
Suggested by bentley@.

Delete the HTTP_HOST configuration variable that is now obsolete.

Modified Files:
--------------
    mdocml:
        cgi.c
        cgi.h.example
        man.cgi.8

Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/cgi.c,v
retrieving revision 1.152
retrieving revision 1.153
diff -Lcgi.c -Lcgi.c -u -p -r1.152 -r1.153
--- cgi.c
+++ cgi.c
@@ -554,8 +554,8 @@ pg_error_internal(void)
 static void
 pg_redirect(const struct req *req, const char *name)
 {
-	printf("Status: 303 See Other\r\n");
-	printf("Location: http://%s/", HTTP_HOST);
+	printf("Status: 303 See Other\r\n"
+	    "Location: /");
 	if (*scriptname != '\0')
 		printf("%s/", scriptname);
 	if (strcmp(req->q.manpath, req->p[0]))
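Review bot: with the fixed `http://HOST/` prefix gone, the `"Location: /"` line relies on the single leading slash to keep the redirect on the same host, so nothing printed directly after it may begin with `/`: a value starting with `//` is a network-path reference and names a different host. `scriptname` is tested for being empty and the example SCRIPT_NAME has no leading slash, but the hunk does not show where `req->q.manpath` and `name` are validated; a short comment stating that invariant, or a check before printing, would make this safer to maintain.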
@@ -591,14 +591,15 @@ pg_searchres(const struct req *req, stru
 		 * If we have just one result, then jump there now
 		 * without any delay.
 		 */
-		printf("Status: 303 See Other\r\n");
-		printf("Location: http://%s/%s%s%s/%s",
-		    HTTP_HOST, scriptname,
-		    *scriptname == '\0' ? "" : "/",
-		    req->q.manpath, r[0].file);
-		printf("\r\n"
-		     "Content-Type: text/html; charset=utf-8\r\n"
-		     "\r\n");
+		printf("Status: 303 See Other\r\n"
+		    "Location: /");
+		if (*scriptname != '\0')
+			printf("%s/", scriptname);
+		if (strcmp(req->q.manpath, req->p[0]))
+			printf("%s/", req->q.manpath);
+		printf("%s\r\n"
+		    "Content-Type: text/html; charset=utf-8\r\n\r\n",
+		    r[0].file);
 		return;
 	}
 
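Review bot: the added `if (strcmp(req->q.manpath, req->p[0]))` test changes behaviour beyond what the log message describes: the removed code always put `req->q.manpath` into the Location, while the replacement leaves it out when it equals `req->p[0]`. If that is intended, say so in the commit message. The prefix logic is also a copy of the first lines of `pg_redirect()` in the previous hunk; a small shared helper that prints `Location: /`, the script name and the manpath would keep the two from drifting apart.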
Index: cgi.h.example
===================================================================
RCS file: /home/cvs/mdocml/mdocml/cgi.h.example,v
retrieving revision 1.5
retrieving revision 1.6
diff -Lcgi.h.example -Lcgi.h.example -u -p -r1.5 -r1.6
--- cgi.h.example
+++ cgi.h.example
@@ -1,6 +1,5 @@
 /* Example compile-time configuration file for man.cgi(8). */
 
-#define	HTTP_HOST "mdocml.bsd.lv"
 #define	SCRIPT_NAME "cgi-bin/man.cgi"
 #define	MAN_DIR "/man"
 #define	CSS_DIR ""
Index: man.cgi.8
===================================================================
RCS file: /home/cvs/mdocml/mdocml/man.cgi.8,v
retrieving revision 1.21
retrieving revision 1.22
diff -Lman.cgi.8 -Lman.cgi.8 -u -p -r1.21 -r1.22
--- man.cgi.8
+++ man.cgi.8
@@ -186,11 +186,6 @@ Otherwise, a leading slash is needed.
 This is used in generated HTML code.
 .It Dv CUSTOMIZE_TITLE
 An ASCII string to be used for the HTML <TITLE> element.
-.It Dv HTTP_HOST
-The FQDN of the (possibly virtual) host the HTTP server is running on.
-This is used for
-.Ic Location:
-headers in HTTP 303 responses.
 .It Dv MAN_DIR
 A file system path to the
 .Nm
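Review bot: after the `.It Dv HTTP_HOST` entry is deleted, the manual no longer says how the `Location:` headers of HTTP 303 responses are formed. One sentence stating that redirects are now written as host-relative paths, and therefore follow the scheme and host of the original request, would tell operators that nothing needs to be configured for them.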