On Fri, Jan 11, 2019 at 10:50:21AM -0600, Adam Thompson wrote:
> Running 6.4 (-stable, via openup/mtier).
> I have bgpd(8) talking to my border router, acting as a route collector.
> That part seems fine.
> I now have httpd(8) configured trivially to run bgplg(8) (per the bgplg(8)
> manpage) but it's not working, and I can't tell why.  **EDIT: yes, I can,
> see below**
> 
> httpd.conf:
> ===start===
> server "*" {
>         listen on * port 80
>         location "/cgi-bin/*" {
>                 fastcgi
>                 root ""
>         }
> }
> ===end===
> 
> On the client end, I get:
> 
>   bgpmirror# wget -v http://localhost/cgi-bin/bgplg
>   --2019-01-11 10:12:05--  http://localhost/cgi-bin/bgplg
>   Resolving localhost (localhost)... 127.0.0.1, ::1
>   Connecting to localhost (localhost)|127.0.0.1|:80... connected.
>   HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
>   Length: unspecified
>   Saving to: 'bgplg'
> (it never completes until I kill it)
> 
> Ktrace'ing slowcgi and httpd in -d mode reveals that bgplg execve's
> properly, loads, spits out "invalid character in input" and dies.  Slowcgi
> and/or httpd do not handle this... well, at all, really.  That error message
> also does not get logged anywhere nor is visible anywhere except ktrace
> logs.
> 
> Looking at the bgplg source code, this means there's something funky in its
> environment that it doesn't like.  Ah.  It looks like it's the "*" in
> server_name, as passed in by slowcgi:
>   slowcgi: env[18], SERVER_NAME=*
> 
> Yup.  That's the problem, all right: /usr/src/usr.bin/bgplg/bgplg.c:115
> excludes '*'.  But I want my looking glass to be accessible from at least
> two different hostnames, and I really would prefer to not have to define
> them all manually in httpd.conf(5).
> 
> The naive local fix is trivial (adding '*' to the strchr call in line 115),
> but what else might I be breaking or letting in?  Clearly this is supposed
> to ensure the environment is sanitized before continuing, but is "*"
> forbidden because it's unsafe, or simply because it never occurred to
> anyone?
> 
> Thoughts / suggestions ?
> 

You can use 'server match "."' to match any hostname.
The page title will be "." though.
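
The check described in the quoted message, as an added example (not bgplg's own code and not written by either poster): a byte allowlist applied to a CGI environment value, with the rejection reported on stderr rather than in the response body. The punctuation set `EXTRA_OK` and the function names are assumptions; the thread only establishes that `*` is rejected and that a server name of `.` is accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed punctuation allowlist; the thread only shows that '*' is
 * rejected and that "." passes. */
#define EXTRA_OK "-_.:/= "

/* Offset of the first byte that is neither alphanumeric nor in EXTRA_OK,
 * or -1 if the value is acceptable. NULL and empty values fail at 0. */
int env_first_bad(const char *val)
{
	size_t i;

	if (val == NULL || val[0] == '\0')
		return 0;
	for (i = 0; val[i] != '\0'; i++) {
		unsigned char c = (unsigned char)val[i];
		if (!isalnum(c) && strchr(EXTRA_OK, c) == NULL)
			return (int)i;
	}
	return -1;
}

/* Check one CGI variable; say which variable and byte failed on stderr. */
int env_check(const char *name, const char *val)
{
	int off = env_first_bad(val);

	if (off >= 0) {
		fprintf(stderr, "%s: rejected byte 0x%02x at offset %d\n",
		    name, val ? (unsigned char)val[off] : 0, off);
		return 0;
	}
	return 1;
}

int main(void)
{
	/* Constructed sample values for SERVER_NAME. */
	const char *samples[] = { "*", ".", "lg.example.net", "a;b" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s %s\n", samples[i],
		    env_check("SERVER_NAME", samples[i]) ? "ok" : "rejected");
	return 0;
}
```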
