xref: /openbsd-src/usr.sbin/httpd/server_fcgi.c (revision fc405d53b73a2d73393cb97f684863d17b583e38) 
1 /*	$OpenBSD: server_fcgi.c,v 1.95 2022/08/15 12:29:17 claudio Exp $	*/
2 
3 /*
4  * Copyright (c) 2014 Florian Obser <florian@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <sys/types.h>
20 #include <sys/time.h>
21 #include <sys/socket.h>
22 #include <sys/un.h>
23 
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
26 
27 #include <limits.h>
28 #include <errno.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <stdio.h>
32 #include <time.h>
33 #include <ctype.h>
34 #include <event.h>
35 #include <unistd.h>
36 
37 #include "httpd.h"
38 #include "http.h"
39 
40 #define FCGI_PADDING_SIZE	 255
41 #define FCGI_RECORD_SIZE	 \
42     (sizeof(struct fcgi_record_header) + FCGI_CONTENT_SIZE + FCGI_PADDING_SIZE)
43 
44 #define FCGI_BEGIN_REQUEST	 1
45 #define FCGI_ABORT_REQUEST	 2
46 #define FCGI_END_REQUEST	 3
47 #define FCGI_PARAMS		 4
48 #define FCGI_STDIN		 5
49 #define FCGI_STDOUT		 6
50 #define FCGI_STDERR		 7
51 #define FCGI_DATA		 8
52 #define FCGI_GET_VALUES		 9
53 #define FCGI_GET_VALUES_RESULT	10
54 #define FCGI_UNKNOWN_TYPE	11
55 #define FCGI_MAXTYPE		(FCGI_UNKNOWN_TYPE)
56 
57 #define FCGI_RESPONDER		 1
58 
59 struct fcgi_record_header {
60 	uint8_t		version;
61 	uint8_t		type;
62 	uint16_t	id;
63 	uint16_t	content_len;
64 	uint8_t		padding_len;
65 	uint8_t		reserved;
66 } __packed;
67 
68 struct fcgi_begin_request_body {
69 	uint16_t	role;
70 	uint8_t		flags;
71 	uint8_t		reserved[5];
72 } __packed;
73 
74 struct server_fcgi_param {
75 	int		total_len;
76 	uint8_t		buf[FCGI_RECORD_SIZE];
77 };
78 
79 int	server_fcgi_header(struct client *, unsigned int);
80 void	server_fcgi_error(struct bufferevent *, short, void *);
81 void	server_fcgi_read(struct bufferevent *, void *);
82 int	server_fcgi_writeheader(struct client *, struct kv *, void *);
83 int	server_fcgi_writechunk(struct client *);
84 int	server_fcgi_getheaders(struct client *);
85 int	fcgi_add_param(struct server_fcgi_param *, const char *, const char *,
86 	    struct client *);
87 
88 int
89 server_fcgi(struct httpd *env, struct client *clt)
90 {
91 	struct server_fcgi_param	 param;
92 	struct server_config		*srv_conf = clt->clt_srv_conf;
93 	struct http_descriptor		*desc = clt->clt_descreq;
94 	struct fcgi_record_header	*h;
95 	struct fcgi_begin_request_body	*begin;
96 	struct fastcgi_param		*fcgiparam;
97 	char				 hbuf[HOST_NAME_MAX+1];
98 	size_t				 scriptlen;
99 	int				 pathlen;
100 	int				 fd = -1, ret;
101 	const char			*stripped, *alias, *errstr = NULL;
102 	char				*query_alias, *str, *script = NULL;
103 
104 	if ((fd = socket(srv_conf->fastcgi_ss.ss_family,
105 	    SOCK_STREAM | SOCK_NONBLOCK, 0)) == -1)
106 		goto fail;
107 	if ((connect(fd, (struct sockaddr *) &srv_conf->fastcgi_ss,
108 	    srv_conf->fastcgi_ss.ss_len)) == -1) {
109 		if (errno != EINPROGRESS)
110 			goto fail;
111 	}
112 
113 	memset(hbuf, 0, sizeof(hbuf));
114 	clt->clt_fcgi.state = FCGI_READ_HEADER;
115 	clt->clt_fcgi.toread = sizeof(struct fcgi_record_header);
116 	clt->clt_fcgi.status = 200;
117 	clt->clt_fcgi.headersdone = 0;
118 	clt->clt_fcgi.headerssent = 0;
119 
120 	if (clt->clt_srvevb != NULL)
121 		evbuffer_free(clt->clt_srvevb);
122 
123 	clt->clt_srvevb = evbuffer_new();
124 	if (clt->clt_srvevb == NULL) {
125 		errstr = "failed to allocate evbuffer";
126 		goto fail;
127 	}
128 
129 	close(clt->clt_fd);
130 	clt->clt_fd = fd;
131 
132 	if (clt->clt_srvbev != NULL)
133 		bufferevent_free(clt->clt_srvbev);
134 
135 	clt->clt_srvbev_throttled = 0;
136 	clt->clt_srvbev = bufferevent_new(fd, server_fcgi_read,
137 	    NULL, server_fcgi_error, clt);
138 	if (clt->clt_srvbev == NULL) {
139 		errstr = "failed to allocate fcgi buffer event";
140 		goto fail;
141 	}
142 
143 	memset(&param, 0, sizeof(param));
144 
145 	h = (struct fcgi_record_header *)&param.buf;
146 	h->version = 1;
147 	h->type = FCGI_BEGIN_REQUEST;
148 	h->id = htons(1);
149 	h->content_len = htons(sizeof(struct fcgi_begin_request_body));
150 	h->padding_len = 0;
151 
152 	begin = (struct fcgi_begin_request_body *)&param.buf[sizeof(struct
153 	    fcgi_record_header)];
154 	begin->role = htons(FCGI_RESPONDER);
155 
156 	if (bufferevent_write(clt->clt_srvbev, &param.buf,
157 	    sizeof(struct fcgi_record_header) +
158 	    sizeof(struct fcgi_begin_request_body)) == -1) {
159 		errstr = "failed to write to evbuffer";
160 		goto fail;
161 	}
162 
163 	h->type = FCGI_PARAMS;
164 	h->content_len = param.total_len = 0;
165 
166 	alias = desc->http_path_alias != NULL
167 	    ? desc->http_path_alias
168 	    : desc->http_path;
169 
170 	query_alias = desc->http_query_alias != NULL
171 	    ? desc->http_query_alias
172 	    : desc->http_query;
173 
174 	stripped = server_root_strip(alias, srv_conf->strip);
175 	if ((pathlen = asprintf(&script, "%s%s", srv_conf->root, stripped))
176 	    == -1) {
177 		errstr = "failed to get script name";
178 		goto fail;
179 	}
180 
181 	scriptlen = path_info(script);
182 	/*
183 	 * no part of root should show up in PATH_INFO.
184 	 * therefore scriptlen should be >= strlen(root)
185 	 */
186 	if (scriptlen < strlen(srv_conf->root))
187 		scriptlen = strlen(srv_conf->root);
188 	if ((int)scriptlen < pathlen) {
189 		if (fcgi_add_param(&param, "PATH_INFO",
190 		    script + scriptlen, clt) == -1) {
191 			errstr = "failed to encode param";
192 			goto fail;
193 		}
194 		script[scriptlen] = '\0';
195 	} else {
196 		/* RFC 3875 mandates that PATH_INFO is empty if not set */
197 		if (fcgi_add_param(&param, "PATH_INFO", "", clt) == -1) {
198 			errstr = "failed to encode param";
199 			goto fail;
200 		}
201 	}
202 
203 	/*
204 	 * calculate length of http SCRIPT_NAME:
205 	 * add length of stripped prefix,
206 	 * subtract length of prepended local root
207 	 */
208 	scriptlen += (stripped - alias) - strlen(srv_conf->root);
209 	if ((str = strndup(alias, scriptlen)) == NULL)
210 		goto fail;
211 	ret = fcgi_add_param(&param, "SCRIPT_NAME", str, clt);
212 	free(str);
213 	if (ret == -1) {
214 		errstr = "failed to encode param";
215 		goto fail;
216 	}
217 	if (fcgi_add_param(&param, "SCRIPT_FILENAME", server_root_strip(script,
218 	    srv_conf->fcgistrip), clt) == -1) {
219 		errstr = "failed to encode param";
220 		goto fail;
221 	}
222 
223 	if (query_alias) {
224 		if (fcgi_add_param(&param, "QUERY_STRING", query_alias,
225 		    clt) == -1) {
226 			errstr = "failed to encode param";
227 			goto fail;
228 		}
229 	} else if (fcgi_add_param(&param, "QUERY_STRING", "", clt) == -1) {
230 		errstr = "failed to encode param";
231 		goto fail;
232 	}
233 
234 	if (fcgi_add_param(&param, "DOCUMENT_ROOT", server_root_strip(
235 	    srv_conf->root, srv_conf->fcgistrip), clt) == -1) {
236 		errstr = "failed to encode param";
237 		goto fail;
238 	}
239 	if (fcgi_add_param(&param, "DOCUMENT_URI", alias,
240 	    clt) == -1) {
241 		errstr = "failed to encode param";
242 		goto fail;
243 	}
244 	if (fcgi_add_param(&param, "GATEWAY_INTERFACE", "CGI/1.1",
245 	    clt) == -1) {
246 		errstr = "failed to encode param";
247 		goto fail;
248 	}
249 
250 	if (srv_conf->flags & SRVFLAG_AUTH) {
251 		if (fcgi_add_param(&param, "REMOTE_USER",
252 		    clt->clt_remote_user, clt) == -1) {
253 			errstr = "failed to encode param";
254 			goto fail;
255 		}
256 	}
257 
258 	/* Add HTTP_* headers */
259 	if (server_headers(clt, desc, server_fcgi_writeheader, &param) == -1) {
260 		errstr = "failed to encode param";
261 		goto fail;
262 	}
263 
264 	if (srv_conf->flags & SRVFLAG_TLS) {
265 		if (fcgi_add_param(&param, "HTTPS", "on", clt) == -1) {
266 			errstr = "failed to encode param";
267 			goto fail;
268 		}
269 		if (srv_conf->tls_flags != 0 && fcgi_add_param(&param,
270 		    "TLS_PEER_VERIFY", printb_flags(srv_conf->tls_flags,
271 		    TLSFLAG_BITS), clt) == -1) {
272 			errstr = "failed to encode param";
273 			goto fail;
274 		}
275 	}
276 
277 	TAILQ_FOREACH(fcgiparam, &srv_conf->fcgiparams, entry) {
278 		if (fcgi_add_param(&param, fcgiparam->name, fcgiparam->value,
279 		    clt) == -1) {
280 			errstr = "failed to encode param";
281 			goto fail;
282 		}
283 	}
284 
285 	(void)print_host(&clt->clt_ss, hbuf, sizeof(hbuf));
286 	if (fcgi_add_param(&param, "REMOTE_ADDR", hbuf, clt) == -1) {
287 		errstr = "failed to encode param";
288 		goto fail;
289 	}
290 
291 	(void)snprintf(hbuf, sizeof(hbuf), "%d", ntohs(clt->clt_port));
292 	if (fcgi_add_param(&param, "REMOTE_PORT", hbuf, clt) == -1) {
293 		errstr = "failed to encode param";
294 		goto fail;
295 	}
296 
297 	if (fcgi_add_param(&param, "REQUEST_METHOD",
298 	    server_httpmethod_byid(desc->http_method), clt) == -1) {
299 		errstr = "failed to encode param";
300 		goto fail;
301 	}
302 
303 	if (!desc->http_query) {
304 		if (fcgi_add_param(&param, "REQUEST_URI", desc->http_path_orig,
305 		    clt) == -1) {
306 			errstr = "failed to encode param";
307 			goto fail;
308 		}
309 	} else {
310 		if (asprintf(&str, "%s?%s", desc->http_path_orig,
311 		    desc->http_query) == -1) {
312 			errstr = "failed to encode param";
313 			goto fail;
314 		}
315 		ret = fcgi_add_param(&param, "REQUEST_URI", str, clt);
316 		free(str);
317 		if (ret == -1) {
318 			errstr = "failed to encode param";
319 			goto fail;
320 		}
321 	}
322 
323 	(void)print_host(&clt->clt_srv_ss, hbuf, sizeof(hbuf));
324 	if (fcgi_add_param(&param, "SERVER_ADDR", hbuf, clt) == -1) {
325 		errstr = "failed to encode param";
326 		goto fail;
327 	}
328 
329 	(void)snprintf(hbuf, sizeof(hbuf), "%d",
330 	    ntohs(server_socket_getport(&clt->clt_srv_ss)));
331 	if (fcgi_add_param(&param, "SERVER_PORT", hbuf, clt) == -1) {
332 		errstr = "failed to encode param";
333 		goto fail;
334 	}
335 
336 	if (fcgi_add_param(&param, "SERVER_NAME", srv_conf->name,
337 	    clt) == -1) {
338 		errstr = "failed to encode param";
339 		goto fail;
340 	}
341 
342 	if (fcgi_add_param(&param, "SERVER_PROTOCOL", desc->http_version,
343 	    clt) == -1) {
344 		errstr = "failed to encode param";
345 		goto fail;
346 	}
347 
348 	if (fcgi_add_param(&param, "SERVER_SOFTWARE", HTTPD_SERVERNAME,
349 	    clt) == -1) {
350 		errstr = "failed to encode param";
351 		goto fail;
352 	}
353 
354 	if (param.total_len != 0) {	/* send last params record */
355 		if (bufferevent_write(clt->clt_srvbev, &param.buf,
356 		    sizeof(struct fcgi_record_header) +
357 		    ntohs(h->content_len)) == -1) {
358 			errstr = "failed to write to client evbuffer";
359 			goto fail;
360 		}
361 	}
362 
363 	/* send "no more params" message */
364 	h->content_len = 0;
365 	if (bufferevent_write(clt->clt_srvbev, &param.buf,
366 	    sizeof(struct fcgi_record_header)) == -1) {
367 		errstr = "failed to write to client evbuffer";
368 		goto fail;
369 	}
370 
371 	bufferevent_settimeout(clt->clt_srvbev,
372 	    srv_conf->timeout.tv_sec, srv_conf->timeout.tv_sec);
373 	bufferevent_enable(clt->clt_srvbev, EV_READ|EV_WRITE);
374 	if (clt->clt_toread != 0) {
375 		server_read_httpcontent(clt->clt_bev, clt);
376 		bufferevent_enable(clt->clt_bev, EV_READ);
377 	} else {
378 		bufferevent_disable(clt->clt_bev, EV_READ);
379 		fcgi_add_stdin(clt, NULL);
380 	}
381 
382 	if (strcmp(desc->http_version, "HTTP/1.1") == 0) {
383 		clt->clt_fcgi.chunked = 1;
384 	} else {
385 		/* HTTP/1.0 does not support chunked encoding */
386 		clt->clt_fcgi.chunked = 0;
387 		clt->clt_persist = 0;
388 	}
389 	clt->clt_fcgi.end = 0;
390 	clt->clt_done = 0;
391 
392 	free(script);
393 	return (0);
394  fail:
395 	free(script);
396 	if (errstr == NULL)
397 		errstr = strerror(errno);
398 	if (fd != -1 && clt->clt_fd != fd)
399 		close(fd);
400 	server_abort_http(clt, 500, errstr);
401 	return (-1);
402 }
403 
404 int
405 fcgi_add_stdin(struct client *clt, struct evbuffer *evbuf)
406 {
407 	struct fcgi_record_header	h;
408 
409 	memset(&h, 0, sizeof(h));
410 	h.version = 1;
411 	h.type = FCGI_STDIN;
412 	h.id = htons(1);
413 	h.padding_len = 0;
414 
415 	if (evbuf == NULL) {
416 		h.content_len = 0;
417 		return bufferevent_write(clt->clt_srvbev, &h,
418 		    sizeof(struct fcgi_record_header));
419 	} else {
420 		h.content_len = htons(EVBUFFER_LENGTH(evbuf));
421 		if (bufferevent_write(clt->clt_srvbev, &h,
422 		    sizeof(struct fcgi_record_header)) == -1)
423 			return -1;
424 		return bufferevent_write_buffer(clt->clt_srvbev, evbuf);
425 	}
426 	return (0);
427 }
428 
429 int
430 fcgi_add_param(struct server_fcgi_param *p, const char *key,
431     const char *val, struct client *clt)
432 {
433 	struct fcgi_record_header	*h;
434 	int				 len = 0;
435 	int				 key_len = strlen(key);
436 	int				 val_len = strlen(val);
437 	uint8_t				*param;
438 
439 	len += key_len + val_len;
440 	len += key_len > 127 ? 4 : 1;
441 	len += val_len > 127 ? 4 : 1;
442 
443 	DPRINTF("%s: %s[%d] => %s[%d], total_len: %d", __func__, key, key_len,
444 	    val, val_len, p->total_len);
445 
446 	if (len > FCGI_CONTENT_SIZE)
447 		return (-1);
448 
449 	if (p->total_len + len > FCGI_CONTENT_SIZE) {
450 		if (bufferevent_write(clt->clt_srvbev, p->buf,
451 		    sizeof(struct fcgi_record_header) + p->total_len) == -1)
452 			return (-1);
453 		p->total_len = 0;
454 	}
455 
456 	h = (struct fcgi_record_header *)p->buf;
457 	param = p->buf + sizeof(*h) + p->total_len;
458 
459 	if (key_len > 127) {
460 		*param++ = ((key_len >> 24) & 0xff) | 0x80;
461 		*param++ = ((key_len >> 16) & 0xff);
462 		*param++ = ((key_len >> 8) & 0xff);
463 		*param++ = (key_len & 0xff);
464 	} else
465 		*param++ = key_len;
466 
467 	if (val_len > 127) {
468 		*param++ = ((val_len >> 24) & 0xff) | 0x80;
469 		*param++ = ((val_len >> 16) & 0xff);
470 		*param++ = ((val_len >> 8) & 0xff);
471 		*param++ = (val_len & 0xff);
472 	} else
473 		*param++ = val_len;
474 
475 	memcpy(param, key, key_len);
476 	param += key_len;
477 	memcpy(param, val, val_len);
478 
479 	p->total_len += len;
480 
481 	h->content_len = htons(p->total_len);
482 	return (0);
483 }
484 
485 void
486 server_fcgi_error(struct bufferevent *bev, short error, void *arg)
487 {
488 	struct client		*clt = arg;
489 	struct http_descriptor	*desc = clt->clt_descreq;
490 
491 	if ((error & EVBUFFER_EOF) && !clt->clt_fcgi.headersdone) {
492 		server_abort_http(clt, 500, "malformed or no headers");
493 		return;
494 	}
495 
496 	/* send the end marker if not already */
497 	if (desc->http_method != HTTP_METHOD_HEAD && clt->clt_fcgi.chunked &&
498 	    !clt->clt_fcgi.end++)
499 		server_bufferevent_print(clt, "0\r\n\r\n");
500 
501 	server_file_error(bev, error, arg);
502 }
503 
504 void
505 server_fcgi_read(struct bufferevent *bev, void *arg)
506 {
507 	uint8_t				 buf[FCGI_RECORD_SIZE];
508 	struct client			*clt = (struct client *) arg;
509 	struct fcgi_record_header	*h;
510 	size_t				 len;
511 	char				*ptr;
512 
513 	do {
514 		len = bufferevent_read(bev, buf, clt->clt_fcgi.toread);
515 		if (evbuffer_add(clt->clt_srvevb, buf, len) == -1) {
516 			server_abort_http(clt, 500, "short write");
517 			return;
518 		}
519 		clt->clt_fcgi.toread -= len;
520 		DPRINTF("%s: len: %lu toread: %d state: %d type: %d",
521 		    __func__, len, clt->clt_fcgi.toread,
522 		    clt->clt_fcgi.state, clt->clt_fcgi.type);
523 
524 		if (clt->clt_fcgi.toread != 0)
525 			return;
526 
527 		switch (clt->clt_fcgi.state) {
528 		case FCGI_READ_HEADER:
529 			clt->clt_fcgi.state = FCGI_READ_CONTENT;
530 			h = (struct fcgi_record_header *)
531 			    EVBUFFER_DATA(clt->clt_srvevb);
532 			DPRINTF("%s: record header: version %d type %d id %d "
533 			    "content len %d padding %d", __func__,
534 			    h->version, h->type, ntohs(h->id),
535 			    ntohs(h->content_len), h->padding_len);
536 			clt->clt_fcgi.type = h->type;
537 			clt->clt_fcgi.toread = ntohs(h->content_len);
538 			clt->clt_fcgi.padding_len = h->padding_len;
539 			evbuffer_drain(clt->clt_srvevb,
540 			    EVBUFFER_LENGTH(clt->clt_srvevb));
541 			if (clt->clt_fcgi.toread != 0)
542 				break;
543 			else if (clt->clt_fcgi.type == FCGI_STDOUT &&
544 			    !clt->clt_chunk) {
545 				server_abort_http(clt, 500, "empty stdout");
546 				return;
547 			}
548 
549 			/* fallthrough if content_len == 0 */
550 		case FCGI_READ_CONTENT:
551 			switch (clt->clt_fcgi.type) {
552 			case FCGI_STDERR:
553 				if (EVBUFFER_LENGTH(clt->clt_srvevb) > 0 &&
554 				    (ptr = get_string(
555 				    EVBUFFER_DATA(clt->clt_srvevb),
556 				    EVBUFFER_LENGTH(clt->clt_srvevb)))
557 				    != NULL) {
558 					server_sendlog(clt->clt_srv_conf,
559 					    IMSG_LOG_ERROR, "%s", ptr);
560 					free(ptr);
561 				}
562 				break;
563 			case FCGI_STDOUT:
564 				++clt->clt_chunk;
565 				if (!clt->clt_fcgi.headersdone) {
566 					clt->clt_fcgi.headersdone =
567 					    server_fcgi_getheaders(clt);
568 					if (!EVBUFFER_LENGTH(clt->clt_srvevb))
569 						break;
570 				}
571 				/* FALLTHROUGH */
572 			case FCGI_END_REQUEST:
573 				if (clt->clt_fcgi.headersdone &&
574 				    !clt->clt_fcgi.headerssent) {
575 					if (server_fcgi_header(clt,
576 					    clt->clt_fcgi.status) == -1) {
577 						server_abort_http(clt, 500,
578 						    "malformed fcgi headers");
579 						return;
580 					}
581 				}
582 				/* Don't send content for HEAD requests */
583 				if (clt->clt_fcgi.headerssent &&
584 				    clt->clt_descreq->http_method
585 				    == HTTP_METHOD_HEAD)
586 					/* nothing */ ;
587 				else if (server_fcgi_writechunk(clt) == -1) {
588 					server_abort_http(clt, 500,
589 					    "encoding error");
590 					return;
591 				}
592 				if (clt->clt_fcgi.type == FCGI_END_REQUEST) {
593 					bufferevent_enable(clt->clt_bev,
594 					    EV_READ|EV_WRITE);
595 					if (clt->clt_persist)
596 						clt->clt_toread =
597 						    TOREAD_HTTP_HEADER;
598 					else
599 						clt->clt_toread =
600 						    TOREAD_HTTP_NONE;
601 					clt->clt_done = 0;
602 					server_reset_http(clt);
603 				}
604 				break;
605 			}
606 			evbuffer_drain(clt->clt_srvevb,
607 			    EVBUFFER_LENGTH(clt->clt_srvevb));
608 			if (!clt->clt_fcgi.padding_len) {
609 				clt->clt_fcgi.state = FCGI_READ_HEADER;
610 				clt->clt_fcgi.toread =
611 				    sizeof(struct fcgi_record_header);
612 			} else {
613 				clt->clt_fcgi.state = FCGI_READ_PADDING;
614 				clt->clt_fcgi.toread =
615 				    clt->clt_fcgi.padding_len;
616 			}
617 			break;
618 		case FCGI_READ_PADDING:
619 			evbuffer_drain(clt->clt_srvevb,
620 			    EVBUFFER_LENGTH(clt->clt_srvevb));
621 			clt->clt_fcgi.state = FCGI_READ_HEADER;
622 			clt->clt_fcgi.toread =
623 			    sizeof(struct fcgi_record_header);
624 			break;
625 		}
626 	} while (len > 0);
627 }
628 
629 int
630 server_fcgi_header(struct client *clt, unsigned int code)
631 {
632 	struct server_config	*srv_conf = clt->clt_srv_conf;
633 	struct http_descriptor	*desc = clt->clt_descreq;
634 	struct http_descriptor	*resp = clt->clt_descresp;
635 	const char		*error;
636 	char			 tmbuf[32];
637 	struct kv		*kv, *cl, key;
638 
639 	clt->clt_fcgi.headerssent = 1;
640 
641 	if (desc == NULL || (error = server_httperror_byid(code)) == NULL)
642 		return (-1);
643 
644 	if (server_log_http(clt, code, 0) == -1)
645 		return (-1);
646 
647 	/* Add error codes */
648 	if (kv_setkey(&resp->http_pathquery, "%u", code) == -1 ||
649 	    kv_set(&resp->http_pathquery, "%s", error) == -1)
650 		return (-1);
651 
652 	/* Add headers */
653 	if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME) == NULL)
654 		return (-1);
655 
656 	if (clt->clt_fcgi.type == FCGI_END_REQUEST ||
657 	    EVBUFFER_LENGTH(clt->clt_srvevb) == 0) {
658 		/* Can't chunk encode an empty body. */
659 		clt->clt_fcgi.chunked = 0;
660 
661 		/* But then we need a Content-Length unless method is HEAD... */
662 		if (desc->http_method != HTTP_METHOD_HEAD) {
663 			key.kv_key = "Content-Length";
664 			if ((kv = kv_find(&resp->http_headers, &key)) == NULL) {
665 				if (kv_add(&resp->http_headers,
666 				    "Content-Length", "0") == NULL)
667 					return (-1);
668 			}
669 		}
670 	}
671 
672 	/* Send chunked encoding header */
673 	if (clt->clt_fcgi.chunked) {
674 		/* but only if no Content-Length header is supplied */
675 		key.kv_key = "Content-Length";
676 		if ((kv = kv_find(&resp->http_headers, &key)) != NULL) {
677 			clt->clt_fcgi.chunked = 0;
678 		} else {
679 			/*
680 			 * XXX What if the FastCGI added some kind of
681 			 * Transfer-Encoding, like gzip, deflate or even
682 			 * "chunked"?
683 			 */
684 			if (kv_add(&resp->http_headers,
685 			    "Transfer-Encoding", "chunked") == NULL)
686 				return (-1);
687 		}
688 	}
689 
690 	/* Is it a persistent connection? */
691 	if (clt->clt_persist) {
692 		if (kv_add(&resp->http_headers,
693 		    "Connection", "keep-alive") == NULL)
694 			return (-1);
695 	} else if (kv_add(&resp->http_headers, "Connection", "close") == NULL)
696 		return (-1);
697 
698 	/* HSTS header */
699 	if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
700 	    srv_conf->flags & SRVFLAG_TLS) {
701 		if ((cl =
702 		    kv_add(&resp->http_headers, "Strict-Transport-Security",
703 		    NULL)) == NULL ||
704 		    kv_set(cl, "max-age=%d%s%s", srv_conf->hsts_max_age,
705 		    srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
706 		    "; includeSubDomains" : "",
707 		    srv_conf->hsts_flags & HSTSFLAG_PRELOAD ?
708 		    "; preload" : "") == -1)
709 			return (-1);
710 	}
711 
712 	/* Date header is mandatory and should be added as late as possible */
713 	key.kv_key = "Date";
714 	if (kv_find(&resp->http_headers, &key) == NULL &&
715 	    (server_http_time(time(NULL), tmbuf, sizeof(tmbuf)) <= 0 ||
716 	    kv_add(&resp->http_headers, "Date", tmbuf) == NULL))
717 		return (-1);
718 
719 	if (server_writeresponse_http(clt) == -1 ||
720 	    server_bufferevent_print(clt, "\r\n") == -1 ||
721 	    server_headers(clt, resp, server_writeheader_http, NULL) == -1 ||
722 	    server_bufferevent_print(clt, "\r\n") == -1)
723 		return (-1);
724 
725 	return (0);
726 }
727 
728 int
729 server_fcgi_writeheader(struct client *clt, struct kv *hdr, void *arg)
730 {
731 	struct server_fcgi_param	*param = arg;
732 	char				*val, *name, *p;
733 	const char			*key;
734 	int				 ret;
735 
736 	/* The key might have been updated in the parent */
737 	if (hdr->kv_parent != NULL && hdr->kv_parent->kv_key != NULL)
738 		key = hdr->kv_parent->kv_key;
739 	else
740 		key = hdr->kv_key;
741 
742 	val = hdr->kv_value;
743 
744 	if (strcasecmp(key, "Content-Length") == 0 ||
745 	    strcasecmp(key, "Content-Type") == 0) {
746 		if ((name = strdup(key)) == NULL)
747 			return (-1);
748 	} else {
749 		if (asprintf(&name, "HTTP_%s", key) == -1)
750 			return (-1);
751 	}
752 
753 	/*
754 	 * RFC 7230 defines a header field-name as a "token" and a "token"
755 	 * is defined as one or more characters for which isalpha or
756 	 * isdigit is true plus a list of additional characters.
757 	 * According to RFC 3875 a CGI environment variable is created
758 	 * by converting all letters to upper case and replacing '-'
759 	 * with '_'.
760 	 */
761 	for (p = name; *p != '\0'; p++) {
762 		if (isalpha((unsigned char)*p))
763 			*p = toupper((unsigned char)*p);
764 		else if (!(*p == '!' || *p == '#' || *p == '$' || *p == '%' ||
765 		    *p == '&' || *p == '\'' || *p == '*' || *p == '+' ||
766 		    *p == '.' || *p == '^' || *p == '_' || *p == '`' ||
767 		    *p == '|' || *p == '~' || isdigit((unsigned char)*p)))
768 			*p = '_';
769 	}
770 
771 	ret = fcgi_add_param(param, name, val, clt);
772 	free(name);
773 
774 	return (ret);
775 }
776 
777 int
778 server_fcgi_writechunk(struct client *clt)
779 {
780 	struct evbuffer *evb = clt->clt_srvevb;
781 	size_t		 len;
782 
783 	if (clt->clt_fcgi.type == FCGI_END_REQUEST) {
784 		len = 0;
785 	} else
786 		len = EVBUFFER_LENGTH(evb);
787 
788 	if (clt->clt_fcgi.chunked) {
789 		/* If len is 0, make sure to write the end marker only once */
790 		if (len == 0 && clt->clt_fcgi.end++)
791 			return (0);
792 		if (server_bufferevent_printf(clt, "%zx\r\n", len) == -1 ||
793 		    server_bufferevent_write_chunk(clt, evb, len) == -1 ||
794 		    server_bufferevent_print(clt, "\r\n") == -1)
795 			return (-1);
796 	} else if (len)
797 		return (server_bufferevent_write_buffer(clt, evb));
798 
799 	return (0);
800 }
801 
802 int
803 server_fcgi_getheaders(struct client *clt)
804 {
805 	struct http_descriptor	*resp = clt->clt_descresp;
806 	struct evbuffer		*evb = clt->clt_srvevb;
807 	int			 code, ret;
808 	char			*line, *key, *value;
809 	const char		*errstr;
810 
811 	while ((line = evbuffer_getline(evb)) != NULL && *line != '\0') {
812 		key = line;
813 
814 		if ((value = strchr(key, ':')) == NULL)
815 			break;
816 
817 		*value++ = '\0';
818 		value += strspn(value, " \t");
819 
820 		DPRINTF("%s: %s: %s", __func__, key, value);
821 
822 		if (strcasecmp("Status", key) == 0) {
823 			value[strcspn(value, " \t")] = '\0';
824 			code = (int)strtonum(value, 100, 600, &errstr);
825 			if (errstr != NULL || server_httperror_byid(
826 			    code) == NULL)
827 				code = 200;
828 			clt->clt_fcgi.status = code;
829 		} else {
830 			(void)kv_add(&resp->http_headers, key, value);
831 		}
832 		free(line);
833 	}
834 
835 	ret = (line != NULL && *line == '\0');
836 
837 	free(line);
838 	return ret;
839 }
840