minihttpd: add more bloat - randomcrap - random crap programs of varying quality
---
(DIR) commit 0ed15f361ed9749a92676826bbf91fc88d5eddea
(DIR) parent b3f6ae5a47e6af99aebc0110bba78065b2a00330
(HTM) Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date: Fri, 15 Aug 2025 12:08:00 +0200
minihttpd: add more bloat
- Some request logging to stderr, useful for debugging.
- Some path sanitization (still totally insecure of course).
- Export CGI variables.
Diffstat:
M minihttpd/httpd.sh | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
---
(DIR) diff --git a/minihttpd/httpd.sh b/minihttpd/httpd.sh
@@ -2,8 +2,15 @@
# insecure mini httpd intended for local testing.
# Dependencies: socat, file, UNIX tools, etc.
+# log(msg)
+log() {
+ # log
+ printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$REMOTE_ADDR" "$1" "$REQUEST_METHOD" "HTTP/1.0" "$REQUEST_PATH" "$QUERY_STRING" >&2
+}
+
# httpheader(msg) {
httpheader() {
+ log "$1"
printf 'HTTP/1.0 %s \r\nDate: %s\r\nConnection: close\r\n'\
"$1" "$(TZ=UTC date +'%a, %d %b %Y %H:%M:%S +0000')"
}
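Review bot: `log` writes `$REQUEST_PATH` and `$QUERY_STRING` to stderr unfiltered, and the path is percent-decoded before it is assigned to `REQUEST_PATH` (later hunk), so a request can carry tab, newline or escape bytes into the log, which breaks the tab-separated record format and reaches whatever terminal displays stderr. Replace non-printable bytes per field before formatting, e.g. `p="$(printf '%s' "$REQUEST_PATH" | LC_ALL=C tr -c '[:print:]' '?')"`, and do the same for the query string. The protocol column is the literal `"HTTP/1.0"` although the commit also sets `SERVER_PROTOCOL`; if the column is meant to describe the request, log that variable. `httpheader` may also be reached before these variables are assigned on an error path outside the diff, which would log empty fields, so that is worth checking.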
@@ -57,6 +64,7 @@ servescript() {
t="$(mktemp)"
if "$1" > "$t"; then
cat "$t"
+ log '0 CGI' # CGI can return any HTTP status
else
httpstatus '500 Internal Server Error'
fi
@@ -68,6 +76,12 @@ percentdecode() {
printf '%s' "$1" | sed 's@+@ @g;s@%@\\x@g' | xargs -0 printf '%b'
}
+# sanitizepath(str)
+sanitizepath() {
+ # good enough for this crappy insecure local httpd.
+ printf '%s' "$1" | sed 's@\.\./@@;s@\./@@g'
+}
+
if test "$1" = ""; then
script="$(readlink -f "$0")"
socat TCP4-LISTEN:8080,reuseaddr,fork "SYSTEM:'$script httpd'"
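Review bot: `sanitizepath` edits the string in one textual pass, which is not a containment check: the first expression has no `g` flag so only one `../` is removed, a trailing `..` with no slash is left alone, symlinks under the document root are not considered, and `s@\./@@g` also rewrites legitimate names such as `a./b`. The comment concedes this, but a reliable check is small: once `realfile` is built (next hunk), resolve it and compare it with the root, e.g. `case "$(readlink -f "$realfile")" in "$htdocsdir"|"$htdocsdir"/*) ;; *) httpstatus '403 Forbidden'; exit 0;; esac`. That assumes `htdocsdir` is itself a canonical absolute path, which cannot be confirmed because its assignment is outside the diff; `readlink -f` is already used by the script. The check matters more because the `socat TCP4-LISTEN:8080` context line shows no `bind=` option, so the listener is presumably reachable from other hosts and not only from localhost.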
@@ -91,10 +105,14 @@ elif test "$1" = "httpd"; then
else
file="${requestpath#/}"
file="$(percentdecode "$file")"
+ file="$(sanitizepath "$file")"
fi
realfile="${htdocsdir}/${file}"
basename="$(basename "$realfile")"
scriptname="/cgi-bin/${basename}" # only execute scripts in cgi-bin
+ # a few CGI variables (RFC3875) and custom ones.
+ QUERY_STRING="$query";REMOTE_ADDR="$SOCAT_PEERADDR";REQUEST_METHOD="$method";SERVER_PROTOCOL="$proto";REQUEST_PATH="/$file";RAW_REQUEST="$request"
+ for n in QUERY_STRING REMOTE_ADDR REQUEST_METHOD SERVER_PROTOCOL REQUEST_PATH RAW_REQUEST; do export "$n"; done
if test -d "$realfile"; then
if test "$file" != "${file%/}"; then
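Review bot: The six request-derived values are now exported for the rest of the process, so every child command inherits client-controlled strings, including `RAW_REQUEST` (presumably the raw request line), where the removed per-command assignments in the last hunk scoped them to `servescript`. `log` only needs them as shell variables, so if the export is meant for CGI scripts it could move into the `servescript` branch. As style, six assignments on one line are hard to scan and the loop is unnecessary: one assignment per line followed by `export QUERY_STRING REMOTE_ADDR REQUEST_METHOD SERVER_PROTOCOL REQUEST_PATH RAW_REQUEST` does the same. `sanitizepath` is applied only in the `else` arm visible here; the other arm lies outside the hunk, so confirm that `file` cannot carry request input there.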
@@ -105,12 +123,7 @@ elif test "$1" = "httpd"; then
printf 'Location: %s\r\n\r\n' "/$file/"
fi
elif test "$requestpath" = "${scriptname}" && test -x "${scriptdir}/${basename}"; then
- # a few CGI variables (RFC3875).
- QUERY_STRING="$query"\
- REMOTE_ADDR="$SOCAT_PEERADDR"\
- REQUEST_METHOD="$method"\
- SERVER_PROTOCOL="$proto"\
- servescript "${scriptdir}/${basename}"
+ servescript "${scriptdir}/${basename}"
elif test -f "$realfile"; then
servefile "$realfile"
else