Executing CGI scripts with caddy-cgi by finding them with good matcher

1. The problem I’m having:

My first help topic was about templates and SHTML files.

Now I want to run my old Perl CGI scripts using package caddy-cgi.

The sample web-site structure looks like this:

.
├── cgi
│   ├── 1.sh
│   ├── image4scriptUse.png
│   ├── scriptOutput.txt
│   └── subdir
│       └── 2.sh
└── index.html

For now, for testing, I am using *.sh scripts. Later I will switch to Perl scripts.

I want:

  • execute (“cgi”) ONLY scripts with the extension *.sh inside the “/cgi” directory, including all subdirs
  • reject with HTTP 403 all direct requests to all files and directories in the “cgi” directory (and the “cgi” directory itself), including all subdirs, that are not scripts with the .sh extension

I do not want to write such a line in the Caddyfile for every script: cgi /cgi/1.sh /cgi/1.sh, as stated in the package README.

I want clever and nice matcher :slight_smile:

Something like this in the Caddyfile:

        @mycgimatcher {
                path /cgi/* *.sh
        }

        cgi @mycgimatcher /srv/{path}

Now half of my wishes are working. The scripts are working well, but I get HTTP 500 for a request with the path “/cgi/” (Caddy error “CGI error: exec: no command”) and for “/cgi/scriptOutput.txt” (Caddy error “CGI error: fork/exec scriptOutput.txt: permission denied”).

That means that the caddy-cgi package is trying to execute EVERYTHING inside the “/cgi/” path, and it is a potential security problem. Yes, my “scriptOutput.txt” is not a script and cannot be executed, but it seems to me that there should not even be any attempt to execute improper files.

2. Error messages and/or full log output:

2023/12/24 18:03:59.540	INFO	CGI error: fork/exec scriptOutput.txt: permission denied
...
2023/12/24 18:03:59.540	INFO	CGI error: fork/exec scriptOutput.txt: permission denied

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu Server 22, x86_64, Docker with the official Alpine image and my own built container.

d. My complete Caddy config:

{
        debug
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        order cgi before respond
}

example.com {
        file_server {
                index index.html
        }

        templates {
                between "<!--#" "-->"
                mime "text/html"
        }

        root * /srv

        @mycgimatcher {
                path /cgi/*
# *.sh
        }

        cgi @mycgimatcher /srv/{path}
}

This indicates the matter needs to be reported to the caddy-cgi repo, not us. Please check with the plug-in author. If the issue is determined to be a defect in Caddy, we can look into it then.

You can use the path_regexp matcher to write a more precise condition than with path.

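Building on that suggestion, here is a complete Caddyfile that does what the question asks for: only files ending in .sh under /cgi/ are handed to the CGI handler, and every other request into /cgi (including /cgi/ itself and /cgi/scriptOutput.txt) gets a 403 before file_server can see it. This is an added example written for this page, not a config from the thread or from the caddy-cgi project. The matcher names @cgi_scripts and @cgi_other are my own choice, the cgi directive is used in the same form as in the question (cgi <matcher> <exec>), and the global options other than order are left out. Note that with path /cgi/* as in the original config, every request under /cgi/ reaches the cgi handler and the 500s are simply the exec failing; the fix is to make the matcher itself exclude everything that is not a script.

```caddyfile
{
        order cgi before respond
}

example.com {
        root * /srv

        # Only files ending in .sh somewhere under /cgi/ reach the CGI handler.
        # Every path segment must start with a character other than "." or "/",
        # so "." and ".." segments (and dotfiles) never match. Together with the
        # ^ and $ anchors this keeps the exec target /srv/{path} from being
        # steered out of /srv/cgi with a ".." segment. path_regexp is
        # case-sensitive unless the pattern starts with (?i).
        @cgi_scripts {
                path_regexp ^/cgi/([^/.][^/]*/)*[^/.][^/]*\.sh$
        }
        cgi @cgi_scripts /srv/{path}

        # Everything else in /cgi, and /cgi itself, is refused. A trailing *
        # in the path matcher is a prefix match, so /cgi/* also matches "/cgi/".
        # cgi is ordered before respond, so matched scripts have already been
        # handled and never fall through to this 403.
        @cgi_other {
                path /cgi /cgi/*
        }
        respond @cgi_other 403

        templates {
                between "<!--#" "-->"
                mime "text/html"
        }

        file_server {
                index index.html
        }
}
```

With this layout the two requests from the question change from 500 to 403: /cgi/ and /cgi/scriptOutput.txt fail the regex, match @cgi_other, and are answered by respond before the file_server directive runs, so scriptOutput.txt and image4scriptUse.png are not served either. /cgi/1.sh and /cgi/subdir/2.sh match the regex and are executed. Hidden scripts such as /cgi/.hook.sh are deliberately not matched; relax the segment rule if you need them. The regex constrains only the request path, not symlinks inside /srv/cgi, so the directory should still contain nothing but the scripts and their data, and the Caddy process user should own nothing executable elsewhere that a script could reach.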
