OpenWrt http server does not detect cgi-get ? query delimiter

Hi,

I am new to the OpenWrt platform and am facing issues with the uhttpd server when running REST-based CGI GET/POST calls ported from a tinyhttp server.
My problem is that the CGI GET query delimiter ? is not working in the OpenWrt uhttpd server.

http://<192.168.1.1>/cgi-bin/pre_login_status_app.cgi?sts
returns as
{"result":1,"reason":5,"errorstr":"pre_login_status_app.cgi:argc:1 argv[0]:/www/cgi-bin/pre_login_status_app.cgi argv[1]:(null)"}

=> ?sts is not being detected as a separate string and is only obtained as null

Other combinations return an error from the HTTP server itself:
://192.168.1.1/cgi-bin/pre_login_status_app.cgi;sts
<>Not Found<>The requested URL /cgi-bin/pre_login_status_app.cgi;sts was not found on this server.

://192.168.1.1/cgi-bin/pre_login_status_app.cgi sts
<>Not Found<>The requested URL /cgi-bin/pre_login_status_app.cgi%20sts was not found on this server.

://192.168.1.1/cgi-bin/pre_login_status_app.cgi:sts
<>Not Found<>The requested URL /cgi-bin/pre_login_status_app.cgi:sts was not found on this server.

Hardware/software details:

Model Qualcomm Technologies, Inc. IPQ807x/AP-HK01-C1
Firmware Version OpenWrt Chaos Calmer 15.05.1 d0dab90+r49254 / LuCI hb_common_stream branch (git-19.256.36379-d0dab90)
Kernel Version 4.4.60

Console Logs:

root@OpenWrt:~# uname -a
Linux OpenWrt 4.4.60 #1 SMP PREEMPT Fri Sep 13 22:46:54 CST 2019 armv7l GNU/Linux

root@OpenWrt:~# ps | grep http
 1981 root      1400 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -u /ub

root@OpenWrt:/www/cgi-bin# cat /etc/config/uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '1'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'px5g'
        option days '730'
        option bits '1024'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Uknown'
        option commonname 'OpenWrt'

root@OpenWrt:/www/cgi-bin# ls -l
-rwxr-xr-x    1 root     root           135 Sep 13 13:44 luci
-rwxr-xr-x    1 root     root          8696 Sep 13 14:58 pre_login_status_app.cgi

Code Snippet:

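#include <stdio.h>
#include <string.h>

/* head() and app_result_errstr() are helpers from the poster's code base (not shown). */
int CGIMain(int argc, char *argv[])
{
    head("Content-type:text/html;charset=UTF-8");
    head("Cache-Control:private,max-age=0;");
    int result = 0;
    int reason = 0;

    /* Bounded formatting; argv[1] is NULL when argc is 1, so it is not passed to %s directly. */
    char errorbuff[120] = {0};
    snprintf(errorbuff, sizeof(errorbuff),
             "app-pre_login_status_app.cgi:argc:%d:argv[0]:%s:argv[1]:%s",
             argc, argv[0], argc > 1 ? argv[1] : "(null)");
    if (argc == 2)
    {
        if (!strcmp(argv[1], "sts"))
        {
            app_result_errstr(1, 2, errorbuff);
        }
        else
        {
            app_result_errstr(1, 4, errorbuff);
        }
    }
    else
    {
        if (argc != 2)
            reason = 5;
        app_result_errstr(1, 5, errorbuff);
    }
    return 0;
}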

My two cents:

  • 15.05 is way too old, you should seriously consider upgrading.
  • Are HTTP parameters supposed to reach the CGI as call parameters? I could be wrong, but I had the idea those arrived as environment variables.
2 Likes

I'd go beyond "seriously consider" and into "must" on upgrade to a more secure version, as well as one that is supported (meaning v18, v19, or master at this point).

Also, be aware that uhttpd is a very lightweight server that

  • Should never be exposed to the Internet
  • Lacks features that some might consider "basic"

With nginx and Apache available as packages, either could be a more appropriate server to use.

uhttpd does not expose query string parameters as arguments via the argv vector as specified by https://tools.ietf.org/html/rfc3875#section-4.4 - instead you need to parse the QUERY_STRING environment variable.

1 Like

Yes, now I am able to get the sts string by reading the QUERY_STRING env variable.
Thanks
