[package] firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrac...

[openwrt.git] / package / uhttpd / src / uhttpd-cgi.c

diff --git a/package/uhttpd/src/uhttpd-cgi.c b/package/uhttpd/src/uhttpd-cgi.c
index 8c17251..ed68851 100644 (file)
--- a/package/uhttpd/src/uhttpd-cgi.c
+++ b/package/uhttpd/src/uhttpd-cgi.c
@@ -157,6 +157,8 @@ void uh_cgi_request(
        fd_set reader;
        fd_set writer;
 
+       sigset_t ss;
+
        struct sigaction sa;
        struct timeval timeout;
        struct http_response *res;
@@ -187,6 +189,10 @@ void uh_cgi_request(
 
                /* exec child */
                case 0:
+                       /* unblock signals */
+                       sigemptyset(&ss);
+                       sigprocmask(SIG_SETMASK, &ss, NULL);
+
                        /* restore SIGTERM */
                        sa.sa_flags = 0;
                        sa.sa_handler = SIG_DFL;
@@ -201,6 +207,10 @@ void uh_cgi_request(
                        dup2(rfd[1], 1);
                        dup2(wfd[0], 0);
 
+                       /* avoid leaking our pipe into child-child processes */
+                       fd_cloexec(rfd[1]);
+                       fd_cloexec(wfd[0]);
+
                        /* check for regular, world-executable file _or_ interpreter */
                        if( ((pi->stat.st_mode & S_IFREG) &&
                             (pi->stat.st_mode & S_IXOTH)) || (ip != NULL)