When a child process is terminated, the parent calls waitpid() to check for dead children. This returns -1 on error (e.g. there are no other children or a signal interrupted waitpid()), the pid (> 0) for dead children OR 0 if there are some children which are still alive. Fixes gnosek/fcgiwrap#18.
If the purpose of fcgiwrap is to wrap cgit, then I want to be sure that no other program can be executed under the privileges of the fcgiwrap user. When the option `-p path` is given, only the programs specified by `path` are allowed to execute (multiple occurrences of `-p` are merged to form a list of allowed programs). Note that this value will be matched literally; no attempt is made to canonicalize the path. This also implies that glob patterns or directories will never match.
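The literal matching described in the commit message above, shown as an added example that is not fcgiwrap's own code. The function names and all sample paths are hypothetical; the lint helper is an added check for `-p` values written as globs or directories.

```c
#include <stdio.h>
#include <string.h>

/* Literal, byte-for-byte allow-list check: no realpath(), no glob, no prefix match. */
static int is_allowed_program(const char *filename,
                              const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(filename, list[i]) == 0)
            return 1;
    return 0;
}

/* Config lint (hypothetical helper): flag -p values that look like a glob
 * pattern or a directory, which literal comparison will not expand. */
static int entry_looks_unmatchable(const char *entry)
{
    size_t len = strlen(entry);
    if (len == 0 || entry[len - 1] == '/')
        return 1;                          /* directory-style entry */
    return strpbrk(entry, "*?[") != NULL;  /* glob metacharacters */
}

int main(void)
{
    /* Constructed sample values, as if collected from repeated -p options. */
    const char *const allowed[] = {
        "/usr/lib/cgit/cgit.cgi", "/srv/cgi/*.cgi", "/srv/cgi/",
    };
    const char *const requests[] = {
        "/usr/lib/cgit/cgit.cgi",          /* exact match */
        "/usr/lib/cgit/../cgit/cgit.cgi",  /* same file, not canonical */
        "/usr/lib//cgit/cgit.cgi",         /* doubled slash */
        "/srv/cgi/status.cgi",             /* only "covered" by glob/dir entries */
    };
    size_t na = sizeof allowed / sizeof allowed[0];

    for (size_t i = 0; i < na; i++)
        if (entry_looks_unmatchable(allowed[i]))
            printf("warning: -p %s is a glob or directory; it is matched literally\n",
                   allowed[i]);
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-34s %s\n", requests[i],
               is_allowed_program(requests[i], allowed, na) ? "allowed" : "403");
    return 0;
}
```

Only the first request is allowed; the other three are refused even though two of them name the same file, so the web server configuration has to produce exactly the string given to `-p`.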
Use the same error handler for 403s and 502s. This basically ports the required fixes from error_403 (previous commit) to the 502 error on failed exec(). Two user-visible side effects:
- error message now says "403 Forbidden" instead of "403"
- failed exec() gets logged over stderr
(also, use \r\n instead of \n as a line separator but that has been fixed up by the parent process before).
Report 403 errors over normal stdout/stderr (after setting up the pipes). Properly reporting the error response over stdout requires:
- flushing the I/O, which would otherwise get buffered
- skipping atexit handlers (would otherwise close the FCGI connection cleanly, interfering with the parent process still trying to talk over it)
It's not a security issue (executing the file would fail, anyway) but it's a sensible sanity check.
This was an unfortunate copypasta error that slipped in with 9836d6d. The HAVE_SYSTEMD macro should only be defined based on the presence of the library, not the unit files, since the units are useless without the library support.
This should ease testing and deployment in simpler cases
If present, it overrides DOCUMENT_ROOT and SCRIPT_NAME and prevents mangling of PATH_INFO. Should allow cleaner configs when script names don't come from request URIs directly.
He's been added to the contributors in README.rst.