Site enumeration
Mark Otzen took a quick look at rc-httpd/werc
UPDATE: rc-httpd on 9front now filters "." hosts, preventing this issue.
With the standard rc-httpd select handler setup, sites can be enumerated with an empty or missing host, or a path of ".".
› 233c.cat-v.org/
› 9base.werc.cat-v.org/
› 9front.cat-v.org/
› 9front.werc.cat-v.org/
› 9gridchan.net/
› 9p.cat-v.org/
› 9times.cat-v.org/
› acme.cat-v.org/
› ants.9gridchan.net/
› archeology.cat-v.org/
› bell-labs.co/
› books.cat-v.org/
› bootstrap.cat-v.org/
› boyd.cat-v.org/
› cat-v.org/
› catv.inri.net/
› co.bell-labs.co/
a sample of cat-v's /sites directory
It's simple to fix
#!/bin/rc
rfork n
# Route requests to werc.
# Change paths to match your system.
PLAN9=/
if(~ $SERVER_NAME nug.only9fans.com){
	PATH_INFO=$location
	FS_ROOT=/srv/sites/$SERVER_NAME/
	exec static-or-cgi /srv/bin/werc.rc
}
if not
	error 503
Just write the servers that should match in your if statement. Mark also noted a / at the end of FS_ROOT may avoid some concatenation attacks.
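To see why an exact-match handler closes the hole, the following added example (POSIX sh, not code from the original page or from rc-httpd) models the Host-to-FS_ROOT mapping on a constructed directory tree. It assumes the permissive handler simply joins the sites directory and the client-supplied host; the function names and the a.example/b.example sites are hypothetical.

```shell
#!/bin/sh
# Model of how a select handler maps the Host header to a werc site root.
# ASSUMPTION: the naive handler concatenates the sites directory and the
# client-supplied host with no validation. All names here are hypothetical.

# Naive mapping: whatever the client sent becomes part of the path.
naive_root() {	# usage: naive_root sitesdir host
	printf '%s/%s\n' "$1" "$2"
}

# Allowlist mapping: exact match against configured hosts only,
# with the trailing slash on the root that the page recommends.
allowlist_root() {	# usage: allowlist_root sitesdir host allowed...
	_sites=$1 _host=$2
	shift 2
	for _ok in "$@"; do
		if [ "$_host" = "$_ok" ]; then
			printf '%s/%s/\n' "$_sites" "$_host"
			return 0
		fi
	done
	return 1	# the handler would answer with "error 503"
}

# True when a root resolves to the sites directory itself, i.e. a
# directory listing of it would name every hosted site.
is_sites_dir() {	# usage: is_sites_dir sitesdir root
	[ -d "$2" ] && [ "$(cd "$2" && pwd -P)" = "$(cd "$1" && pwd -P)" ]
}

# Constructed sample tree (not real sites), removed on exit.
demo_sites=$(mktemp -d)
trap 'rm -rf "$demo_sites"' EXIT
mkdir "$demo_sites/a.example" "$demo_sites/b.example"

for h in '' . a.example; do
	if is_sites_dir "$demo_sites" "$(naive_root "$demo_sites" "$h")"; then
		naive=LISTS-ALL-SITES
	else
		naive=ok
	fi
	if allowlist_root "$demo_sites" "$h" a.example >/dev/null; then
		strict=served
	else
		strict=503
	fi
	printf 'host=[%s] naive=%s allowlist=%s\n' "$h" "$naive" "$strict"
done
```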
Namespace
There's a /rc/bin/service/!tcp80.namespace; copy it to tcp80.namespace and customise it for your installation. I also start a ramfs in mine, to avoid sharing a tmp with rc-httpd.