Install cgiwrapd/nph-cgiwrapd as a separate binary and removes suid

and execute permissions for security reasons

PR:		41454
Submitted by:	maintainer

2 files changed, 10 insertions, 1 deletions

diff --git a/www/cgiwrap/Makefile b/www/cgiwrap/Makefile
index d8926489f8eb..f16432e85f78 100644
--- a/www/cgiwrap/Makefile
+++ b/www/cgiwrap/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	cgiwrap
 PORTVERSION=	3.7.1
+PORTREVISION=	1
 CATEGORIES=	www security
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -51,7 +52,11 @@ pre-install:
 	@${MKDIR} ${MAINCGIDIR}
 
 post-install:
-	strip ${MAINCGIDIR}/cgiwrap
+	${STRIP_CMD} ${MAINCGIDIR}/cgiwrap
+	${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
+	${CP} ${MAINCGIDIR}/cgiwrap ${MAINCGIDIR}/cgiwrapd
+	${LN} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
+	${CHMOD} 644 ${MAINCGIDIR}/cgiwrapd
 .if !defined(NOPORTDOCS)
 	@${MKDIR} ${DOCSDIR}
 .for file in accesscontrol.html afs.html changes.html comments.html \
diff --git a/www/cgiwrap/pkg-message b/www/cgiwrap/pkg-message
index c4dfb9e01971..cc9557fe7320 100644
--- a/www/cgiwrap/pkg-message
+++ b/www/cgiwrap/pkg-message
@@ -9,6 +9,10 @@ The cgiwrap scripts have been installed in:
     ${PREFIX}/www/cgi-bin
 ...the default location for Apache's cgi-bin directory.
 
+The cgiwrapd and nph-cgiwrapd scripts are disabled by default, as they
+may give away sensitive information about the CGI environment.  To
+enable them, you must chmod 4755 ${PREFIX}/www/cgi-bin/cgiwrapd
+
 Access control enabled, you must create either
 ${PREFIX}/etc/cgiwrap.allow or ${PREFIX}/etc/cgiwrap.deny before
 cgiwrap will function.