From: Rafael Sadowski <rafael@sizeofvoid.org>
Subject: Re: httpd timegm error check
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Fri, 19 Jun 2026 11:32:02 +0200

On Fri Jun 19, 2026 at 09:47:36AM +0200, Theo Buehler wrote:
> Split the logic chain into individual checks and use the timegm(3) error
> check from the manual.
> 

OK rsadowski@

> Index: server_file.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_file.c,v
> diff -u -p -r1.80 server_file.c
> --- server_file.c	29 Apr 2024 16:17:46 -0000	1.80
> +++ server_file.c	3 Jun 2026 08:53:29 -0000
> @@ -718,6 +718,7 @@ server_file_modified_since(struct http_d
>  {
>  	struct kv	 key, *since;
>  	struct tm	 tm;
> +	time_t		 t;
>  
>  	key.kv_key = "If-Modified-Since";
>  	if ((since = kv_find(&desc->http_headers, &key)) != NULL &&
> @@ -729,8 +730,12 @@ server_file_modified_since(struct http_d
>  		 * the requested time.
>  		 */
>  		if (strptime(since->kv_value,
> -		    "%a, %d %h %Y %T %Z", &tm) != NULL &&
> -		    timegm(&tm) >= mtim->tv_sec)
> +		    "%a, %d %h %Y %T %Z", &tm) == NULL)
> +			return (-1);
> +		tm.tm_wday = -1;
> +		if ((t = timegm(&tm)) == -1 && tm.tm_wday == -1)
> +			return (-1);
> +		if (t >= mtim->tv_sec)
>  			return (304);
>  	}
>  
>