Be a lot more careful in parsing CGI response header. Closes #42.

dynamic.go

@@ -80,9 +80,22 @@ func handleCGI(config SysConfig, path string, cgiPath string, URL *url.URL, logE
 		logEntry.Status = 42
 		return
 	}
-	header, _, _ := bufio.NewReader(strings.NewReader(string(response))).ReadLine()
-	status, err := strconv.Atoi(strings.Fields(string(header))[0])
-	if err != nil {
+	header, _, err := bufio.NewReader(strings.NewReader(string(response))).ReadLine()
+	if err != nil || len(header) == 0 {
+		log.Println("Unable to parse first line of output from CGI process " + path + " as valid Gemini response header.  Line was: " + string(header))
+		conn.Write([]byte("42 CGI error!\r\n"))
+		logEntry.Status = 42
+		return
+	}
+	header_fields := strings.Fields(string(header))
+	if len(header_fields) == 0 {
+		log.Println("Unable to parse first line of output from CGI process " + path + " as valid Gemini response header.  Line was: " + string(header))
+		conn.Write([]byte("42 CGI error!\r\n"))
+		logEntry.Status = 42
+		return
+	}
+	status, err := strconv.Atoi(header_fields[0])
+	if err != nil || status < 10 || status > 70 {
 		log.Println("Unable to parse first line of output from CGI process " + path + " as valid Gemini response header.  Line was: " + string(header))
 		conn.Write([]byte("42 CGI error!\r\n"))
 		logEntry.Status = 42
@@ -144,8 +157,9 @@ func handleSCGI(URL *url.URL, scgiPath string, scgiSocket string, config SysConf
 			first = false
 			lines := strings.SplitN(string(buffer), "\r\n", 2)
 			status, err := strconv.Atoi(strings.Fields(lines[0])[0])
-			if err != nil {
+			if err != nil || status < 10 || status > 70 {
 				conn.Write([]byte("42 CGI error!\r\n"))
+				log.Println("Unable to parse first line of output from SCGI socket " + scgiSocket + " as valid Gemini response header.  Line was: " + lines[0])
 				logEntry.Status = 42
 				return
 			}