-rw-r--r--Makefile8
-rw-r--r--adapter/protocol/ftp.nim1
-rw-r--r--adapter/protocol/gemini.nim17
-rw-r--r--adapter/protocol/gopher.nim1
-rw-r--r--adapter/protocol/lcgi.nim2
-rw-r--r--adapter/protocol/lcgi_ssl.nim2
-rw-r--r--adapter/protocol/sftp.nim1
-rw-r--r--todo2
8 files changed, 19 insertions, 15 deletions
diff --git a/Makefile b/Makefile
index f278c85e..35f9d1f8 100644
--- a/Makefile
+++ b/Makefile
@@ -97,7 +97,7 @@ src/utils/strwidth.nim: res/map/charwidth_gen.nim src/utils/proptable.nim
 twtstr = src/utils/twtstr.nim src/utils/charcategory.nim src/utils/map.nim \
 	src/utils/twtuni.nim src/types/opt.nim
 dynstream = src/io/dynstream.nim src/io/dynstream_aux.c
-lcgi = $(dynstream) $(twtstr) adapter/protocol/lcgi.nim
+lcgi = $(dynstream) $(twtstr) $(sandbox) adapter/protocol/lcgi.nim
 lcgi_ssl = $(lcgi) adapter/protocol/lcgi_ssl.nim
 sandbox = src/utils/sandbox.nim $(chaseccomp)
 
@@ -112,12 +112,12 @@ $(OUTDIR_CGI_BIN)/gemini: $(lcgi_ssl)
 $(OUTDIR_CGI_BIN)/stbi: adapter/img/stbi.nim adapter/img/stb_image.c \
 		adapter/img/stb_image.h $(sandbox) $(dynstream)
 $(OUTDIR_CGI_BIN)/jebp: adapter/img/jebp.c adapter/img/jebp.h $(sandbox)
-$(OUTDIR_CGI_BIN)/sixel: src/types/color.nim src/utils/sandbox.nim $(twtstr) $(dynstream)
+$(OUTDIR_CGI_BIN)/sixel: src/types/color.nim $(sandbox) $(twtstr) $(dynstream)
 $(OUTDIR_CGI_BIN)/canvas: src/types/canvastypes.nim src/types/path.nim \
 	src/io/bufreader.nim src/types/color.nim src/types/line.nim \
-	src/utils/sandbox.nim $(dynstream) $(twtstr)
+	$(sandbox) $(dynstream) $(twtstr)
 $(OUTDIR_CGI_BIN)/resize: adapter/img/stb_image_resize.h adapter/img/stb_image_resize.c \
-	src/utils/sandbox.nim $(dynstream) $(twtstr)
+	$(sandbox) $(dynstream) $(twtstr)
 $(OUTDIR_LIBEXEC)/urlenc: $(twtstr)
 $(OUTDIR_LIBEXEC)/nc: $(lcgi)
 $(OUTDIR_LIBEXEC)/gopher2html: adapter/gophertypes.nim $(twtstr)
diff --git a/adapter/protocol/ftp.nim b/adapter/protocol/ftp.nim
index c62fe61f..97a860cc 100644
--- a/adapter/protocol/ftp.nim
+++ b/adapter/protocol/ftp.nim
@@ -106,6 +106,7 @@ proc main() =
     os.sdie(401, "Unauthorized", obuf)
   discard os.sendCommand(ps, "TYPE", "I", obuf) # request raw data
   let passive = os.passiveMode(ps, host, ipv6)
+  enterNetworkSandbox()
   var path = percentDecode(getEnvEmpty("MAPPED_URI_PATH", "/"))
   if os.sendCommand(ps, "CWD", path, obuf) == 250:
     if path[^1] != '/':
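Review bot: The `enterNetworkSandbox()` call after `passiveMode` has no comment saying why it sits at this exact point, and the same is true of the calls added in gopher.nim (`loadRegular`) and sftp.nim (`main`). In all three it follows the last visible connection setup, which suggests the filter forbids opening new sockets afterwards; a comment such as `# all sockets are open; nothing below may connect again` would keep later edits from moving a connect below the line. It is also worth recording that the reply handling before this point (`sendCommand`/`passiveMode` here, the handshake and `authenticate` in sftp.nim) still processes server-controlled bytes outside the sandbox. `main` starts and ends outside the hunk, and what `enterNetworkSandbox` does when no sandbox backend is available is not visible here.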
diff --git a/adapter/protocol/gemini.nim b/adapter/protocol/gemini.nim
index 29e10310..a030428f 100644
--- a/adapter/protocol/gemini.nim
+++ b/adapter/protocol/gemini.nim
@@ -165,7 +165,7 @@ proc readResponse(os: PosixStream; ssl: ptr SSL; reqBuf: string) =
   var n = 0
   while n < buffer.len:
     let m = SSL_read(ssl, addr buffer[n], cint(buffer.len - n))
-    if m == 0:
+    if m <= 0:
       break
     n += m
   let status0 = buffer[0]
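Review bot: With `m <= 0` in both read loops of `readResponse` (here and in the hunk at -174), a failed `SSL_read` is handled exactly like a clean close: the loop stops and parsing continues on whatever was buffered. A response cut short by a TLS error is then indistinguishable from one the server ended normally. Consider treating the negative case separately, for example `if m < 0: os.die("InvalidResponse", "read failed")` ahead of the `m == 0` break, or at least add a comment stating that truncation is accepted on purpose. The function body continues outside both hunks.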
@@ -174,7 +174,7 @@ proc readResponse(os: PosixStream; ssl: ptr SSL; reqBuf: string) =
     os.die("InvalidResponse", "invalid status code")
   while n < 1024 + 3: # max meta len is 1024
     let m = SSL_read(ssl, addr buffer[n], cint(buffer.len - n))
-    if m == 0:
+    if m <= 0:
       break
     n += m
   let i = buffer.find("\r\n")
@@ -211,11 +211,10 @@ proc readResponse(os: PosixStream; ssl: ptr SSL; reqBuf: string) =
       os.sendDataLoop(buffer.toOpenArray(0, int(n) - 1))
   of '3': # redirect
     # META is the redirection URL.
-    let c = if status1 == '0':
-      '7' # temporary
-    else:
-      '1' # permanent
-    os.sendDataLoop("Status: 30" & c & "\nLocation: " & meta & "\n\n")
+    # Using an HTTP permanent redirect would send another POST and
+    # break redirection after form submission (search), so we send
+    # See Other.
+    os.sendDataLoop("Status: 303\nLocation: " & meta & "\n\n")
   of '4': # temporary failure
     # META is additional information.
     let tmp = case status1
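Review bot: `meta` is concatenated into the CGI header block on the `Status: 303` line without any check for line breaks. How `meta` is cut from the buffer is outside the hunk, but if it is the bytes before the first `\r\n` (see the `buffer.find("\r\n")` in the previous hunk), a bare `\n` inside it would end the `Location` line early and let server-supplied text be read as further headers. A guard before the send, such as `if '\n' in meta: os.die("InvalidResponse", "invalid redirect URL")`, would close that. The same check would apply to any other branch that echoes `meta` into headers.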
@@ -284,8 +283,10 @@ proc main() =
   var storedDigest: string
   var theirDigest: string
   var theirTime: Time
-  case os.connect(ssl, host, port, knownHosts, storedDigest, theirDigest,
+  let res = os.connect(ssl, host, port, knownHosts, storedDigest, theirDigest,
     theirTime, tmpEntry)
+  enterNetworkSandbox()
+  case res
   of ccrFoundValid:
     discard SSL_write(ssl, cstring(reqBuf), cint(reqBuf.len))
     os.readResponse(ssl, reqBuf)
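Review bot: Every branch of `case res` now runs inside the sandbox, not only `ccrFoundValid`, because `enterNetworkSandbox()` is called before the case. The other branches are outside the hunk; if any of them opens or rewrites the known-hosts file (`knownHosts` and `tmpEntry` are passed to `connect` just above), it may fail, depending on what the filter permits. A short comment such as `# sandboxed from here: branches below may only use already-open descriptors` would record the constraint. The non-valid branches deserve a test run with the sandbox enabled.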
diff --git a/adapter/protocol/gopher.nim b/adapter/protocol/gopher.nim
index b97ced2b..218e2da4 100644
--- a/adapter/protocol/gopher.nim
+++ b/adapter/protocol/gopher.nim
@@ -27,6 +27,7 @@ Content-Type: text/html
 proc loadRegular(os: PosixStream; t: GopherType; path: var string;
     host, port, query: string) =
   let ps = os.connectSocket(host, port)
+  enterNetworkSandbox()
   if query != "":
     path &= '\t'
     path &= query
diff --git a/adapter/protocol/lcgi.nim b/adapter/protocol/lcgi.nim
index 590c63c8..5a7bf718 100644
--- a/adapter/protocol/lcgi.nim
+++ b/adapter/protocol/lcgi.nim
@@ -4,10 +4,12 @@ import std/posix
 import std/strutils
 
 import io/dynstream
+import utils/sandbox
 import utils/twtstr
 
 export dynstream
 export twtstr
+export sandbox
 
 export STDIN_FILENO, STDOUT_FILENO
 
diff --git a/adapter/protocol/lcgi_ssl.nim b/adapter/protocol/lcgi_ssl.nim
index 977336c7..aca51a9b 100644
--- a/adapter/protocol/lcgi_ssl.nim
+++ b/adapter/protocol/lcgi_ssl.nim
@@ -2,7 +2,7 @@ import std/posix
 
 import lcgi
 
-export lcgi, dynstream, twtstr
+export lcgi, dynstream, twtstr, sandbox
 
 const libssl = staticExec("pkg-config --libs --silence-errors libssl libcrypto")
 
diff --git a/adapter/protocol/sftp.nim b/adapter/protocol/sftp.nim
index 2182a574..a2f1071c 100644
--- a/adapter/protocol/sftp.nim
+++ b/adapter/protocol/sftp.nim
@@ -251,6 +251,7 @@ proc main() =
     os.die("InternalError", "handshake failed")
   #TODO check known hosts file...
   os.authenticate(session, host)
+  enterNetworkSandbox()
   let sftpSession = libssh2_sftp_init(session)
   let path = percentDecode(getEnvEmpty("MAPPED_URI_PATH", "/"))
   let handle = sftpSession.libssh2_sftp_opendir(cstring(path))
diff --git a/todo b/todo
index ec717c14..8e107b1e 100644
--- a/todo
+++ b/todo
@@ -28,8 +28,6 @@ buffer:
 	  buffer
 	* this also includes not crashing when the buffer dies while
 	  container is reading...
-- important: improve sandboxing
-	* sandbox more built-in CGI protocol handlers
 - configurable/better url filtering in loader
 - when the log buffer crashes, print its contents to stderr
 	* easiest way seems to be to just dump its cache file