Changeset 3232 in MondoRescue for branches/3.2/mindi-busybox/networking/httpd.c

Timestamp:

Jan 1, 2014, 12:47:38 AM (10 years ago)

Author:

Bruno Cornec

Message:

• Update mindi-busybox to 1.21.1

File:

• branches/3.2/mindi-busybox/networking/httpd.c (modified) (36 diffs)

branches/3.2/mindi-busybox/networking/httpd.c

@@ -21 +21 @@
  * The server changes directory to the location of the script and executes it
  * after setting QUERY_STRING and other environment variables.
+ *
+ * If directory URL is given, no index.html is found and CGI support is enabled,
+ * cgi-bin/index.cgi will be run. Directory to list is ../$QUERY_STRING.
+ * See httpd_indexcgi.c for an example GCI code.
  *
  * Doc:
@@ -51 +55 @@
  * /adm:admin:setup  # Require user admin, pwd setup on urls starting with /adm/
  * /adm:toor:PaSsWd  # or user toor, pwd PaSsWd on urls starting with /adm/
+ * /adm:root:*       # or user root, pwd from /etc/passwd on urls starting with /adm/
+ * /wiki:*:*         # or any user from /etc/passwd with according pwd on urls starting with /wiki/
  * .au:audio/basic   # additional mime type for audio.au files
  * *.php:/path/php   # run xxx.php through an interpreter
@@ -72 +78 @@
  *     A:*             # (optional line added for clarity)
  *
- * If a sub directory contains a config file it is parsed and merged with
+ * If a sub directory contains config file, it is parsed and merged with
  * any existing settings as if it was appended to the original configuration.
  *
@@ -94 +100 @@
  /* TODO: use TCP_CORK, parse_config() */
 
+//usage:#define httpd_trivial_usage
+//usage:       "[-ifv[v]]"
+//usage:       " [-c CONFFILE]"
+//usage:       " [-p [IP:]PORT]"
+//usage:    IF_FEATURE_HTTPD_SETUID(" [-u USER[:GRP]]")
+//usage:    IF_FEATURE_HTTPD_BASIC_AUTH(" [-r REALM]")
+//usage:       " [-h HOME]\n"
+//usage:       "or httpd -d/-e" IF_FEATURE_HTTPD_AUTH_MD5("/-m") " STRING"
+//usage:#define httpd_full_usage "\n\n"
+//usage:       "Listen for incoming HTTP requests\n"
+//usage:     "\n    -i      Inetd mode"
+//usage:     "\n    -f      Don't daemonize"
+//usage:     "\n    -v[v]       Verbose"
+//usage:     "\n    -p [IP:]PORT    Bind to IP:PORT (default *:80)"
+//usage:    IF_FEATURE_HTTPD_SETUID(
+//usage:     "\n    -u USER[:GRP]   Set uid/gid after binding to port")
+//usage:    IF_FEATURE_HTTPD_BASIC_AUTH(
+//usage:     "\n    -r REALM    Authentication Realm for Basic Authentication")
+//usage:     "\n    -h HOME     Home directory (default .)"
+//usage:     "\n    -c FILE     Configuration file (default {/etc,HOME}/httpd.conf)"
+//usage:    IF_FEATURE_HTTPD_AUTH_MD5(
+//usage:     "\n    -m STRING   MD5 crypt STRING")
+//usage:     "\n    -e STRING   HTML encode STRING"
+//usage:     "\n    -d STRING   URL decode STRING"
+
 #include "libbb.h"
+#if ENABLE_PAM
+/* PAM may include <locale.h>. We may need to undefine bbox's stub define: */
+# undef setlocale
+/* For some obscure reason, PAM is not in pam/xxx, but in security/xxx.
+ * Apparently they like to confuse people. */
+# include <security/pam_appl.h>
+# include <security/pam_misc.h>
+#endif
 #if ENABLE_FEATURE_HTTPD_USE_SENDFILE
 # include <sys/sendfile.h>
@@ -310 +349 @@
 #else
 enum {
-    range_start = 0,
+    range_start = -1,
     range_end = MAXINT(off_t) - 1,
     range_len = MAXINT(off_t),
@@ -332 +371 @@
     SET_PTR_TO_GLOBALS(xzalloc(sizeof(G))); \
     IF_FEATURE_HTTPD_BASIC_AUTH(g_realm = "Web Server Authentication";) \
+    IF_FEATURE_HTTPD_RANGES(range_start = -1;) \
     bind_addr_or_port = "80"; \
     index_page = index_html; \
@@ -757 +797 @@
  config_error:
         bb_error_msg("config error '%s' in '%s'", buf, filename);
-     } /* while (fgets) */
-
-     fclose(f);
+    } /* while (fgets) */
+
+    fclose(f);
 }
 
@@ -791 +831 @@
 }
 #endif
-
-/*
- * Given a URL encoded string, convert it to plain ascii.
- * Since decoding always makes strings smaller, the decode is done in-place.
- * Thus, callers should xstrdup() the argument if they do not want the
- * argument modified.  The return is the original pointer, allowing this
- * function to be easily used as arguments to other functions.
- *
- * string    The first string to decode.
- * option_d  1 if called for httpd -d
- *
- * Returns a pointer to the decoded string (same as input).
- */
-static unsigned hex_to_bin(unsigned char c)
-{
-    unsigned v;
-
-    v = c - '0';
-    if (v <= 9)
-        return v;
-    /* c | 0x20: letters to lower case, non-letters
-     * to (potentially different) non-letters */
-    v = (unsigned)(c | 0x20) - 'a';
-    if (v <= 5)
-        return v + 10;
-    return ~0;
-/* For testing:
-void t(char c) { printf("'%c'(%u) %u\n", c, c, hex_to_bin(c)); }
-int main() { t(0x10); t(0x20); t('0'); t('9'); t('A'); t('F'); t('a'); t('f');
-t('0'-1); t('9'+1); t('A'-1); t('F'+1); t('a'-1); t('f'+1); return 0; }
-*/
-}
-static char *decodeString(char *orig, int option_d)
-{
-    /* note that decoded string is always shorter than original */
-    char *string = orig;
-    char *ptr = string;
-    char c;
-
-    while ((c = *ptr++) != '\0') {
-        unsigned v;
-
-        if (option_d && c == '+') {
-            *string++ = ' ';
-            continue;
-        }
-        if (c != '%') {
-            *string++ = c;
-            continue;
-        }
-        v = hex_to_bin(ptr[0]);
-        if (v > 15) {
- bad_hex:
-            if (!option_d)
-                return NULL;
-            *string++ = '%';
-            continue;
-        }
-        v = (v * 16) | hex_to_bin(ptr[1]);
-        if (v > 255)
-            goto bad_hex;
-        if (!option_d && (v == '/' || v == '\0')) {
-            /* caller takes it as indication of invalid
-             * (dangerous wrt exploits) chars */
-            return orig + 1;
-        }
-        *string++ = v;
-        ptr += 2;
-    }
-    *string = '\0';
-    return orig;
-}
 
 #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
@@ -1066 +1034 @@
 static void send_headers_and_exit(int responseNum)
 {
+    IF_FEATURE_HTTPD_GZIP(content_gzip = 0;)
     send_headers(responseNum);
     log_and_exit();
@@ -1298 +1267 @@
  * Parameters:
  * const char *url              The requested URL (with leading /).
+ * const char *orig_uri         The original URI before rewriting (if any)
  * int post_len                 Length of the POST body.
  * const char *cookie           For set HTTP_COOKIE.
@@ -1304 +1274 @@
 static void send_cgi_and_exit(
         const char *url,
+        const char *orig_uri,
         const char *request,
         int post_len,
@@ -1310 +1281 @@
 static void send_cgi_and_exit(
         const char *url,
+        const char *orig_uri,
         const char *request,
         int post_len,
@@ -1317 +1289 @@
     struct fd_pair fromCgi;  /* CGI -> httpd pipe */
     struct fd_pair toCgi;    /* httpd -> CGI pipe */
-    char *script;
+    char *script, *last_slash;
     int pid;
 
@@ -1331 +1303 @@
 
     /* Check for [dirs/]script.cgi/PATH_INFO */
-    script = (char*)url;
+    last_slash = script = (char*)url;
     while ((script = strchr(script + 1, '/')) != NULL) {
+        int dir;
         *script = '\0';
-        if (!is_directory(url + 1, 1, NULL)) {
+        dir = is_directory(url + 1, /*followlinks:*/ 1);
+        *script = '/';
+        if (!dir) {
             /* not directory, found script.cgi/PATH_INFO */
-            *script = '/';
             break;
         }
-        *script = '/'; /* is directory, find next '/' */
+        /* is directory, find next '/' */
+        last_slash = script;
     }
     setenv1("PATH_INFO", script);   /* set to /PATH_INFO or "" */
     setenv1("REQUEST_METHOD", request);
     if (g_query) {
-        putenv(xasprintf("%s=%s?%s", "REQUEST_URI", url, g_query));
+        putenv(xasprintf("%s=%s?%s", "REQUEST_URI", orig_uri, g_query));
     } else {
-        setenv1("REQUEST_URI", url);
+        setenv1("REQUEST_URI", orig_uri);
     }
     if (script != NULL)
@@ -1420 +1395 @@
     }
 
-    if (!pid) {
+    if (pid == 0) {
         /* Child process */
         char *argv[3];
@@ -1436 +1411 @@
 
         /* Chdiring to script's dir */
-        script = strrchr(url, '/');
+        script = last_slash;
         if (script != url) { /* paranoia */
             *script = '\0';
             if (chdir(url + 1) != 0) {
-                bb_perror_msg("chdir(%s)", url + 1);
+                bb_perror_msg("can't change directory to '%s'", url + 1);
                 goto error_execing_cgi;
             }
@@ -1616 +1591 @@
      || content_gzip /* we are sending compressed page: can't do ranges */  ///why?
     ) {
-        range_start = 0;
+        range_start = -1;
     }
     range_len = MAXINT(off_t);
-    if (range_start) {
-        if (!range_end) {
+    if (range_start >= 0) {
+        if (!range_end || range_end > file_size - 1) {
             range_end = file_size - 1;
         }
@@ -1627 +1602 @@
         ) {
             lseek(fd, 0, SEEK_SET);
-            range_start = 0;
+            range_start = -1;
         } else {
             range_len = range_end - range_start + 1;
@@ -1650 +1625 @@
                 goto fin;
             }
-            IF_FEATURE_HTTPD_RANGES(range_len -= sz;)
+            IF_FEATURE_HTTPD_RANGES(range_len -= count;)
             if (count == 0 || range_len == 0)
                 log_and_exit();
@@ -1701 +1676 @@
 
 #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
+
+# if ENABLE_PAM
+struct pam_userinfo {
+    const char *name;
+    const char *pw;
+};
+
+static int pam_talker(int num_msg,
+        const struct pam_message **msg,
+        struct pam_response **resp,
+        void *appdata_ptr)
+{
+    int i;
+    struct pam_userinfo *userinfo = (struct pam_userinfo *) appdata_ptr;
+    struct pam_response *response;
+
+    if (!resp || !msg || !userinfo)
+        return PAM_CONV_ERR;
+
+    /* allocate memory to store response */
+    response = xzalloc(num_msg * sizeof(*response));
+
+    /* copy values */
+    for (i = 0; i < num_msg; i++) {
+        const char *s;
+
+        switch (msg[i]->msg_style) {
+        case PAM_PROMPT_ECHO_ON:
+            s = userinfo->name;
+            break;
+        case PAM_PROMPT_ECHO_OFF:
+            s = userinfo->pw;
+            break;
+        case PAM_ERROR_MSG:
+            case PAM_TEXT_INFO:
+                s = "";
+            break;
+        default:
+            free(response);
+            return PAM_CONV_ERR;
+        }
+        response[i].resp = xstrdup(s);
+        if (PAM_SUCCESS != 0)
+            response[i].resp_retcode = PAM_SUCCESS;
+    }
+    *resp = response;
+    return PAM_SUCCESS;
+}
+# endif
+
 /*
  * Config file entries are of the form "/<path>:<user>:<passwd>".
@@ -1710 +1735 @@
  * Returns 1 if user_and_passwd is OK.
  */
-static int check_user_passwd(const char *path, const char *user_and_passwd)
+static int check_user_passwd(const char *path, char *user_and_passwd)
 {
     Htaccess *cur;
@@ -1718 +1743 @@
         const char *dir_prefix;
         size_t len;
+        int r;
 
         dir_prefix = cur->before_colon;
@@ -1733 +1759 @@
         if (len != 1 /* dir_prefix "/" matches all, don't need to check */
          && (strncmp(dir_prefix, path, len) != 0
-            || (path[len] != '/' && path[len] != '\0'))
+            || (path[len] != '/' && path[len] != '\0')
+            )
         ) {
             continue;
@@ -1742 +1769 @@
 
         if (ENABLE_FEATURE_HTTPD_AUTH_MD5) {
-            char *md5_passwd;
-
-            md5_passwd = strchr(cur->after_colon, ':');
-            if (md5_passwd && md5_passwd[1] == '$' && md5_passwd[2] == '1'
-             && md5_passwd[3] == '$' && md5_passwd[4]
+            char *colon_after_user;
+            const char *passwd;
+# if ENABLE_FEATURE_SHADOWPASSWDS && !ENABLE_PAM
+            char sp_buf[256];
+# endif
+
+            colon_after_user = strchr(user_and_passwd, ':');
+            if (!colon_after_user)
+                goto bad_input;
+
+            /* compare "user:" */
+            if (cur->after_colon[0] != '*'
+             && strncmp(cur->after_colon, user_and_passwd,
+                    colon_after_user - user_and_passwd + 1) != 0
             ) {
+                continue;
+            }
+            /* this cfg entry is '*' or matches username from peer */
+
+            passwd = strchr(cur->after_colon, ':');
+            if (!passwd)
+                goto bad_input;
+            passwd++;
+            if (passwd[0] == '*') {
+# if ENABLE_PAM
+                struct pam_userinfo userinfo;
+                struct pam_conv conv_info = { &pam_talker, (void *) &userinfo };
+                pam_handle_t *pamh;
+
+                *colon_after_user = '\0';
+                userinfo.name = user_and_passwd;
+                userinfo.pw = colon_after_user + 1;
+                r = pam_start("httpd", user_and_passwd, &conv_info, &pamh) != PAM_SUCCESS;
+                if (r == 0) {
+                    r = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK) != PAM_SUCCESS
+                     || pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK)    != PAM_SUCCESS
+                    ;
+                    pam_end(pamh, PAM_SUCCESS);
+                }
+                *colon_after_user = ':';
+                goto end_check_passwd;
+# else
+#  if ENABLE_FEATURE_SHADOWPASSWDS
+                /* Using _r function to avoid pulling in static buffers */
+                struct spwd spw;
+#  endif
+                struct passwd *pw;
+
+                *colon_after_user = '\0';
+                pw = getpwnam(user_and_passwd);
+                *colon_after_user = ':';
+                if (!pw || !pw->pw_passwd)
+                    continue;
+                passwd = pw->pw_passwd;
+#  if ENABLE_FEATURE_SHADOWPASSWDS
+                if ((passwd[0] == 'x' || passwd[0] == '*') && !passwd[1]) {
+                    /* getspnam_r may return 0 yet set result to NULL.
+                     * At least glibc 2.4 does this. Be extra paranoid here. */
+                    struct spwd *result = NULL;
+                    r = getspnam_r(pw->pw_name, &spw, sp_buf, sizeof(sp_buf), &result);
+                    if (r == 0 && result)
+                        passwd = result->sp_pwdp;
+                }
+#  endif
+                /* In this case, passwd is ALWAYS encrypted:
+                 * it came from /etc/passwd or /etc/shadow!
+                 */
+                goto check_encrypted;
+# endif /* ENABLE_PAM */
+            }
+            /* Else: passwd is from httpd.conf, it is either plaintext or encrypted */
+
+            if (passwd[0] == '$' && isdigit(passwd[1])) {
                 char *encrypted;
-                int r, user_len_p1;
-
-                md5_passwd++;
-                user_len_p1 = md5_passwd - cur->after_colon;
-                /* comparing "user:" */
-                if (strncmp(cur->after_colon, user_and_passwd, user_len_p1) != 0) {
-                    continue;
-                }
-
+# if !ENABLE_PAM
+ check_encrypted:
+# endif
+                /* encrypt pwd from peer and check match with local one */
                 encrypted = pw_encrypt(
-                    user_and_passwd + user_len_p1 /* cleartext pwd from user */,
-                    md5_passwd /*salt */, 1 /* cleanup */);
-                r = strcmp(encrypted, md5_passwd);
+                    /* pwd (from peer): */  colon_after_user + 1,
+                    /* salt: */ passwd,
+                    /* cleanup: */ 0
+                );
+                r = strcmp(encrypted, passwd);
                 free(encrypted);
-                if (r == 0)
-                    goto set_remoteuser_var; /* Ok */
-                continue;
-            }
-        }
-
+            } else {
+                /* local passwd is from httpd.conf and it's plaintext */
+                r = strcmp(colon_after_user + 1, passwd);
+            }
+            goto end_check_passwd;
+        }
+ bad_input:
         /* Comparing plaintext "user:pass" in one go */
-        if (strcmp(cur->after_colon, user_and_passwd) == 0) {
- set_remoteuser_var:
+        r = strcmp(cur->after_colon, user_and_passwd);
+ end_check_passwd:
+        if (r == 0) {
             remoteuser = xstrndup(user_and_passwd,
-                    strchrnul(user_and_passwd, ':') - user_and_passwd);
+                strchrnul(user_and_passwd, ':') - user_and_passwd
+            );
             return 1; /* Ok */
         }
@@ -1912 +2006 @@
 
     /* Extract url args if present */
-    g_query = NULL;
+    /* g_query = NULL; - already is */
     tptr = strchr(urlcopy, '?');
     if (tptr) {
@@ -1920 +2014 @@
 
     /* Decode URL escape sequences */
-    tptr = decodeString(urlcopy, 0);
+    tptr = percent_decode_in_place(urlcopy, /*strict:*/ 1);
     if (tptr == NULL)
         send_headers_and_exit(HTTP_BAD_REQUEST);
@@ -1932 +2026 @@
      * but don't strdup, retain trailing slash, protect root */
     urlp = tptr = urlcopy;
-    do {
+    for (;;) {
         if (*urlp == '/') {
             /* skip duplicate (or initial) slash */
             if (*tptr == '/') {
-                continue;
+                goto next_char;
             }
             if (*tptr == '.') {
-                /* skip extra "/./" */
-                if (tptr[1] == '/' || !tptr[1]) {
-                    continue;
+                if (tptr[1] == '.' && (tptr[2] == '/' || tptr[2] == '\0')) {
+                    /* "..": be careful */
+                    /* protect root */
+                    if (urlp == urlcopy)
+                        send_headers_and_exit(HTTP_BAD_REQUEST);
+                    /* omit previous dir */
+                    while (*--urlp != '/')
+                        continue;
+                    /* skip to "./" or ".<NUL>" */
+                    tptr++;
                 }
-                /* "..": be careful */
-                if (tptr[1] == '.' && (tptr[2] == '/' || !tptr[2])) {
-                    ++tptr;
-                    if (urlp == urlcopy) /* protect root */
-                        send_headers_and_exit(HTTP_BAD_REQUEST);
-                    while (*--urlp != '/') /* omit previous dir */;
-                        continue;
+                if (tptr[1] == '/' || tptr[1] == '\0') {
+                    /* skip extra "/./" */
+                    goto next_char;
                 }
             }
         }
         *++urlp = *tptr;
-    } while (*++tptr);
-    *++urlp = '\0';       /* terminate after last character */
+        if (*urlp == '\0')
+            break;
+ next_char:
+        tptr++;
+    }
 
     /* If URL is a directory, add '/' */
     if (urlp[-1] != '/') {
-        if (is_directory(urlcopy + 1, 1, NULL)) {
+        if (is_directory(urlcopy + 1, /*followlinks:*/ 1)) {
             found_moved_temporarily = urlcopy;
         }
@@ -1973 +2073 @@
         /* have path1/path2 */
         *tptr = '\0';
-        if (is_directory(urlcopy + 1, 1, NULL)) {
+        if (is_directory(urlcopy + 1, /*followlinks:*/ 1)) {
             /* may have subdir config */
             parse_conf(urlcopy + 1, SUBDIR_PARSE);
@@ -2072 +2172 @@
                     range_start = BB_STRTOOFF(s, &s, 10);
                     if (s[0] != '-' || range_start < 0) {
-                        range_start = 0;
+                        range_start = -1;
                     } else if (s[1]) {
                         range_end = BB_STRTOOFF(s+1, NULL, 10);
                         if (errno || range_end < range_start)
-                            range_start = 0;
+                            range_start = -1;
                     }
                 }
@@ -2110 +2210 @@
 
 #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
-    /* Case: no "Authorization:" was seen, but page does require passwd.
+    /* Case: no "Authorization:" was seen, but page might require passwd.
      * Check that with dummy user:pass */
     if (authorized < 0)
-        authorized = check_user_passwd(urlcopy, ":");
+        authorized = check_user_passwd(urlcopy, (char *) "");
     if (!authorized)
         send_headers_and_exit(HTTP_UNAUTHORIZED);
@@ -2159 +2259 @@
             send_headers_and_exit(HTTP_FORBIDDEN);
         }
-        send_cgi_and_exit(urlcopy, prequest, length, cookie, content_type);
-    }
-#endif
-
-    if (urlp[-1] == '/')
+        send_cgi_and_exit(urlcopy, urlcopy, prequest, length, cookie, content_type);
+    }
+#endif
+
+    if (urlp[-1] == '/') {
+        /* When index_page string is appended to <dir>/ URL, it overwrites
+         * the query string. If we fall back to call /cgi-bin/index.cgi,
+         * query string would be lost and not available to the CGI.
+         * Work around it by making a deep copy.
+         */
+        if (ENABLE_FEATURE_HTTPD_CGI)
+            g_query = xstrdup(g_query); /* ok for NULL too */
         strcpy(urlp, index_page);
+    }
     if (stat(tptr, &sb) == 0) {
 #if ENABLE_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR
@@ -2172 +2280 @@
             for (cur = script_i; cur; cur = cur->next) {
                 if (strcmp(cur->before_colon + 1, suffix) == 0) {
-                    send_cgi_and_exit(urlcopy, prequest, length, cookie, content_type);
+                    send_cgi_and_exit(urlcopy, urlcopy, prequest, length, cookie, content_type);
                 }
             }
@@ -2185 +2293 @@
          * Try cgi-bin/index.cgi */
         if (access("/cgi-bin/index.cgi"+1, X_OK) == 0) {
-            urlp[0] = '\0';
-            g_query = urlcopy;
-            send_cgi_and_exit("/cgi-bin/index.cgi", prequest, length, cookie, content_type);
+            urlp[0] = '\0'; /* remove index_page */
+            send_cgi_and_exit("/cgi-bin/index.cgi", urlcopy, prequest, length, cookie, content_type);
         }
     }
@@ -2286 +2393 @@
             re_exec(argv_copy);
         }
+        argv_copy[0][0] &= 0x7f;
         /* parent, or vfork failed */
         close(n);
@@ -2379 +2487 @@
         );
     if (opt & OPT_DECODE_URL) {
-        fputs(decodeString(url_for_decode, 1), stdout);
+        fputs(percent_decode_in_place(url_for_decode, /*strict:*/ 0), stdout);
         return 0;
     }
@@ -2394 +2502 @@
         salt[1] = '1';
         salt[2] = '$';
-        crypt_make_salt(salt + 3, 4, 0);
-        puts(pw_encrypt(pass, salt, 1));
+        crypt_make_salt(salt + 3, 4);
+        puts(pw_encrypt(pass, salt, /*cleanup:*/ 0));
         return 0;
     }