include $(TOPDIR)/rules.mk
PKG_NAME:=uhttpd
-PKG_RELEASE:=11
+PKG_RELEASE:=13
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+PKG_BUILD_DEPENDS := libcyassl liblua
include $(INCLUDE_DIR)/package.mk
# Server document root
option home /www
+ # Reject requests from RFC1918 IP addresses
+ # directed to the servers public IP(s).
+ # This is a DNS rebinding countermeasure.
+ option rfc1918_filter 1
+
# Certificate and private key for HTTPS.
# If no listen_https addresses are given,
# the key options are ignored.
[ -n "$val" -o -n "$def" ] && append UHTTPD_ARGS "$opt ${val:-$def}"
}
+append_bool() {
+ local cfg="$1"
+ local var="$2"
+ local opt="$3"
+ local def="$4"
+ local val
+
+ config_get_bool val "$cfg" "$var" "$def"
+ [ "$val" = 1 ] && append UHTTPD_ARGS "$opt"
+}
+
generate_keys() {
local cfg="$1"
local key="$2"
append_arg "$cfg" lua_handler "-L"
append_arg "$cfg" script_timeout "-t"
append_arg "$cfg" network_timeout "-T"
+ append_arg "$cfg" error_page "-E"
+ append_arg "$cfg" index_page "-I"
+
+ append_bool "$cfg" no_symlinks "-S" 0
+ append_bool "$cfg" no_dirlists "-D" 0
+ append_bool "$cfg" rfc1918_filter "-R" 0
config_get http "$cfg" listen_http
for listen in $http; do
if( pi->info )
setenv("PATH_INFO", pi->info, 1);
+ /* REDIRECT_STATUS, php-cgi wants it */
+ switch( req->redirect_status )
+ {
+ case 404:
+ setenv("REDIRECT_STATUS", "404", 1);
+ break;
+
+ default:
+ setenv("REDIRECT_STATUS", "200", 1);
+ break;
+ }
/* http version */
if( req->version > 1.0 )
static const char * uh_file_mime_lookup(const char *path)
{
struct mimetype *m = &uh_mime_types[0];
- char *e;
+ const char *e;
while( m->extn )
{
strncat(filename, files[i]->d_name,
sizeof(filename) - strlen(files[i]->d_name));
- if( !stat(filename, &s) && (s.st_mode & S_IFDIR) )
+ if( !stat(filename, &s) &&
+ (s.st_mode & S_IFDIR) && (s.st_mode & S_IXOTH)
+ )
uh_http_sendf(cl, req,
"<li><strong><a href='%s%s'>%s</a>/</strong><br />"
"<small>modified: %s<br />directory - %.02f kbyte"
strncat(filename, files[i]->d_name,
sizeof(filename) - strlen(files[i]->d_name));
- if( !stat(filename, &s) && !(s.st_mode & S_IFDIR) )
+ if( !stat(filename, &s) &&
+ !(s.st_mode & S_IFDIR) && (s.st_mode & S_IROTH)
+ )
uh_http_sendf(cl, req,
"<li><strong><a href='%s%s'>%s</a></strong><br />"
"<small>modified: %s<br />%s - %.02f kbyte<br />"
}
/* directory */
- else if( pi->stat.st_mode & S_IFDIR )
+ else if( (pi->stat.st_mode & S_IFDIR) && !cl->server->conf->no_dirlists )
{
/* write status */
uh_file_response_200(cl, req, NULL);
return ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
}
+int sa_rfc1918(void *sa)
+{
+ struct sockaddr_in *v4 = (struct sockaddr_in *)sa;
+ unsigned long a = htonl(v4->sin_addr.s_addr);
+
+ if( v4->sin_family == AF_INET )
+ {
+ return ((a >= 0x0A000000) && (a <= 0x0AFFFFFF)) ||
+ ((a >= 0xAC100000) && (a <= 0xAC1FFFFF)) ||
+ ((a >= 0xC0A80000) && (a <= 0xC0A8FFFF));
+ }
+
+ return 0;
+}
+
/* Simple strstr() like function that takes len arguments for both haystack and needle. */
char *strfind(char *haystack, int hslen, const char *needle, int ndlen)
{
int i = 0;
struct stat s;
+ /* back out early if url is undefined */
+ if ( url == NULL )
+ return NULL;
memset(path_phys, 0, sizeof(path_phys));
memset(path_info, 0, sizeof(path_info));
memcpy(buffer, path_phys, sizeof(buffer));
pathptr = &buffer[strlen(buffer)];
- for( i = 0; i < array_size(uh_index_files); i++ )
+ if( cl->server->conf->index_file )
{
- strncat(buffer, uh_index_files[i], sizeof(buffer));
+ strncat(buffer, cl->server->conf->index_file, sizeof(buffer));
if( !stat(buffer, &s) && (s.st_mode & S_IFREG) )
{
memcpy(path_phys, buffer, sizeof(path_phys));
memcpy(&p.stat, &s, sizeof(p.stat));
- break;
}
+ }
+ else
+ {
+ for( i = 0; i < array_size(uh_index_files); i++ )
+ {
+ strncat(buffer, uh_index_files[i], sizeof(buffer));
- *pathptr = 0;
+ if( !stat(buffer, &s) && (s.st_mode & S_IFREG) )
+ {
+ memcpy(path_phys, buffer, sizeof(path_phys));
+ memcpy(&p.stat, &s, sizeof(p.stat));
+ break;
+ }
+
+ *pathptr = 0;
+ }
}
p.root = docroot;
const char * sa_straddr(void *sa);
const char * sa_strport(void *sa);
int sa_port(void *sa);
+int sa_rfc1918(void *sa);
char *strfind(char *haystack, int hslen, const char *needle, int ndlen);
while( waitpid(-1, NULL, WNOHANG) > 0 ) { }
}
-static void uh_config_parse(const char *path)
+static void uh_config_parse(struct config *conf)
{
FILE *c;
char line[512];
char *pass = NULL;
char *eol = NULL;
- if( (c = fopen(path ? path : "/etc/httpd.conf", "r")) != NULL )
+ const char *path = conf->file ? conf->file : "/etc/httpd.conf";
+
+
+ if( (c = fopen(path, "r")) != NULL )
{
memset(line, 0, sizeof(line));
"Notice: No password set for user %s, ignoring "
"authentication on %s\n", user, line
);
+ }
+ }
+ else if( !strncmp(line, "I:", 2) )
+ {
+ if( !(user = strchr(line, ':')) || (*user++ = 0) ||
+ !(eol = strchr(user, '\n')) || (*eol++ = 0) )
+ continue;
- break;
- }
+ conf->index_file = strdup(user);
+ }
+ else if( !strncmp(line, "E404:", 5) )
+ {
+ if( !(user = strchr(line, ':')) || (*user++ = 0) ||
+ !(eol = strchr(user, '\n')) || (*eol++ = 0) )
+ continue;
+
+ conf->error_handler = strdup(user);
}
}
}
/* valid enough */
+ req.redirect_status = 200;
return &req;
}
}
#endif
- while( (opt = getopt(argc, argv, "fSC:K:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0 )
- {
+ while( (opt = getopt(argc, argv,
+ "fSDRC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
+ ) {
switch(opt)
{
/* [addr:]port */
}
break;
+ /* error handler */
+ case 'E':
+ if( (strlen(optarg) == 0) || (optarg[0] != '/') )
+ {
+ fprintf(stderr, "Error: Invalid error handler: %s\n",
+ optarg);
+ exit(1);
+ }
+ conf.error_handler = optarg;
+ break;
+
+ /* index file */
+ case 'I':
+ if( (strlen(optarg) == 0) || (optarg[0] == '/') )
+ {
+ fprintf(stderr, "Error: Invalid index page: %s\n",
+ optarg);
+ exit(1);
+ }
+ conf.index_file = optarg;
+ break;
+
/* don't follow symlinks */
case 'S':
conf.no_symlinks = 1;
break;
+ /* don't list directories */
+ case 'D':
+ conf.no_dirlists = 1;
+ break;
+
+ case 'R':
+ conf.rfc1918_filter = 1;
+ break;
+
#ifdef HAVE_CGI
/* cgi prefix */
case 'x':
" -K file ASN.1 server private key file\n"
#endif
" -h directory Specify the document root, default is '.'\n"
+ " -E string Use given virtual URL as 404 error handler\n"
+ " -I string Use given filename as index page for directories\n"
" -S Do not follow symbolic links outside of the docroot\n"
+ " -D Do not allow directory listings, send 403 instead\n"
+ " -R Enable RFC1918 filter\n"
#ifdef HAVE_LUA
" -l string URL prefix for Lua handler, default is '/lua'\n"
" -L file Lua handler script, omit to disable Lua\n"
conf.realm = "Protected Area";
/* config file */
- uh_config_parse(conf.file);
+ uh_config_parse(&conf);
/* default network timeout */
if( conf.network_timeout <= 0 )
/* parse message header */
if( (req = uh_http_header_recv(cl)) != NULL )
{
+ /* RFC1918 filtering required? */
+ if( conf.rfc1918_filter && sa_rfc1918(&cl->peeraddr) &&
+ !sa_rfc1918(&cl->servaddr) )
+ {
+ uh_http_sendhf(cl, 403, "Forbidden",
+ "Rejected request from RFC1918 IP to public server address");
+ }
+ else
#ifdef HAVE_LUA
/* Lua request? */
if( L && uh_path_match(conf.lua_prefix, req->url) )
/* 404 */
else
{
- uh_http_sendhf(cl, 404, "Not Found",
- "No such file or directory");
+ /* Try to invoke an error handler */
+ pin = uh_path_lookup(cl, conf.error_handler);
+
+ if( pin && uh_auth_check(cl, req, pin) )
+ {
+ req->redirect_status = 404;
+
+#ifdef HAVE_CGI
+ if( uh_path_match(conf.cgi_prefix, pin->name) )
+ {
+ uh_cgi_request(cl, req, pin);
+ }
+ else
+#endif
+ {
+ uh_file_request(cl, req, pin);
+ }
+ }
+ else
+ {
+ uh_http_sendhf(cl, 404, "Not Found",
+ "No such file or directory");
+ }
}
}
char docroot[PATH_MAX];
char *realm;
char *file;
+ char *index_file;
+ char *error_handler;
int no_symlinks;
+ int no_dirlists;
int network_timeout;
+ int rfc1918_filter;
#ifdef HAVE_CGI
char *cgi_prefix;
#endif
struct http_request {
int method;
float version;
+ int redirect_status;
char *url;
char *headers[UH_LIMIT_HEADERS];
struct auth_realm *realm;
projects / openwrt / svn-archive / archive.git / commitdiff