httpd: if remote IP is denied, send FORBIDDEN reply earlier
While at it, fix sighup_handler to not clobber errno. function old new delta send_HTTP_FORBIDDEN_and_exit_if_denied_ip - 47 +47 sighup_handler 15 30 +15 handle_incoming_and_exit 2791 2763 -28 checkPermIP 48 - -48 ------------------------------------------------------------------------------ (add/remove: 1/1 grow/shrink: 1/1 up/down: 62/-76) Total: -14 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
parent
60bf77f7e7
commit
51792e126b
@ -95,9 +95,7 @@
|
|||||||
* If -c is not set, an attempt will be made to open the default
|
* If -c is not set, an attempt will be made to open the default
|
||||||
* root configuration file. If -c is set and the file is not found, the
|
* root configuration file. If -c is set and the file is not found, the
|
||||||
* server exits with an error.
|
* server exits with an error.
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
/* TODO: use TCP_CORK, parse_config() */
|
|
||||||
//config:config HTTPD
|
//config:config HTTPD
|
||||||
//config: bool "httpd (32 kb)"
|
//config: bool "httpd (32 kb)"
|
||||||
//config: default y
|
//config: default y
|
||||||
@ -246,6 +244,8 @@
|
|||||||
//usage: "\n -e STRING HTML encode STRING"
|
//usage: "\n -e STRING HTML encode STRING"
|
||||||
//usage: "\n -d STRING URL decode STRING"
|
//usage: "\n -d STRING URL decode STRING"
|
||||||
|
|
||||||
|
/* TODO: use TCP_CORK, parse_config() */
|
||||||
|
|
||||||
#include "libbb.h"
|
#include "libbb.h"
|
||||||
#include "common_bufsiz.h"
|
#include "common_bufsiz.h"
|
||||||
#if ENABLE_PAM
|
#if ENABLE_PAM
|
||||||
@ -1817,7 +1817,7 @@ static NOINLINE void send_file_and_exit(const char *url, int what)
|
|||||||
log_and_exit();
|
log_and_exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
static int checkPermIP(void)
|
static void send_HTTP_FORBIDDEN_and_exit_if_denied_ip(void)
|
||||||
{
|
{
|
||||||
Htaccess_IP *cur;
|
Htaccess_IP *cur;
|
||||||
|
|
||||||
@ -1837,10 +1837,13 @@ static int checkPermIP(void)
|
|||||||
);
|
);
|
||||||
#endif
|
#endif
|
||||||
if ((rmt_ip & cur->mask) == cur->ip)
|
if ((rmt_ip & cur->mask) == cur->ip)
|
||||||
return (cur->allow_deny == 'A'); /* A -> 1 */
|
if (cur->allow_deny == 'A')
|
||||||
|
return;
|
||||||
|
send_headers_and_exit(HTTP_FORBIDDEN);
|
||||||
}
|
}
|
||||||
|
|
||||||
return !flg_deny_all; /* depends on whether we saw "D:*" */
|
if (flg_deny_all) /* depends on whether we saw "D:*" */
|
||||||
|
send_headers_and_exit(HTTP_FORBIDDEN);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if ENABLE_FEATURE_HTTPD_BASIC_AUTH
|
#if ENABLE_FEATURE_HTTPD_BASIC_AUTH
|
||||||
@ -2090,7 +2093,6 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
|
|||||||
#if ENABLE_FEATURE_HTTPD_BASIC_AUTH
|
#if ENABLE_FEATURE_HTTPD_BASIC_AUTH
|
||||||
smallint authorized = -1;
|
smallint authorized = -1;
|
||||||
#endif
|
#endif
|
||||||
smallint ip_allowed;
|
|
||||||
char http_major_version;
|
char http_major_version;
|
||||||
#if ENABLE_FEATURE_HTTPD_PROXY
|
#if ENABLE_FEATURE_HTTPD_PROXY
|
||||||
char http_minor_version;
|
char http_minor_version;
|
||||||
@ -2240,14 +2242,14 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
|
|||||||
bb_error_msg("url:%s", urlcopy);
|
bb_error_msg("url:%s", urlcopy);
|
||||||
|
|
||||||
tptr = urlcopy;
|
tptr = urlcopy;
|
||||||
ip_allowed = checkPermIP();
|
send_HTTP_FORBIDDEN_and_exit_if_denied_ip();
|
||||||
while (ip_allowed && (tptr = strchr(tptr + 1, '/')) != NULL) {
|
while ((tptr = strchr(tptr + 1, '/')) != NULL) {
|
||||||
/* have path1/path2 */
|
/* have path1/path2 */
|
||||||
*tptr = '\0';
|
*tptr = '\0';
|
||||||
if (is_directory(urlcopy + 1, /*followlinks:*/ 1)) {
|
if (is_directory(urlcopy + 1, /*followlinks:*/ 1)) {
|
||||||
/* may have subdir config */
|
/* may have subdir config */
|
||||||
parse_conf(urlcopy + 1, SUBDIR_PARSE);
|
parse_conf(urlcopy + 1, SUBDIR_PARSE);
|
||||||
ip_allowed = checkPermIP();
|
send_HTTP_FORBIDDEN_and_exit_if_denied_ip();
|
||||||
}
|
}
|
||||||
*tptr = '/';
|
*tptr = '/';
|
||||||
}
|
}
|
||||||
@ -2380,7 +2382,7 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
|
|||||||
/* We are done reading headers, disable peer timeout */
|
/* We are done reading headers, disable peer timeout */
|
||||||
alarm(0);
|
alarm(0);
|
||||||
|
|
||||||
if (strcmp(bb_basename(urlcopy), HTTPD_CONF) == 0 || !ip_allowed) {
|
if (strcmp(bb_basename(urlcopy), HTTPD_CONF) == 0) {
|
||||||
/* protect listing [/path]/httpd.conf or IP deny */
|
/* protect listing [/path]/httpd.conf or IP deny */
|
||||||
send_headers_and_exit(HTTP_FORBIDDEN);
|
send_headers_and_exit(HTTP_FORBIDDEN);
|
||||||
}
|
}
|
||||||
@ -2593,7 +2595,9 @@ static void mini_httpd_inetd(void)
|
|||||||
|
|
||||||
static void sighup_handler(int sig UNUSED_PARAM)
|
static void sighup_handler(int sig UNUSED_PARAM)
|
||||||
{
|
{
|
||||||
|
int sv = errno;
|
||||||
parse_conf(DEFAULT_PATH_HTTPD_CONF, SIGNALED_PARSE);
|
parse_conf(DEFAULT_PATH_HTTPD_CONF, SIGNALED_PARSE);
|
||||||
|
errno = sv;
|
||||||
}
|
}
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
|
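Review bot: In the new `send_HTTP_FORBIDDEN_and_exit_if_denied_ip`, the `if ((rmt_ip & cur->mask) == cur->ip)` line is shown without an opening brace and only one `}` follows before the `flg_deny_all` check, so as rendered `send_headers_and_exit(HTTP_FORBIDDEN);` is a plain statement of the loop body rather than part of the address match. Read that way, the first rule that is not a matching 'A' entry sends the 403, even when that rule does not apply to the client at all, and later allow rules are never evaluated. Bracing the match keeps the reply tied to a matching deny rule: `if ((rmt_ip & cur->mask) == cur->ip) {`, then the `'A'` check and the `send_headers_and_exit(HTTP_FORBIDDEN);` call, then `}`. The page has lost indentation and the loop header lies between the two hunks, so this should be confirmed against the file itself. Separately, the comment `/* protect listing [/path]/httpd.conf or IP deny */` in handle_incoming_and_exit no longer matches its condition now that `!ip_allowed` is gone, and could read `/* protect listing [/path]/httpd.conf */`.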