Sat, 21 Jan 2017 12:46:31 +0100
fixes socket fd leak when SSL_accept fails
/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright 2013 Olaf Wintermann. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include <ucx/string.h> #include "pathcheck.h" #include "../util/pblock.h" #include "../daemon/config.h" #include "../daemon/acl.h" #include "../daemon/acldata.h" #include "../daemon/session.h" #include "../daemon/vserver.h" #include "../daemon/vfs.h" #include "../config/acl.h" int require_auth(pblock *pb, Session *sn, Request *rq) { char *user = pblock_findkeyval(pb_key_auth_user, rq->vars); if(user == NULL) { pblock_nvinsert( "www-authenticate", "Basic realm=\"Webserver\"", rq->srvhdrs); protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); return REQ_ABORTED; } return REQ_PROCEED; } int require_access(pblock *pb, Session *sn, Request *rq) { char *mask_str = pblock_findval("mask", pb); if(!mask_str) { log_ereport(LOG_MISCONFIG, "require-access: missing mask parameter"); protocol_status(sn, rq, 500, NULL); return REQ_ABORTED; } char *method = pblock_findval("method", pb); if(method) { char *m = pblock_findkeyval(pb_key_method, rq->reqpb); if(strcmp(method, m)) { return REQ_NOACTION; } } uint32_t access_mask = 0; ssize_t n = 0; sstr_t *rights = sstrsplit(sstr(mask_str), sstrn(",", 1), &n); for(int i=0;i<n;i++) { sstr_t right = rights[i]; access_mask = access_mask | accstr2int(right); free(right.ptr); } free(rights); rq->aclreqaccess = access_mask; return REQ_PROCEED; } int append_acl(pblock *pb, Session *sn, Request *rq) { const VirtualServer *vs = request_get_vs(rq); WS_ASSERT(vs); char *aclname = pblock_findval("acl", pb); if(aclname) { ACLList *acl = acl_get(vs->acls, aclname); if(!acl) { log_ereport( LOG_MISCONFIG, "append-acl: acl %s not found", aclname); protocol_status(sn, rq, 500, NULL); return REQ_ABORTED; } acllist_append(sn, rq, acl); } return REQ_PROCEED; } int check_acl(pblock *pb, Session *sn, Request *rq) { int access_mask = ACL_READ_DATA | rq->aclreqaccess; // TODO: check method and path int ret = acl_evaluate(sn, rq, access_mask); if(ret == REQ_ABORTED) { // TODO: status, error, ... return REQ_ABORTED; } return REQ_PROCEED; } int find_index(pblock *pb, Session *sn, Request *rq) { char *inames = pblock_findval("index-names", pb); if(!inames) { log_ereport( LOG_MISCONFIG, "find-index: index-names parameter missing"); return REQ_ABORTED; } ssize_t ni = 0; sstr_t *names = sstrsplit(sstr(inames), S(","), &ni); if(ni <= 0) { log_ereport( LOG_MISCONFIG, "find-index: no files specified in index-names parameter"); return REQ_ABORTED; } int ret = REQ_NOACTION; char *path = pblock_findkeyval(pb_key_path, rq->vars); size_t pathlen = strlen(path); sstr_t p = sstrn(path, pathlen); if(path[pathlen-1] == '/') { for(int i=0;i<ni;i++) { sstr_t newpath = sstrcat(2, p, sstrtrim(names[i])); struct stat s; if(!stat(newpath.ptr, &s)) { pblock_kvinsert( pb_key_path, newpath.ptr, newpath.length, rq->vars); free(newpath.ptr); ret = REQ_PROCEED; } else { free(newpath.ptr); } } } for(int i=0;i<ni;i++) { free(names[i].ptr); } free(names); return ret; } int dir_redirect(pblock *pb, Session *sn, Request *rq) { char *path = pblock_findkeyval(pb_key_path, rq->vars); // TODO: VFS support struct stat s; if(stat(path, &s) != 0) { return REQ_NOACTION; } // TODO: remove code duplication (service.c) if(S_ISDIR(s.st_mode) && path[strlen(path)-1] != '/') { pblock_nvinsert("content-length", "0", rq->srvhdrs); pblock_removekey(pb_key_content_type, rq->srvhdrs); char *uri = pblock_findkeyval(pb_key_uri, rq->reqpb); size_t urilen = strlen(uri); char *location = pool_malloc(sn->pool, urilen + 2); memcpy(location, uri, urilen); location[urilen] = '/'; location[urilen+1] = '\0'; pblock_kvinsert(pb_key_location, location, urilen + 1, rq->srvhdrs); protocol_status(sn, rq, 302, NULL); http_start_response(sn, rq); return REQ_ABORTED; } return REQ_PROCEED; }