static void check_response_header(liStreamHttpResponse* shr) {
liResponse *resp = &shr->vr->response;
GList *l;
shr->transfer_encoding_chunked = FALSE;
/* Transfer-Encoding: chunked */
l = li_http_header_find_first(resp->headers, CONST_STR_LEN("transfer-encoding"));
if (l) {
for ( ; l ; l = li_http_header_find_next(l, CONST_STR_LEN("transfer-encoding")) ) {
liHttpHeader *hh = (liHttpHeader*) l->data;
if (0 == g_ascii_strcasecmp( LI_HEADER_VALUE(hh), "identity" )) {
/* ignore */
continue;
} if (0 == g_ascii_strcasecmp( LI_HEADER_VALUE(hh), "chunked" )) {
if (shr->transfer_encoding_chunked) {
VR_ERROR(shr->vr, "%s", "Response is chunked encoded twice");
li_vrequest_error(shr->vr);
return;
}
shr->transfer_encoding_chunked = TRUE;
} else {
VR_ERROR(shr->vr, "Response has unsupported Transfer-Encoding: %s", LI_HEADER_VALUE(hh));
li_vrequest_error(shr->vr);
return;
}
}
li_http_header_remove(resp->headers, CONST_STR_LEN("transfer-encoding"));
/* any non trivial transfer-encoding overwrites content-length */
if (shr->transfer_encoding_chunked) {
li_http_header_remove(resp->headers, CONST_STR_LEN("content-length"));
}
}
/* Upgrade: */
l = li_http_header_find_first(resp->headers, CONST_STR_LEN("upgrade"));
if (l) {
gboolean have_connection_upgrade = FALSE;
liHttpHeaderTokenizer header_tokenizer;
GString *token;
if (101 != resp->http_status) {
VR_ERROR(shr->vr, "Upgrade but status is %i instead of 101 'Switching Protocols'", resp->http_status);
li_vrequest_error(shr->vr);
return;
}
if (shr->transfer_encoding_chunked) {
VR_ERROR(shr->vr, "%s", "Upgrade with Transfer-Encoding: chunked");
li_vrequest_error(shr->vr);
return;
}
/* requires Connection: Upgrade header */
token = g_string_sized_new(15);
li_http_header_tokenizer_start(&header_tokenizer, resp->headers, CONST_STR_LEN("Connection"));
while (li_http_header_tokenizer_next(&header_tokenizer, token)) {
VR_ERROR(shr->vr, "Parsing header '%s'", ((liHttpHeader*)header_tokenizer.cur->data)->data->str);
VR_ERROR(shr->vr, "Connection token '%s'", token->str);
if (0 == g_ascii_strcasecmp(token->str, "Upgrade")) {
have_connection_upgrade = TRUE;
break;
}
}
g_string_free(token, TRUE); token = NULL;
if (!have_connection_upgrade) {
VR_ERROR(shr->vr, "%s", "Upgrade without Connection: Upgrade Transfer");
li_vrequest_error(shr->vr);
return;
}
shr->response_headers_finished = TRUE;
shr->vr->backend_drain->out->is_closed = FALSE;
{
/* li_vrequest_connection_upgrade releases vr->backend_drain; keep our own reference */
liStream *backend_drain = shr->vr->backend_drain;
shr->vr->backend_drain = NULL;
li_vrequest_connection_upgrade(shr->vr, backend_drain, &shr->stream);
li_stream_release(backend_drain);
}
return;
}
shr->response_headers_finished = TRUE;
li_vrequest_indirect_headers_ready(shr->vr);
return;
}
static liHandlerResult auth_basic(liVRequest *vr, gpointer param, gpointer *context) {
liHttpHeader *hdr;
gboolean auth_ok = FALSE;
AuthBasicData *bdata = param;
gboolean debug = _OPTION(vr, bdata->p, 0).boolean;
UNUSED(context);
if (li_vrequest_is_handled(vr)) {
if (debug || CORE_OPTION(LI_CORE_OPTION_DEBUG_REQUEST_HANDLING).boolean) {
VR_DEBUG(vr, "skipping auth.basic as request is already handled with current status %i", vr->response.http_status);
}
return LI_HANDLER_GO_ON;
}
/* check for Authorization header */
hdr = li_http_header_lookup(vr->request.headers, CONST_STR_LEN("Authorization"));
if (!hdr || !g_str_has_prefix(LI_HEADER_VALUE(hdr), "Basic ")) {
if (debug) {
VR_DEBUG(vr, "requesting authorization from client for realm \"%s\"", bdata->realm->str);
}
} else {
gchar *decoded, *username = NULL, *password;
size_t len;
/* auth_info contains username:password encoded in base64 */
if (NULL != (decoded = (gchar*)g_base64_decode(LI_HEADER_VALUE(hdr) + sizeof("Basic ") - 1, &len))) {
/* bogus data? */
if (NULL != (password = strchr(decoded, ':'))) {
*password = '******';
password++;
username = decoded;
} else {
g_free(decoded);
}
}
if (!username) {
if (debug) {
VR_DEBUG(vr, "couldn't parse authorization info from client for realm \"%s\"", bdata->realm->str);
}
} else {
GString user = li_const_gstring(username, password - username - 1);
GString pass = li_const_gstring(password, len - (password - username));
if (bdata->backend(vr, &user, &pass, bdata, debug)) {
auth_ok = TRUE;
li_environment_set(&vr->env, CONST_STR_LEN("REMOTE_USER"), username, password - username - 1);
li_environment_set(&vr->env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Basic"));
} else {
if (debug) {
VR_DEBUG(vr, "wrong authorization info from client on realm \"%s\" (user: \"%s\")", bdata->realm->str, username);
}
}
g_free(decoded);
}
}
g_string_truncate(vr->wrk->tmp_str, 0);
g_string_append_len(vr->wrk->tmp_str, CONST_STR_LEN("Basic realm=\""));
g_string_append_len(vr->wrk->tmp_str, GSTR_LEN(bdata->realm));
g_string_append_c(vr->wrk->tmp_str, '"');
/* generate header always */
if (!auth_ok) {
li_http_header_overwrite(vr->response.headers, CONST_STR_LEN("WWW-Authenticate"), GSTR_LEN(vr->wrk->tmp_str));
/* we already checked for handled */
if (!li_vrequest_handle_direct(vr))
return LI_HANDLER_ERROR;
vr->response.http_status = 401;
return LI_HANDLER_GO_ON;
} else {
/* lets hope browser just ignore the header if status is not 401
* but this way it is easier to use a later "auth.deny;"
*/
li_http_header_overwrite(vr->response.headers, CONST_STR_LEN("WWW-Authenticate"), GSTR_LEN(vr->wrk->tmp_str));
}
if (debug) {
VR_DEBUG(vr, "client authorization successful for realm \"%s\"", bdata->realm->str);
}
return LI_HANDLER_GO_ON;
}
gboolean li_request_validate_header(liConnection *con) {
liRequest *req = &con->mainvr->request;
liHttpHeader *hh;
GList *l;
if (con->info.is_ssl) {
g_string_append_len(req->uri.scheme, CONST_STR_LEN("https"));
} else {
g_string_append_len(req->uri.scheme, CONST_STR_LEN("http"));
}
switch (req->http_version) {
case LI_HTTP_VERSION_1_0:
if (!li_http_header_is(req->headers, CONST_STR_LEN("connection"), CONST_STR_LEN("keep-alive")))
con->info.keep_alive = FALSE;
break;
case LI_HTTP_VERSION_1_1:
if (li_http_header_is(req->headers, CONST_STR_LEN("connection"), CONST_STR_LEN("close")))
con->info.keep_alive = FALSE;
break;
case LI_HTTP_VERSION_UNSET:
bad_request(con, 505); /* Version not Supported */
return FALSE;
}
if (req->uri.raw->len == 0) {
bad_request(con, 400); /* bad request */
return FALSE;
}
/* get hostname */
l = li_http_header_find_first(req->headers, CONST_STR_LEN("host"));
if (NULL != l) {
if (NULL != li_http_header_find_next(l, CONST_STR_LEN("host"))) {
/* more than one "host" header */
bad_request(con, 400); /* bad request */
return FALSE;
}
hh = (liHttpHeader*) l->data;
g_string_append_len(req->uri.authority, LI_HEADER_VALUE_LEN(hh));
/* check header after we parsed the url, as it may override uri.authority */
}
/* Need hostname in HTTP/1.1 */
if (req->uri.authority->len == 0 && req->http_version == LI_HTTP_VERSION_1_1) {
bad_request(con, 400); /* bad request */
return FALSE;
}
/* may override hostname */
if (!request_parse_url(con->mainvr)) {
bad_request(con, 400); /* bad request */
return FALSE;
}
if (req->uri.host->len == 0 && req->uri.authority->len != 0) {
if (!li_parse_hostname(&req->uri)) {
bad_request(con, 400); /* bad request */
return FALSE;
}
}
/* remove trailing dots from hostname */
{
guint i = req->uri.host->len;
while (i > 0 && req->uri.host->str[i-1] == '.') i--;
g_string_truncate(req->uri.host, i);
}
/* content-length */
hh = li_http_header_lookup(req->headers, CONST_STR_LEN("content-length"));
if (hh) {
const gchar *val = LI_HEADER_VALUE(hh);
gint64 r;
char *err;
r = g_ascii_strtoll(val, &err, 10);
if (*err != '\0') {
_VR_DEBUG(con->srv, con->mainvr, "content-length is not a number: %s (Status: 400)", err);
bad_request(con, 400); /* bad request */
return FALSE;
}
/**
* negative content-length is not supported
* and is a bad request
*/
if (r < 0) {
bad_request(con, 400); /* bad request */
return FALSE;
}
/**
* check if we had a over- or underrun in the string conversion
*/
if (r == G_MININT64 || r == G_MAXINT64) {
if (errno == ERANGE) {
bad_request(con, 413); /* Request Entity Too Large */
return FALSE;
}
}
con->mainvr->request.content_length = r;
}
/* Expect: 100-continue */
l = li_http_header_find_first(req->headers, CONST_STR_LEN("expect"));
if (l) {
gboolean expect_100_cont = FALSE;
for ( ; l ; l = li_http_header_find_next(l, CONST_STR_LEN("expect")) ) {
hh = (liHttpHeader*) l->data;
if (0 == g_ascii_strcasecmp( LI_HEADER_VALUE(hh), "100-continue" )) {
expect_100_cont = TRUE;
} else {
/* we only support 100-continue */
bad_request(con, 417); /* Expectation Failed */
return FALSE;
}
}
if (expect_100_cont && req->http_version == LI_HTTP_VERSION_1_0) {
/* only HTTP/1.1 clients can send us this header */
bad_request(con, 417); /* Expectation Failed */
return FALSE;
}
con->expect_100_cont = expect_100_cont;
}
/* TODO: headers:
* - If-Modified-Since (different duplicate check)
* - If-None-Match (different duplicate check)
* - Range (duplicate check)
*/
switch(con->mainvr->request.http_method) {
case LI_HTTP_METHOD_GET:
case LI_HTTP_METHOD_HEAD:
/* content-length is forbidden for those */
if (con->mainvr->request.content_length > 0) {
VR_ERROR(con->mainvr, "%s", "GET/HEAD with content-length -> 400");
bad_request(con, 400); /* bad request */
return FALSE;
}
con->mainvr->request.content_length = 0;
break;
case LI_HTTP_METHOD_POST:
/* content-length is required for them */
if (con->mainvr->request.content_length == -1) {
/* content-length is missing */
VR_ERROR(con->mainvr, "%s", "POST-request, but content-length missing -> 411");
bad_request(con, 411); /* Length Required */
return FALSE;
}
break;
default:
if (con->mainvr->request.content_length == -1)
con->mainvr->request.content_length = 0;
/* the may have a content-length */
break;
}
return TRUE;
}
