int websUrlHandlerRequest(webs_t wp) { websUrlHandlerType *sp; int i, first; a_assert(websValid(wp)); trace(8, T("%s %d %s\n"),__FILE__,__LINE__,__FUNCTION__); /* * Delete the socket handler as we don't want to start reading any * data on the connection as it may be for the next pipelined HTTP/1.1 * request if using Keep Alive */ socketDeleteHandler(wp->sid); wp->state = WEBS_PROCESSING; websStats.handlerHits++; websSetRequestPath(wp, websGetDefaultDir(), NULL); /* * Eliminate security hole */ websCondenseMultipleChars(wp->path, '/'); websCondenseMultipleChars(wp->url, '/'); /* * We loop over each handler in order till one accepts the request. * The security handler will handle the request if access is NOT allowed. */ first = 1; for (i = 0; i < websUrlHandlerMax; i++) { sp = &websUrlHandler[i]; if (sp->handler && gstrncmp(sp->urlPrefix, wp->path, sp->len) == 0) { if (first) { websSetEnv(wp); first = 0; } if ((*sp->handler)(wp, sp->urlPrefix, sp->webDir, sp->arg, wp->url, wp->path, wp->query)) { return 1; } if (!websValid(wp)) { trace(0, T("webs: handler %s called websDone, but didn't return 1\n"), sp->urlPrefix); return 1; } } } /* * If no handler processed the request, then return an error. Note: It is * the handlers responsibility to call websDone */ if (i >= websUrlHandlerMax) { websError(wp, 200, T("No handler for this URL %s"), wp->url); } return 0; }
int websFormHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query) { sym_t *sp; char_t formBuf[FNAMESIZE]; char_t *cp, *formName; int (*fn)(void *sock, char_t *path, char_t *args); a_assert(websValid(wp)); a_assert(url && *url); a_assert(path && *path == '/'); websStats.formHits++; /* * Extract the form name */ gstrncpy(formBuf, path, TSZ(formBuf)); if ((formName = gstrchr(&formBuf[1], '/')) == NULL) { websError(wp, 200, T("Missing form name")); return 1; } formName++; if ((cp = gstrchr(formName, '/')) != NULL) { *cp = '\0'; } /* * Lookup the C form function first and then try tcl (no javascript support * yet). */ sp = symLookup(formSymtab, formName); if (sp == NULL) { websError(wp, 200, T("Form %s is not defined"), formName); } else { fn = (int (*)(void *, char_t *, char_t *)) sp->content.value.integer; a_assert(fn); if (fn) { /* * For good practice, forms must call websDone() */ (*fn)((void*) wp, formName, query); /* * Remove the test to force websDone, since this prevents * the server "push" from a form> */ #if 0 /* push */ if (websValid(wp)) { websError(wp, 200, T("Form didn't call websDone")); } #endif /* push */ } } return 1; }
int websPageReadData(webs_t wp, char *buf, int nBytes) { #ifdef WEBS_PAGE_ROM a_assert(websValid(wp)); return websRomPageReadData(wp, buf, nBytes); #else a_assert(websValid(wp)); return gread(wp->docfd, buf, nBytes); #endif }
/* Do output back to the browser in the background. This is a socket write handler. This bypasses the output buffer and writes directly to the socket. */ static void fileWriteEvent(Webs *wp) { char *buf; ssize len, wrote; assert(wp); assert(websValid(wp)); /* Note: websWriteSocket may return less than we wanted. It will return -1 on a socket error. */ if ((buf = walloc(ME_GOAHEAD_LIMIT_BUFFER)) == NULL) { websError(wp, HTTP_CODE_INTERNAL_SERVER_ERROR, "Cannot get memory"); return; } /* OPT - we could potentially save this buffer so that on short-writes, it does not need to be re-read. */ while ((len = websPageReadData(wp, buf, ME_GOAHEAD_LIMIT_BUFFER)) > 0) { if ((wrote = websWriteSocket(wp, buf, len)) < 0) { break; } if (wrote != len) { websPageSeek(wp, - (len - wrote), SEEK_CUR); break; } } wfree(buf); if (len <= 0) { websDone(wp); } }
/* Don't use these routes. Use websWriteHeaders, websEndHeaders instead. Write a webs header. This is a convenience routine to write a common header for a form back to the browser. */ PUBLIC void websHeader(Webs *wp) { assure(websValid(wp)); websWriteHeaders(wp, -1, 0); websWriteEndHeaders(wp); websWrite(wp, "<html>\n"); }
static int websTidyUrl(webs_t wp) { char_t *parts[64]; /* Array of ptr's to URL parts */ char_t *token, *url, *tidyurl; int i, len, npart; a_assert(websValid(wp)); /* * Copy the string so we don't destroy the original (yet) */ url = bstrdup(B_L, wp->url); websDecodeUrl(url, url, gstrlen(url)); len = npart = 0; parts[0] = NULL; token = gstrtok(url, T("/")); /* * Look at each directory segment and process "." and ".." segments * Don't allow the browser to pop outside the root web. */ while (token != NULL) { if (gstrcmp(token, T("..")) == 0) { if (npart > 0) { npart--; } } else if (gstrcmp(token, T(".")) != 0) { parts[npart] = token; len += gstrlen(token) + 1; npart++; } token = gstrtok(NULL, T("/")); } /* * Re-construct URL. Need extra space all "/" and null. */ if (npart || (gstrcmp(url, T("/")) == 0) || (url[0] == '\0')) { tidyurl = balloc(B_L, (len + 2) * sizeof(char_t)); *tidyurl = '\0'; for (i = 0; i < npart; i++) { gstrcat(tidyurl, T("/")); gstrcat(tidyurl, parts[i]); } bfree(B_L, url); bfree(B_L, wp->url); wp->url = tidyurl; return 0; } else { bfree(B_L, url); return -1; } }
/* The upload handler functions as a filter. It never actually handles a request */ static bool uploadHandler(Webs *wp) { assert(websValid(wp)); if (!(wp->flags & WEBS_UPLOAD)) { return 0; } return initUpload(wp); }
void websPageSeek(webs_t wp, long offset) { a_assert(websValid(wp)); #ifdef WEBS_PAGE_ROM websRomPageSeek(wp, offset, SEEK_CUR); #else glseek(wp->docfd, offset, SEEK_CUR); #endif }
int websPageOpen(webs_t wp, char_t *lpath, char_t *path, int mode, int perm) { a_assert(websValid(wp)); #ifdef WEBS_PAGE_ROM return websRomPageOpen(wp, path, mode, perm); #else return (wp->docfd = gopen(lpath, mode, perm)); #endif /* WEBS_PAGE_ROM */ }
static void websDefaultWriteEvent(webs_t wp) { int len, wrote, flags, bytes, written; char *buf; a_assert(websValid(wp)); flags = websGetRequestFlags(wp); websSetTimeMark(wp); wrote = bytes = 0; written = websGetRequestWritten(wp); /* * We only do this for non-ASP documents */ if ( !(flags & WEBS_ASP)) { bytes = websGetRequestBytes(wp); /* * Note: websWriteDataNonBlock may return less than we wanted. It will * return -1 on a socket error */ if ((buf = balloc(B_L, PAGE_READ_BUFSIZE)) == NULL) { websError(wp, 200, T("Can't get memory")); } else { while ((len = websPageReadData(wp, buf, PAGE_READ_BUFSIZE)) > 0) { if ((wrote = websWriteDataNonBlock(wp, buf, len)) < 0) { break; } written += wrote; if (wrote != len) { websPageSeek(wp, - (len - wrote)); break; } } /* * Safety. If we are at EOF, we must be done */ if (len == 0) { a_assert(written >= bytes); written = bytes; } bfree(B_L, buf); } } /* * We're done if an error, or all bytes output */ websSetRequestWritten(wp, written); if (wrote < 0 || written >= bytes) { websDone(wp, 200); } }
void websPageClose(webs_t wp) { a_assert(websValid(wp)); #ifdef WEBS_PAGE_ROM websRomPageClose(wp->docfd); #else if (wp->docfd >= 0) { gclose(wp->docfd); wp->docfd = -1; } #endif }
int websPageOpen(webs_t wp, char_t *lpath, char_t *path, int mode, int perm) { #if defined(WIN32) errno_t error; #endif a_assert(websValid(wp)); #ifdef WEBS_PAGE_ROM return websRomPageOpen(wp, path, mode, perm); #elif defined(WIN32) error = _sopen_s(&(wp->docfd), lpath, mode, _SH_DENYNO, _S_IREAD); return (wp->docfd = gopen(lpath, mode, _S_IREAD)); #else return (wp->docfd = gopen(lpath, mode, perm)); #endif /* WEBS_PAGE_ROM */ }
int websRomPageOpen(webs_t wp, char_t *path, int mode, int perm) { websRomPageIndexType *wip; sym_t *sp; a_assert(websValid(wp)); a_assert(path && *path); if ((sp = symLookup(romTab, path)) == NULL) { return -1; } wip = (websRomPageIndexType*) sp->content.value.integer; wip->pos = 0; return (wp->docfd = wip - websRomPageIndex); }
int websRomPageReadData(webs_t wp, char *buf, int nBytes) { websRomPageIndexType *wip; int len; a_assert(websValid(wp)); a_assert(buf); a_assert(wp->docfd >= 0); wip = &websRomPageIndex[wp->docfd]; len = min(wip->size - wip->pos, nBytes); memcpy(buf, &wip->page[wip->pos], len); wip->pos += len; return len; }
static int websPublishHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int sid, char_t *url, char_t *path, char_t *query) { int len; a_assert(websValid(wp)); a_assert(path); /* * Trim the urlPrefix off the path and set the webdirectory. Add one to step * over the trailing '/' */ len = gstrlen(urlPrefix) + 1; websSetRequestPath(wp, webDir, &path[len]); return 0; }
void websHeader(webs_t wp) { a_assert(websValid(wp)); websWrite(wp, T("HTTP/1.0 200 OK\n")); /* * By license terms the following line of code must not be modified */ websWrite(wp, T("Server: %s\r\n"), WEBS_NAME); websWrite(wp, T("Pragma: no-cache\n")); websWrite(wp, T("Cache-control: no-cache\n")); websWrite(wp, T("Content-Type: text/html\n")); websWrite(wp, T("\n")); websWrite(wp, T("<html>\n")); }
/* Javascript write command. This implemements <% write("text"); %> command */ PUBLIC int websJstWrite(int jid, Webs *wp, int argc, char **argv) { int i; assert(websValid(wp)); for (i = 0; i < argc; ) { assert(argv); if (websWriteBlock(wp, argv[i], strlen(argv[i])) < 0) { return -1; } if (++i < argc) { if (websWriteBlock(wp, " ", 1) < 0) { return -1; } } } return 0; }
int websAspWrite(int ejid, webs_t wp, int argc, char_t **argv) { int i; a_assert(websValid(wp)); for (i = 0; i < argc; ) { a_assert(argv); if (websWriteBlock(wp, argv[i], gstrlen(argv[i])) < 0) { return -1; } if (++i < argc) { if (websWriteBlock(wp, T(" "), 2) < 0) { return -1; } } } return 0; }
/* Process an action request. Returns 1 always to indicate it handled the URL */ static bool actionHandler(Webs *wp) { WebsKey *sp; char actionBuf[BIT_GOAHEAD_LIMIT_URI + 1]; char *cp, *actionName; WebsAction fn; assert(websValid(wp)); assert(actionTable >= 0); /* Extract the action name */ scopy(actionBuf, sizeof(actionBuf), wp->path); if ((actionName = strchr(&actionBuf[1], '/')) == NULL) { websError(wp, HTTP_CODE_NOT_FOUND, "Missing action name"); return 1; } actionName++; if ((cp = strchr(actionName, '/')) != NULL) { *cp = '\0'; } /* Lookup the C action function first and then try tcl (no javascript support yet). */ sp = hashLookup(actionTable, actionName); if (sp == NULL) { websError(wp, HTTP_CODE_NOT_FOUND, "Action %s is not defined", actionName); } else { fn = (WebsAction) sp->content.value.symbol; assert(fn); if (fn) { #if BIT_GOAHEAD_LEGACY (*((WebsProc) fn))((void*) wp, actionName, wp->query); #else (*fn)((void*) wp); #endif } } return 1; }
/* Process an action request. Returns 1 always to indicate it handled the URL */ static bool actionHandler(Webs *wp) { WebsKey *sp; char formBuf[BIT_LIMIT_FILENAME]; char *cp, *formName; WebsAction fn; assure(websValid(wp)); assure(formSymtab >= 0); /* Extract the form name */ scopy(formBuf, sizeof(formBuf), wp->path); if ((formName = strchr(&formBuf[1], '/')) == NULL) { websError(wp, HTTP_CODE_NOT_FOUND, "Missing form name"); return 1; } formName++; if ((cp = strchr(formName, '/')) != NULL) { *cp = '\0'; } /* Lookup the C form function first and then try tcl (no javascript support yet). */ sp = hashLookup(formSymtab, formName); if (sp == NULL) { websError(wp, HTTP_CODE_NOT_FOUND, "Action %s is not defined", formName); } else { fn = (WebsAction) sp->content.value.symbol; assure(fn); if (fn) { #if BIT_LEGACY (*fn)((void*) wp, formName, wp->query); #else (*fn)((void*) wp); #endif } } return 1; }
long websRomPageSeek(webs_t wp, long offset, int origin) { websRomPageIndexType *wip; long pos; a_assert(websValid(wp)); a_assert(origin == SEEK_SET || origin == SEEK_CUR || origin == SEEK_END); a_assert(wp->docfd >= 0); wip = &websRomPageIndex[wp->docfd]; if (origin != SEEK_SET && origin != SEEK_CUR && origin != SEEK_END) { errno = EINVAL; return -1; } if (wp->docfd < 0) { errno = EBADF; return -1; } pos = offset; switch (origin) { case SEEK_CUR: pos = wip->pos + offset; break; case SEEK_END: pos = wip->size + offset; break; default: break; } if (pos < 0) { errno = EBADF; return -1; } return (wip->pos = pos); }
void websHeader(webs_t wp) { a_assert(websValid(wp)); websWrite(wp, T("HTTP/1.0 200 OK\n")); /* * By license terms the following line of code must not be modified */ websWrite(wp, T("Server: %s\r\n"), WEBS_NAME); websWrite(wp, T("Pragma: no-cache\n")); websWrite(wp, T("Cache-control: no-cache\n")); websWrite(wp, T("Content-Type: text/html\n")); websWrite(wp, T("\n")); websWrite(wp, T("<html>\n<head>\n")); websWrite(wp, T("<title>My Title</title>")); websWrite(wp, T("<link rel=\"stylesheet\" href=\"/style/normal_ws.css\"\ type=\"text/css\">")); websWrite(wp, T("<meta http-equiv=\"content-type\" content=\"text/html;\ charset=utf-8\">")); websWrite(wp, T("</head>\n<body>\n")); }
void websFooter(webs_t wp) { a_assert(websValid(wp)); websWrite(wp, T("</body>\n</html>\n")); }
/* * Process a form request. Returns 1 always to indicate it handled the URL */ int websCgiHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t* query) { cgiRec *cgip; sym_t *s; char_t cgiBuf[FNAMESIZE], *stdIn, *stdOut, cwd[FNAMESIZE]; char_t *cp, *cgiName, *cgiPath, **argp, **envp, **ep; int n, envpsize, argpsize, pHandle, cid; a_assert(websValid(wp)); a_assert(url && *url); a_assert(path && *path == '/'); websStats.cgiHits++; /* * Extract the form name and then build the full path name. The form * name will follow the first '/' in path. */ gstrncpy(cgiBuf, path, TSZ(cgiBuf)); if ((cgiName = gstrchr(&cgiBuf[1], '/')) == NULL) { websError(wp, 200, T("Missing CGI name")); return 1; } cgiName++; if ((cp = gstrchr(cgiName, '/')) != NULL) { *cp = '\0'; } fmtAlloc(&cgiPath, FNAMESIZE, T("%s/%s/%s"), websGetDefaultDir(), CGI_BIN, cgiName); #ifndef VXWORKS /* * See if the file exists and is executable. If not error out. * Don't do this step for VxWorks, since the module may already * be part of the OS image, rather than in the file system. */ { gstat_t sbuf; if (gstat(cgiPath, &sbuf) != 0 || (sbuf.st_mode & S_IFREG) == 0) { websError(wp, 200, T("CGI process file does not exist")); bfree(B_L, cgiPath); return 1; } #if (defined (WIN) || defined (CE)) if (gstrstr(cgiPath, T(".exe")) == NULL && gstrstr(cgiPath, T(".bat")) == NULL) { #elif (defined (NW)) if (gstrstr(cgiPath, T(".nlm")) == NULL) { #else if (gaccess(cgiPath, X_OK) != 0) { #endif /* WIN || CE */ websError(wp, 200, T("CGI process file is not executable")); bfree(B_L, cgiPath); return 1; } } #endif /* ! VXWORKS */ /* * Get the CWD for resetting after launching the child process CGI */ ggetcwd(cwd, FNAMESIZE); /* * Retrieve the directory of the child process CGI */ if ((cp = gstrrchr(cgiPath, '/')) != NULL) { *cp = '\0'; gchdir(cgiPath); *cp = '/'; } /* * Build command line arguments. Only used if there is no non-encoded * = character. This is indicative of a ISINDEX query. POST separators * are & and others are +. argp will point to a balloc'd array of * pointers. Each pointer will point to substring within the * query string. This array of string pointers is how the spawn or * exec routines expect command line arguments to be passed. Since * we don't know ahead of time how many individual items there are in * the query string, the for loop includes logic to grow the array * size via brealloc. */ argpsize = 10; argp = balloc(B_L, argpsize * sizeof(char_t *)); *argp = cgiPath; n = 1; if (gstrchr(query, '=') == NULL) { websDecodeUrl(query, query, gstrlen(query)); for (cp = gstrtok(query, T(" ")); cp != NULL; ) { *(argp+n) = cp; n++; if (n >= argpsize) { argpsize *= 2; argp = brealloc(B_L, argp, argpsize * sizeof(char_t *)); } cp = gstrtok(NULL, T(" ")); } } *(argp+n) = NULL; /* * Add all CGI variables to the environment strings to be passed * to the spawned CGI process. This includes a few we don't * already have in the symbol table, plus all those that are in * the cgiVars symbol table. envp will point to a balloc'd array of * pointers. Each pointer will point to a balloc'd string containing * the keyword value pair in the form keyword=value. Since we don't * know ahead of time how many environment strings there will be the * for loop includes logic to grow the array size via brealloc. */ envpsize = WEBS_SYM_INIT; envp = balloc(B_L, envpsize * sizeof(char_t *)); n = 0; fmtAlloc(envp+n, FNAMESIZE, T("%s=%s"),T("PATH_TRANSLATED"), cgiPath); n++; fmtAlloc(envp+n, FNAMESIZE, T("%s=%s/%s"),T("SCRIPT_NAME"), CGI_BIN, cgiName); n++; fmtAlloc(envp+n, FNAMESIZE, T("%s=%s"),T("REMOTE_USER"), wp->userName); n++; fmtAlloc(envp+n, FNAMESIZE, T("%s=%s"),T("AUTH_TYPE"), wp->authType); n++; for (s = symFirst(wp->cgiVars); s != NULL; s = symNext(wp->cgiVars)) { if (s->content.valid && s->content.type == string && gstrcmp(s->name.value.string, T("REMOTE_HOST")) != 0 && gstrcmp(s->name.value.string, T("HTTP_AUTHORIZATION")) != 0) { fmtAlloc(envp+n, FNAMESIZE, T("%s=%s"), s->name.value.string, s->content.value.string); n++; if (n >= envpsize) { envpsize *= 2; envp = brealloc(B_L, envp, envpsize * sizeof(char_t *)); } } } if (wp->flags & WEBS_CGI_UPLOAD){ // set filename into enviornment variables fmtAlloc(envp+n, FNAMESIZE, T("%s=%s"), T("UPLOAD_FILENAME"), wp->cgiStdin); n++; } *(envp+n) = NULL; /* * Create temporary file name(s) for the child's stdin and stdout. * For POST data the stdin temp file (and name) should already exist. */ if (wp->cgiStdin == NULL) { wp->cgiStdin = websGetCgiCommName(wp); } stdIn = wp->cgiStdin; stdOut = websGetCgiCommName(wp); /* * Now launch the process. If not successful, do the cleanup of resources. * If successful, the cleanup will be done after the process completes. */ if ((pHandle = websLaunchCgiProc(cgiPath, argp, envp, stdIn, stdOut)) == -1) { websError(wp, 200, T("failed to spawn CGI task")); for (ep = envp; *ep != NULL; ep++) { bfreeSafe(B_L, *ep); } bfreeSafe(B_L, cgiPath); bfreeSafe(B_L, argp); bfreeSafe(B_L, envp); bfreeSafe(B_L, stdOut); } else { /* * If the spawn was successful, put this wp on a queue to be * checked for completion. */ cid = hAllocEntry((void***) &cgiList, &cgiMax, sizeof(cgiRec)); cgip = cgiList[cid]; cgip->handle = pHandle; cgip->stdIn = stdIn; cgip->stdOut = stdOut; cgip->cgiPath = cgiPath; cgip->argp = argp; cgip->envp = envp; cgip->wp = wp; cgip->fplacemark = 0; websTimeoutCancel(wp); } /* * Restore the current working directory after spawning child CGI */ gchdir(cwd); return 1; } /******************************************************************************/ /* * Any entry in the cgiList need to be checked to see if it has */ void websCgiGatherOutput (cgiRec *cgip) { gstat_t sbuf; char_t cgiBuf[FNAMESIZE]; if ((gstat(cgip->stdOut, &sbuf) == 0) && (sbuf.st_size > cgip->fplacemark)) { int fdout; fdout = gopen(cgip->stdOut, O_RDONLY | O_BINARY, 0444 ); /* * Check to see if any data is available in the * output file and send its contents to the socket. */ if (fdout >= 0) { webs_t wp = cgip->wp; int nRead; /* * Write the HTTP header on our first pass */ if (cgip->fplacemark == 0) { websWrite(wp, T("HTTP/1.0 200 OK\r\n")); } glseek(fdout, cgip->fplacemark, SEEK_SET); while ((nRead = gread(fdout, cgiBuf, FNAMESIZE)) > 0) { websWriteBlock(wp, cgiBuf, nRead); cgip->fplacemark += nRead; } gclose(fdout); } } } /******************************************************************************/ /* * Any entry in the cgiList need to be checked to see if it has * completed, and if so, process its output and clean up. */ void websCgiCleanup() { cgiRec *cgip; webs_t wp; char_t **ep; int cid, nTries; for (cid = 0; cid < cgiMax; cid++) { if ((cgip = cgiList[cid]) != NULL) { int exit_status; wp = cgip->wp; websCgiGatherOutput (cgip); if ( websCheckCgiProc(cgip->handle, &exit_status) == 0) { /* * We get here if the CGI process has terminated. Clean up. */ nTries = 0; /* * Make sure we didn't miss something during a task switch. * Maximum wait is 100 times 10 msecs (1 second). */ while ((cgip->fplacemark == 0) && (nTries < 100)) { websCgiGatherOutput(cgip); /* * There are some cases when we detect app exit * before the file is ready. */ if (cgip->fplacemark == 0) { #ifdef WIN Sleep(10); #endif /* WIN*/ } nTries++; } if (cgip->fplacemark == 0) { websError(wp, 200, T("CGI generated no output")); } else { websDone(wp, 200); } /* * Remove the temporary re-direction files */ gunlink(cgip->stdIn); gunlink(cgip->stdOut); /* * Free all the memory buffers pointed to by cgip. * The stdin file name (wp->cgiStdin) gets freed as * part of websFree(). */ cgiMax = hFree((void***) &cgiList, cid); for (ep = cgip->envp; ep != NULL && *ep != NULL; ep++) { bfreeSafe(B_L, *ep); } bfreeSafe(B_L, cgip->cgiPath); bfreeSafe(B_L, cgip->argp); bfreeSafe(B_L, cgip->envp); bfreeSafe(B_L, cgip->stdOut); bfreeSafe(B_L, cgip); #if 0 //DAVIDM - we do not want this, netflash does it for us if(wp->has_firmware_upload_clean){ if (WIFEXITED(exit_status) && WEXITSTATUS(exit_status) != 0) return; sync(); doSystem("sleep 3 && reboot &"); } #endif } } } }
PUBLIC int websProcessUploadData(Webs *wp) { char *line, *nextTok; ssize len, nbytes; int done, rc; for (done = 0, line = 0; !done; ) { if (wp->uploadState == UPLOAD_BOUNDARY || wp->uploadState == UPLOAD_CONTENT_HEADER) { /* Parse the next input line */ line = wp->input.servp; if ((nextTok = memchr(line, '\n', bufLen(&wp->input))) == 0) { /* Incomplete line */ break; } *nextTok++ = '\0'; nbytes = nextTok - line; websConsumeInput(wp, nbytes); strim(line, "\r", WEBS_TRIM_END); len = strlen(line); if (line[len - 1] == '\r') { line[len - 1] = '\0'; } } switch (wp->uploadState) { case 0: if (initUpload(wp) < 0) { done++; } break; case UPLOAD_BOUNDARY: if (processContentBoundary(wp, line) < 0) { done++; } break; case UPLOAD_CONTENT_HEADER: if (processUploadHeader(wp, line) < 0) { done++; } break; case UPLOAD_CONTENT_DATA: if ((rc = processContentData(wp)) < 0) { done++; } if (bufLen(&wp->input) < wp->boundaryLen) { /* Incomplete boundary - return to get more data */ done++; } break; case UPLOAD_CONTENT_END: done++; break; } } if (!websValid(wp)) { return -1; } bufCompact(&wp->input); return 0; }
int websValidateUrl(webs_t wp, char_t *path) { /* Thanks to Dhanwa T ([email protected]) for this fix -- previously, if an URL was requested having more than (the hardcoded) 64 parts, the webServer would experience a hard crash as it attempted to write past the end of the array 'parts'. Also fixes: http://www.securiteam.com/securitynews/5MP0C1580W.html */ char_t *parts[MAX_URL_DEPTH]; /* Array of ptr's to URL parts */ char_t *token, *dir, *lpath; int i, len, npart; a_assert(websValid(wp)); a_assert(path); dir = websGetRequestDir(wp); if (dir == NULL || *dir == '\0') { return -1; } /* * Copy the string so we don't destroy the original */ path = bstrdup(B_L, path); websDecodeUrl(path, path, gstrlen(path)); len = npart = 0; parts[0] = NULL; /* * Fixed by Matt Moore, 22 Jul 02 * http://www.securiteam.com/securitynews/5RP0I007PG.html * http://www.securiteam.com/securitynews/5QP010U3FS.html * * There were reports that a directory traversal exploit was * possible in the WebServer running under Windows if directory paths * outside the server's specified root web were given by URL-encoding the * backslash character, like: * * GoAhead is vulnerable to a directory traversal bug. A request such as * * GoAhead-server/../../../../../../../ results in an error message * 'Cannot open URL'. * However, by encoding the '/' character, it is possible to break out of * the web root and read arbitrary files from the server. * Hence a request like: * * GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns the * contents of the win.ini file. * (Note that the description uses forward slashes (0x2F), but the example * uses backslashes (0x5C). In my tests, forward slashes are correctly * trapped, but backslashes are not. The code below substitutes forward * slashes for backslashes before attempting to validate that there are no * unauthorized paths being accessed. */ token = gstrchr(path, '\\'); while (token != NULL) { *token = '/'; token = gstrchr(token, '\\'); } token = gstrtok(path, T("/")); /* * Look at each directory segment and process "." and ".." segments * Don't allow the browser to pop outside the root web. */ while (token != NULL) { if (npart >= MAX_URL_DEPTH) { /* * malformed URL -- too many parts for us to process. */ bfree(B_L, path); return -1; } if (gstrcmp(token, T("..")) == 0) { if (npart > 0) { npart--; } } else if (gstrcmp(token, T(".")) != 0) { parts[npart] = token; len += gstrlen(token) + 1; npart++; } token = gstrtok(NULL, T("/")); } #ifdef WIN32 if (isBadWindowsPath(parts, npart)) { bfree(B_L, path); return -1; } #endif /* * Create local path for document. Need extra space all "/" and null. */ if (npart || (gstrcmp(path, T("/")) == 0) || (path[0] == '\0')) { lpath = balloc(B_L, (gstrlen(dir) + 1 + len + 1) * sizeof(char_t)); gstrcpy(lpath, dir); for (i = 0; i < npart; i++) { gstrcat(lpath, T("/")); gstrcat(lpath, parts[i]); } websSetRequestLpath(wp, lpath); bfree(B_L, path); bfree(B_L, lpath); } else { bfree(B_L, path); return -1; } return 0; }
int websDefaultHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query) { websStatType sbuf; char_t *lpath, *tmp, *date; int bytes, flags, nchars, rc; a_assert(websValid(wp)); a_assert(url && *url); a_assert(path); a_assert(query); flags = websGetRequestFlags(wp); /* * We do whitelist validation in addition to standard URL validation. * The whitelist should really catch anything invalid first. * If the whitelist check fails, rebuild the list and try again. * Also validate if we are not on a secure connection, but the whitelist * entry has the SSL flag set, do not serve the page. */ #ifdef WEBS_WHITELIST_SUPPORT printf ("wp->url: (%s)\n", wp->url); if ((rc = websWhitelistCheck(wp->url)) < 0) { websBuildWhitelist(); if ((rc = websWhitelistCheck(wp->url)) < 0) { websError(wp, 404, T("Cannot open URL: type 1")); return 1; } } if (!(flags & WEBS_SECURE) && (rc & WHITELIST_SSL)) { websError(wp, 500, T("HTTPS access required")); return 1; } #endif /* WEBS_WHITELIST_SUPPORT */ /* * Validate the URL and ensure that ".."s don't give access to unwanted files */ if (websValidateUrl(wp, path) < 0) { /* * preventing a cross-site scripting exploit -- you may restore the * following line of code to revert to the original behavior... websError(wp, 500, T("Invalid URL %s"), url); */ websError(wp, 500, T("Invalid URL")); websBuildWhitelist(); return 1; } lpath = websGetRequestLpath(wp); nchars = gstrlen(lpath) - 1; if (lpath[nchars] == '/' || lpath[nchars] == '\\') { lpath[nchars] = '\0'; } /* * If the file is a directory, redirect using the nominated default page */ if (websPageIsDirectory(lpath)) { nchars = gstrlen(path); if (path[nchars-1] == '/' || path[nchars-1] == '\\') { path[--nchars] = '\0'; } nchars += gstrlen(websDefaultPage) + 2; fmtAlloc(&tmp, nchars, T("%s/%s"), path, websDefaultPage); printf ("websDefaultHandler: tmp(%s)\n", tmp); websRedirect(wp, tmp); bfreeSafe(B_L, tmp); return 1; } printf ("we now open the web pages\n"); printf ("lpath(%s), path(%s)\n", lpath, path); /* * Open the document. Stat for later use. */ if (websPageOpen(wp, lpath, path, O_RDONLY | O_BINARY, 0666) < 0) { /* 10 Dec 02 BgP -- according to * <http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html>, * the proper code to return here is NOT 400 (old code), which is used * to indicate a malformed request. Here, the request is good, but the * error we need to tell the client about is 404 (Not Found). */ /* * 17 Mar 03 BgP -- prevent a cross-site scripting exploit websError(wp, 404, T("Cannot open URL %s"), url); */ websError(wp, 404, T("Cannot open URL, type 2")); websBuildWhitelist(); return 1; } printf ("lpath(%s), path(%s)\n", lpath, path); if (websPageStat(wp, lpath, path, &sbuf) < 0) { /* * 17 Mar 03 BgP * prevent a cross-site scripting exploit websError(wp, 400, T("Cannot stat page for URL %s"), url); */ websError(wp, 400, T("Cannot stat page for URL")); websBuildWhitelist(); return 1; } /* * If the page has not been modified since the user last received it and it * is not dynamically generated each time (ASP), then optimize request by * sending a 304 Use local copy response */ websStats.localHits++; #ifdef WEBS_IF_MODIFIED_SUPPORT if (flags & WEBS_IF_MODIFIED && !(flags & WEBS_ASP)) { if (sbuf.mtime <= wp->since) { websWrite(wp, T("HTTP/1.0 304 Use local copy\r\n")); /* * by license terms the following line of code must * not be modified. */ websWrite(wp, T("Server: %s\r\n"), WEBS_NAME); if (flags & WEBS_KEEP_ALIVE) { websWrite(wp, T("Connection: keep-alive\r\n")); } websWrite(wp, T("\r\n")); websSetRequestFlags(wp, flags |= WEBS_HEADER_DONE); websDone(wp, 304); return 1; } } #endif /* * Output the normal HTTP response header */ if ((date = websGetDateString(NULL)) != NULL) { websWrite(wp, T("HTTP/1.0 200 OK\r\nDate: %s\r\n"), date); /* * The Server HTTP header below must not be modified unless * explicitly allowed by licensing terms. */ #ifdef WEBS_SSL_SUPPORT websWrite(wp, T("Server: %s/%s %s/%s\r\n"), WEBS_NAME, WEBS_VERSION, SSL_NAME, SSL_VERSION); #else websWrite(wp, T("Server: %s/%s\r\n"), WEBS_NAME, WEBS_VERSION); #endif bfree(B_L, date); } flags |= WEBS_HEADER_DONE; /* * If this is an ASP request, ensure the remote browser doesn't cache it. * Send back both HTTP/1.0 and HTTP/1.1 cache control directives */ if (flags & WEBS_ASP) { bytes = 0; websWrite(wp, T("Pragma: no-cache\r\nCache-Control: no-cache\r\n")); } else { if ((date = websGetDateString(&sbuf)) != NULL) { websWrite(wp, T("Last-modified: %s\r\n"), date); bfree(B_L, date); } bytes = sbuf.size; } if (bytes) { websWrite(wp, T("Content-length: %d\r\n"), bytes); websSetRequestBytes(wp, bytes); } websWrite(wp, T("Content-type: %s\r\n"), websGetRequestType(wp)); if ((flags & WEBS_KEEP_ALIVE) && !(flags & WEBS_ASP)) { websWrite(wp, T("Connection: keep-alive\r\n")); } websWrite(wp, T("\r\n")); /* * All done if the browser did a HEAD request */ if (flags & WEBS_HEAD_REQUEST) { websDone(wp, 200); return 1; } /* * Evaluate ASP requests */ if (flags & WEBS_ASP) { if (websAspRequest(wp, lpath) < 0) { return 1; } websDone(wp, 200); return 1; } /* * Return the data via background write */ websSetRequestSocketHandler(wp, SOCKET_WRITABLE, websDefaultWriteEvent); return 1; }
int websDefaultHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query) { websStatType sbuf; char_t *lpath, *tmp, *date; int bytes, flags, nchars; a_assert(websValid(wp)); a_assert(url && *url); a_assert(path); a_assert(query); /* * Validate the URL and ensure that ".."s don't give access to unwanted files */ flags = websGetRequestFlags(wp); if (websValidateUrl(wp, path) < 0) { websError(wp, 500, T("Invalid URL %s"), url); return 1; } lpath = websGetRequestLpath(wp); nchars = gstrlen(lpath) - 1; if (lpath[nchars] == '/' || lpath[nchars] == '\\') { lpath[nchars] = '\0'; } /* * If the file is a directory, redirect using the nominated default page */ if (websPageIsDirectory(lpath)) { nchars = gstrlen(path); if (path[nchars-1] == '/' || path[nchars-1] == '\\') { path[--nchars] = '\0'; } nchars += gstrlen(websDefaultPage) + 2; fmtAlloc(&tmp, nchars, T("%s/%s"), path, websDefaultPage); websRedirect(wp, tmp); bfreeSafe(B_L, tmp); return 1; } /* * Open the document. Stat for later use. */ if (websPageOpen(wp, lpath, path, SOCKET_RDONLY | SOCKET_BINARY, 0666) < 0) { websError(wp, 400, T("Cannot open URL <b>%s</b>"), url); return 1; } if (websPageStat(wp, lpath, path, &sbuf) < 0) { websError(wp, 400, T("Cannot stat page for URL <b>%s</b>"), url); return 1; } /* * If the page has not been modified since the user last received it and it * is not dynamically generated each time (ASP), then optimize request by * sending a 304 Use local copy response */ websStats.localHits++; #ifdef WEBS_IF_MODIFIED_SUPPORT if (flags & WEBS_IF_MODIFIED && !(flags & WEBS_ASP)) { if (sbuf.mtime <= wp->since) { websWrite(wp, T("HTTP/1.0 304 Use local copy\r\n")); /* * by license terms the following line of code must * not be modified. */ websWrite(wp, T("Server: %s\r\n"), WEBS_NAME); if (flags & WEBS_KEEP_ALIVE) { websWrite(wp, T("Connection: keep-alive\r\n")); } websWrite(wp, T("\r\n")); websSetRequestFlags(wp, flags |= WEBS_HEADER_DONE); websDone(wp, 304); return 1; } } #endif /* * Output the normal HTTP response header */ if ((date = websGetDateString(NULL)) != NULL) { websWrite(wp, T("HTTP/1.0 200 OK\r\nDate: %s\r\n"), date); /* * By license terms the following line of code must not be modified. */ websWrite(wp, T("Server: %s\r\n"), WEBS_NAME); bfree(B_L, date); } flags |= WEBS_HEADER_DONE; /* * If this is an ASP request, ensure the remote browser doesn't cache it. * Send back both HTTP/1.0 and HTTP/1.1 cache control directives */ if (flags & WEBS_ASP) { bytes = 0; websWrite(wp, T("Pragma: no-cache\r\nCache-Control: no-cache\r\n")); } else { if ((date = websGetDateString(&sbuf)) != NULL) { websWrite(wp, T("Last-modified: %s\r\n"), date); bfree(B_L, date); } bytes = sbuf.size; } if (bytes) { websWrite(wp, T("Content-length: %d\r\n"), bytes); websSetRequestBytes(wp, bytes); } websWrite(wp, T("Content-type: %s\r\n"), websGetRequestType(wp)); if ((flags & WEBS_KEEP_ALIVE) && !(flags & WEBS_ASP)) { websWrite(wp, T("Connection: keep-alive\r\n")); } websWrite(wp, T("\r\n")); /* * All done if the browser did a HEAD request */ if (flags & WEBS_HEAD_REQUEST) { websDone(wp, 200); return 1; } /* * Evaluate ASP requests */ if (flags & WEBS_ASP) { if (websAspRequest(wp, lpath) < 0) { return 1; } websDone(wp, 200); return 1; } #ifdef WEBS_SSL_SUPPORT if (wp->flags & WEBS_SECURE) { websDefaultWriteEvent(wp); } else { websSetRequestSocketHandler(wp, SOCKET_WRITABLE, websDefaultWriteEvent); } #else /* * For normal web documents, return the data via background write */ websSetRequestSocketHandler(wp, SOCKET_WRITABLE, websDefaultWriteEvent); #endif return 1; }
PUBLIC void websFooter(Webs *wp) { assure(websValid(wp)); websWrite(wp, "</html>\n"); }
int websValidateUrl(webs_t wp, char_t *path) { char_t *parts[64]; /* Array of ptr's to URL parts */ char_t *token, *dir, *lpath; int i, len, npart; a_assert(websValid(wp)); a_assert(path); dir = websGetRequestDir(wp); if (dir == NULL || *dir == '\0') { return -1; } /* * Copy the string so we don't destroy the original */ path = bstrdup(B_L, path); websDecodeUrl(path, path, gstrlen(path)); len = npart = 0; parts[0] = NULL; /* * 22 Jul 02 -- there were reports that a directory traversal exploit was * possible in the WebServer running under Windows if directory paths * outside the server's specified root web were given by URL-encoding the * backslash character, like: * * GoAhead is vulnerable to a directory traversal bug. A request such as * * GoAhead-server/../../../../../../../ results in an error message * 'Cannot open URL'. * However, by encoding the '/' character, it is possible to break out of * the * web root and read arbitrary files from the server. * Hence a request like: * * GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns the * contents of the win.ini file. * (Note that the description uses forward slashes (0x2F), but the example * uses backslashes (0x5C). In my tests, forward slashes are correctly * trapped, but backslashes are not. The code below substitutes forward * slashes for backslashes before attempting to validate that there are no * unauthorized paths being accessed. */ token = gstrchr(path, '\\'); while (token != NULL) { *token = '/'; token = gstrchr(token, '\\'); } token = gstrtok(path, T("/")); /* * Look at each directory segment and process "." and ".." segments * Don't allow the browser to pop outside the root web. */ while (token != NULL) { if (gstrcmp(token, T("..")) == 0) { if (npart > 0) { npart--; } } else if (gstrcmp(token, T(".")) != 0) { parts[npart] = token; len += gstrlen(token) + 1; npart++; } token = gstrtok(NULL, T("/")); } /* * Create local path for document. Need extra space all "/" and null. */ if (npart || (gstrcmp(path, T("/")) == 0) || (path[0] == '\0')) { lpath = balloc(B_L, (gstrlen(dir) + 1 + len + 1) * sizeof(char_t)); gstrcpy(lpath, dir); for (i = 0; i < npart; i++) { gstrcat(lpath, T("/")); gstrcat(lpath, parts[i]); } websSetRequestLpath(wp, lpath); bfree(B_L, path); bfree(B_L, lpath); } else { bfree(B_L, path); return -1; } return 0; }