static gboolean mock_http_headers (CockpitWebResponse *response, GHashTable *in_headers) { GHashTableIter iter; GHashTable *headers; gpointer name, value; headers = cockpit_web_server_new_table(); g_hash_table_iter_init (&iter, in_headers); while (g_hash_table_iter_next (&iter, &name, &value)) { if (g_str_has_prefix (name, "Header")) g_hash_table_insert (headers, g_strdup (name), g_strdup (value)); } g_hash_table_replace (headers, g_strdup ("Header3"), g_strdup ("three")); g_hash_table_replace (headers, g_strdup ("Header4"), g_strdup ("marmalade")); cockpit_web_response_headers_full (response, 201, "Yoo Hoo", -1, headers); cockpit_web_response_complete (response); g_hash_table_unref (headers); return TRUE; }
static void send_login_html (CockpitWebResponse *response, CockpitHandlerData *ws) { static const gchar *marker = "<head>"; CockpitWebFilter *filter; GBytes *environment; GError *error = NULL; GBytes *bytes; GBytes *url_bytes = NULL; CockpitWebFilter *filter2 = NULL; const gchar *url_root = NULL; gchar *base; environment = build_environment (ws->os_release); filter = cockpit_web_inject_new (marker, environment, 1); g_bytes_unref (environment); cockpit_web_response_add_filter (response, filter); g_object_unref (filter); url_root = cockpit_web_response_get_url_root (response); if (url_root) base = g_strdup_printf ("<base href=\"%s/\">", url_root); else base = g_strdup ("<base href=\"/\">"); url_bytes = g_bytes_new_take (base, strlen(base)); filter2 = cockpit_web_inject_new (marker, url_bytes, 1); g_bytes_unref (url_bytes); cockpit_web_response_add_filter (response, filter2); g_object_unref (filter2); cockpit_web_response_set_cache_type (response, COCKPIT_WEB_RESPONSE_NO_CACHE); bytes = cockpit_web_response_negotiation (ws->login_html, NULL, NULL, NULL, &error); if (error) { g_message ("%s", error->message); cockpit_web_response_error (response, 500, NULL, NULL); g_error_free (error); } else if (!bytes) { cockpit_web_response_error (response, 404, NULL, NULL); } else { /* The login Content-Security-Policy allows the page to have inline <script> and <style> tags. */ cockpit_web_response_headers (response, 200, "OK", -1, "Content-Security-Policy", "default-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss:", NULL); if (cockpit_web_response_queue (response, bytes)) cockpit_web_response_complete (response); g_bytes_unref (bytes); } }
static gboolean on_transport_control (CockpitTransport *transport, const gchar *command, const gchar *channel, JsonObject *options, GBytes *message, CockpitChannelResponse *chesp) { const gchar *problem = NULL; if (!channel || !g_str_equal (channel, chesp->channel)) return FALSE; /* not handled */ if (g_str_equal (command, "done")) { ensure_headers (chesp, 200, "OK"); cockpit_web_response_complete (chesp->response); return TRUE; } else if (g_str_equal (command, "close")) { if (!cockpit_json_get_string (options, "problem", NULL, &problem)) { g_message ("%s: received close command with invalid problem", chesp->logname); problem = "disconnected"; } cockpit_channel_response_close (chesp, problem); } else { /* Ignore other control messages */ } return TRUE; /* handled */ }
static void send_login_html (CockpitWebResponse *response, CockpitHandlerData *ws) { GHashTable *headers = NULL; GList *l, *output = NULL; gchar *login_html; GMappedFile *file; GError *error = NULL; GBytes *body = NULL; gsize length; login_html = g_build_filename (ws->static_roots[0], "login.html", NULL); file = g_mapped_file_new (login_html, FALSE, &error); if (file == NULL) { g_warning ("%s: %s", login_html, error->message); cockpit_web_response_error (response, 500, NULL, NULL); g_clear_error (&error); goto out; } body = g_mapped_file_get_bytes (file); output = cockpit_template_expand (body, substitute_environment, ws->os_release); length = 0; for (l = output; l != NULL; l = g_list_next (l)) length += g_bytes_get_size (l->data); headers = cockpit_web_server_new_table (); g_hash_table_insert (headers, g_strdup ("Content-Type"), g_strdup ("text/html; charset=utf8")); cockpit_web_response_headers_full (response, 200, "OK", length, headers); for (l = output; l != NULL; l = g_list_next (l)) { if (!cockpit_web_response_queue (response, l->data)) break; } if (l == NULL) cockpit_web_response_complete (response); out: g_list_free_full (output, (GDestroyNotify)g_bytes_unref); if (headers) g_hash_table_unref (headers); g_free (login_html); if (body) g_bytes_unref (body); if (file) g_mapped_file_unref (file); }
static gboolean mock_http_host (CockpitWebResponse *response, GHashTable *in_headers) { GHashTable *headers; headers = cockpit_web_server_new_table(); g_hash_table_insert (headers, g_strdup ("Host"), g_strdup (g_hash_table_lookup (in_headers, "Host"))); cockpit_web_response_headers_full (response, 201, "Yoo Hoo", -1, headers); cockpit_web_response_complete (response); g_hash_table_unref (headers); return TRUE; }
static void on_login_complete (GObject *object, GAsyncResult *result, gpointer user_data) { CockpitWebResponse *response = user_data; GError *error = NULL; JsonObject *response_data = NULL; GHashTable *headers; GIOStream *io_stream; GBytes *content; io_stream = cockpit_web_response_get_stream (response); headers = cockpit_web_server_new_table (); response_data = cockpit_auth_login_finish (COCKPIT_AUTH (object), result, io_stream, headers, &error); /* Never cache a login response */ cockpit_web_response_set_cache_type (response, COCKPIT_WEB_RESPONSE_NO_CACHE); if (error) { if (response_data) { g_hash_table_insert (headers, g_strdup ("Content-Type"), g_strdup ("application/json")); content = cockpit_json_write_bytes (response_data); cockpit_web_response_headers_full (response, 401, "Authentication required", -1, headers); cockpit_web_response_queue (response, content); cockpit_web_response_complete (response); g_bytes_unref (content); } else { cockpit_web_response_gerror (response, headers, error); } g_error_free (error); } else { send_login_response (response, response_data, headers); } if (response_data) json_object_unref (response_data); g_hash_table_unref (headers); g_object_unref (response); }
static void process_delayed_reply (CockpitRequest *request, const gchar *path, GHashTable *headers) { CockpitWebResponse *response; const gchar *host; const gchar *body; GBytes *bytes; gsize length; gchar *url; g_assert (request->delayed_reply > 299); response = cockpit_web_response_new (request->io, NULL, NULL, headers); g_signal_connect_data (response, "done", G_CALLBACK (on_web_response_done), g_object_ref (request->web_server), (GClosureNotify)g_object_unref, 0); if (request->delayed_reply == 301) { body = "<html><head><title>Moved</title></head>" "<body>Please use TLS</body></html>"; host = g_hash_table_lookup (headers, "Host"); url = g_strdup_printf ("https://%s%s", host != NULL ? host : "", path); length = strlen (body); cockpit_web_response_headers (response, 301, "Moved Permanently", length, "Content-Type", "text/html", "Location", url, NULL); g_free (url); bytes = g_bytes_new_static (body, length); if (cockpit_web_response_queue (response, bytes)) cockpit_web_response_complete (response); g_bytes_unref (bytes); } else { cockpit_web_response_error (response, request->delayed_reply, NULL, NULL); } g_object_unref (response); }
/** * cockpit_web_response_content: * @self: the response * @headers: headers to include or NULL * @block: first block to send * * This is a simple way to send an HTTP response as a single * call. The response will be complete after this call, and will * send in the main-loop. * * The var args are additional GBytes* blocks to send, followed by * a trailing NULL. * * Don't include Content-Length or Connection in @headers. * * This calls cockpit_web_response_headers_full(), * cockpit_web_response_queue() and cockpit_web_response_complete() * internally. */ void cockpit_web_response_content (CockpitWebResponse *self, GHashTable *headers, GBytes *block, ...) { GBytes *first; gsize length = 0; va_list va; va_list va2; g_return_if_fail (COCKPIT_IS_WEB_RESPONSE (self)); first = block; va_start (va, block); va_copy (va2, va); while (block) { length += g_bytes_get_size (block); block = va_arg (va, GBytes *); } va_end (va); cockpit_web_response_headers_full (self, 200, "OK", length, headers); block = first; for (;;) { if (!block) { cockpit_web_response_complete (self); break; } if (!cockpit_web_response_queue (self, block)) break; block = va_arg (va2, GBytes *); } va_end (va2); }
static gboolean on_timeout_send (gpointer data) { CockpitWebResponse *response = data; gint *at = g_object_get_data (data, "at"); gchar *string; GBytes *bytes; string = g_strdup_printf ("%d ", *at); (*at) += 1; bytes = g_bytes_new_take (string, strlen (string)); cockpit_web_response_queue (response, bytes); g_bytes_unref (bytes); if (*at == 10) { cockpit_web_response_complete (response); return FALSE; } return TRUE; }
static gboolean redirect_to_checksum_path (CockpitWebService *service, CockpitWebResponse *response, const gchar *checksum, const gchar *path) { CockpitCreds *creds; gchar *location; const gchar *body; GBytes *bytes; gboolean ret; gsize length; creds = cockpit_web_service_get_creds (service); location = g_strdup_printf ("/%s/$%s%s", cockpit_creds_get_application (creds), checksum, path); body = "<html><head><title>Temporary redirect</title></head>" "<body>Access via checksum</body></html>"; length = strlen (body); cockpit_web_response_headers (response, 307, "Temporary Redirect", length, "Content-Type", "text/html", "Location", location, NULL); g_free (location); bytes = g_bytes_new_static (body, length); ret = cockpit_web_response_queue (response, bytes); if (ret) cockpit_web_response_complete (response); g_bytes_unref (bytes); return ret; }
static void cockpit_channel_response_close (CockpitChannelResponse *chesp, const gchar *problem) { CockpitWebResponding state; /* Ensure no more signals arrive about our response */ g_signal_handler_disconnect (chesp->transport, chesp->transport_recv); g_signal_handler_disconnect (chesp->transport, chesp->transport_control); g_signal_handler_disconnect (chesp->transport, chesp->transport_closed); /* The web response should not yet be complete */ state = cockpit_web_response_get_state (chesp->response); if (problem == NULL) { /* Closed without any data */ if (state == COCKPIT_WEB_RESPONSE_READY) { ensure_headers (chesp, 204, "OK"); cockpit_web_response_complete (chesp->response); g_debug ("%s: no content in external channel", chesp->logname); } else if (state < COCKPIT_WEB_RESPONSE_COMPLETE) { g_message ("%s: truncated data in external channel", chesp->logname); cockpit_web_response_abort (chesp->response); } else { g_debug ("%s: completed serving external channel", chesp->logname); } } else if (state == COCKPIT_WEB_RESPONSE_READY) { if (g_str_equal (problem, "not-found")) { g_debug ("%s: not found", chesp->logname); cockpit_web_response_error (chesp->response, 404, NULL, NULL); } else if (g_str_equal (problem, "no-host") || g_str_equal (problem, "no-cockpit") || g_str_equal (problem, "unknown-hostkey") || g_str_equal (problem, "authentication-failed")) { g_debug ("%s: remote server unavailable: %s", chesp->logname, problem); cockpit_web_response_error (chesp->response, 502, NULL, NULL); } else { g_message ("%s: external channel failed: %s", chesp->logname, problem); cockpit_web_response_error (chesp->response, 500, NULL, NULL); } } else { if (g_str_equal (problem, "disconnected")) g_debug ("%s: failure while serving external channel: %s", chesp->logname, problem); else g_message ("%s: failure while serving external channel: %s", chesp->logname, problem); cockpit_web_response_abort (chesp->response); } g_object_unref (chesp->response); g_object_unref (chesp->transport); g_hash_table_unref (chesp->headers); cockpit_channel_inject_free (chesp->inject); json_object_unref (chesp->open); g_free (chesp->channel); g_free (chesp); }
/** * cockpit_web_response_error: * @self: the response * @status: the HTTP status code * @headers: headers to include or NULL * @format: printf format of error message * * Send an error message with a basic HTML page containing * the error. */ void cockpit_web_response_error (CockpitWebResponse *self, guint code, GHashTable *headers, const gchar *format, ...) { va_list var_args; gchar *reason = NULL; const gchar *message; GBytes *input = NULL; GList *output, *l; GError *error = NULL; g_return_if_fail (COCKPIT_IS_WEB_RESPONSE (self)); if (format) { va_start (var_args, format); reason = g_strdup_vprintf (format, var_args); va_end (var_args); message = reason; } else { switch (code) { case 400: message = "Bad request"; break; case 401: message = "Not Authorized"; break; case 403: message = "Forbidden"; break; case 404: message = "Not Found"; break; case 405: message = "Method Not Allowed"; break; case 413: message = "Request Entity Too Large"; break; case 502: message = "Remote Page is Unavailable"; break; case 500: message = "Internal Server Error"; break; default: if (code < 100) reason = g_strdup_printf ("%u Continue", code); else if (code < 200) reason = g_strdup_printf ("%u OK", code); else if (code < 300) reason = g_strdup_printf ("%u Moved", code); else reason = g_strdup_printf ("%u Failed", code); message = reason; break; } } g_debug ("%s: returning error: %u %s", self->logname, code, message); if (cockpit_web_failure_resource) { input = g_resources_lookup_data (cockpit_web_failure_resource, G_RESOURCE_LOOKUP_FLAGS_NONE, &error); if (input == NULL) { g_critical ("couldn't load: %s: %s", cockpit_web_failure_resource, error->message); g_error_free (error); } } if (!input) input = g_bytes_new_static (default_failure_template, strlen (default_failure_template)); if (headers) { if (!g_hash_table_lookup (headers, "Content-Type")) g_hash_table_replace (headers, g_strdup ("Content-Type"), g_strdup ("text/html; charset=utf8")); cockpit_web_response_headers_full (self, code, message, -1, headers); } else { cockpit_web_response_headers (self, code, message, -1, "Content-Type", "text/html; charset=utf8", NULL); } output = cockpit_template_expand (input, substitute_message, (gpointer)message); g_bytes_unref (input); for (l = output; l != NULL; l = g_list_next (l)) { if (!cockpit_web_response_queue (self, l->data)) break; } if (l == NULL) cockpit_web_response_complete (self); g_list_free_full (output, (GDestroyNotify)g_bytes_unref); g_free (reason); }
/** * cockpit_web_response_file: * @response: the response * @path: escaped path, or NULL to get from response * @roots: directories to look for file in * * Serve a file from disk as an HTTP response. */ void cockpit_web_response_file (CockpitWebResponse *response, const gchar *escaped, const gchar **roots) { const gchar *csp_header; GError *error = NULL; gchar *unescaped = NULL; gchar *path = NULL; GMappedFile *file = NULL; const gchar *root; GBytes *body; g_return_if_fail (COCKPIT_IS_WEB_RESPONSE (response)); if (!escaped) escaped = cockpit_web_response_get_path (response); g_return_if_fail (escaped != NULL); /* Someone is trying to escape the root directory, or access hidden files? */ unescaped = g_uri_unescape_string (escaped, NULL); if (strstr (unescaped, "/.") || strstr (unescaped, "../") || strstr (unescaped, "//")) { g_debug ("%s: invalid path request", escaped); cockpit_web_response_error (response, 404, NULL, "Not Found"); goto out; } again: root = *(roots++); if (root == NULL) { cockpit_web_response_error (response, 404, NULL, "Not Found"); goto out; } g_free (path); path = g_build_filename (root, unescaped, NULL); if (g_file_test (path, G_FILE_TEST_IS_DIR)) { cockpit_web_response_error (response, 403, NULL, "Directory Listing Denied"); goto out; } /* As a double check of above behavior */ g_assert (path_has_prefix (path, root)); g_clear_error (&error); file = g_mapped_file_new (path, FALSE, &error); if (file == NULL) { if (g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NOENT) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NAMETOOLONG)) { g_debug ("%s: file not found in root: %s", escaped, root); goto again; } else if (g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_PERM) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_ACCES) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_ISDIR)) { cockpit_web_response_error (response, 403, NULL, "Access denied"); goto out; } else { g_warning ("%s: %s", path, error->message); cockpit_web_response_error (response, 500, NULL, "Internal server error"); goto out; } } body = g_mapped_file_get_bytes (file); /* * The default Content-Security-Policy for .html files allows * the site to have inline <script> and <style> tags. This code * is not used when serving resources once logged in, only for * static resources when we don't yet have a session. */ csp_header = NULL; if (g_str_has_suffix (unescaped, ".html")) csp_header = "Content-Security-Policy"; cockpit_web_response_headers (response, 200, "OK", g_bytes_get_size (body), csp_header, "default-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss:", NULL); if (cockpit_web_response_queue (response, body)) cockpit_web_response_complete (response); g_bytes_unref (body); out: g_free (unescaped); g_clear_error (&error); g_free (path); if (file) g_mapped_file_unref (file); }
static void send_login_html (CockpitWebResponse *response, CockpitHandlerData *ws, GHashTable *headers) { static const gchar *marker = "<meta insert_dynamic_content_here>"; CockpitWebFilter *filter; GBytes *environment; GError *error = NULL; GBytes *bytes; GBytes *url_bytes = NULL; CockpitWebFilter *filter2 = NULL; const gchar *url_root = NULL; gchar *base; gchar *language = NULL; gchar **languages = NULL; GBytes *po_bytes; CockpitWebFilter *filter3 = NULL; environment = build_environment (ws->os_release); filter = cockpit_web_inject_new (marker, environment, 1); g_bytes_unref (environment); cockpit_web_response_add_filter (response, filter); g_object_unref (filter); url_root = cockpit_web_response_get_url_root (response); if (url_root) base = g_strdup_printf ("<base href=\"%s/\">", url_root); else base = g_strdup ("<base href=\"/\">"); url_bytes = g_bytes_new_take (base, strlen(base)); filter2 = cockpit_web_inject_new (marker, url_bytes, 1); g_bytes_unref (url_bytes); cockpit_web_response_add_filter (response, filter2); g_object_unref (filter2); cockpit_web_response_set_cache_type (response, COCKPIT_WEB_RESPONSE_NO_CACHE); if (ws->login_po_html) { language = cockpit_web_server_parse_cookie (headers, "CockpitLang"); if (!language) { languages = cockpit_web_server_parse_languages (headers, NULL); language = languages[0]; } po_bytes = cockpit_web_response_negotiation (ws->login_po_html, NULL, language, NULL, &error); if (error) { g_message ("%s", error->message); g_clear_error (&error); } else { filter3 = cockpit_web_inject_new (marker, po_bytes, 1); g_bytes_unref (po_bytes); cockpit_web_response_add_filter (response, filter3); g_object_unref (filter3); } } bytes = cockpit_web_response_negotiation (ws->login_html, NULL, NULL, NULL, &error); if (error) { g_message ("%s", error->message); cockpit_web_response_error (response, 500, NULL, NULL); g_error_free (error); } else if (!bytes) { cockpit_web_response_error (response, 404, NULL, NULL); } else { /* The login Content-Security-Policy allows the page to have inline <script> and <style> tags. */ cockpit_web_response_headers (response, 200, "OK", -1, "Content-Type", "text/html", "Content-Security-Policy", "default-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss:", NULL); if (cockpit_web_response_queue (response, bytes)) cockpit_web_response_complete (response); g_bytes_unref (bytes); } g_strfreev (languages); }
/** * cockpit_web_response_file: * @response: the response * @path: escaped path, or NULL to get from response * @roots: directories to look for file in * * Serve a file from disk as an HTTP response. */ void cockpit_web_response_file (CockpitWebResponse *response, const gchar *escaped, gboolean cache_forever, const gchar **roots) { const gchar *cache_control; GError *error = NULL; gchar *unescaped; char *path = NULL; gchar *built = NULL; GMappedFile *file = NULL; const gchar *root; GBytes *body; g_return_if_fail (COCKPIT_IS_WEB_RESPONSE (response)); if (!escaped) escaped = cockpit_web_response_get_path (response); g_return_if_fail (escaped != NULL); again: root = *(roots++); if (root == NULL) { cockpit_web_response_error (response, 404, NULL, "Not Found"); goto out; } unescaped = g_uri_unescape_string (escaped, NULL); built = g_build_filename (root, unescaped, NULL); g_free (unescaped); path = realpath (built, NULL); g_free (built); if (path == NULL) { if (errno == ENOENT || errno == ENOTDIR || errno == ELOOP || errno == ENAMETOOLONG) { g_debug ("%s: file not found in root: %s", escaped, root); goto again; } else if (errno == EACCES) { cockpit_web_response_error (response, 403, NULL, "Access Denied"); goto out; } else { g_warning ("%s: resolving path failed: %m", escaped); cockpit_web_response_error (response, 500, NULL, "Internal Server Error"); goto out; } } /* Double check that realpath() did the right thing */ g_return_if_fail (strstr (path, "../") == NULL); g_return_if_fail (!g_str_has_suffix (path, "/..")); /* Someone is trying to escape the root directory */ if (!path_has_prefix (path, root) && !path_has_prefix (path, cockpit_web_exception_escape_root)) { g_debug ("%s: request tried to escape the root directory: %s: %s", escaped, root, path); cockpit_web_response_error (response, 404, NULL, "Not Found"); goto out; } if (g_file_test (path, G_FILE_TEST_IS_DIR)) { cockpit_web_response_error (response, 403, NULL, "Directory Listing Denied"); goto out; } file = g_mapped_file_new (path, FALSE, &error); if (file == NULL) { if (g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_PERM) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_ACCES) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_ISDIR)) { cockpit_web_response_error (response, 403, NULL, "Access denied"); g_clear_error (&error); goto out; } else { g_warning ("%s: %s", path, error->message); cockpit_web_response_error (response, 500, NULL, "Internal server error"); g_clear_error (&error); goto out; } } body = g_mapped_file_get_bytes (file); cache_control = cache_forever ? "max-age=31556926, public" : NULL; cockpit_web_response_headers (response, 200, "OK", g_bytes_get_size (body), "Cache-Control", cache_control, NULL); if (cockpit_web_response_queue (response, body)) cockpit_web_response_complete (response); g_bytes_unref (body); out: free (path); if (file) g_mapped_file_unref (file); }
/** * cockpit_web_response_error: * @self: the response * @status: the HTTP status code * @headers: headers to include or NULL * @format: printf format of error message * * Send an error message with a basic HTML page containing * the error. */ void cockpit_web_response_error (CockpitWebResponse *self, guint code, GHashTable *headers, const gchar *format, ...) { gchar *body = NULL; va_list var_args; gchar *reason = NULL; const gchar *message; GBytes *content; gsize length; if (format) { va_start (var_args, format); reason = g_strdup_vprintf (format, var_args); va_end (var_args); message = reason; } else { switch (code) { case 400: message = "Bad request"; break; case 401: message = "Not Authorized"; break; case 403: message = "Forbidden"; break; case 404: message = "Not Found"; break; case 405: message = "Method Not Allowed"; break; case 413: message = "Request Entity Too Large"; break; case 500: message = "Internal Server Error"; break; default: if (code < 100) reason = g_strdup_printf ("%u Continue", code); else if (code < 200) reason = g_strdup_printf ("%u OK", code); else if (code < 300) reason = g_strdup_printf ("%u Moved", code); else reason = g_strdup_printf ("%u Failed", code); message = reason; break; } } body = g_strdup_printf ("<html><head><title>%u %s</title></head>" "<body>%s</body></html>", code, message, message); g_debug ("%s: returning error: %u %s", self->logname, code, message); length = strlen (body); content = g_bytes_new_take (body, length); cockpit_web_response_headers_full (self, code, message, length, headers); if (cockpit_web_response_queue (self, content)) cockpit_web_response_complete (self); g_bytes_unref (content); g_free (reason); }
void cockpit_channel_response_serve (CockpitWebService *service, GHashTable *in_headers, CockpitWebResponse *response, const gchar *where, const gchar *path) { CockpitChannelResponse *chesp = NULL; CockpitTransport *transport = NULL; CockpitCacheType cache_type = COCKPIT_WEB_RESPONSE_CACHE_PRIVATE; const gchar *host = NULL; const gchar *pragma; gchar *quoted_etag = NULL; GHashTable *out_headers = NULL; gchar *val = NULL; gboolean handled = FALSE; GHashTableIter iter; const gchar *checksum; JsonObject *object = NULL; JsonObject *heads; gchar *channel = NULL; gchar *language = NULL; gpointer key; gpointer value; g_return_if_fail (COCKPIT_IS_WEB_SERVICE (service)); g_return_if_fail (in_headers != NULL); g_return_if_fail (COCKPIT_IS_WEB_RESPONSE (response)); g_return_if_fail (path != NULL); if (where == NULL) { host = "localhost"; } else if (where[0] == '@') { host = where + 1; } else if (where[0] == '$') { quoted_etag = g_strdup_printf ("\"%s\"", where); cache_type = COCKPIT_WEB_RESPONSE_CACHE_FOREVER; pragma = g_hash_table_lookup (in_headers, "Pragma"); if ((!pragma || !strstr (pragma, "no-cache")) && (g_strcmp0 (g_hash_table_lookup (in_headers, "If-None-Match"), where) == 0 || g_strcmp0 (g_hash_table_lookup (in_headers, "If-None-Match"), quoted_etag) == 0)) { cockpit_web_response_headers (response, 304, "Not Modified", 0, "ETag", quoted_etag, NULL); cockpit_web_response_complete (response); handled = TRUE; goto out; } transport = cockpit_web_service_find_transport (service, where + 1); if (!transport) goto out; host = cockpit_web_service_get_host (service, transport); if (!host) { g_warn_if_reached (); goto out; } } else { goto out; } cockpit_web_response_set_cache_type (response, cache_type); object = cockpit_transport_build_json ("command", "open", "payload", "http-stream1", "internal", "packages", "method", "GET", "host", host, "path", path, "binary", "raw", NULL); if (!transport) { transport = cockpit_web_service_ensure_transport (service, object); if (!transport) goto out; } if (where) { /* * Maybe send back a redirect to the checksum url. We only do this if actually * accessing a file, and not a some sort of data like '/checksum', or a root path * like '/' */ if (where[0] == '@' && strchr (path, '.')) { checksum = cockpit_web_service_get_checksum (service, transport); if (checksum) { handled = redirect_to_checksum_path (service, response, checksum, path); goto out; } } } out_headers = cockpit_web_server_new_table (); channel = cockpit_web_service_unique_channel (service); json_object_set_string_member (object, "channel", channel); if (quoted_etag) { /* * If we have a checksum, then use it as an ETag. It is intentional that * a cockpit-bridge version could (in the future) override this. */ g_hash_table_insert (out_headers, g_strdup ("ETag"), quoted_etag); quoted_etag = NULL; } heads = json_object_new (); g_hash_table_iter_init (&iter, in_headers); while (g_hash_table_iter_next (&iter, &key, &value)) { val = NULL; if (g_ascii_strcasecmp (key, "Host") == 0 || g_ascii_strcasecmp (key, "Cookie") == 0 || g_ascii_strcasecmp (key, "Referer") == 0 || g_ascii_strcasecmp (key, "Connection") == 0 || g_ascii_strcasecmp (key, "Pragma") == 0 || g_ascii_strcasecmp (key, "Cache-Control") == 0 || g_ascii_strcasecmp (key, "User-Agent") == 0 || g_ascii_strcasecmp (key, "Accept-Charset") == 0 || g_ascii_strcasecmp (key, "Accept-Ranges") == 0 || g_ascii_strcasecmp (key, "Content-Length") == 0 || g_ascii_strcasecmp (key, "Content-MD5") == 0 || g_ascii_strcasecmp (key, "Content-Range") == 0 || g_ascii_strcasecmp (key, "Range") == 0 || g_ascii_strcasecmp (key, "TE") == 0 || g_ascii_strcasecmp (key, "Trailer") == 0 || g_ascii_strcasecmp (key, "Upgrade") == 0 || g_ascii_strcasecmp (key, "Transfer-Encoding") == 0) continue; json_object_set_string_member (heads, key, value); g_free (val); } /* Parse the language out of the CockpitLang cookie */ language = cockpit_web_server_parse_cookie (in_headers, "CockpitLang"); if (language) json_object_set_string_member (heads, "Accept-Language", language); json_object_set_string_member (heads, "Host", host); json_object_set_object_member (object, "headers", heads); chesp = cockpit_channel_response_create (service, response, transport, cockpit_web_response_get_path (response), out_headers, object); if (!where) chesp->inject = cockpit_channel_inject_new (service, path); handled = TRUE; out: g_free (language); if (object) json_object_unref (object); g_free (quoted_etag); if (out_headers) g_hash_table_unref (out_headers); g_free (channel); if (!handled) cockpit_web_response_error (response, 404, NULL, NULL); }
/** * cockpit_web_response_file: * @response: the response * @path: escaped path, or NULL to get from response * @roots: directories to look for file in * * Serve a file from disk as an HTTP response. */ void cockpit_web_response_file (CockpitWebResponse *response, const gchar *escaped, gboolean cache_forever, const gchar **roots) { const gchar *cache_control; GError *error = NULL; gchar *unescaped = NULL; gchar *path = NULL; GMappedFile *file = NULL; const gchar *root; GBytes *body; g_return_if_fail (COCKPIT_IS_WEB_RESPONSE (response)); if (!escaped) escaped = cockpit_web_response_get_path (response); g_return_if_fail (escaped != NULL); /* Someone is trying to escape the root directory, or access hidden files? */ unescaped = g_uri_unescape_string (escaped, NULL); if (strstr (unescaped, "/.") || strstr (unescaped, "../") || strstr (unescaped, "//")) { g_debug ("%s: invalid path request", escaped); cockpit_web_response_error (response, 404, NULL, "Not Found"); goto out; } again: root = *(roots++); if (root == NULL) { cockpit_web_response_error (response, 404, NULL, "Not Found"); goto out; } g_free (path); path = g_build_filename (root, unescaped, NULL); if (g_file_test (path, G_FILE_TEST_IS_DIR)) { cockpit_web_response_error (response, 403, NULL, "Directory Listing Denied"); goto out; } /* As a double check of above behavior */ g_assert (path_has_prefix (path, root)); g_clear_error (&error); file = g_mapped_file_new (path, FALSE, &error); if (file == NULL) { if (g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NOENT) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NAMETOOLONG)) { g_debug ("%s: file not found in root: %s", escaped, root); goto again; } else if (g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_PERM) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_ACCES) || g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_ISDIR)) { cockpit_web_response_error (response, 403, NULL, "Access denied"); goto out; } else { g_warning ("%s: %s", path, error->message); cockpit_web_response_error (response, 500, NULL, "Internal server error"); goto out; } } body = g_mapped_file_get_bytes (file); cache_control = cache_forever ? "max-age=31556926, public" : NULL; cockpit_web_response_headers (response, 200, "OK", g_bytes_get_size (body), "Cache-Control", cache_control, NULL); if (cockpit_web_response_queue (response, body)) cockpit_web_response_complete (response); g_bytes_unref (body); out: g_free (unescaped); g_clear_error (&error); g_free (path); if (file) g_mapped_file_unref (file); }