From: oes <oes@users.sourceforge.net>
Date: Wed, 10 Oct 2001 16:44:36 +0000 (+0000)
Subject: Added CONNECT destination port limitation check
X-Git-Tag: v_2_9_10~143
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/man-page/faq/@default-cgi@toggle?a=commitdiff_plain;h=9b0a6852b331c5c868a45fba80cbed62820be63f;p=privoxy.git

Added CONNECT destination port limitation check
---

diff --git a/jcc.c b/jcc.c
index c1e09ea8..dd89b04d 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.45 2001/10/07 15:42:11 oes Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.46 2001/10/08 15:17:41 oes Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $
@@ -33,6 +33,9 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.45 2001/10/07 15:42:11 oes Exp $";
  *
  * Revisions   :
  *    $Log: jcc.c,v $
+ *    Revision 1.46  2001/10/08 15:17:41  oes
+ *    Re-enabled SSL forwarding
+ *
  *    Revision 1.45  2001/10/07 15:42:11  oes
  *    Replaced 6 boolean members of csp with one bitmap (csp->flags)
  *
@@ -607,6 +610,28 @@ static void chat(struct client_state *csp)
 
 #ifdef FEATURE_COOKIE_JAR
 
+   /*
+    * Check if a CONNECT request is allowable:
+    * In the absence of a +limit-connect action, allow only port 443.
+    * If there is an action, allow whatever matches the specificaton.
+    */
+   if(http->ssl)
+   {
+      if(  ( !(csp->action->flags & ACTION_LIMIT_CONNECT) && csp->http->port != 443) 
+           || (csp->action->flags & ACTION_LIMIT_CONNECT
+              && !match_portlist(csp->action->string[ACTION_STRING_LIMIT_CONNECT], csp->http->port)) )
+      {
+         strcpy(buf, CFORBIDDEN);
+         write_socket(csp->cfd, buf, strlen(buf));
+         
+         log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str);
+         log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str);
+
+         return;
+      }
+   }
+            
+
    /*
     * Downgrade http version from 1.1 to 1.0 if +downgrade
     * action applies
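Review bot: The new CONNECT port check is only compiled when FEATURE_COOKIE_JAR is defined, because the added block sits directly below the `#ifdef FEATURE_COOKIE_JAR` context line at the top of the hunk with no `#endif` in between; a build without the cookie-jar feature would therefore accept CONNECT to any destination port, which is exactly the exposure this commit sets out to close. Unless the matching `#endif` is closer than the visible context suggests, the block should be moved past that `#endif` (or given its own unconditional placement ahead of the "Downgrade http version" comment) so the 443-only default and the +limit-connect port list apply regardless of build options. As a style point, the condition tests `csp->action->flags & ACTION_LIMIT_CONNECT` twice; it reads more directly as `int port_ok = (csp->action->flags & ACTION_LIMIT_CONNECT) ? match_portlist(csp->action->string[ACTION_STRING_LIMIT_CONNECT], csp->http->port) : (csp->http->port == 443);` followed by `if (http->ssl && !port_ok)`. The return value of `write_socket` for the 403 response is also dropped, which is probably acceptable on a deny path but worth a comment saying so. chat() begins before this hunk and continues after it.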