X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=cgi.c;h=f2d2429c748ca95d0b3bd4b6cd85b9a1d635f718;hb=458286da6fac00c2da1b78d9dbeb8f071b222f7e;hp=736c482bbce8e204fabba2211fe3d1a0c41f9cfd;hpb=65c44f3fcbb7a6a5115ac41008beb0b085885c22;p=privoxy.git diff --git a/cgi.c b/cgi.c index 736c482b..f2d2429c 100644 --- a/cgi.c +++ b/cgi.c @@ -1,4 +1,4 @@ -const char cgi_rcs[] = "$Id: cgi.c,v 1.82 2006/12/17 17:53:39 fabiankeil Exp $"; +const char cgi_rcs[] = "$Id: cgi.c,v 1.88 2007/01/23 13:14:32 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/cgi.c,v $ @@ -11,8 +11,8 @@ const char cgi_rcs[] = "$Id: cgi.c,v 1.82 2006/12/17 17:53:39 fabiankeil Exp $"; * Functions declared include: * * - * Copyright : Written by and Copyright (C) 2001 the SourceForge - * Privoxy team. http://www.privoxy.org/ + * Copyright : Written by and Copyright (C) 2001-2004, 2006-2007 + * the SourceForge Privoxy team. http://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -38,6 +38,37 @@ const char cgi_rcs[] = "$Id: cgi.c,v 1.82 2006/12/17 17:53:39 fabiankeil Exp $"; * * Revisions : * $Log: cgi.c,v $ + * Revision 1.88 2007/01/23 13:14:32 fabiankeil + * - Map variables that aren't guaranteed to be + * pure ASCII html_encoded. + * - Use CGI_PREFIX to generate URL for user manual + * CGI page to make sure CGI_SITE_2_PATH is included. + * + * Revision 1.87 2007/01/22 15:34:13 fabiankeil + * - "Protect" against a rather lame JavaScript-based + * Privoxy detection "attack" and check the referrer + * before delivering the CGI style sheet. + * - Move referrer check for unsafe CGI pages into + * referrer_is_safe() and log the result. + * - Map @url@ in cgi-error-disabled page. + * It's required for the "go there anyway" link. + * - Mark *csp as immutable for grep_cgi_referrer(). + * + * Revision 1.86 2007/01/09 11:54:26 fabiankeil + * Fix strdup() error handling in cgi_error_unknown() + * and cgi_error_no_template(). Reported by Markus Elfring. + * + * Revision 1.85 2007/01/05 14:19:02 fabiankeil + * Handle pcrs_execute() errors in template_fill() properly. + * + * Revision 1.84 2006/12/28 17:54:22 fabiankeil + * Fixed gcc43 conversion warnings and replaced sprintf + * calls with snprintf to give OpenBSD's gcc one less reason + * to complain. + * + * Revision 1.83 2006/12/17 19:35:19 fabiankeil + * Escape ampersand in Privoxy menu. + * * Revision 1.82 2006/12/17 17:53:39 fabiankeil * Suppress the toggle link if remote toggling is disabled. * @@ -655,6 +686,12 @@ static const struct cgi_dispatcher cgi_dispatchers[] = { cgi_edit_actions_section_swap, NULL, FALSE /* Swap two sections in the actionsfile */ }, #endif /* def FEATURE_CGI_EDIT_ACTIONS */ + { "error-favicon.ico", + cgi_send_error_favicon, + NULL, TRUE /* Sends the favicon image for error pages. */ }, + { "favicon.ico", + cgi_send_default_favicon, + NULL, TRUE /* Sends the default favicon image. */ }, { "robots.txt", cgi_robots_txt, NULL, TRUE /* Sends a robots.txt file to tell robots to go away. */ }, @@ -663,7 +700,7 @@ static const struct cgi_dispatcher cgi_dispatchers[] = { NULL, TRUE /* Send a built-in image */ }, { "send-stylesheet", cgi_send_stylesheet, - NULL, TRUE /* Send templates/cgi-style.css */ }, + NULL, FALSE /* Send templates/cgi-style.css */ }, { "t", cgi_transparent_image, NULL, TRUE /* Send a transparent image (short name) */ }, @@ -830,7 +867,7 @@ struct http_response *dispatch_cgi(struct client_state *csp) * Returns : pointer to value (no copy!), or NULL if none found. * *********************************************************************/ -char *grep_cgi_referrer(struct client_state *csp) +char *grep_cgi_referrer(const struct client_state *csp) { struct list_entry *p; @@ -847,6 +884,54 @@ char *grep_cgi_referrer(struct client_state *csp) } +/********************************************************************* + * + * Function : referrer_is_safe + * + * Description : Decides whether we trust the Referer for + * CGI pages which are only meant to be reachable + * through Privoxy's web interface directly. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * + * Returns : TRUE if the referrer is safe, or + * FALSE if the referrer is unsafe or not set. + * + *********************************************************************/ +int referrer_is_safe (const struct client_state *csp) +{ + char *referrer; + const char alternative_prefix[] = "http://" CGI_SITE_1_HOST "/"; + + referrer = grep_cgi_referrer(csp); + + if (NULL == referrer) + { + /* No referrer, no access */ + log_error(LOG_LEVEL_ERROR, "Denying access to %s. No referrer found.", + csp->http->url); + } + else if ((0 == strncmp(referrer, CGI_PREFIX, sizeof(CGI_PREFIX)-1) + || (0 == strncmp(referrer, alternative_prefix, strlen(alternative_prefix))))) + { + /* Trustworthy referrer */ + log_error(LOG_LEVEL_CGI, "Granting access to %s, referrer %s is trustworthy.", + csp->http->url, referrer); + + return TRUE; + } + else + { + /* Untrustworthy referrer */ + log_error(LOG_LEVEL_ERROR, "Denying access to %s, referrer %s isn't trustworthy.", + csp->http->url, referrer); + } + + return FALSE; + +} + /********************************************************************* * * Function : dispatch_known_cgi @@ -875,7 +960,6 @@ static struct http_response *dispatch_known_cgi(struct client_state * csp, struct http_response *rsp; char *query_args_start; char *path_copy; - char *referrer; jb_err err; if (NULL == (path_copy = strdup(path))) @@ -938,10 +1022,7 @@ static struct http_response *dispatch_known_cgi(struct client_state * csp, * If the called CGI is either harmless, or referred * from a trusted source, start it. */ - if (d->harmless - || ((NULL != (referrer = grep_cgi_referrer(csp))) - && (0 == strncmp(referrer, CGI_PREFIX, sizeof(CGI_PREFIX)-1))) - ) + if (d->harmless || referrer_is_safe(csp)) { err = (d->handler)(csp, rsp, param_list); } @@ -1072,7 +1153,7 @@ char get_char_param(const struct map *parameters, ch = *(lookup(parameters, param_name)); if ((ch >= 'a') && (ch <= 'z')) { - ch = ch - 'a' + 'A'; + ch = (char)(ch - 'a' + 'A'); } return ch; @@ -1204,7 +1285,7 @@ jb_err get_number_param(struct client_state *csp, return JB_ERR_CGI_PARAMS; } - ch -= '0'; + ch = (char)(ch - '0'); /* Note: * @@ -1218,7 +1299,7 @@ jb_err get_number_param(struct client_state *csp, return JB_ERR_CGI_PARAMS; } - value = value * 10 + ch; + value = value * 10 + (unsigned)ch; } /* Success */ @@ -1337,7 +1418,9 @@ struct http_response *error_response(struct client_state *csp, * Description : CGI function that is called to generate an error * response if the actions editor or toggle CGI are * accessed despite having being disabled at compile- - * or run-time. + * or run-time, or if the user followed an untrusted link + * to access a unsafe CGI feature that is only reachable + * through Privoxy directly. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -1357,10 +1440,15 @@ jb_err cgi_error_disabled(struct client_state *csp, assert(csp); assert(rsp); - if (NULL == (exports = default_exports(csp, NULL))) + if (NULL == (exports = default_exports(csp, "cgi-error-disabled"))) { return JB_ERR_MEMORY; } + if (map(exports, "url", 1, html_encode(csp->http->url), 0)) + { + /* Not important enough to do anything */ + log_error(LOG_LEVEL_ERROR, "Failed to fill in url."); + } return template_fill_for_cgi(csp, "cgi-error-disabled", exports, rsp); } @@ -1493,7 +1581,7 @@ jb_err cgi_error_no_template(struct client_state *csp, strcat(rsp->body, body_suffix); rsp->status = strdup(status); - if (rsp->body == NULL) + if (rsp->status == NULL) { return JB_ERR_MEMORY; } @@ -1558,7 +1646,7 @@ jb_err cgi_error_unknown(struct client_state *csp, rsp->head_length = 0; rsp->is_static = 0; - sprintf(errnumbuf, "%d", error_to_report); + snprintf(errnumbuf, sizeof(errnumbuf), "%d", error_to_report); rsp->body = malloc(strlen(body_prefix) + strlen(errnumbuf) + strlen(body_suffix) + 1); if (rsp->body == NULL) @@ -1570,7 +1658,7 @@ jb_err cgi_error_unknown(struct client_state *csp, strcat(rsp->body, body_suffix); rsp->status = strdup(status); - if (rsp->body == NULL) + if (rsp->status == NULL) { return JB_ERR_MEMORY; } @@ -1801,7 +1889,7 @@ struct http_response *finish_http_response(struct http_response *rsp) /* * Fill in the HTTP Status */ - sprintf(buf, "HTTP/1.0 %s", rsp->status ? rsp->status : "200 OK"); + snprintf(buf, sizeof(buf), "HTTP/1.0 %s", rsp->status ? rsp->status : "200 OK"); err = enlist_first(rsp->headers, buf); /* @@ -1813,7 +1901,7 @@ struct http_response *finish_http_response(struct http_response *rsp) } if (!err) { - sprintf(buf, "Content-Length: %d", (int)rsp->content_length); + snprintf(buf, sizeof(buf), "Content-Length: %d", (int)rsp->content_length); err = enlist(rsp->headers, buf); } @@ -2127,7 +2215,7 @@ jb_err template_load(struct client_state *csp, char **template_ptr, * Caller must free(). * 2 : exports = map with fill in symbol -> name pairs * - * Returns : JB_ERR_OK on success + * Returns : JB_ERR_OK on success (and for uncritical errors) * JB_ERR_MEMORY on out-of-memory error * *********************************************************************/ @@ -2198,15 +2286,35 @@ jb_err template_fill(char **template_ptr, const struct map *exports) } else { - pcrs_execute(job, file_buffer, size, &tmp_out_buffer, &size); - free(file_buffer); + error = pcrs_execute(job, file_buffer, size, &tmp_out_buffer, &size); + pcrs_free_job(job); if (NULL == tmp_out_buffer) { *template_ptr = NULL; return JB_ERR_MEMORY; } - file_buffer = tmp_out_buffer; + + if (error < 0) + { + /* + * Substitution failed, keep the original buffer, + * log the problem and ignore it. + * + * The user might see some unresolved @CGI_VARIABLES@, + * but returning a special CGI error page seems unreasonable + * and could mask more important error messages. + */ + free(tmp_out_buffer); + log_error(LOG_LEVEL_ERROR, "Failed to execute s/%s/%s/%s. %s", + buf, m->value, flags, pcrs_strerror(error)); + } + else + { + /* Substitution succeeded, use modified buffer. */ + free(file_buffer); + file_buffer = tmp_out_buffer; + } } } @@ -2307,11 +2415,13 @@ struct map *default_exports(const struct client_state *csp, const char *caller) if (!strncmpic(csp->config->usermanual, "file://", 7) || !strncmpic(csp->config->usermanual, "http", 4)) { - if (!err) err = map(exports, "user-manual", 1, csp->config->usermanual ,1); + /* Manual is located somewhere else, just link to it. */ + if (!err) err = map(exports, "user-manual", 1, html_encode(csp->config->usermanual), 0); } else { - if (!err) err = map(exports, "user-manual", 1, "http://"CGI_SITE_2_HOST"/user-manual/" ,1); + /* Manual is delivered by Privoxy. */ + if (!err) err = map(exports, "user-manual", 1, html_encode(CGI_PREFIX"user-manual/"), 0); } if (!err) err = map(exports, "actions-help-prefix", 1, ACTIONS_HELP_PREFIX ,1); #ifdef FEATURE_TOGGLE @@ -2525,11 +2635,23 @@ char *make_menu(const char *self, const unsigned feature_flags) if (d->description && strcmp(d->name, self)) { - string_append(&result, "
  • name); string_append(&result, "\">"); string_append(&result, d->description); - string_append(&result, "
    • "); + string_append(&result, "\n"); } }