X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=filters.c;h=6dd679eee3159cc9c337ac50a2beaba61d8b3555;hb=f9888d9c1d0b5b4e082718508532ddaf2ba8759c;hp=36eccf41e0e2690ca1657688dfc674c4c0acc898;hpb=e31e6acde20ecc193f9fc6ecbba227f560b8e96e;p=privoxy.git diff --git a/filters.c b/filters.c index 36eccf41..6dd679ee 100644 --- a/filters.c +++ b/filters.c @@ -1,4 +1,4 @@ -const char filters_rcs[] = "$Id: filters.c,v 1.76 2007/01/01 19:36:37 fabiankeil Exp $"; +const char filters_rcs[] = "$Id: filters.c,v 1.84 2007/03/20 15:16:34 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/filters.c,v $ @@ -13,7 +13,7 @@ const char filters_rcs[] = "$Id: filters.c,v 1.76 2007/01/01 19:36:37 fabiankeil * `jpeg_inspect_response', `execute_single_pcrs_command', * `rewrite_url', `get_last_url' * - * Copyright : Written by and Copyright (C) 2001, 2004-2006 the SourceForge + * Copyright : Written by and Copyright (C) 2001, 2004-2007 the SourceForge * Privoxy team. http://www.privoxy.org/ * * Based on the Internet Junkbuster originally written @@ -40,6 +40,42 @@ const char filters_rcs[] = "$Id: filters.c,v 1.76 2007/01/01 19:36:37 fabiankeil * * Revisions : * $Log: filters.c,v $ + * Revision 1.84 2007/03/20 15:16:34 fabiankeil + * Use dedicated header filter actions instead of abusing "filter". + * Replace "filter-client-headers" and "filter-client-headers" + * with "server-header-filter" and "client-header-filter". + * + * Revision 1.83 2007/03/17 15:20:05 fabiankeil + * New config option: enforce-blocks. + * + * Revision 1.82 2007/03/13 11:28:43 fabiankeil + * - Fix port handling in acl_addr() and use a temporary acl spec + * copy so error messages don't contain a truncated version. + * - Log size of iob before and after decompression. + * + * Revision 1.81 2007/03/05 14:40:53 fabiankeil + * - Cosmetical changes for LOG_LEVEL_RE_FILTER messages. + * - Hide the "Go there anyway" link for blocked CONNECT + * requests where going there anyway doesn't work anyway. + * + * Revision 1.80 2007/02/07 10:55:20 fabiankeil + * - Save the reason for generating http_responses. + * - Block (+block) with status code 403 instead of 404. + * - Use a different kludge to remember a failed decompression. + * + * Revision 1.79 2007/01/31 16:21:38 fabiankeil + * Search for Max-Forwards headers case-insensitive, + * don't generate the "501 unsupported" message for invalid + * Max-Forwards values and don't increase negative ones. + * + * Revision 1.78 2007/01/28 13:41:18 fabiankeil + * - Add HEAD support to finish_http_response. + * - Add error favicon to internal HTML error messages. + * + * Revision 1.77 2007/01/12 15:36:44 fabiankeil + * Mark *csp as immutable for is_untrusted_url() + * and is_imageurl(). Closes FR 1237736. + * * Revision 1.76 2007/01/01 19:36:37 fabiankeil * Integrate a modified version of Wil Mahan's * zlib patch (PR #895531). @@ -632,20 +668,33 @@ int block_acl(struct access_control_addr *dst, struct client_state *csp) * Returns : 0 => Ok, everything else is an error. * *********************************************************************/ -int acl_addr(char *aspec, struct access_control_addr *aca) +int acl_addr(const char *aspec, struct access_control_addr *aca) { - int i, masklength, port; + int i, masklength; + long port; char *p; + char *acl_spec = NULL; masklength = 32; port = 0; - if ((p = strchr(aspec, '/')) != NULL) + /* + * Use a temporary acl spec copy so we can log + * the unmodified original in case of parse errors. + */ + acl_spec = strdup(aspec); + if (acl_spec == NULL) { - *p++ = '\0'; + /* XXX: This will be logged as parse error. */ + return(-1); + } + if ((p = strchr(acl_spec, '/')) != NULL) + { + *p++ = '\0'; if (ijb_isdigit(*p) == 0) { + free(acl_spec); return(-1); } masklength = atoi(p); @@ -653,26 +702,32 @@ int acl_addr(char *aspec, struct access_control_addr *aca) if ((masklength < 0) || (masklength > 32)) { + free(acl_spec); return(-1); } - if ((p = strchr(aspec, ':')) != NULL) + if ((p = strchr(acl_spec, ':')) != NULL) { + char *endptr; + *p++ = '\0'; + port = strtol(p, &endptr, 10); - if (ijb_isdigit(*p) == 0) + if (port <= 0 || port > 65535 || *endptr != '\0') { + free(acl_spec); return(-1); } - port = atoi(p); } - aca->port = port; + aca->port = (unsigned long)port; - aca->addr = ntohl(resolve_hostname_to_ip(aspec)); + aca->addr = ntohl(resolve_hostname_to_ip(acl_spec)); + free(acl_spec); if (aca->addr == INADDR_NONE) { + /* XXX: This will be logged as parse error. */ return(-1); } @@ -970,7 +1025,7 @@ struct http_response *block_url(struct client_state *csp) } else { - rsp->status = strdup("404 Request for blocked URL"); + rsp->status = strdup("403 Request for blocked URL"); } if (rsp->status == NULL) @@ -988,7 +1043,15 @@ struct http_response *block_url(struct client_state *csp) #ifdef FEATURE_FORCE_LOAD err = map(exports, "force-prefix", 1, FORCE_PREFIX, 1); - if (csp->http->ssl != 0) + /* + * Export the force conditional block killer if + * + * - Privoxy was compiled without FEATURE_FORCE_LOAD, or + * - Privoxy is configured to enforce blocks, or + * - it's a CONNECT request and enforcing wouldn't work anyway. + */ + if ((csp->config->feature_flags & RUNTIME_FEATURE_ENFORCE_BLOCKS) + || (0 == strcmpic(csp->http->gpc, "connect"))) #endif /* ndef FEATURE_FORCE_LOAD */ { err = map_block_killer(exports, "force-support"); @@ -1013,8 +1076,9 @@ struct http_response *block_url(struct client_state *csp) return cgi_error_memory(); } } + rsp->reason = RSP_REASON_BLOCKED; - return finish_http_response(rsp); + return finish_http_response(csp, rsp); } @@ -1136,10 +1200,22 @@ struct http_response *trust_url(struct client_state *csp) } /* - * Export the force prefix or the force conditional block killer + * Export the force conditional block killer if + * + * - Privoxy was compiled without FEATURE_FORCE_LOAD, or + * - Privoxy is configured to enforce blocks, or + * - it's a CONNECT request and enforcing wouldn't work anyway. */ #ifdef FEATURE_FORCE_LOAD - err = map(exports, "force-prefix", 1, FORCE_PREFIX, 1); + if ((csp->config->feature_flags & RUNTIME_FEATURE_ENFORCE_BLOCKS) + || (0 == strcmpic(csp->http->gpc, "connect"))) + { + err = map_block_killer(exports, "force-support"); + } + else + { + err = map(exports, "force-prefix", 1, FORCE_PREFIX, 1); + } #else /* ifndef FEATURE_FORCE_LOAD */ err = map_block_killer(exports, "force-support"); #endif /* ndef FEATURE_FORCE_LOAD */ @@ -1160,8 +1236,9 @@ struct http_response *trust_url(struct client_state *csp) free_http_response(rsp); return cgi_error_memory(); } + rsp->reason = RSP_REASON_UNTRUSTED; - return finish_http_response(rsp); + return finish_http_response(csp, rsp); } #endif /* def FEATURE_TRUST */ @@ -1462,8 +1539,10 @@ struct http_response *redirect_url(struct client_state *csp) free_http_response(rsp); return cgi_error_memory(); } + rsp->reason = RSP_REASON_REDIRECTED; freez(new_url); - return finish_http_response(rsp); + + return finish_http_response(csp, rsp); } } @@ -1652,6 +1731,7 @@ int is_untrusted_url(const struct client_state *csp) return 0; } } + return 1; } #endif /* def FEATURE_TRUST */ @@ -1745,22 +1825,26 @@ char *pcrs_filter_response(struct client_state *csp) * uncompress it first, adjusting size and iob->eod. * Note that decompression occurs after de-chunking. */ - if (csp->content_type & CT_GZIP || csp->content_type & CT_DEFLATE) + if (csp->content_type & (CT_GZIP | CT_DEFLATE)) { /* Notice that we at least tried to decompress. */ if (JB_ERR_OK != decompress_iob(csp)) { /* * We failed to decompress the data; there's no point - * in continuing since we can't filter. This is - * slightly tricky because we need to remember not to - * modify the Content-Encoding header later; using - * CT_TABOO flag is a kludge for this purpose. + * in continuing since we can't filter. + * + * XXX: Actually the Accept-Encoding header may + * just be incorrect in which case we could continue + * with filtering. + * + * Unset CT_GZIP and CT_DEFLATE to remember not + * to modify the Content-Encoding header later. */ - csp->content_type |= CT_TABOO; + csp->content_type &= ~CT_GZIP; + csp->content_type &= ~CT_DEFLATE; return(NULL); } - log_error(LOG_LEVEL_RE_FILTER, "Decompressing successful"); /* * Decompression gives us a completely new iob, @@ -1797,6 +1881,12 @@ char *pcrs_filter_response(struct client_state *csp) */ for (b = fl->f; b; b = b->next) { + if (b->type != FT_CONTENT_FILTER) + { + /* Skip header filters */ + continue; + } + for (filtername = csp->action->multi[ACTION_MULTI_FILTER]->first; filtername ; filtername = filtername->next) { @@ -1858,7 +1948,7 @@ char *pcrs_filter_response(struct client_state *csp) } log_error(LOG_LEVEL_RE_FILTER, - "re_filtering %s%s (size %d) with filter %s produced %d hits (new size %d).", + "filtering %s%s (size %d) with \'%s\' produced %d hits (new size %d).", csp->http->hostport, csp->http->path, prev_size, b->name, current_hits, size); hits += current_hits; @@ -2237,29 +2327,42 @@ struct http_response *direct_response(struct client_state *csp) { for (p = csp->headers->first; (p != NULL) ; p = p->next) { - if (!strncmp("Max-Forwards:", p->str, 13) - && (*(p->str+13) != '\0') && (atoi(p->str+13) == 0)) + if (!strncmpic("Max-Forwards:", p->str, 13)) { - /* FIXME: We could handle at least TRACE here, - but that would require a verbatim copy of - the request which we don't have anymore */ + unsigned int max_forwards; - log_error(LOG_LEVEL_HEADER, "Found Max-Forwards:0 in OPTIONS or TRACE request -- Returning 501"); - - /* Get mem for response or fail*/ - if (NULL == (rsp = alloc_http_response())) + /* + * If it's a Max-Forwards value of zero, + * we have to intercept the request. + */ + if (1 == sscanf(p->str+12, ": %u", &max_forwards) && max_forwards == 0) { - return cgi_error_memory(); - } + /* + * FIXME: We could handle at least TRACE here, + * but that would require a verbatim copy of + * the request which we don't have anymore + */ + log_error(LOG_LEVEL_HEADER, + "Detected header \'%s\' in OPTIONS or TRACE request. Returning 501.", + p->str); + + /* Get mem for response or fail*/ + if (NULL == (rsp = alloc_http_response())) + { + return cgi_error_memory(); + } - if (NULL == (rsp->status = strdup("501 Not Implemented"))) - { - free_http_response(rsp); - return cgi_error_memory(); - } + if (NULL == (rsp->status = strdup("501 Not Implemented"))) + { + free_http_response(rsp); + return cgi_error_memory(); + } - rsp->is_static = 1; - return(finish_http_response(rsp)); + rsp->is_static = 1; + rsp->reason = RSP_REASON_UNSUPPORTED; + + return(finish_http_response(csp, rsp)); + } } } }