From 9b0a6852b331c5c868a45fba80cbed62820be63f Mon Sep 17 00:00:00 2001
From: oes
Date: Wed, 10 Oct 2001 16:44:36 +0000
Subject: [PATCH] Added CONNECT destination port limitation check

---
 jcc.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/jcc.c b/jcc.c
index c1e09ea8..dd89b04d 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.45 2001/10/07 15:42:11 oes Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.46 2001/10/08 15:17:41 oes Exp $";
 /*********************************************************************
  *
  * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $
@@ -33,6 +33,9 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.45 2001/10/07 15:42:11 oes Exp $";
  *
  * Revisions :
  * $Log: jcc.c,v $
+ * Revision 1.46 2001/10/08 15:17:41 oes
+ * Re-enabled SSL forwarding
+ *
  * Revision 1.45 2001/10/07 15:42:11 oes
  * Replaced 6 boolean members of csp with one bitmap (csp->flags)
  *
@@ -607,6 +610,28 @@ static void chat(struct client_state *csp)
 #ifdef FEATURE_COOKIE_JAR
+   /*
+    * Check if a CONNECT request is allowable:
+    * In the absence of a +limit-connect action, allow only port 443.
+    * If there is an action, allow whatever matches the specificaton.
+    */
+   if(http->ssl)
+   {
+      if( ( !(csp->action->flags & ACTION_LIMIT_CONNECT) && csp->http->port != 443)
+          || (csp->action->flags & ACTION_LIMIT_CONNECT
+              && !match_portlist(csp->action->string[ACTION_STRING_LIMIT_CONNECT], csp->http->port)) )
+      {
+         strcpy(buf, CFORBIDDEN);
+         write_socket(csp->cfd, buf, strlen(buf));
+         log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str);
+         log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str);
+         return;
+      }
+   }
+
+
   /*
    * Downgrade http version from 1.1 to 1.0 if +downgrade
    * action applies
-- 
2.49.0
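Review bot: The new CONNECT port check is inserted right after the `#ifdef FEATURE_COOKIE_JAR` context line, so as the hunk reads the restriction would be compiled out entirely in builds without that feature; if the matching `#endif` actually precedes the insertion point, this is only a rendering artefact, but it should be confirmed before merge. Independently, when `ACTION_LIMIT_CONNECT` is set but `csp->action->string[ACTION_STRING_LIMIT_CONNECT]` is NULL, whether the request is allowed depends solely on how `match_portlist` treats a NULL list; failing closed in the condition itself, `|| (csp->action->flags & ACTION_LIMIT_CONNECT && (csp->action->string[ACTION_STRING_LIMIT_CONNECT] == NULL || !match_portlist(csp->action->string[ACTION_STRING_LIMIT_CONNECT], csp->http->port)))`, keeps the deny-by-default intent stated in the comment. The deny path also discards the return value of `write_socket` and copies `CFORBIDDEN` with an unbounded `strcpy` into `buf`, whose size is not visible here; if `buf` is an array, `snprintf(buf, sizeof buf, "%s", CFORBIDDEN)` is the bounded equivalent. The condition mixes `http->ssl` with `csp->http->port`; using one spelling for both would make it clearer that they refer to the same request. chat() begins and ends outside this hunk.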