-const char jcc_rcs[] = "$Id: jcc.c,v 1.120 2007/01/26 14:18:42 fabiankeil Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.134 2007/05/16 14:59:46 fabiankeil Exp $";
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/jcc.c,v $
*
* Revisions :
* $Log: jcc.c,v $
+ * Revision 1.134 2007/05/16 14:59:46 fabiankeil
+ * - Fix config file loading on Unix if no config file is specified.
+ * Since r1.97 Privoxy would always interpret the last argument as
+ * config file, even if it's a valid command line option.
+ * - Abort in case of unrecognized command line options. Closes #1719696.
+ * - Remove a bunch of unnecessary strcpy() calls (yay for c&p without thinking).
+ * - Replace the remaining strcpy() and strcat() calls with strlcpy() and strcat().
+ *
+ * Revision 1.133 2007/05/04 11:23:19 fabiankeil
+ * - Don't rerun crunchers that only depend on the request URL.
+ * - Don't count redirects and CGI requests as "blocked requests".
+ *
+ * Revision 1.132 2007/04/25 15:15:17 fabiankeil
+ * Support crunching based on tags created by server-header taggers.
+ *
+ * Revision 1.131 2007/04/22 13:24:50 fabiankeil
+ * Make HTTP snippets static (again). Add a Content-Type for those
+ * with content so the browser doesn't guess it based on the URL.
+ *
+ * Revision 1.130 2007/04/19 13:47:34 fabiankeil
+ * Move crunching and request line rebuilding out of chat().
+ *
+ * Revision 1.129 2007/04/15 16:39:20 fabiankeil
+ * Introduce tags as alternative way to specify which
+ * actions apply to a request. At the moment tags can be
+ * created based on client and server headers.
+ *
+ * Revision 1.128 2007/03/25 16:55:54 fabiankeil
+ * Don't CLF-log CONNECT requests twice.
+ *
+ * Revision 1.127 2007/03/20 13:53:17 fabiankeil
+ * Log the source address for ACL-related connection drops.
+ *
+ * Revision 1.126 2007/03/17 15:20:05 fabiankeil
+ * New config option: enforce-blocks.
+ *
+ * Revision 1.125 2007/03/09 14:12:00 fabiankeil
+ * - Move null byte check into separate function.
+ * - Don't confuse the client with error pages
+ * if a CONNECT request was already confirmed.
+ *
+ * Revision 1.124 2007/02/23 14:59:54 fabiankeil
+ * Speed up NULL byte escaping and only log the complete
+ * NULL byte requests with header debugging enabled.
+ *
+ * Revision 1.123 2007/02/21 18:42:10 fabiankeil
+ * Answer requests that contain NULL bytes with
+ * a custom response instead of waiting for more
+ * data until the client eventually hangs up.
+ *
+ * Revision 1.122 2007/02/07 11:12:02 fabiankeil
+ * - Move delivery and logging of crunched responses
+ * from chat() into send_crunch_response().
+ * - Display the reason for generating http_responses.
+ * - Log the content length for LOG_LEVEL_CLF correctly
+ * (still incorrect for some fixed responses).
+ * - Reword an incorrect comment about
+ * treat-forbidden-connects-like-blocks violating
+ * the specs.
+ * - Add some log messages.
+ *
+ * Revision 1.121 2007/01/27 10:52:56 fabiankeil
+ * Move mutex initialization into separate
+ * function and exit in case of errors.
+ *
* Revision 1.120 2007/01/26 14:18:42 fabiankeil
* - Start to reduce chat()'s line count and move
* parts of it into separate functions.
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
+#include <assert.h>
#ifdef _WIN32
# ifndef FEATURE_PTHREAD
"(copyright_or_otherwise)_applying_to_any_cookie._";
/* HTTP snipplets. */
-const char CSUCCEED[] =
+const static char CSUCCEED[] =
"HTTP/1.0 200 Connection established\n"
"Proxy-Agent: Privoxy/" VERSION "\r\n\r\n";
-const char CHEADER[] =
+const static char CHEADER[] =
"HTTP/1.0 400 Invalid header received from browser\r\n"
+ "Proxy-Agent: Privoxy " VERSION "\r\n"
+ "Content-Type: text/plain\r\n"
"Connection: close\r\n\r\n"
"Invalid header received from browser.\r\n";
-const char CFORBIDDEN[] =
+const static char CFORBIDDEN[] =
"HTTP/1.0 403 Connection not allowable\r\n"
"Proxy-Agent: Privoxy " VERSION "\r\n"
"X-Hint: If you read this message interactively, then you know why this happens ,-)\r\n"
"Connection: close\r\n\r\n";
-const char FTP_RESPONSE[] =
+const static char FTP_RESPONSE[] =
"HTTP/1.0 400 Invalid request received from browser\r\n"
+ "Content-Type: text/plain\r\n"
"Connection: close\r\n\r\n"
"Invalid request. Privoxy doesn't support FTP.\r\n";
-const char GOPHER_RESPONSE[] =
+const static char GOPHER_RESPONSE[] =
"HTTP/1.0 400 Invalid request received from browser\r\n"
+ "Content-Type: text/plain\r\n"
"Connection: close\r\n\r\n"
"Invalid request. Privoxy doesn't support gopher.\r\n";
/* XXX: should be a template */
-const char MISSING_DESTINATION_RESPONSE[] =
+const static char MISSING_DESTINATION_RESPONSE[] =
"HTTP/1.0 400 Bad request received from browser\r\n"
"Proxy-Agent: Privoxy " VERSION "\r\n"
+ "Content-Type: text/plain\r\n"
"Connection: close\r\n\r\n"
"Bad request. Privoxy was unable to extract the destination.\r\n";
/* XXX: should be a template */
-const char NO_SERVER_DATA_RESPONSE[] =
+const static char NO_SERVER_DATA_RESPONSE[] =
"HTTP/1.0 502 Server or forwarder response empty\r\n"
"Proxy-Agent: Privoxy " VERSION "\r\n"
+ "Content-Type: text/plain\r\n"
"Connection: close\r\n\r\n"
"Empty server or forwarder response.\r\n"
"The connection was closed without sending any data.\r\n";
+/* XXX: should be a template */
+const static char NULL_BYTE_RESPONSE[] =
+ "HTTP/1.0 400 Bad request received from browser\r\n"
+ "Proxy-Agent: Privoxy " VERSION "\r\n"
+ "Content-Type: text/plain\r\n"
+ "Connection: close\r\n\r\n"
+ "Bad request. Null byte(s) before end of request.\r\n";
+
+/* A function to crunch a response */
+typedef struct http_response *(*crunch_func_ptr)(struct client_state *);
+
+/* Crunch function flags */
+#define CF_NO_FLAGS 0
+/* Cruncher applies to forced requests as well */
+#define CF_IGNORE_FORCE 1
+/* Crunched requests are counted for the block statistics */
+#define CF_COUNT_AS_REJECT 2
+
+/* A crunch function and its flags */
+struct cruncher
+{
+ const crunch_func_ptr cruncher;
+ const int flags;
+};
+
+/* Complete list of cruncher functions */
+const static struct cruncher crunchers_all[] = {
+ { direct_response, CF_COUNT_AS_REJECT|CF_IGNORE_FORCE},
+ { block_url, CF_COUNT_AS_REJECT },
+#ifdef FEATURE_TRUST
+ { trust_url, CF_COUNT_AS_REJECT },
+#endif /* def FEATURE_TRUST */
+ { redirect_url, CF_NO_FLAGS },
+ { dispatch_cgi, CF_IGNORE_FORCE},
+ { NULL, 0 }
+};
+
+/* Light version, used after tags are applied */
+const static struct cruncher crunchers_light[] = {
+ { block_url, CF_COUNT_AS_REJECT },
+ { redirect_url, CF_NO_FLAGS },
+ { NULL, 0 }
+};
+
+
#if !defined(_WIN32) && !defined(__OS2__) && !defined(AMIGA)
/*********************************************************************
*
{
if (!strncmpic(req, "GET ftp://", 10))
{
- strcpy(buf, FTP_RESPONSE);
+ strlcpy(buf, FTP_RESPONSE, sizeof(buf));
log_error(LOG_LEVEL_ERROR, "%s tried to use Privoxy as FTP proxy: %s",
csp->ip_addr_str, req);
}
else
{
- strcpy(buf, GOPHER_RESPONSE);
+ strlcpy(buf, GOPHER_RESPONSE, sizeof(buf));
log_error(LOG_LEVEL_ERROR, "%s tried to use Privoxy as gopher proxy: %s",
csp->ip_addr_str, req);
}
*********************************************************************/
jb_err get_request_destination_elsewhere(struct client_state *csp, struct list *headers)
{
- char buf[BUFFER_SIZE];
char *req;
if (!(csp->config->feature_flags & RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS))
log_error(LOG_LEVEL_ERROR, "%s's request: \'%s\' is invalid."
" Privoxy isn't configured to accept intercepted requests.",
csp->ip_addr_str, csp->http->cmd);
+ /* XXX: Use correct size */
log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0",
csp->ip_addr_str, csp->http->cmd);
- strcpy(buf, CHEADER);
- write_socket(csp->cfd, buf, strlen(buf));
+ write_socket(csp->cfd, CHEADER, strlen(CHEADER));
destroy_list(headers);
return JB_ERR_PARSE;
req = list_to_text(headers);
chomp(req);
+ /* XXX: Use correct size */
log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0",
csp->ip_addr_str, csp->http->cmd);
log_error(LOG_LEVEL_ERROR,
csp->ip_addr_str, csp->http->cmd, req);
freez(req);
- strcpy(buf, MISSING_DESTINATION_RESPONSE);
- write_socket(csp->cfd, buf, strlen(buf));
+ write_socket(csp->cfd, MISSING_DESTINATION_RESPONSE, strlen(MISSING_DESTINATION_RESPONSE));
destroy_list(headers);
return JB_ERR_PARSE;
}
+/*********************************************************************
+ *
+ * Function : crunch_reason
+ *
+ * Description : Translates the crunch reason code into a string.
+ *
+ * Parameters :
+ * 1 : rsp = a http_response
+ *
+ * Returns : A string with the crunch reason or an error description.
+ *
+ *********************************************************************/
+const char *crunch_reason(const struct http_response *rsp)
+{
+ char * reason = NULL;
+
+ assert(rsp != NULL);
+ if (rsp == NULL)
+ {
+ return "Internal error while searching for crunch reason";
+ }
+
+ switch (rsp->reason)
+ {
+ case RSP_REASON_UNSUPPORTED:
+ reason = "Unsupported HTTP feature";
+ break;
+ case RSP_REASON_BLOCKED:
+ reason = "Blocked";
+ break;
+ case RSP_REASON_UNTRUSTED:
+ reason = "Untrusted";
+ break;
+ case RSP_REASON_REDIRECTED:
+ reason = "Redirected";
+ break;
+ case RSP_REASON_CGI_CALL:
+ reason = "CGI Call";
+ break;
+ case RSP_REASON_NO_SUCH_DOMAIN:
+ reason = "DNS failure";
+ break;
+ case RSP_REASON_FORWARDING_FAILED:
+ reason = "Forwarding failed";
+ break;
+ case RSP_REASON_CONNECT_FAILED:
+ reason = "Connection failure";
+ break;
+ case RSP_REASON_OUT_OF_MEMORY:
+ reason = "Out of memory (may mask other reasons)";
+ break;
+ default:
+ reason = "No reason recorded";
+ break;
+ }
+
+ return reason;
+}
+
+
+/*********************************************************************
+ *
+ * Function : send_crunch_response
+ *
+ * Description : Delivers already prepared response for
+ * intercepted requests, logs the interception
+ * and frees the response.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ * 1 : rsp = Fully prepared response. Will be freed on exit.
+ *
+ * Returns : Nothing.
+ *
+ *********************************************************************/
+void send_crunch_response(struct client_state *csp, struct http_response *rsp)
+{
+ const struct http_request *http = csp->http;
+ char status_code[4];
+
+ assert(rsp != NULL);
+ assert(rsp->head != NULL);
+
+ if (rsp == NULL)
+ {
+ /*
+ * Not supposed to happen. If it does
+ * anyway, treat it as an unknown error.
+ */
+ cgi_error_unknown(csp, rsp, RSP_REASON_INTERNAL_ERROR);
+ /* return code doesn't matter */
+ }
+
+ if (rsp == NULL)
+ {
+ /* If rsp is still NULL, we have serious internal problems. */
+ log_error(LOG_LEVEL_FATAL,
+ "NULL response in send_crunch_response and cgi_error_unknown failed as well.");
+ }
+
+ /*
+ * Extract the status code from the actual head
+ * that was send to the client. It is the only
+ * way to get it right for all requests, including
+ * the fixed ones for out-of-memory problems.
+ *
+ * A head starts like this: 'HTTP/1.1 200...'
+ * 0123456789|11
+ * 10
+ */
+ status_code[0] = rsp->head[9];
+ status_code[1] = rsp->head[10];
+ status_code[2] = rsp->head[11];
+ status_code[3] = '\0';
+
+ /* Write the answer to the client */
+ if (write_socket(csp->cfd, rsp->head, rsp->head_length)
+ || write_socket(csp->cfd, rsp->body, rsp->content_length))
+ {
+ /* There is nothing we can do about it. */
+ log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", csp->http->host);
+ }
+
+ /* Log that the request was crunched and why. */
+ log_error(LOG_LEVEL_GPC, "%s%s crunch! (%s)",
+ http->hostport, http->path, crunch_reason(rsp));
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" %s %d",
+ csp->ip_addr_str, http->ocmd, status_code, rsp->content_length);
+
+ /* Clean up and return */
+ if (cgi_error_memory() != rsp)
+ {
+ free_http_response(rsp);
+ }
+ return;
+}
+
+
+/*********************************************************************
+ *
+ * Function : request_contains_null_bytes
+ *
+ * Description : Checks for NULL bytes in the request and sends
+ * an error message to the client if any were found.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ * 2 : buf = Data from the client's request to check.
+ * 3 : len = The data length.
+ *
+ * Returns : TRUE if the request contained one or more NULL bytes, or
+ * FALSE otherwise.
+ *
+ *********************************************************************/
+int request_contains_null_bytes(const struct client_state *csp, char *buf, int len)
+{
+ size_t c_len; /* Request lenght when treated as C string */
+
+ c_len = strlen(buf);
+
+ if (c_len < len)
+ {
+ /*
+ * Null byte(s) found. Log the request,
+ * return an error response and hang up.
+ */
+ size_t tmp_len = c_len;
+
+ do
+ {
+ /*
+ * Replace NULL byte(s) with '°' characters
+ * so the request can be logged as string.
+ * XXX: Is there a better replacement character?
+ */
+ buf[tmp_len]='°';
+ tmp_len += strlen(buf+tmp_len);
+ } while (tmp_len < len);
+
+ log_error(LOG_LEVEL_ERROR, "%s\'s request contains at least one NULL byte "
+ "(length=%d, strlen=%d).", csp->ip_addr_str, len, c_len);
+ log_error(LOG_LEVEL_HEADER,
+ "Offending request data with NULL bytes turned into \'°\' characters: %s", buf);
+
+ write_socket(csp->cfd, NULL_BYTE_RESPONSE, strlen(NULL_BYTE_RESPONSE));
+
+ /* XXX: Log correct size */
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0", csp->ip_addr_str);
+
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+
+/*********************************************************************
+ *
+ * Function : crunch_response_triggered
+ *
+ * Description : Checks if the request has to be crunched,
+ * and delivers the crunch response if necessary.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ * 2 : crunchers = list of cruncher functions to run
+ *
+ * Returns : TRUE if the request was answered with a crunch response
+ * FALSE otherwise.
+ *
+ *********************************************************************/
+int crunch_response_triggered(struct client_state *csp, const struct cruncher crunchers[])
+{
+ struct http_response *rsp = NULL;
+ const struct cruncher *c;
+
+ for (c = crunchers; c->cruncher != NULL; c++)
+ {
+ /*
+ * Check the cruncher if either Privoxy is toggled
+ * on and the request isn't forced, or if the cruncher
+ * applies to forced requests as well.
+ */
+ if (((csp->flags & CSP_FLAG_TOGGLED_ON) &&
+ !(csp->flags & CSP_FLAG_FORCED)) ||
+ (c->flags & CF_IGNORE_FORCE))
+ {
+ rsp = c->cruncher(csp);
+ if (NULL != rsp)
+ {
+ /* Deliver, log and free the interception response. */
+ send_crunch_response(csp, rsp);
+#ifdef FEATURE_STATISTICS
+ if (c->flags & CF_COUNT_AS_REJECT)
+ {
+ csp->flags |= CSP_FLAG_REJECTED;
+ }
+#endif /* def FEATURE_STATISTICS */
+
+ return TRUE;
+ }
+ }
+ }
+
+ return FALSE;
+}
+
+
+/*********************************************************************
+ *
+ * Function : build_request_line
+ *
+ * Description : Builds the HTTP request line.
+ *
+ * If a HTTP forwarder is used it expects the whole URL,
+ * web servers only get the path.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ * 2 : fwd = The forwarding spec used for the request
+ *
+ * Returns : Nothing. Terminates in case of memory problems.
+ *
+ *********************************************************************/
+void build_request_line(struct client_state *csp, const struct forward_spec *fwd)
+{
+ struct http_request *http = csp->http;
+
+ assert(http->ssl == 0);
+
+ /*
+ * Downgrade http version from 1.1 to 1.0
+ * if +downgrade action applies.
+ */
+ if ( (csp->action->flags & ACTION_DOWNGRADE)
+ && (!strcmpic(http->ver, "HTTP/1.1")))
+ {
+ freez(http->ver);
+ http->ver = strdup("HTTP/1.0");
+
+ if (http->ver == NULL)
+ {
+ log_error(LOG_LEVEL_FATAL, "Out of memory downgrading HTTP version");
+ }
+ }
+
+ /*
+ * Rebuild the request line.
+ * XXX: If a http forwarder is used and the HTTP version
+ * wasn't downgraded, we don't have to rebuild anything.
+ */
+ freez(http->cmd);
+
+ http->cmd = strdup(http->gpc);
+ string_append(&http->cmd, " ");
+
+ if (fwd->forward_host)
+ {
+ string_append(&http->cmd, http->url);
+ }
+ else
+ {
+ string_append(&http->cmd, http->path);
+ }
+ string_append(&http->cmd, " ");
+ string_append(&http->cmd, http->ver);
+
+ if (http->cmd == NULL)
+ {
+ log_error(LOG_LEVEL_FATAL, "Out of memory writing HTTP command");
+ }
+ log_error(LOG_LEVEL_HEADER, "New HTTP Request-Line: %s", http->cmd);
+}
+
+
/*********************************************************************
*
* Function : chat
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
*
- * Returns : On success, the number of bytes written are returned (zero
- * indicates nothing was written). On error, -1 is returned,
- * and errno is set appropriately. If count is zero and the
- * file descriptor refers to a regular file, 0 will be
- * returned without causing any other effect. For a special
- * file, the results are not portable.
+ * Returns : Nothing.
*
*********************************************************************/
static void chat(struct client_state *csp)
{
-/*
- * This next lines are a little ugly, but they simplifies the if statements
- * below. Basically if TOGGLE, then we want the if to test if the
- * CSP_FLAG_TOGGLED_ON flag ist set, else we don't. And if FEATURE_FORCE_LOAD,
- * then we want the if to test for CSP_FLAG_FORCED , else we don't
- */
-#ifdef FEATURE_TOGGLE
-# define IS_TOGGLED_ON_AND (csp->flags & CSP_FLAG_TOGGLED_ON) &&
-#else /* ifndef FEATURE_TOGGLE */
-# define IS_TOGGLED_ON_AND
-#endif /* ndef FEATURE_TOGGLE */
-#ifdef FEATURE_FORCE_LOAD
-# define IS_NOT_FORCED_AND !(csp->flags & CSP_FLAG_FORCED) &&
-#else /* ifndef FEATURE_FORCE_LOAD */
-# define IS_NOT_FORCED_AND
-#endif /* def FEATURE_FORCE_LOAD */
-
-#define IS_ENABLED_AND IS_TOGGLED_ON_AND IS_NOT_FORCED_AND
-
char buf[BUFFER_SIZE];
char *hdr;
char *p;
http = csp->http;
+ memset(buf, 0, sizeof(buf));
+
/*
* Read the client's request. Note that since we're not using select() we
* could get blocked here if a client connected, then didn't say anything!
for (;;)
{
- len = read_socket(csp->cfd, buf, sizeof(buf));
+ len = read_socket(csp->cfd, buf, sizeof(buf) - 1);
if (len <= 0) break; /* error! */
-
+
+ if (request_contains_null_bytes(csp, buf, len))
+ {
+ /* NULL bytes found and dealt with, just hang up. */
+ return;
+ }
+
/*
* If there is no memory left for buffering the
* request, there is nothing we can do but hang up
}
#ifdef FEATURE_FORCE_LOAD
- /* If this request contains the FORCE_PREFIX,
- * better get rid of it now and set the force flag --oes
+ /*
+ * If this request contains the FORCE_PREFIX and blocks
+ * aren't enforced, get rid of it and set the force flag.
*/
-
if (strstr(req, FORCE_PREFIX))
{
- strclean(req, FORCE_PREFIX);
- log_error(LOG_LEVEL_FORCE, "Enforcing request \"%s\".\n", req);
- csp->flags |= CSP_FLAG_FORCED;
+ if (csp->config->feature_flags & RUNTIME_FEATURE_ENFORCE_BLOCKS)
+ {
+ log_error(LOG_LEVEL_FORCE,
+ "Ignored force prefix in request: \"%s\".", req);
+ }
+ else
+ {
+ strclean(req, FORCE_PREFIX);
+ log_error(LOG_LEVEL_FORCE, "Enforcing request: \"%s\".", req);
+ csp->flags |= CSP_FLAG_FORCED;
+ }
}
#endif /* def FEATURE_FORCE_LOAD */
if (http->cmd == NULL)
{
- strcpy(buf, CHEADER);
- write_socket(csp->cfd, buf, strlen(buf));
-
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 400 0", csp->ip_addr_str);
+ write_socket(csp->cfd, CHEADER, strlen(CHEADER));
+ /* XXX: Use correct size */
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0", csp->ip_addr_str);
+ log_error(LOG_LEVEL_ERROR, "Invalid header received from %s.", csp->ip_addr_str);
free_http_request(http);
return;
{
if ( ( ( p = get_header(csp) ) != NULL) && ( *p == '\0' ) )
{
- len = read_socket(csp->cfd, buf, sizeof(buf));
+ len = read_socket(csp->cfd, buf, sizeof(buf) - 1);
if (len <= 0)
{
log_error(LOG_LEVEL_ERROR, "read from client failed: %E");
/*
* If we still don't know the request destination,
* the request is invalid or the client uses
- * Privoxy without it's knowledge.
+ * Privoxy without its knowledge.
*/
if (JB_ERR_OK != get_request_destination_elsewhere(csp, headers))
{
{
if (csp->action->flags & ACTION_TREAT_FORBIDDEN_CONNECTS_LIKE_BLOCKS)
{
- /* The response will violate the specs, but makes unblocking easier. */
+ /*
+ * The response may confuse some clients,
+ * but makes unblocking easier.
+ */
log_error(LOG_LEVEL_ERROR, "Marking suspicious CONNECT request from %s for blocking.",
csp->ip_addr_str);
csp->action->flags |= ACTION_BLOCK;
}
else
{
- strcpy(buf, CFORBIDDEN);
- write_socket(csp->cfd, buf, strlen(buf));
+ write_socket(csp->cfd, CFORBIDDEN, strlen(CFORBIDDEN));
log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str);
log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str);
return;
}
- /*
- * Downgrade http version from 1.1 to 1.0 if +downgrade
- * action applies
- */
- if ( (http->ssl == 0)
- && (!strcmpic(http->ver, "HTTP/1.1"))
- && (csp->action->flags & ACTION_DOWNGRADE))
- {
- freez(http->ver);
- http->ver = strdup("HTTP/1.0");
-
- if (http->ver == NULL)
- {
- log_error(LOG_LEVEL_FATAL, "Out of memory downgrading HTTP version");
- }
- }
-
/*
* Save a copy of the original request for logging
*/
/*
* (Re)build the HTTP request for non-SSL requests.
- * If forwarding, use the whole URL, else, use only the path.
*/
if (http->ssl == 0)
{
- freez(http->cmd);
-
- http->cmd = strdup(http->gpc);
- string_append(&http->cmd, " ");
-
- if (fwd->forward_host)
- {
- string_append(&http->cmd, http->url);
- }
- else
- {
- string_append(&http->cmd, http->path);
- }
- string_append(&http->cmd, " ");
- string_append(&http->cmd, http->ver);
-
- if (http->cmd == NULL)
- {
- log_error(LOG_LEVEL_FATAL, "Out of memory writing HTTP command");
- }
- log_error(LOG_LEVEL_HEADER, "New HTTP Request-Line: %s", http->cmd);
+ build_request_line(csp, fwd);
}
enlist(csp->headers, http->cmd);
enlist(csp->action->multi[ACTION_MULTI_WAFER], VANILLA_WAFER);
}
+ hdr = sed(client_patterns, add_client_headers, csp);
+ if (hdr == NULL)
+ {
+ /* FIXME Should handle error properly */
+ log_error(LOG_LEVEL_FATAL, "Out of memory parsing client header");
+ }
+ csp->flags |= CSP_FLAG_CLIENT_HEADER_PARSING_DONE;
#ifdef FEATURE_KILL_POPUPS
block_popups = ((csp->action->flags & ACTION_NO_POPUPS) != 0);
jpeg_inspect = ((csp->action->flags & ACTION_JPEG_INSPECT) != 0);
/*
- * We have a request. Now, check to see if we need to
- * intercept it, i.e. If ..
+ * We have a request. Check if one of the crunchers wants it.
*/
-
- if (
- /* We may not forward the request by rfc2616 sect 14.31 */
- (NULL != (rsp = direct_response(csp)))
-
- /* or we are enabled and... */
- || (IS_ENABLED_AND (
-
- /* ..the request was blocked */
- ( NULL != (rsp = block_url(csp)))
-
- /* ..or untrusted */
-#ifdef FEATURE_TRUST
- || ( NULL != (rsp = trust_url(csp)))
-#endif /* def FEATURE_TRUST */
-
- /* ..or a redirect kicked in */
- || ( NULL != (rsp = redirect_url(csp)))
- ))
-
- /*
- * .. or a CGI call was detected and answered.
- *
- * This check comes last to give the user the power
- * to deny acces to some (or all) of the cgi pages.
- */
- || (NULL != (rsp = dispatch_cgi(csp)))
-
- )
+ if (crunch_response_triggered(csp, crunchers_all))
{
- /* Write the answer to the client */
- if (write_socket(csp->cfd, rsp->head, rsp->head_length)
- || write_socket(csp->cfd, rsp->body, rsp->content_length))
- {
- log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- }
-
-#ifdef FEATURE_STATISTICS
- /* Count as a rejected request */
- csp->flags |= CSP_FLAG_REJECTED;
-#endif /* def FEATURE_STATISTICS */
-
- /* Log (FIXME: All intercept reasons appear as "crunch" with Status 200) */
- log_error(LOG_LEVEL_GPC, "%s%s crunch!", http->hostport, http->path);
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 200 3", csp->ip_addr_str, http->ocmd);
+ /*
+ * Yes. The client got the crunch response
+ * and we are done here after cleaning up.
+ */
+ freez(hdr);
+ list_remove_all(csp->headers);
- /* Clean up and return */
- free_http_response(rsp);
return;
}
- hdr = sed(client_patterns, add_client_headers, csp);
- if (hdr == NULL)
- {
- /* FIXME Should handle error properly */
- log_error(LOG_LEVEL_FATAL, "Out of memory parsing client header");
- }
-
+ /*
+ * The headers can't be removed earlier because
+ * they were still needed for the referrer check
+ * in case of CGI crunches.
+ *
+ * XXX: Would it be worth to move the referrer check
+ * into client_referrer() and set a flag if it's trusted?
+ */
list_remove_all(csp->headers);
log_error(LOG_LEVEL_GPC, "%s%s", http->hostport, http->path);
{
/* Socks error. */
rsp = error_response(csp, "forwarding-failed", errno);
-
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 503 0",
- csp->ip_addr_str, http->ocmd);
}
else if (errno == EINVAL)
{
rsp = error_response(csp, "no-such-domain", errno);
-
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 404 0",
- csp->ip_addr_str, http->ocmd);
}
else
{
rsp = error_response(csp, "connect-failed", errno);
-
log_error(LOG_LEVEL_CONNECT, "connect to: %s failed: %E",
http->hostport);
-
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 503 0",
- csp->ip_addr_str, http->ocmd);
}
/* Write the answer to the client */
- if(rsp)
+ if (rsp != NULL)
{
- if (write_socket(csp->cfd, rsp->head, rsp->head_length)
- || write_socket(csp->cfd, rsp->body, rsp->content_length))
- {
- log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- }
+ send_crunch_response(csp, rsp);
}
- free_http_response(rsp);
freez(hdr);
return;
}
log_error(LOG_LEVEL_CONNECT, "write header to: %s failed: %E",
http->hostport);
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 503 0",
- csp->ip_addr_str, http->ocmd);
-
rsp = error_response(csp, "connect-failed", errno);
if(rsp)
{
- if (write_socket(csp->cfd, rsp->head, rsp->head_length)
- || write_socket(csp->cfd, rsp->body, rsp->content_length))
- {
- log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- }
+ send_crunch_response(csp, rsp);
}
- free_http_response(rsp);
freez(hdr);
return;
}
* so just send the "connect succeeded" message to the
* client, flush the rest, and get out of the way.
*/
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 200 2\n",
- csp->ip_addr_str, http->ocmd);
-
- if (write_socket(csp->cfd, CSUCCEED, sizeof(CSUCCEED)-1))
+ if (write_socket(csp->cfd, CSUCCEED, strlen(CSUCCEED)))
{
freez(hdr);
return;
if (FD_ISSET(csp->cfd, &rfds))
{
- len = read_socket(csp->cfd, buf, sizeof(buf));
+ len = read_socket(csp->cfd, buf, sizeof(buf) - 1);
if (len <= 0)
{
{
log_error(LOG_LEVEL_ERROR, "read from: %s failed: %E", http->host);
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 503 0",
- csp->ip_addr_str, http->ocmd);
+ if (http->ssl && (fwd->forward_host == NULL))
+ {
+ /*
+ * Just hang up. We already confirmed the client's CONNECT
+ * request with status code 200 and unencrypted content is
+ * no longer welcome.
+ */
+ log_error(LOG_LEVEL_ERROR,
+ "CONNECT already confirmed. Unable to tell the client about the problem.");
+ return;
+ }
rsp = error_response(csp, "connect-failed", errno);
if(rsp)
{
- if (write_socket(csp->cfd, rsp->head, rsp->head_length)
- || write_socket(csp->cfd, rsp->body, rsp->content_length))
- {
- log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- }
+ send_crunch_response(csp, rsp);
}
- free_http_response(rsp);
return;
}
log_error(LOG_LEVEL_FATAL, "Out of memory parsing server header");
}
+ /*
+ * Shouldn't happen because this was the second sed run
+ * and tags are only created for the first one.
+ */
+ assert(!crunch_response_triggered(csp, crunchers_all));
+
if (write_socket(csp->cfd, hdr, strlen(hdr))
|| write_socket(csp->cfd, p != NULL ? p : csp->iob->cur, csp->content_length))
{
*/
log_error(LOG_LEVEL_ERROR, "Out of memory while trying to flush.");
rsp = cgi_error_memory();
+ send_crunch_response(csp, rsp);
- if (write_socket(csp->cfd, rsp->head, rsp->head_length)
- || write_socket(csp->cfd, rsp->body, rsp->content_length))
- {
- log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- }
+ return;
+ }
+
+ if (crunch_response_triggered(csp, crunchers_light))
+ {
+ /*
+ * One of the tags created by a server-header
+ * tagger triggered a crunch. We already
+ * delivered the crunch response to the client
+ * and are done here after cleaning up.
+ */
+ freez(hdr);
return;
}
return;
}
- byte_count += hdrlen + (size_t)(flushed + len);
+ byte_count += hdrlen + (size_t)flushed + (size_t)len;
freez(hdr);
content_filter = NULL;
server_body = 1;
{
log_error(LOG_LEVEL_ERROR, "Out of memory while looking for end of server headers.");
rsp = cgi_error_memory();
-
- if (write_socket(csp->cfd, rsp->head, rsp->head_length)
- || write_socket(csp->cfd, rsp->body, rsp->content_length))
- {
- log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- }
+ send_crunch_response(csp, rsp);
+
return;
}
{
log_error(LOG_LEVEL_ERROR, "Empty server or forwarder response.");
log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 502 0", csp->ip_addr_str, http->cmd);
- strcpy(buf, NO_SERVER_DATA_RESPONSE);
- write_socket(csp->cfd, buf, strlen(buf));
+ write_socket(csp->cfd, NO_SERVER_DATA_RESPONSE, strlen(NO_SERVER_DATA_RESPONSE));
free_http_request(http);
return;
}
log_error(LOG_LEVEL_FATAL, "Out of memory parsing server header");
}
+ if (crunch_response_triggered(csp, crunchers_light))
+ {
+ /*
+ * One of the tags created by a server-header
+ * tagger triggered a crunch. We already
+ * delivered the crunch response to the client
+ * and are done here after cleaning up.
+ */
+ freez(hdr);
+ return;
+ }
#ifdef FEATURE_KILL_POPUPS
/* Start blocking popups if appropriate. */
return; /* huh? we should never get here */
}
+ if (csp->content_length == 0)
+ {
+ /*
+ * If Privoxy didn't recalculate the
+ * Content-Lenght, byte_count is still
+ * correct.
+ */
+ csp->content_length = byte_count;
+ }
+
log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 200 %d",
- csp->ip_addr_str, http->ocmd, byte_count);
+ csp->ip_addr_str, http->ocmd, csp->content_length);
}
void usage(const char *myname)
{
printf("Privoxy version " VERSION " (" HOME_PAGE_URL ")\n"
-#if !defined(unix)
- "Usage: %s [--help] [--version] [configfile]\n"
-#else
- "Usage: %s [--help] [--version] [--no-daemon] [--pidfile pidfile] [--user user[.group]] [configfile]\n"
-#endif
- "Aborting.\n", myname);
-
+ "Usage: %s "
+#if defined(unix)
+ "[--chroot] "
+#endif /* defined(unix) */
+ "[--help] "
+#if defined(unix)
+ "[--no-daemon] [--pidfile pidfile] [--user user[.group]] "
+#endif /* defined(unix) */
+ "[--version] [configfile]\n"
+ "Aborting\n", myname);
+
exit(2);
}
/*
* Parse the command line arguments
+ *
+ * XXX: simply printing usage information in case of
+ * invalid arguments isn't particular user friendly.
*/
while (++argc_pos < argc)
{
{
do_chroot = 1;
}
-
#endif /* defined(unix) */
+
+ else if (argc_pos + 1 != argc)
+ {
+ /*
+ * This is neither the last command line
+ * option, nor was it recognized before,
+ * therefore it must be invalid.
+ */
+ usage(argv[0]);
+ }
+ else
+
#endif /* defined(_WIN32) && !defined(_WIN_CONSOLE) */
{
configfile = argv[argc_pos];
#if defined(unix)
if ( *configfile != '/' )
{
- char *abs_file, cwd[1024];
+ char cwd[BUFFER_SIZE];
+ char *abs_file;
+ size_t abs_file_size;
/* make config-filename absolute here */
- if ( !(getcwd(cwd, sizeof(cwd))))
+ if (NULL == getcwd(cwd, sizeof(cwd)))
{
- perror("get working dir failed");
+ perror("failed to get current working directory");
exit( 1 );
}
- if (!(basedir = strdup(cwd))
- || (!(abs_file = malloc( strlen( basedir ) + strlen( configfile ) + 5 ))))
+ /* XXX: why + 5? */
+ abs_file_size = strlen(cwd) + strlen(configfile) + 5;
+ basedir = strdup(cwd);
+
+ if (NULL == basedir ||
+ NULL == (abs_file = malloc(abs_file_size)))
{
perror("malloc failed");
exit( 1 );
}
- strcpy( abs_file, basedir );
- strcat( abs_file, "/" );
- strcat( abs_file, configfile );
+ strlcpy(abs_file, basedir, abs_file_size);
+ strlcat(abs_file, "/", abs_file_size );
+ strlcat(abs_file, configfile, abs_file_size);
configfile = abs_file;
}
#endif /* defined unix */
{
char putenv_dummy[64];
- strcpy(putenv_dummy, "HOME=/");
+ strlcpy(putenv_dummy, "HOME=/", sizeof(putenv_dummy));
if (putenv(putenv_dummy) != 0)
{
log_error(LOG_LEVEL_FATAL, "Cannot putenv(): HOME");
}
- snprintf(putenv_dummy, 64, "USER=%s", pw->pw_name);
+ snprintf(putenv_dummy, sizeof(putenv_dummy), "USER=%s", pw->pw_name);
if (putenv(putenv_dummy) != 0)
{
log_error(LOG_LEVEL_FATAL, "Cannot putenv(): USER");
#ifdef FEATURE_ACL
if (block_acl(NULL,csp))
{
- log_error(LOG_LEVEL_CONNECT, "Connection dropped due to ACL");
+ log_error(LOG_LEVEL_CONNECT, "Connection from %s dropped due to ACL", csp->ip_addr_str);
close_socket(csp->cfd);
freez(csp);
continue;