X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=cgi.c;h=0fa5527917df19d1cc154c9d15ba7a1718ebad90;hp=2da5ab3d564932bf4f138e808937394f6fd4d541;hb=4bce17214422953aa0d3c2ae03b8bd34d8faa479;hpb=bc635cfc433ad1870057fd56b2fd0f2602c3f055 diff --git a/cgi.c b/cgi.c index 2da5ab3d..0fa55279 100644 --- a/cgi.c +++ b/cgi.c @@ -1,4 +1,4 @@ -const char cgi_rcs[] = "$Id: cgi.c,v 1.83 2006/12/17 19:35:19 fabiankeil Exp $"; +const char cgi_rcs[] = "$Id: cgi.c,v 1.86 2007/01/09 11:54:26 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/cgi.c,v $ @@ -11,8 +11,8 @@ const char cgi_rcs[] = "$Id: cgi.c,v 1.83 2006/12/17 19:35:19 fabiankeil Exp $"; * Functions declared include: * * - * Copyright : Written by and Copyright (C) 2001 the SourceForge - * Privoxy team. http://www.privoxy.org/ + * Copyright : Written by and Copyright (C) 2001-2004, 2006-2007 + * the SourceForge Privoxy team. http://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -38,6 +38,18 @@ const char cgi_rcs[] = "$Id: cgi.c,v 1.83 2006/12/17 19:35:19 fabiankeil Exp $"; * * Revisions : * $Log: cgi.c,v $ + * Revision 1.86 2007/01/09 11:54:26 fabiankeil + * Fix strdup() error handling in cgi_error_unknown() + * and cgi_error_no_template(). Reported by Markus Elfring. + * + * Revision 1.85 2007/01/05 14:19:02 fabiankeil + * Handle pcrs_execute() errors in template_fill() properly. + * + * Revision 1.84 2006/12/28 17:54:22 fabiankeil + * Fixed gcc43 conversion warnings and replaced sprintf + * calls with snprintf to give OpenBSD's gcc one less reason + * to complain. + * * Revision 1.83 2006/12/17 19:35:19 fabiankeil * Escape ampersand in Privoxy menu. * @@ -666,7 +678,7 @@ static const struct cgi_dispatcher cgi_dispatchers[] = { NULL, TRUE /* Send a built-in image */ }, { "send-stylesheet", cgi_send_stylesheet, - NULL, TRUE /* Send templates/cgi-style.css */ }, + NULL, FALSE /* Send templates/cgi-style.css */ }, { "t", cgi_transparent_image, NULL, TRUE /* Send a transparent image (short name) */ }, @@ -833,7 +845,7 @@ struct http_response *dispatch_cgi(struct client_state *csp) * Returns : pointer to value (no copy!), or NULL if none found. * *********************************************************************/ -char *grep_cgi_referrer(struct client_state *csp) +char *grep_cgi_referrer(const struct client_state *csp) { struct list_entry *p; @@ -850,6 +862,54 @@ char *grep_cgi_referrer(struct client_state *csp) } +/********************************************************************* + * + * Function : referrer_is_safe + * + * Description : Decides whether we trust the Referer for + * CGI pages which are only meant to be reachable + * through Privoxy's web interface directly. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * + * Returns : TRUE if the referrer is safe, or + * FALSE if the referrer is unsafe or not set. + * + *********************************************************************/ +int referrer_is_safe (const struct client_state *csp) +{ + char *referrer; + const char alternative_prefix[] = "http://" CGI_SITE_1_HOST "/"; + + referrer = grep_cgi_referrer(csp); + + if (NULL == referrer) + { + /* No referrer, no access */ + log_error(LOG_LEVEL_ERROR, "Denying access to %s. No referrer found.", + csp->http->url); + } + else if ((0 == strncmp(referrer, CGI_PREFIX, sizeof(CGI_PREFIX)-1) + || (0 == strncmp(referrer, alternative_prefix, strlen(alternative_prefix))))) + { + /* Trustworthy referrer */ + log_error(LOG_LEVEL_CGI, "Granting access to %s, referrer %s is trustworthy.", + csp->http->url, referrer); + + return TRUE; + } + else + { + /* Untrustworthy referrer */ + log_error(LOG_LEVEL_ERROR, "Denying access to %s, referrer %s isn't trustworthy.", + csp->http->url, referrer); + } + + return FALSE; + +} + /********************************************************************* * * Function : dispatch_known_cgi @@ -878,7 +938,6 @@ static struct http_response *dispatch_known_cgi(struct client_state * csp, struct http_response *rsp; char *query_args_start; char *path_copy; - char *referrer; jb_err err; if (NULL == (path_copy = strdup(path))) @@ -941,10 +1000,7 @@ static struct http_response *dispatch_known_cgi(struct client_state * csp, * If the called CGI is either harmless, or referred * from a trusted source, start it. */ - if (d->harmless - || ((NULL != (referrer = grep_cgi_referrer(csp))) - && (0 == strncmp(referrer, CGI_PREFIX, sizeof(CGI_PREFIX)-1))) - ) + if (d->harmless || referrer_is_safe(csp)) { err = (d->handler)(csp, rsp, param_list); } @@ -1340,7 +1396,9 @@ struct http_response *error_response(struct client_state *csp, * Description : CGI function that is called to generate an error * response if the actions editor or toggle CGI are * accessed despite having being disabled at compile- - * or run-time. + * or run-time, or if the user followed an untrusted link + * to access a unsafe CGI feature that is only reachable + * through Privoxy directly. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -1360,10 +1418,15 @@ jb_err cgi_error_disabled(struct client_state *csp, assert(csp); assert(rsp); - if (NULL == (exports = default_exports(csp, NULL))) + if (NULL == (exports = default_exports(csp, "cgi-error-disabled"))) { return JB_ERR_MEMORY; } + if (map(exports, "url", 1, csp->http->url, 1)) + { + /* Not important enough to do anything */ + log_error(LOG_LEVEL_ERROR, "Failed to fill in url."); + } return template_fill_for_cgi(csp, "cgi-error-disabled", exports, rsp); } @@ -1496,7 +1559,7 @@ jb_err cgi_error_no_template(struct client_state *csp, strcat(rsp->body, body_suffix); rsp->status = strdup(status); - if (rsp->body == NULL) + if (rsp->status == NULL) { return JB_ERR_MEMORY; } @@ -1573,7 +1636,7 @@ jb_err cgi_error_unknown(struct client_state *csp, strcat(rsp->body, body_suffix); rsp->status = strdup(status); - if (rsp->body == NULL) + if (rsp->status == NULL) { return JB_ERR_MEMORY; } @@ -2130,7 +2193,7 @@ jb_err template_load(struct client_state *csp, char **template_ptr, * Caller must free(). * 2 : exports = map with fill in symbol -> name pairs * - * Returns : JB_ERR_OK on success + * Returns : JB_ERR_OK on success (and for uncritical errors) * JB_ERR_MEMORY on out-of-memory error * *********************************************************************/ @@ -2201,15 +2264,35 @@ jb_err template_fill(char **template_ptr, const struct map *exports) } else { - pcrs_execute(job, file_buffer, size, &tmp_out_buffer, &size); - free(file_buffer); + error = pcrs_execute(job, file_buffer, size, &tmp_out_buffer, &size); + pcrs_free_job(job); if (NULL == tmp_out_buffer) { *template_ptr = NULL; return JB_ERR_MEMORY; } - file_buffer = tmp_out_buffer; + + if (error < 0) + { + /* + * Substitution failed, keep the original buffer, + * log the problem and ignore it. + * + * The user might see some unresolved @CGI_VARIABLES@, + * but returning a special CGI error page seems unreasonable + * and could mask more important error messages. + */ + free(tmp_out_buffer); + log_error(LOG_LEVEL_ERROR, "Failed to execute s/%s/%s/%s. %s", + buf, m->value, flags, pcrs_strerror(error)); + } + else + { + /* Substitution succeeded, use modified buffer. */ + free(file_buffer); + file_buffer = tmp_out_buffer; + } } }