X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=cgi.c;h=fd72ee5e919649d954a762b2ff26a19b91954caa;hp=1307b87e48bfe566c59aba85c7592a25059d8251;hb=179a0805b3bdeb9c5c6a98163cde81ea38cb1035;hpb=4f4d26f5a63e82b6429a28db1b28698ec5f6c19c diff --git a/cgi.c b/cgi.c index 1307b87e..fd72ee5e 100644 --- a/cgi.c +++ b/cgi.c @@ -1,4 +1,3 @@ -const char cgi_rcs[] = "$Id: cgi.c,v 1.159 2014/10/18 11:31:25 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/cgi.c,v $ @@ -8,8 +7,8 @@ const char cgi_rcs[] = "$Id: cgi.c,v 1.159 2014/10/18 11:31:25 fabiankeil Exp $" * This only contains the framework functions, the * actual handler functions are declared elsewhere. * - * Copyright : Written by and Copyright (C) 2001-2004, 2006-2008 - * the SourceForge Privoxy team. http://www.privoxy.org/ + * Copyright : Written by and Copyright (C) 2001-2017 + * members of the Privoxy team. https://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -69,8 +68,6 @@ const char cgi_rcs[] = "$Id: cgi.c,v 1.159 2014/10/18 11:31:25 fabiankeil Exp $" /* jcc.h is for mutex semaphore globals only */ #include "jcc.h" -const char cgi_h_rcs[] = CGI_H_VERSION; - /* * List of CGI functions: name, handler, description * Note: Do NOT use single quotes in the description; @@ -96,10 +93,17 @@ static const struct cgi_dispatcher cgi_dispatchers[] = { "View the current configuration", #endif TRUE }, - { "show-version", - cgi_show_version, - "View the source code version numbers", - TRUE }, +#ifdef FEATURE_CLIENT_TAGS + /* + * This is marked as harmless because despite the description + * used in the menu the actual toggling is done through another + * path ("/toggle-client-tag"). + */ + { "client-tags", + cgi_show_client_tags, + "View or toggle the tags that can be set based on the clients address", + TRUE }, +#endif { "show-request", cgi_show_request, "View the request headers", @@ -114,6 +118,12 @@ static const struct cgi_dispatcher cgi_dispatchers[] = { "Toggle Privoxy on or off", FALSE }, #endif /* def FEATURE_TOGGLE */ +#ifdef FEATURE_CLIENT_TAGS + { "toggle-client-tag", + cgi_toggle_client_tag, + NULL, + FALSE }, +#endif #ifdef FEATURE_CGI_EDIT_ACTIONS { "edit-actions", /* Edit the actions list */ cgi_edit_actions, @@ -424,6 +434,7 @@ static int referrer_is_safe(const struct client_state *csp) { char *referrer; static const char alternative_prefix[] = "http://" CGI_SITE_1_HOST "/"; + const char *trusted_cgi_referrer = csp->config->trusted_cgi_referrer; referrer = grep_cgi_referrer(csp); @@ -442,6 +453,18 @@ static int referrer_is_safe(const struct client_state *csp) return TRUE; } + else if ((trusted_cgi_referrer != NULL) && (0 == strncmp(referrer, + trusted_cgi_referrer, strlen(trusted_cgi_referrer)))) + { + /* + * After some more testing this block should be merged with + * the previous one or the log level should bedowngraded. + */ + log_error(LOG_LEVEL_INFO, "Granting access to %s based on trusted referrer %s", + csp->http->url, referrer); + + return TRUE; + } else { /* Untrustworthy referrer */ @@ -807,8 +830,7 @@ jb_err get_number_param(struct client_state *csp, unsigned *pvalue) { const char *param; - char ch; - unsigned value; + char *endptr; assert(csp); assert(parameters); @@ -823,36 +845,12 @@ jb_err get_number_param(struct client_state *csp, return JB_ERR_CGI_PARAMS; } - /* We don't use atoi because I want to check this carefully... */ - - value = 0; - while ((ch = *param++) != '\0') + *pvalue = (unsigned int)strtol(param, &endptr, 0); + if (*endptr != '\0') { - if ((ch < '0') || (ch > '9')) - { - return JB_ERR_CGI_PARAMS; - } - - ch = (char)(ch - '0'); - - /* Note: - * - * defines UINT_MAX - * - * (UINT_MAX - ch) / 10 is the largest number that - * can be safely multiplied by 10 then have ch added. - */ - if (value > ((UINT_MAX - (unsigned)ch) / 10U)) - { - return JB_ERR_CGI_PARAMS; - } - - value = value * 10 + (unsigned)ch; + return JB_ERR_CGI_PARAMS; } - /* Success */ - *pvalue = value; - return JB_ERR_OK; } @@ -980,6 +978,9 @@ struct http_response *error_response(struct client_state *csp, case SOCKS_5T: socks_type = "socks5t-"; break; + case FORWARD_WEBSERVER: + socks_type = "webserver-"; + break; default: log_error(LOG_LEVEL_FATAL, "Unknown socks type: %d.", fwd->type); } @@ -1059,6 +1060,8 @@ jb_err cgi_error_disabled(const struct client_state *csp, assert(csp); assert(rsp); + rsp->status = strdup_or_die("403 Request not trusted or feature disabled"); + if (NULL == (exports = default_exports(csp, "cgi-error-disabled"))) { return JB_ERR_MEMORY; @@ -1585,12 +1588,24 @@ struct http_response *finish_http_response(struct client_state *csp, struct http return rsp; } + /* + * Add "Cross-origin resource sharing" (CORS) headers if enabled + */ + if (NULL != csp->config->cors_allowed_origin) + { + enlist_unique_header(rsp->headers, "Access-Control-Allow-Origin", + csp->config->cors_allowed_origin); + enlist_unique_header(rsp->headers, "Access-Control-Allow-Methods", "GET,POST"); + enlist_unique_header(rsp->headers, "Access-Control-Allow-Headers", "X-Requested-With"); + enlist_unique_header(rsp->headers, "Access-Control-Max-Age", "86400"); + } + /* * Fill in the HTTP Status, using HTTP/1.1 * unless the client asked for HTTP/1.0. */ snprintf(buf, sizeof(buf), "%s %s", - strcmpic(csp->http->ver, "HTTP/1.0") ? "HTTP/1.1" : "HTTP/1.0", + strcmpic(csp->http->version, "HTTP/1.0") ? "HTTP/1.1" : "HTTP/1.0", rsp->status ? rsp->status : "200 OK"); err = enlist_first(rsp->headers, buf); @@ -2119,15 +2134,12 @@ jb_err template_fill_for_cgi(const struct client_state *csp, err = template_load(csp, &rsp->body, templatename, 0); if (err == JB_ERR_FILE) { - free_map(exports); - return cgi_error_no_template(csp, rsp, templatename); + err = cgi_error_no_template(csp, rsp, templatename); } - else if (err) + else if (err == JB_ERR_OK) { - free_map(exports); - return err; /* JB_ERR_MEMORY */ + err = template_fill(&rsp->body, exports); } - err = template_fill(&rsp->body, exports); free_map(exports); return err; }