X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=jcc.c;h=7c09830b8cf92311c3c3ffbdcbec3248e247a576;hp=1b0cb5505a867f64b6a7c500e06032d0bbf106ce;hb=045bd78d8b185b981d4651c10361f0c9dc193677;hpb=d9ff96f6158dc9e9e64c216253ae35e75c13295c

diff --git a/jcc.c b/jcc.c
index 1b0cb550..7c09830b 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.44 2001/10/02 18:13:57 oes Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.47 2001/10/10 16:44:36 oes Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $
@@ -33,6 +33,31 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.44 2001/10/02 18:13:57 oes Exp $";
  *
  * Revisions   :
  *    $Log: jcc.c,v $
+ *    Revision 1.47  2001/10/10 16:44:36  oes
+ *    Added CONNECT destination port limitation check
+ *
+ *    Revision 1.46  2001/10/08 15:17:41  oes
+ *    Re-enabled SSL forwarding
+ *
+ *    Revision 1.45  2001/10/07 15:42:11  oes
+ *    Replaced 6 boolean members of csp with one bitmap (csp->flags)
+ *
+ *    Moved downgrading of the HTTP version from parse_http_request to
+ *      chat(), since we can't decide if it is necessary before we have
+ *      determined the actions for the URL. The HTTP command is now
+ *      *always* re-built so the repairs need no longer be special-cased.
+ *
+ *    filter_popups now gets a csp pointer so it can raise the new
+ *      CSP_FLAG_MODIFIED flag.
+ *
+ *    Bugfix
+ *
+ *    Added configurable size limit for the IOB. If the IOB grows so
+ *      large that the next read would exceed the limit, the header
+ *      is generated, and the header & unfiltered buffer are flushed
+ *      to the client. Chat then continues in non-buffering,
+ *      non-filtering body mode.
+ *
  *    Revision 1.44  2001/10/02 18:13:57  oes
  *    Ooops
  *
@@ -539,23 +564,34 @@ static void chat(struct client_state *csp)
     * we have to do one of the following:
     *
     * create = use the original HTTP request to create a new
-    *          HTTP request that has only the path component
-    *          without the http://domainspec
-    * pass   = pass the original HTTP request unchanged
+    *          HTTP request that has either the path component
+    *          without the http://domainspec (w/path) or the
+    *          full orininal URL (w/url)
+    *          Note that the path and/or the HTTP version may
+    *          have been altered by now.
+    * 
+    * connect = Open a socket to the host:port of the server
+    *           and short-circuit server and client socket.
     *
-    * drop   = drop the HTTP request
+    * pass =  Pass the request unchanged if forwarding a CONNECT
+    *         request to a parent proxy. Note that we'll be sending
+    *         the CFAIL message ourselves if connecting to the parent
+    *         fails, but we won't send a CSUCCEED message if it works,
+    *         since that would result in a double message (ours and the
+    *         parent's). After sending the request to the parent, we simply
+    *         tunnel.
     *
-    * here's the matrix:
+    * here's the matrix: 
     *                        SSL
     *                    0        1
     *                +--------+--------+
     *                |        |        |
-    *             0  | create | drop   |
-    *                |        |        |
+    *             0  | create | connect|
+    *                | w/path |        |
     *  Forwarding    +--------+--------+
     *                |        |        |
-    *             1  | pass   | pass   |
-    *                |        |        |
+    *             1  | create | pass   |
+    *                | w/url  |        |
     *                +--------+--------+
     *
     */
@@ -575,7 +611,28 @@ static void chat(struct client_state *csp)
       url_actions(http, csp);
    }
 
-#ifdef FEATURE_COOKIE_JAR
+
+   /*
+    * Check if a CONNECT request is allowable:
+    * In the absence of a +limit-connect action, allow only port 443.
+    * If there is an action, allow whatever matches the specificaton.
+    */
+   if(http->ssl)
+   {
+      if(  ( !(csp->action->flags & ACTION_LIMIT_CONNECT) && csp->http->port != 443) 
+           || (csp->action->flags & ACTION_LIMIT_CONNECT
+              && !match_portlist(csp->action->string[ACTION_STRING_LIMIT_CONNECT], csp->http->port)) )
+      {
+         strcpy(buf, CFORBIDDEN);
+         write_socket(csp->cfd, buf, strlen(buf));
+         
+         log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str);
+         log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str);
+
+         return;
+      }
+   }
+            
 
    /*
     * Downgrade http version from 1.1 to 1.0 if +downgrade
@@ -588,10 +645,10 @@ static void chat(struct client_state *csp)
    }
 
    /*
-    * (Re)build the HTTP request. If forwarding, use the whole URL,
-    * else, use only the path.
+    * (Re)build the HTTP request for non-SSL requests.
+    * If forwarding, use the whole URL, else, use only the path.
     */
-   if (http->ssl == 0)
+   if (http->ssl == 0)  
    {  
       freez(http->cmd);
 
@@ -610,10 +667,11 @@ static void chat(struct client_state *csp)
       http->cmd = strsav(http->cmd, " ");
       http->cmd = strsav(http->cmd, http->ver);
 
-      enlist(csp->headers, http->cmd);
    }
+   enlist(csp->headers, http->cmd);
 
 
+#ifdef FEATURE_COOKIE_JAR
    /*
     * If we're logging cookies in a cookie jar, and the user has not
     * supplied any wafers, and the user has not told us to suppress the
@@ -627,6 +685,7 @@ static void chat(struct client_state *csp)
    }
 #endif /* def FEATURE_COOKIE_JAR */
 
+
 #ifdef FEATURE_KILL_POPUPS
    block_popups               = ((csp->action->flags & ACTION_NO_POPUPS) != 0);
 #endif /* def FEATURE_KILL_POPUPS */