X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=jcc.c;h=7c09830b8cf92311c3c3ffbdcbec3248e247a576;hp=c1e09ea8e981adac57712e171317f8d2fccfb533;hb=b6619e83a3f38095ff7732bd765e601de26fb717;hpb=ba8be56b388eb04451dc700b64f03fde6829fe54 diff --git a/jcc.c b/jcc.c index c1e09ea8..7c09830b 100644 --- a/jcc.c +++ b/jcc.c @@ -1,4 +1,4 @@ -const char jcc_rcs[] = "$Id: jcc.c,v 1.45 2001/10/07 15:42:11 oes Exp $"; +const char jcc_rcs[] = "$Id: jcc.c,v 1.47 2001/10/10 16:44:36 oes Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $ @@ -33,6 +33,12 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.45 2001/10/07 15:42:11 oes Exp $"; * * Revisions : * $Log: jcc.c,v $ + * Revision 1.47 2001/10/10 16:44:36 oes + * Added CONNECT destination port limitation check + * + * Revision 1.46 2001/10/08 15:17:41 oes + * Re-enabled SSL forwarding + * * Revision 1.45 2001/10/07 15:42:11 oes * Replaced 6 boolean members of csp with one bitmap (csp->flags) * @@ -605,7 +611,28 @@ static void chat(struct client_state *csp) url_actions(http, csp); } -#ifdef FEATURE_COOKIE_JAR + + /* + * Check if a CONNECT request is allowable: + * In the absence of a +limit-connect action, allow only port 443. + * If there is an action, allow whatever matches the specificaton. + */ + if(http->ssl) + { + if( ( !(csp->action->flags & ACTION_LIMIT_CONNECT) && csp->http->port != 443) + || (csp->action->flags & ACTION_LIMIT_CONNECT + && !match_portlist(csp->action->string[ACTION_STRING_LIMIT_CONNECT], csp->http->port)) ) + { + strcpy(buf, CFORBIDDEN); + write_socket(csp->cfd, buf, strlen(buf)); + + log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str); + log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str); + + return; + } + } + /* * Downgrade http version from 1.1 to 1.0 if +downgrade 
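Review bot: The two log_error() calls in the new denial branch record only the client address, so a blocked CONNECT cannot later be tied to the destination it asked for, and the CLF entry is written with an empty request field (`\" \"`). Logging the rejected port and the request line would make these 403s usable for investigation and alerting, e.g. `log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s to port %d", csp->ip_addr_str, csp->http->port);` and `log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 403 0", csp->ip_addr_str, http->cmd);`. This assumes `http->cmd`, which chat() uses in a later hunk, is already populated at this point and that log_error() accepts `%d`; both should be confirmed. chat() starts and ends outside this hunk.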
@@ -644,6 +671,7 @@ static void chat(struct client_state *csp) enlist(csp->headers, http->cmd); +#ifdef FEATURE_COOKIE_JAR /* * If we're logging cookies in a cookie jar, and the user has not * supplied any wafers, and the user has not told us to suppress the @@ -657,6 +685,7 @@ static void chat(struct client_state *csp) } #endif /* def FEATURE_COOKIE_JAR */ + #ifdef FEATURE_KILL_POPUPS block_popups = ((csp->action->flags & ACTION_NO_POPUPS) != 0); #endif /* def FEATURE_KILL_POPUPS */