After three file modification time mismatches, turn the CGI editor off.

diff --git a/ChangeLog b/ChangeLog
index 9f66a97..c7a0420 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,10 @@ ChangeLog for Privoxy
 - Not enabling limit-connect now allows CONNECT requests to all ports.
   In previous versions it would only allow CONNECT requests to port 443.
   Use +limit-connect{443} if you think you need the old default behaviour.
+- The CGI editor gets turned off after three edit requests with invalid
+  file modification timestamps. This makes life harder for attackers
+  who can leverage browser bugs to send fake Referers and intend to
+  brute-force edit URLs.
 - Fixed false-positives with the link-by-url filter and URLs that
   contain the pattern "/jump/".
 - The less-download-windows filter no longer messes

diff --git a/cgiedit.c b/cgiedit.c
index 190c1a1..e6506a8 100644 (file)
--- a/cgiedit.c
+++ b/cgiedit.c
@@ -1,4 +1,4 @@
-const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.57 2007/10/27 13:32:23 fabiankeil Exp $";
+const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.58 2007/11/28 17:57:01 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/cgiedit.c,v $
@@ -42,6 +42,10 @@ const char cgiedit_rcs[] = "$Id: cgiedit.c,v 1.57 2007/10/27 13:32:23 fabiankeil
  *
  * Revisions   :
  *    $Log: cgiedit.c,v $
+ *    Revision 1.58  2007/11/28 17:57:01  fabiankeil
+ *    Fix double free in cgi_edit_actions_list().
+ *    Reported by adlab in BR#1840145.
+ *
  *    Revision 1.57  2007/10/27 13:32:23  fabiankeil
  *    Plug minor 5-year-old memory leak. Spotted by
  *    Valgrind and triggered by Privoxy-Regression-Test.
@@ -495,6 +499,11 @@ struct file_line
 /** This file_line is in a {{description}} block. */
 #define FILE_LINE_DESCRIPTION_ENTRY    10
 
+/*
+ * Number of file modification time mismatches
+ * before the CGI editor gets turned off.
+ */
+#define ACCEPTABLE_TIMESTAMP_MISMATCHES 3
 
 /**
  * A configuration file, in a format that can be edited and written back to
@@ -2010,6 +2019,7 @@ jb_err edit_read_actions_file(struct client_state *csp,
 {
    jb_err err;
    struct editable_file *file;
+   static int acceptable_failures = ACCEPTABLE_TIMESTAMP_MISMATCHES - 1;
 
    assert(csp);
    assert(parameters);
@@ -2027,7 +2037,24 @@ jb_err edit_read_actions_file(struct client_state *csp,
       }
       else if (err == JB_ERR_MODIFIED)
       {
+         assert(require_version);
          err = cgi_error_modified(csp, rsp, lookup(parameters, "f"));
+         log_error(LOG_LEVEL_ERROR,
+            "Blocking CGI edit request due to modification time mismatch.");
+         if (acceptable_failures > 0)
+         {
+            log_error(LOG_LEVEL_INFO,
+               "The CGI editor will be turned off after another %d mismatche(s).",
+               acceptable_failures);
+            acceptable_failures--;
+         }
+         else
+         {
+            log_error(LOG_LEVEL_INFO,
+               "Timestamp mismatch limit reached, turning CGI editor off. "
+               "Reload the configuration file to reenable it.");
+            csp->config->feature_flags &= ~RUNTIME_FEATURE_CGI_EDIT_ACTIONS;
+         }
       }
       if (err == JB_ERR_OK)
       {