From: jongfoster Date: Sat, 26 May 2001 15:26:15 +0000 (+0000) Subject: ACL feature now provides more security by immediately dropping X-Git-Tag: v_2_9_9~478 X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=8e22cb9cdedac101a56a2f4e724aef21ef1a1cc4 ACL feature now provides more security by immediately dropping connections from untrusted hosts. --- diff --git a/filters.c b/filters.c index cab956f7..80fa4ca2 100644 --- a/filters.c +++ b/filters.c @@ -1,4 +1,4 @@ -const char filters_rcs[] = "$Id: filters.c,v 1.5 2001/05/25 22:34:30 jongfoster Exp $"; +const char filters_rcs[] = "$Id: filters.c,v 1.6 2001/05/26 00:28:36 jongfoster Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/filters.c,v $ @@ -38,6 +38,13 @@ const char filters_rcs[] = "$Id: filters.c,v 1.5 2001/05/25 22:34:30 jongfoster * * Revisions : * $Log: filters.c,v $ + * Revision 1.6 2001/05/26 00:28:36 jongfoster + * Automatic reloading of config file. + * Removed obsolete SIGHUP support (Unix) and Reload menu option (Win32). + * Most of the global variables have been moved to a new + * struct configuration_spec, accessed through csp->config->globalname + * Most of the globals remaining are used by the Win32 GUI. + * * Revision 1.5 2001/05/25 22:34:30 jongfoster * Hard tabs->Spaces * @@ -214,21 +221,23 @@ static const char CTRUST[] = * Decide yes or no based on ACL file. * * Parameters : - * 1 : src = Address the browser/user agent is requesting. - * 2 : dst = The proxy or gateway address this is going to. - * 3 : csp = Current client state (buffers, headers, etc...) + * 1 : dst = The proxy or gateway address this is going to. + * Or NULL to check all possible targets. + * 2 : csp = Current client state (buffers, headers, etc...) + * Also includes the client IP address. * * Returns : 0 = FALSE (don't block) and 1 = TRUE (do block) * *********************************************************************/ -int block_acl(struct access_control_addr *src, struct access_control_addr *dst, struct client_state *csp) +int block_acl(struct access_control_addr *dst, + struct client_state *csp) { struct file_list *fl; struct access_control_list *a, *acl; - struct access_control_addr s[1], d[1]; /* if not using an access control list, then permit the connection */ - if (((fl = csp->alist) == NULL) || ((acl = fl->f) == NULL)) + if (((fl = csp->alist) == NULL) || + ((acl = (struct access_control_list *) fl->f) == NULL)) { return(0); } @@ -236,28 +245,27 @@ int block_acl(struct access_control_addr *src, struct access_control_addr *dst, /* search the list */ for (a = acl->next ; a ; a = a->next) { - *s = *src; - *d = *dst; - - s->addr &= a->src->mask; - d->addr &= a->dst->mask; - - if ((s->addr == a->src->addr) - && (d->addr == a->dst->addr) - && ((s->port == a->src->port) - || (s->port == 0) - || (a->src->port == 0)) - && ((d->port == a->dst->port) - || (d->port == 0) - || (a->dst->port == 0))) + if ((csp->ip_addr_long & a->src->mask) == a->src->addr) { - if (a->action == ACL_PERMIT) + if (dst == NULL) { - return(0); + /* Just want to check if they have any access */ + if (a->action == ACL_PERMIT) + { + return(0); + } } - else + else if ( ((dst->addr & a->dst->mask) == a->dst->addr) + && ((dst->port == a->dst->port) || (a->dst->port == 0))) { - return(1); + if (a->action == ACL_PERMIT) + { + return(0); + } + else + { + return(1); + } } } } diff --git a/filters.h b/filters.h index 70643883..0e563c33 100644 --- a/filters.h +++ b/filters.h @@ -1,6 +1,6 @@ #ifndef _FILTERS_H #define _FILTERS_H -#define FILTERS_H_VERSION "$Id: filters.h,v 1.2 2001/05/20 01:21:20 jongfoster Exp $" +#define FILTERS_H_VERSION "$Id: filters.h,v 1.3 2001/05/22 18:46:04 oes Exp $" /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/filters.h,v $ @@ -40,6 +40,50 @@ * * Revisions : * $Log: filters.h,v $ + * Revision 1.3 2001/05/22 18:46:04 oes + * + * - Enabled filtering banners by size rather than URL + * by adding patterns that replace all standard banner + * sizes with the "Junkbuster" gif to the re_filterfile + * + * - Enabled filtering WebBugs by providing a pattern + * which kills all 1x1 images + * + * - Added support for PCRE_UNGREEDY behaviour to pcrs, + * which is selected by the (nonstandard and therefore + * capital) letter 'U' in the option string. + * It causes the quantifiers to be ungreedy by default. + * Appending a ? turns back to greedy (!). + * + * - Added a new interceptor ijb-send-banner, which + * sends back the "Junkbuster" gif. Without imagelist or + * MSIE detection support, or if tinygif = 1, or the + * URL isn't recognized as an imageurl, a lame HTML + * explanation is sent instead. + * + * - Added new feature, which permits blocking remote + * script redirects and firing back a local redirect + * to the browser. + * The feature is conditionally compiled, i.e. it + * can be disabled with --disable-fast-redirects, + * plus it must be activated by a "fast-redirects" + * line in the config file, has its own log level + * and of course wants to be displayed by show-proxy-args + * Note: Boy, all the #ifdefs in 1001 locations and + * all the fumbling with configure.in and acconfig.h + * were *way* more work than the feature itself :-( + * + * - Because a generic redirect template was needed for + * this, tinygif = 3 now uses the same. + * + * - Moved GIFs, and other static HTTP response templates + * to project.h + * + * - Some minor fixes + * + * - Removed some >400 CRs again (Jon, you really worked + * a lot! ;-) + * * Revision 1.2 2001/05/20 01:21:20 jongfoster * Version 2.9.4 checkin. * - Merged popupfile and cookiefile, and added control over PCRS @@ -67,7 +111,7 @@ extern "C" { #endif #ifdef ACL_FILES -extern int block_acl(struct access_control_addr *src, struct access_control_addr *dst, struct client_state *csp); +extern int block_acl(struct access_control_addr *dst, struct client_state *csp); extern int acl_addr(char *aspec, struct access_control_addr *aca); #endif /* def ACL_FILES */ diff --git a/jbsockets.c b/jbsockets.c index 69f3e3a3..00ed5b3d 100644 --- a/jbsockets.c +++ b/jbsockets.c @@ -1,4 +1,4 @@ -const char jbsockets_rcs[] = "$Id: jbsockets.c,v 1.3 2001/05/25 21:57:54 jongfoster Exp $"; +const char jbsockets_rcs[] = "$Id: jbsockets.c,v 1.4 2001/05/26 00:37:42 jongfoster Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jbsockets.c,v $ @@ -35,6 +35,9 @@ const char jbsockets_rcs[] = "$Id: jbsockets.c,v 1.3 2001/05/25 21:57:54 jongfos * * Revisions : * $Log: jbsockets.c,v $ + * Revision 1.4 2001/05/26 00:37:42 jongfoster + * Cosmetic indentation correction. + * * Revision 1.3 2001/05/25 21:57:54 jongfoster * Now gives a warning under Windows if you try to bind * it to a port that's already in use. @@ -116,7 +119,7 @@ int connect_to(char *host, int portnum, struct client_state *csp) #endif /* !defined(_WIN32) && !defined(__BEOS__) && !defined(AMIGA) */ #ifdef ACL_FILES - struct access_control_addr src[1], dst[1]; + struct access_control_addr dst[1]; #endif /* def ACL_FILES */ memset((char *)&inaddr, 0, sizeof inaddr); @@ -127,13 +130,10 @@ int connect_to(char *host, int portnum, struct client_state *csp) } #ifdef ACL_FILES - src->addr = csp->ip_addr_long; - src->port = 0; - dst->addr = ntohl(addr); dst->port = portnum; - if (block_acl(src, dst, csp)) + if (block_acl(dst, csp)) { errno = EPERM; return(-1); diff --git a/jcc.c b/jcc.c index 38ac12d9..0970e0be 100644 --- a/jcc.c +++ b/jcc.c @@ -1,4 +1,4 @@ -const char jcc_rcs[] = "$Id: jcc.c,v 1.8 2001/05/25 22:43:18 jongfoster Exp $"; +const char jcc_rcs[] = "$Id: jcc.c,v 1.9 2001/05/26 00:28:36 jongfoster Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $ @@ -33,6 +33,13 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.8 2001/05/25 22:43:18 jongfoster Exp $"; * * Revisions : * $Log: jcc.c,v $ + * Revision 1.9 2001/05/26 00:28:36 jongfoster + * Automatic reloading of config file. + * Removed obsolete SIGHUP support (Unix) and Reload menu option (Win32). + * Most of the global variables have been moved to a new + * struct configuration_spec, accessed through csp->config->globalname + * Most of the globals remaining are used by the Win32 GUI. + * * Revision 1.8 2001/05/25 22:43:18 jongfoster * Fixing minor memory leak and buffer overflow. * @@ -1113,29 +1120,38 @@ static void listen_loop(void) { exit(1); } -#endif +#endif + freez(csp); continue; } else { log_error(LOG_LEVEL_CONNECT, "OK"); - } + } #if defined(TOGGLE) /* by haroon - most of credit to srt19170 */ csp->toggled_on = g_bToggleIJB; #endif - /* add it to the list of clients */ - csp->next = clients->next; - clients->next = csp; - if (run_loader(csp)) { log_error(LOG_LEVEL_FATAL, "a loader failed - must exit"); /* Never get here - LOG_LEVEL_FATAL causes program exit */ } - + + if (block_acl(NULL,csp)) + { + log_error(LOG_LEVEL_CONNECT, "Connection dropped due to ACL"); + close_socket(csp->cfd); + freez(csp); + continue; + } + + /* add it to the list of clients */ + csp->next = clients->next; + clients->next = csp; + if (config->multi_threaded) { int child_id;