Overview
Comment: Update comments on althttpd.c. No changes to code.
SHA3-256: 3f569fa95d26b73c02366b40f7b63813
User & Date: drh 2018-01-15 13:31:37.963
Context
2018-01-15
14:28 Add caching to static content delivery in althttpd.c. (check-in: 635a6553e2 user: drh tags: trunk)
13:31 Update comments on althttpd.c. No changes to code. (check-in: 3f569fa95d user: drh tags: trunk)
2018-01-13
20:37 Fix typo in the how-to-corrupt document. (check-in: 66c7f7dcd6 user: drh tags: trunk)
Changes
Changes to misc/althttpd.c.
1 2 3 4 5 | /* ** A small, simple HTTP server. ** ** Features: ** | | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | /* ** A small, simple HTTP server. ** ** Features: ** ** * Launched from inetd/xinetd/stunnel4, or as a stand-alone server ** * One process per request ** * Deliver static content or run CGI ** * Virtual sites based on the "Host:" property of the HTTP header ** * Runs in a chroot jail ** * Unified log file in a CSV format ** * Small code base (this 1 file) to facilitate security auditing ** * Simple setup - no configuration files to mess with. ** ** This file implements a small and simple but secure and effective web ** server. There are no frills. Anything that could be reasonably ** omitted has been. ** ** Setup rules: |
︙ | ︙ | |||
29 30 31 32 33 34 35 | ** contain content. The directory is chosen based on the HTTP_HOST ** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** | | > > > > > > > | 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 | ** contain content. The directory is chosen based on the HTTP_HOST ** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** ** (3) Any file or directory whose name begins with "." or "-" is ignored, ** except for /.well-known/ at the top-level. The exception is for ** RFC-5785 to allow letsencrypt or certbot to generate a TSL cert ** using webroot. ** ** (4) Characters other than [0-9a-zA-Z,-./:_~] and any %HH characters ** escapes in the filename are all translated into "_". This is ** a defense against cross-site scripting attacks and other mischief. ** ** (5) Executable files are run as CGI. All other files are delivered ** as is. ** ** (6) For SSL support use stunnel and add the -https 1 option on the ** httpd command-line. ** ** (7) If a file named "-auth" exists in the same directory as the file to ** be run as CGI or to be delivered, then it contains information ** for HTTP Basic authorization. See file format details below. ** ** (8) To run as a stand-alone server, simply add the "-port N" command-line ** option to define which TCP port to listen on. ** ** (9) For static content, the mimetype is determined by the file suffix ** using a table built into the source code below. If you have ** unusual content files, you might need to extend this table. 
** ** Command-line Options: ** ** --root DIR Defines the directory that contains the various ** $HOST.website subdirectories, each containing web content ** for a single virtual host. If launched as root and if ** "--user USER" also appears on the command-line and if |
︙ | ︙ | |||
150 151 152 153 154 155 156 157 158 159 160 161 162 163 | ** * "user NAME LOGIN:PASSWORD" checks to see if LOGIN:PASSWORD ** authorization credentials are provided, and if so sets the ** REMOTE_USER to NAME. ** * "realm TEXT" sets the realm to TEXT. ** ** There can be multiple "user" lines. If no "user" line matches, the ** request fails with a 401 error. */ #include <stdio.h> #include <ctype.h> #include <syslog.h> #include <stdlib.h> #include <sys/stat.h> #include <unistd.h> | > > > | 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 | ** * "user NAME LOGIN:PASSWORD" checks to see if LOGIN:PASSWORD ** authorization credentials are provided, and if so sets the ** REMOTE_USER to NAME. ** * "realm TEXT" sets the realm to TEXT. ** ** There can be multiple "user" lines. If no "user" line matches, the ** request fails with a 401 error. ** ** Because of security rule (7), there is no way for the content of the "-auth" ** file to leak out via HTTP request. */ #include <stdio.h> #include <ctype.h> #include <syslog.h> #include <stdlib.h> #include <sys/stat.h> #include <unistd.h> |
︙ | ︙ |
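Review bot: In the Setup rules hunk, rule (4) writes the allowed filename set as [0-9a-zA-Z,-./:_~], where the "-" between "," and "." reads as a range in bracket notation. That range happens to cover exactly ",", "-" and ".", but since this comment documents the filter described as a defense against cross-site scripting, listing "-" last (for example [0-9a-zA-Z,./:_~-]) would spare an auditor from checking ASCII order. In the same hunk, rule (3) says "TSL cert" where "TLS cert" is meant, and rule (4) says "%HH characters escapes" where "%HH character escapes" is meant. Rules (6) and (8) give the options as "-https 1" and "-port N", while the Command-line Options section right after uses "--root DIR" and "--user USER"; the comment should use one form throughout.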
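Review bot: The sentence added at the end of the "-auth" file-format comment cites "security rule (7)", but under the numbering introduced in this same check-in rule (7) is the rule that defines the "-auth" file. The rule that keeps that file from being served is rule (3), which ignores any file or directory whose name begins with "." or "-". Suggest changing the reference to rule (3), or citing both, so a reader auditing the authentication path lands on the rule that actually provides the guarantee. Minor wording: "via HTTP request" reads better as "via an HTTP request".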