Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Improved documentation comments on the althttpd.c server program. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA1: |
d217041b2b858c07b86725b69efcb48f |
User & Date: | drh 2014-10-05 23:01:20.910 |
Context
2014-10-06
| ||
00:35 | Detect and disable a "bashdoor" attack against althttpd.c. (check-in: 389e06d34a user: drh tags: trunk) | |
2014-10-05
| ||
23:01 | Improved documentation comments on the althttpd.c server program. (check-in: d217041b2b user: drh tags: trunk) | |
20:54 | Update the HTTP server to prohibit malformed and possibly malicious HTTP_HOST parameters. (check-in: 5bb4dfcc73 user: drh tags: trunk) | |
Changes
Changes to misc/althttpd.c.
1 2 3 4 5 | /* ** A small, simple HTTP server. ** ** Features: ** | | > > | > > | > > | > | < | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 | /* ** A small, simple HTTP server. ** ** Features: ** ** * Launched from inetd, or as a stand-alone server ** * One process per request ** * Deliver static content or run CGI ** * Virtual sites based on the "Host:" property of the HTTP header ** * Runs in a chroot jail ** * Unified log file in a CSV format ** * Very small code base (1 file) to facilitate security auditing ** * Simple setup - no configuration files to mess with. ** ** This file implements a small and simple but secure and effective web ** server. There are no frills. Anything that could be reasonably ** omitted has been. ** ** Setup rules: ** ** (1) Launch as root from inetd like this: ** ** httpd -logfile logfile -root /home/www -user nobody ** ** It will automatically chroot to /home/www and become user nobody. ** The logfile name should be relative to the chroot jail. ** ** (2) Directories of the form "*.website" (ex: www_hwaci_com.website) ** contain content. The directory is chosen based on the HTTP_HOST ** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** ** (3) Any file or directory whose name begins with "." or "-" is ignored. ** ** (4) Characters other than [0-9a-zA-Z,-./:_~] and any %HH characters ** escapes in the filename are all translated into "_". This is ** a defense against cross-site scripting attacks and other mischief. ** ** (5) Executable files are run as CGI. All other files are delivered ** as is. ** ** (6) For SSL support use stunnel and add the -https 1 option on the ** httpd command-line. ** ** (7) If a file named "-auth" exists in the same directory as the file to ** be run as CGI or to be delivered, then it contains information ** for HTTP Basic authorization. See file format details below. ** ** (8) To run as a stand-alone server, simply add the "-port N" command-line ** option to define which TCP port to listen on. ** ** Command-line Options: ** ** --root DIR Defines the directory that contains the various ** $HOST.website subdirectories, each containing web content ** for a single virtual host. If launched as root and if ** "--user USER" also appears on the command-line and if ** "--jail 0" is omitted, then the process runs in a chroot ** jail rooted at this directory and under the userid USER. ** This option is required for xinetd launch but defaults ** to "." for a stand-alone web server. ** ** --user USER Define the user under which the process should run if ** originally launched as root. This process will refuse to ** run as root (for security). If this option is omitted and ** the process is launched as root, it will abort without ** processing any HTTP requests. ** ** --logfile FILE Append a single-line, CSV-format, log file entry to FILE ** for each HTTP request. FILE should be a full pathname. ** The FILE name is interpreted inside the chroot jail. ** ** --https Indicates that input is coming over SSL and is being ** decoded upstream, perhaps by stunnel. (This program ** only understands plaintext.) ** ** --family ipv4 Only accept input from IPV4 or IPV6, respectively. ** --family ipv6 These options are only meaningful if althttpd is run ** as a stand-alone server. ** ** --jail BOOLEAN Indicates whether or not to form a chroot jail if ** initially run as root. The default is true, so the only ** useful variant of this option is "--jail 0" which prevents ** the formation of the chroot jail. ** ** --debug Disables input timeouts. This is useful for debugging ** when inputs is being typed in manually. ** ** Command-line options can take either one or two initial "-" characters. ** So "--debug" and "-debug" mean the same thing, for example. ** ** ** Security Features: ** ** (1) This program automatically puts itself inside a chroot jail if ** it can and if not specifically prohibited by the "--jail 0" ** command-line option. The root of the jail is the directory that ** contains the various $HOST.website content subdirectories. ** ** (2) No input is read while this process has root privileges. Root ** privileges are dropped prior to reading any input (but after entering ** the chroot jail, of course). If root privileges cannot be dropped ** (for example because the --user command-line option was omitted or ** because the user specified by the --user option does not exist), ** then the process aborts with an error prior to reading any input. ** ** (3) The length of an HTTP request is limited to MAX_CONTENT_LENGTH bytes ** (default: 20 million). Any HTTP request longer than this fails ** with an error. ** ** (4) There are hard-coded time-outs on each HTTP request. If this process ** waits longer than the timeout for the complete request, or for CGI ** to finish running, then this process aborts. (The timeout feature ** can be disabled using the --debug command-line option.) ** ** (5) If the HTTP_HOST request header contains characters other than ** [0-9a-zA-Z,-./:_~] then the entire request is rejected. ** ** (6) Any characters in the URI pathname other than [0-9a-zA-Z,-./:_~] ** are converted into "_". This applies to the pathname only, not ** to the query parameters or fragment. ** ** (7) If the first character of any URI pathname component is "." or "-" ** then a 404 Not Found reply is generated. This prevents attacks ** such as including ".." or "." directory elements in the pathname ** and allows placing files and directories in the content subdirectory ** that are invisible to all HTTP requests, by making the first ** character of the file or subdirectory name "-" or ".". ** ** (8) The request URI must begin with "/" or else a 404 error is generated. ** ** ** Basic Authorization: ** ** If the file "-auth" exists in the same directory as the content file ** (for both static content and CGI) then it contains the information used ** for basic authorization. The file format is as follows: |
︙ | ︙ | |||
1789 1790 1791 1792 1793 1794 1795 | Malfunction(__LINE__, "no such user [%s]", zPermUser); } } if( getuid()==0 ){ Malfunction(__LINE__, "cannot run as root"); } | | | 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 | Malfunction(__LINE__, "no such user [%s]", zPermUser); } } if( getuid()==0 ){ Malfunction(__LINE__, "cannot run as root"); } /* Get the IP address from whence the request originates */ { address remoteAddr; unsigned int size = sizeof(remoteAddr); char zHost[NI_MAXHOST]; if( getpeername(0, &remoteAddr.sa, &size)>=0 ){ getnameinfo(&remoteAddr.sa, size, zHost, sizeof(zHost), 0, 0, |
︙ | ︙ |