Documentation Source Text

Check-in [5bb4dfcc73]

Overview
Comment:Update the HTTP server to prohibit malformed and possibly malicious HTTP_HOST parameters.
SHA1: 5bb4dfcc73b900a9f9544333b604dceefba464c9
User & Date: drh 2014-10-05 20:54:57
Context
2014-10-05
23:01
Improved documentation comments on the althttpd.c server program. check-in: d217041b2b user: drh tags: trunk
20:54
Update the HTTP server to prohibit malformed and possibly malicious HTTP_HOST parameters. check-in: 5bb4dfcc73 user: drh tags: trunk
20:07
Move the 3.8.7 release into October. Updates to URI documentation. check-in: 55869edbde user: drh tags: trunk
Changes

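--- a/misc/althttpd.c
+++ b/misc/althttpd.c
@@ -888,15 +888,49 @@
 /* 1x */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
 /* 2x */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  1,  1,  1,  1,
 /* 3x */   1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  0,  0,  0,  0,  0,
 /* 4x */   0,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
 /* 5x */   1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  0,  0,  0,  0,  1,
 /* 6x */   0,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
 /* 7x */   1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  0,  0,  0,  1,  0,
+/* 8x */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* 9x */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* Ax */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* Bx */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* Cx */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* Dx */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* Ex */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+/* Fx */   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
 };
+
+/*
+** Remove all disallowed characters in the input string z[].  Convert any
+** disallowed characters into "_".
+**
+** Not that the three character sequence "%XX" where X is any byte is
+** converted into a single "_" character.
+**
+** Return the number of characters converted.  An "%XX" -> "_" conversion
+** counts as a single character.
+*/
+static int sanitizeString(char *z){
+  int nChange = 0;
+  while( *z ){
+    if( !allowedInName[*(unsigned char*)z] ){
+      if( *z=='%' && z[1]!=0 && z[2]!=0 ){
+        int i;
+        for(i=3; (z[i-2] = z[i])!=0; i++){}
+      }
+      *z = '_';
+      nChange++;
+    }
+    z++;
+  }
+  return nChange;
+}
 
 /*
 ** Count the number of "/" characters in a string.
 */
 static int countSlashes(const char *z){
   int n = 0;
   while( *z ) if( *(z++)=='/' ) n++;
@@ -1015,14 +1049,15 @@
         closeConnection = 1;
       }else if( !forceClose && strcasecmp(zVal, "keep-alive")==0 ){
         closeConnection = 0;
       }
     }else if( strcasecmp(zFieldName,"Host:")==0 ){
       int inSquare = 0;
       char c;
+      if( sanitizeString(zVal) ) Forbidden();
       zHttpHost = StrDup(zVal);
       zServerPort = zServerName = StrDup(zHttpHost);
       while( zServerPort && (c = *zServerPort)!=0
               && (c!=':' || inSquare) ){
         if( c=='[' ) inSquare = 1;
         if( c==']' ) inSquare = 0;
         zServerPort++;
@@ -1035,15 +1070,15 @@
         zServerPort = StrDup(zRealPort);
       }
     }else if( strcasecmp(zFieldName,"Authorization:")==0 ){
       zAuthType = GetFirstElement(StrDup(zVal), &zAuthArg);
     }
   }
 
-  /* Disallow referring from certain clients */
+  /* Disallow requests from certain clients */
   if( zAgent ){
     if( strstr(zAgent, "Windows_9")!=0
      || strstr(zAgent, "Download_Master")!=0
      || strstr(zAgent, "Ezooms/")!=0
    /*|| strstr(zAgent, "bingbot")!=0*/
      || strstr(zAgent, "AhrefsBot")!=0
     ){
@@ -1135,28 +1170,20 @@
   /* Make sure the running time is not too great */
   if( useTimeout ) alarm(10);
 
   /* Convert all unusual characters in the script name into "_".
   **
   ** This is a defense against various attacks, XSS attacks in particular.
   */
-  for(z=zScript; *z; z++){
-    unsigned char c = *(unsigned char*)z;
-    if( (c&0x80)!=0 || !allowedInName[c] ){
-      *z = '_';
-      if( c=='%' && z[1]!=0 && z[2]!=0 ){
-        for(i=3; (z[i-2] = z[i])!=0; i++){}
-      }
-    }
-  }
+  sanitizeString(zScript);
 
-  /* Don't allow "/." or "/-" to to occur anywhere in the entity name.
+  /* Do not allow "/." or "/-" to to occur anywhere in the entity name.
   ** This prevents attacks involving ".." and also allows us to create
-  ** files and directories whose names begin with "-" which are invisible
-  ** to the webserver.
+  ** files and directories whose names begin with "-" or "." which are
+  ** invisible to the webserver.
   */
   for(z=zScript; *z; z++){
     if( *z=='/' && (z[1]=='.' || z[1]=='-') ){
        NotFound(__LINE__);
     }
   }
 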
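Review bot: In the `Host:` branch (new line 1056) the header value is validated against `allowedInName[]`, a table written for script names, and its visible rows do not fit a host name well: `/`, `,` and `~` are accepted, while `[` and `]` (0x5B and 0x5D in the 5x row) are rejected. Assuming Forbidden() does not return, a bracketed IPv6 literal now gets a 403 and the `inSquare` handling a few lines below becomes unreachable, so it should either be removed or the brackets allowed deliberately. If the host name is later used to build a filesystem path (not visible in this diff), a host-specific rule would be tighter, for example `if( sanitizeString(zVal) || strchr(zVal,'/')!=0 ) Forbidden();`. The enclosing request-processing function starts and ends outside the hunk.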