It allows configuring another page or site that can be used
to reach sensitive CGI resources.
Example:
trusted-cgi-referrer http://www.example.org/blafasel
Currently the parameter is a vanilla string (not a regular
expression) and has to match the beginning of the Referer
the client used to reach a harmful resource.
Sponsored by: Robert Klemme
-const char cgi_rcs[] = "$Id: cgi.c,v 1.169 2017/01/23 13:05:26 fabiankeil Exp $";
+const char cgi_rcs[] = "$Id: cgi.c,v 1.170 2017/01/23 16:12:18 fabiankeil Exp $";
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/cgi.c,v $
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/cgi.c,v $
{
char *referrer;
static const char alternative_prefix[] = "http://" CGI_SITE_1_HOST "/";
{
char *referrer;
static const char alternative_prefix[] = "http://" CGI_SITE_1_HOST "/";
+ const char *trusted_cgi_referrer = csp->config->trusted_cgi_referrer;
referrer = grep_cgi_referrer(csp);
referrer = grep_cgi_referrer(csp);
+ else if ((trusted_cgi_referrer != NULL) && (0 == strncmp(referrer,
+ trusted_cgi_referrer, strlen(trusted_cgi_referrer))))
+ {
+ /*
+ * After some more testing this block should be merged with
+ * the previous one or the log level should bedowngraded.
+ */
+ log_error(LOG_LEVEL_INFO, "Granting access to %s based on trusted referrer %s",
+ csp->http->url, referrer);
+
+ return TRUE;
+ }
else
{
/* Untrustworthy referrer */
else
{
/* Untrustworthy referrer */
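Review bot: The added `else if` branch accepts any Referer that merely begins with the configured string, so a `trusted-cgi-referrer` value that stops inside the host part (no `/` after the host name) also matches longer host names that share that prefix. The code or its comment should require the value to extend at least to the first `/` after the host, for example with `/* trusted_cgi_referrer must include the path separator after the host, otherwise the prefix match also covers other hosts */` above the `strncmp()` call. The block also logs the client-supplied `referrer` at `LOG_LEVEL_INFO`; whether `log_error()` escapes control characters is not visible here and is worth confirming. The in-code comment has a typo ("bedowngraded"), and the earlier `if` branches of this chain, including any NULL check on `referrer`, are outside the hunk.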
-const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.153 2016/05/22 12:43:07 fabiankeil Exp $";
+const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.154 2016/09/27 22:48:28 ler762 Exp $";
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/loadcfg.c,v $
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/loadcfg.c,v $
#define hash_toggle 447966U /* "toggle" */
#define hash_trust_info_url 430331967U /* "trust-info-url" */
#define hash_trust_x_forwarded_for 2971537414U /* "trust-x-forwarded-for" */
#define hash_toggle 447966U /* "toggle" */
#define hash_trust_info_url 430331967U /* "trust-info-url" */
#define hash_trust_x_forwarded_for 2971537414U /* "trust-x-forwarded-for" */
+#define hash_trusted_cgi_referrer 4270883427U /* "trusted-cgi-referrer" */
#define hash_trustfile 56494766U /* "trustfile" */
#define hash_usermanual 1416668518U /* "user-manual" */
#define hash_activity_animation 1817904738U /* "activity-animation" */
#define hash_trustfile 56494766U /* "trustfile" */
#define hash_usermanual 1416668518U /* "user-manual" */
#define hash_activity_animation 1817904738U /* "activity-animation" */
freez(config->proxy_info_url);
freez(config->proxy_args);
freez(config->usermanual);
freez(config->proxy_info_url);
freez(config->proxy_args);
freez(config->usermanual);
+ freez(config->trusted_cgi_referrer);
#ifdef FEATURE_TRUST
freez(config->trustfile);
#ifdef FEATURE_TRUST
freez(config->trustfile);
config->client_tag_lifetime = 60;
#endif
config->trust_x_forwarded_for = 0;
config->client_tag_lifetime = 60;
#endif
config->trust_x_forwarded_for = 0;
+ config->trusted_cgi_referrer = NULL;
/*
* 128 client sockets ought to be enough for everybody who can't
* be bothered to read the documentation to figure out how to
/*
* 128 client sockets ought to be enough for everybody who can't
* be bothered to read the documentation to figure out how to
config->trust_x_forwarded_for = parse_toggle_state(cmd, arg);
break;
config->trust_x_forwarded_for = parse_toggle_state(cmd, arg);
break;
+/* *************************************************************************
+ * trusted-cgi-referrer http://www.example.org/some/path.html
+ * *************************************************************************/
+ case hash_trusted_cgi_referrer :
+ /*
+ * We don't validate the specified referrer as
+ * it's only used for string comparison.
+ */
+ freez(config->trusted_cgi_referrer);
+ config->trusted_cgi_referrer = strdup_or_die(arg);
+ break;
+
/* *************************************************************************
* trustfile filename
* (In confdir by default.)
/* *************************************************************************
* trustfile filename
* (In confdir by default.)
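Review bot: The `hash_trusted_cgi_referrer` case stores `arg` unchecked, and the cgi.c comparison uses `strlen(trusted_cgi_referrer)` as its length, so an empty argument gives `strncmp(..., 0) == 0` and every non-NULL referrer would be treated as trusted. If `arg` can be empty at this point (the parser is outside the hunk), guard the assignment after the `freez()`: `if (*arg != '\0') config->trusted_cgi_referrer = strdup_or_die(arg);`, which leaves the feature disabled instead. The comment "We don't validate the specified referrer" should then be reworded to say that only emptiness is checked and that the value is used as a plain prefix. The surrounding `switch` continues outside the hunk.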
#ifndef PROJECT_H_INCLUDED
#define PROJECT_H_INCLUDED
/** Version string. */
#ifndef PROJECT_H_INCLUDED
#define PROJECT_H_INCLUDED
/** Version string. */
-#define PROJECT_H_VERSION "$Id: project.h,v 1.218 2016/12/24 16:00:49 fabiankeil Exp $"
+#define PROJECT_H_VERSION "$Id: project.h,v 1.219 2017/01/23 16:10:28 fabiankeil Exp $"
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/project.h,v $
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/project.h,v $
/** IP addresses to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */
const char *haddr[MAX_LISTENING_SOCKETS];
/** IP addresses to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */
const char *haddr[MAX_LISTENING_SOCKETS];
+ /** Trusted referring site that can be used to reach CGI
+ * pages that aren't marked as harmful.
+ */
+ const char *trusted_cgi_referrer;
+
/** Ports to bind to. Defaults to HADDR_PORT == 8118. */
int hport[MAX_LISTENING_SOCKETS];
/** Ports to bind to. Defaults to HADDR_PORT == 8118. */
int hport[MAX_LISTENING_SOCKETS];
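Review bot: The doc comment on `trusted_cgi_referrer` says the referrer can be used to reach CGI pages "that aren't marked as harmful", which reads as the opposite of the commit description, where the setting grants access to sensitive (harmful) CGI resources. Since this field widens access to the protected pages, the comment should say so plainly and mention the matching rule, e.g. `/** Trusted referring site (matched as a string prefix of the Referer) that may be used to reach CGI pages considered harmful. NULL if unset. */`. The enclosing struct definition starts and ends outside the hunk.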