From eb7d670180a9e22a4a1581c5b29825a5ece9d18f Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Sat, 21 Jul 2007 11:51:36 +0000 Subject: [PATCH] As Hal noticed, checking dispatch_cgi() as the last cruncher looks like a bug if CGI requests are blocked unintentionally, so don't do it unless the user enabled the new config option "allow-cgi-request-crunching". --- jcc.c | 23 ++++++++++++++++++++++- loadcfg.c | 26 +++++++++++++++++++++++++- project.h | 8 +++++++- 3 files changed, 54 insertions(+), 3 deletions(-) diff --git a/jcc.c b/jcc.c index cccc49bb..408612bb 100644 --- a/jcc.c +++ b/jcc.c @@ -1,4 +1,4 @@ -const char jcc_rcs[] = "$Id: jcc.c,v 1.138 2007/06/03 18:45:18 fabiankeil Exp $"; +const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $ @@ -33,6 +33,14 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.138 2007/06/03 18:45:18 fabiankeil Exp $" * * Revisions : * $Log: jcc.c,v $ + * Revision 1.139 2007/07/14 07:46:41 fabiankeil + * - Allow to rewrite the request destination behind the client's back. + * - Turn the weird-looking unconditional for loop that + * reads the client request into a conditional while loop. + * Move the stuff that only runs once out of the loop. + * - Move parts of chat(), server_content_type() and the + * necessary stuff to fix BR#1750917 into get_filter_function(). + * * Revision 1.138 2007/06/03 18:45:18 fabiankeil * Temporary workaround for BR#1730105. * @@ -1587,6 +1595,19 @@ int crunch_response_triggered(struct client_state *csp, const struct cruncher cr struct http_response *rsp = NULL; const struct cruncher *c; + /* + * If CGI request crunching is disabled, + * check the CGI dispatcher out of order to + * prevent unintentional blocks or redirects. + */ + if (!(csp->config->feature_flags & RUNTIME_FEATURE_CGI_CRUNCHING) + && (NULL != (rsp = dispatch_cgi(csp)))) + { + /* Deliver, log and free the interception response. */ + send_crunch_response(csp, rsp); + return TRUE; + } + for (c = crunchers; c->cruncher != NULL; c++) { /* diff --git a/loadcfg.c b/loadcfg.c index dd322344..260f9214 100644 --- a/loadcfg.c +++ b/loadcfg.c @@ -1,4 +1,4 @@ -const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.63 2007/04/09 18:11:36 fabiankeil Exp $"; +const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.64 2007/05/21 10:44:08 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/loadcfg.c,v $ @@ -35,6 +35,15 @@ const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.63 2007/04/09 18:11:36 fabiankeil * * Revisions : * $Log: loadcfg.c,v $ + * Revision 1.64 2007/05/21 10:44:08 fabiankeil + * - Use strlcpy() instead of strcpy(). + * - Stop treating actions files special. Expect a complete file name + * (with or without path) like it's done for the rest of the files. + * Closes FR#588084. + * - Remove an unnecessary temporary memory allocation. + * - Don't log anything to the console when running as + * daemon and no errors occurred. + * * Revision 1.63 2007/04/09 18:11:36 fabiankeil * Don't mistake VC++'s _snprintf() for a snprintf() replacement. * @@ -486,6 +495,7 @@ static struct file_list *current_configfile = NULL; #define hash_actions_file 1196306641ul /* "actionsfile" */ #define hash_accept_intercepted_requests 1513024973ul /* "accept-intercepted-requests" */ #define hash_admin_address 4112573064ul /* "admin-address" */ +#define hash_allow_cgi_request_crunching 258915987ul /* "allow-cgi-request-crunching" */ #define hash_buffer_limit 1881726070ul /* "buffer-limit */ #define hash_confdir 1978389ul /* "confdir" */ #define hash_debug 78263ul /* "debug" */ @@ -818,6 +828,20 @@ struct configuration_spec * load_config(void) config->admin_address = strdup(arg); continue; +/* ************************************************************************* + * allow-cgi-request-crunching + * *************************************************************************/ + case hash_allow_cgi_request_crunching: + if ((*arg != '\0') && (0 != atoi(arg))) + { + config->feature_flags |= RUNTIME_FEATURE_CGI_CRUNCHING; + } + else + { + config->feature_flags &= ~RUNTIME_FEATURE_CGI_CRUNCHING; + } + continue; + /* ************************************************************************* * buffer-limit n * *************************************************************************/ diff --git a/project.h b/project.h index 6ef421c4..efc2400e 100644 --- a/project.h +++ b/project.h @@ -1,7 +1,7 @@ #ifndef PROJECT_H_INCLUDED #define PROJECT_H_INCLUDED /** Version string. */ -#define PROJECT_H_VERSION "$Id: project.h,v 1.97 2007/05/27 12:38:08 fabiankeil Exp $" +#define PROJECT_H_VERSION "$Id: project.h,v 1.98 2007/07/14 07:31:26 fabiankeil Exp $" /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/project.h,v $ @@ -37,6 +37,9 @@ * * Revisions : * $Log: project.h,v $ + * Revision 1.98 2007/07/14 07:31:26 fabiankeil + * Add new csp->content_type flag (CT_DECLARED). + * * Revision 1.97 2007/05/27 12:38:08 fabiankeil * - Remove some left-overs from the switch to dedicated header filters. * - Adjust "X-Filter: No" to disable dedicated header filters. @@ -1579,6 +1582,9 @@ struct access_control_list /** configuration_spec::feature_flags: Don't allow to circumvent blocks with the force prefix. */ #define RUNTIME_FEATURE_ENFORCE_BLOCKS 32 +/** configuration_spec::feature_flags: Allow to block or redirect CGI requests. */ +#define RUNTIME_FEATURE_CGI_CRUNCHING 64 + /** * Data loaded from the configuration file. -- 2.39.2