Diffstat (limited to 'source/web/cgi.c')
-rw-r--r-- | source/web/cgi.c | 137 |
1 files changed, 28 insertions, 109 deletions
diff --git a/source/web/cgi.c b/source/web/cgi.c index a1aa4d753dc..ae60d72b7b7 100644 --- a/source/web/cgi.c +++ b/source/web/cgi.c @@ -18,16 +18,16 @@ */ -#include "includes.h" -#include "smb.h" +#include <stdio.h> +#include <stdlib.h> +#include <sys/stat.h> +#include <string.h> +#include <fcntl.h> +#include <unistd.h> +#include <pwd.h> #define MAX_VARIABLES 10000 -/* set the expiry on fixed pages */ -#define EXPIRY_TIME (60*60*24*7) - -#define CGI_LOGGING 0 - #ifdef DEBUG_COMMENTS extern void print_title(char *fmt, ...); #endif @@ -43,8 +43,6 @@ static int content_length; static int request_post; static int request_get; static char *query_string; -static char *baseurl; -static char *pathinfo; static void unescape(char *buf) { @@ -460,6 +458,8 @@ handle a http authentication line static int cgi_handle_authorization(char *line) { char *p, *user, *pass; + struct passwd *pwd; + int ret=0; if (strncasecmp(line,"Basic ", 6)) { cgi_setup_error("401 Bad Authorization", "", @@ -477,13 +477,20 @@ static int cgi_handle_authorization(char *line) pass = p+1; /* currently only allow connections as root */ - if (strcmp(user,"root")) { + if (strcasecmp(user,"root")) { cgi_setup_error("401 Bad Authorization", "", "incorrect username/password"); } + + pwd = getpwnam(user); + if (!strcmp((char *)crypt(pass, pwd->pw_passwd),pwd->pw_passwd)) { + ret = 1; + } - return password_ok(user, pass, strlen(pass), NULL); + memset(pass, 0, strlen(pass)); + + return ret; } @@ -505,6 +512,11 @@ static void cgi_download(char *file) } } + if (strstr(file,"..")) { + cgi_setup_error("404 File Not Found","", + "Relative paths not allowed"); + } + if (!file_exist(file, &st)) { cgi_setup_error("404 File Not Found","", "The requested file was not found"); 
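Review bot: The include set added in this hunk declares nothing for crypt(), which the new cgi_handle_authorization further down the file calls and casts with `(char *)`; the cast reads like a workaround for an implicit declaration, which would return int and truncate the pointer on 64-bit targets. On glibc crypt() is declared in `<crypt.h>` (or by `<unistd.h>` only when `_XOPEN_SOURCE` is defined before the first include), and `strcasecmp`/`strncasecmp` are declared in `<strings.h>` on POSIX. I would add `#include <crypt.h>` and `#include <strings.h>` here and drop the cast at the call site; which header applies depends on the target libc, which the diff does not show.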
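Review bot: `pwd->pw_passwd` is dereferenced without checking that getpwnam() returned an entry, and since the user test was loosened to strcasecmp() a login name such as `ROOT` passes it but getpwnam("ROOT") returns NULL on a case-sensitive passwd database, crashing the process. crypt() can likewise return NULL (unsupported or empty setting string), and strcmp() then dereferences that. I would refuse a missing entry or an empty `pw_passwd` through the existing 401 path and compare only when crypt() succeeds, as below, reusing the `p` already declared in the function; the hunk relies on cgi_setup_error() not returning, which is not visible here, so the `else if` keeps the comparison out of the failure case either way. Comparing against `pw_passwd` also only works where the hash is actually in /etc/passwd rather than /etc/shadow — worth a comment such as `/* NOTE(review): expects the hash in pw_passwd; fails on shadowed systems */` at the getpwnam() call.
```c
	pwd = getpwnam(user);
	/* NOTE(review): expects the hash in pw_passwd; fails on shadowed systems */
	if (!pwd || !pwd->pw_passwd || !*pwd->pw_passwd) {
		cgi_setup_error("401 Bad Authorization", "",
				"incorrect username/password");
	} else if ((p = crypt(pass, pwd->pw_passwd)) &&
		   strcmp(p, pwd->pw_passwd) == 0) {
		ret = 1;
	}
	/* … unchanged: memset(pass, 0, strlen(pass)) and return ret … */
```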
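Review bot: The new `strstr(file,"..")` check stops parent-directory traversal but not absolute paths: cgi_setup passes `url+1` to this function, so a request for `//etc/passwd` arrives here as `/etc/passwd`, which contains no `..` and is opened regardless of the earlier chdir(rootdir). Unless the part of cgi_download above this hunk already rejects a leading `/`, I would extend the guard to `if (file[0] == '/' || strstr(file,"..")) {`. The substring test is also broader than needed (it rejects a name like `a..b`), which is fine for a conservative filter but deserves a comment such as `/* reject any ".." anywhere rather than parse path components */`.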
@@ -516,16 +528,12 @@ static void cgi_download(char *file) } printf("HTTP/1.1 200 OK\r\n"); if ((p=strrchr(file,'.'))) { - if (strcmp(p,".gif")==0) { + if (strcmp(p,".gif")==0 || strcmp(p,".jpg")==0) { printf("Content-Type: image/gif\r\n"); - } else if (strcmp(p,".jpg")==0) { - printf("Content-Type: image/jpeg\r\n"); } else { printf("Content-Type: text/html\r\n"); } } - printf("Expires: %s\r\n", http_timestring(time(NULL)+EXPIRY_TIME)); - printf("Content-Length: %d\r\n\r\n", (int)st.st_size); while ((l=read(fd,buf,sizeof(buf)))>0) { fwrite(buf, 1, l, stdout); @@ -539,15 +547,12 @@ static void cgi_download(char *file) setup the cgi framework, handling the possability that this program is either run as a true cgi program by a web browser or is itself a mini web server ***************************************************************************/ -void cgi_setup(char *rootdir, int auth_required) +void cgi_setup(char *rootdir) { int authenticated = 0; char line[1024]; char *url=NULL; char *p; -#if CGI_LOGGING - FILE *f; -#endif if (chdir(rootdir)) { cgi_setup_error("400 Server Error", "", @@ -559,19 +564,9 @@ void cgi_setup(char *rootdir, int auth_required) return; } -#if CGI_LOGGING - f = fopen("/tmp/cgi.log", "a"); - if (f) fprintf(f,"\n[Date: %s %s (%s)]\n", - http_timestring(time(NULL)), - client_name(1), client_addr(1)); -#endif - /* we are a mini-web server. We need to read the request from stdin and handle authentication etc */ while (fgets(line, sizeof(line)-1, stdin)) { -#if CGI_LOGGING - if (f) fputs(line, f); -#endif if (line[0] == '\r' || line[0] == '\n') break; if (strncasecmp(line,"GET ", 4)==0) { request_get = 1; 
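Review bot: The deleted `Content-Length` printf was also the only place the `\r\n\r\n` that ends the header block was written, so after this hunk the file body is appended directly after the `Content-Type` line and every download is delivered as a malformed response. Since `st` is still filled in by file_exist() above, keep `printf("Content-Length: %d\r\n\r\n", (int)st.st_size);` (or at minimum `printf("\r\n");`) before the read loop; without a length and without a `Connection: close` on this path an HTTP/1.1 client also cannot find the end of the body. Separately, folding `.jpg` into the gif test labels JPEG files `image/gif`; restore `} else if (strcmp(p,".jpg")==0) {` with `printf("Content-Type: image/jpeg\r\n");`. cgi_download starts before this hunk.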
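Review bot: The header comment above cgi_setup still says the program may be "run as a true cgi program by a web browser", but after this commit the function only reads a request from stdin (the context line a few lines down says "we are a mini-web server"), the `auth_required` parameter is gone and the getenv()-based CGI fallbacks are deleted further down the file. I would rewrite the comment to something like `set up the mini web server: read the HTTP request from stdin, require HTTP Basic authentication as root, then serve a static file or fall through to the dynamic page` and fix the spelling of "possability". The signature change also means every caller of cgi_setup() must be updated, which this diff does not show. The body of cgi_setup continues past the end of this hunk.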
@@ -589,11 +584,8 @@ void cgi_setup(char *rootdir, int auth_required) } /* ignore all other requests! */ } -#if CGI_LOGGING - if (f) fclose(f); -#endif - if (auth_required && !authenticated) { + if (!authenticated) { cgi_setup_error("401 Authorization Required", "WWW-Authenticate: Basic realm=\"root\"\r\n", "You must be authenticated to use this service"); 
@@ -618,85 +610,12 @@ void cgi_setup(char *rootdir, int auth_required) *p = 0; } - if (strstr(url+1,"..")==0 && file_exist(url+1, NULL)) { + if (strcmp(url,"/")) { cgi_download(url+1); } printf("HTTP/1.1 200 OK\r\nConnection: close\r\n"); - printf("Date: %s\r\n", http_timestring(time(NULL))); - baseurl = ""; - pathinfo = url+1; -} - - -/*************************************************************************** -return the current pages URL - ***************************************************************************/ -char *cgi_baseurl(void) -{ - if (baseurl) { - return baseurl; - } - return getenv("SCRIPT_NAME"); -} - -/*************************************************************************** -return the root URL for images etc - ***************************************************************************/ -char *cgi_rooturl(void) -{ - if (baseurl) { - return "/"; - } - return "/swat/"; -} - - -/*************************************************************************** -return the current pages path info - ***************************************************************************/ -char *cgi_pathinfo(void) -{ - char *r; - if (pathinfo) { - return pathinfo; - } - r = getenv("PATH_INFO"); - if (!r) return ""; - if (*r == '/') r++; - return r; -} - -/*************************************************************************** -return the hostname of the client - ***************************************************************************/ -char *cgi_remote_host(void) -{ - if (baseurl) { - return client_name(1); - } - return getenv("REMOTE_HOST"); -} - -/*************************************************************************** -return the hostname of the client - ***************************************************************************/ -char *cgi_remote_addr(void) -{ - if (baseurl) { - return client_addr(1); - } - return getenv("REMOTE_ADDR"); + } -/*************************************************************************** -return True if the request was a 
POST - ***************************************************************************/ -BOOL cgi_waspost(void) -{ - if (baseurl) { - return request_post; - } - return strequal(getenv("REQUEST_METHOD"), "POST"); -} |
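Review bot: `strcmp(url,"/")` now routes every request other than `/` into cgi_download(), whereas the removed condition also required file_exist(url+1, NULL); a URL that names no file used to fall through to the dynamic `200 OK` response below and now gets cgi_download's 404 instead, so dynamic pages other than `/` become unreachable unless that is intended. If cgi_setup_error() returns rather than exiting (not visible here), the 404 headers are then followed by the `HTTP/1.1 200 OK` line from this hunk in the same response. url is initialised to NULL in cgi_setup and assigned only from the request line outside this hunk, so if a request without a GET/POST line can reach this point strcmp() dereferences NULL; a guard such as `if (!url) url = "/";` before the comparison, or a 400 error, would close that. cgi_setup begins before this hunk.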