authorRobert James Kaes <rjkaes@users.sourceforge.net>2003-06-20 17:02:13 +0000
committerRobert James Kaes <rjkaes@users.sourceforge.net>2003-06-20 17:02:13 +0000
commit4c9141aac6b60eab1a0113d45ac059a78097b0f7 (patch)
treef94631c1b13568855c0c9f7575a32fda5798ae4f
parent0d3962f1f069845c2f396ca2450d9529f27d556b (diff)
Removed the "ViaHeader" directive and replaced it with the
"ViaProxyName" directive. The "Via" HTTP header is _required_ by the HTTP spec, so the code has been changed to always send the header. However, including the proxy's host name could be considered a security threat, so the "ViaProxyName" directive is used to set the token sent in the "Via" header. If the directive is not enabled the proxy's host name will be used.
Diffstat (limited to '')
-rw-r--r--doc/tinyproxy.conf9
-rw-r--r--src/grammar.y20
-rw-r--r--src/reqs.c46
-rw-r--r--src/scanner.l9
-rw-r--r--src/tinyproxy.h7
5 files changed, 47 insertions, 44 deletions
diff --git a/doc/tinyproxy.conf b/doc/tinyproxy.conf
index 9eacb95..6bc9729 100644
--- a/doc/tinyproxy.conf
+++ b/doc/tinyproxy.conf
@@ -166,11 +166,12 @@ Allow 127.0.0.1
Allow 192.168.1.0/25
#
-# Control whether the HTTP Via header should be included in requests or
-# responses. The RFC says it should be there, but it could be a security
-# concern. The default is off.
+# The "Via" header is required by the HTTP RFC, but using the real host name
+# is a security concern. If the following directive is enabled, the string
+# supplied will be used as the host name in the Via header; otherwise, the
+# server's host name will be used.
#
-#ViaHeader On
+ViaProxyName "tinyproxy"
#
# The location of the filter file.
diff --git a/src/grammar.y b/src/grammar.y
index 404f450..6d39a53 100644
--- a/src/grammar.y
+++ b/src/grammar.y
@@ -1,4 +1,4 @@
-/* $Id: grammar.y,v 1.21 2003-05-29 19:43:58 rjkaes Exp $
+/* $Id: grammar.y,v 1.22 2003-06-20 17:02:13 rjkaes Exp $
*
* This is the grammar for tinyproxy's configuration file. It needs to be
* in sync with scanner.l. If you know more about yacc and lex than I do
@@ -51,11 +51,12 @@ int yylex(void);
%token KW_FILTER KW_FILTERURLS KW_FILTEREXTENDED KW_FILTER_DEFAULT_DENY
%token KW_FILTER_CASESENSITIVE
%token KW_UPSTREAM
-%token KW_CONNECTPORT KW_BIND KW_HTTP_VIA
+%token KW_CONNECTPORT KW_BIND
%token KW_STATHOST
%token KW_ALLOW KW_DENY
%token KW_ERRORPAGE KW_DEFAULT_ERRORPAGE
%token KW_STATPAGE
+%token KW_VIA_PROXY_NAME
/* yes/no switches */
%token KW_YES KW_NO
@@ -210,14 +211,10 @@ statement
log_message(LOG_WARNING, "The 'Bind' directive can not be used with transparent proxy support. Ignoring the directive.");
#endif
}
- | KW_HTTP_VIA yesno
+ | KW_VIA_PROXY_NAME string
{
- if ($2) {
- log_message(LOG_INFO, "Enabling HTTP Via header.");
- config.via_http_header = TRUE;
- } else {
- config.via_http_header = FALSE;
- }
+ log_message(LOG_INFO, "Setting \"Via\" proxy name to: %s", $2);
+ config.via_proxy_name = $2;
}
| KW_STATHOST string
{
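Review bot: The `KW_VIA_PROXY_NAME string` action stores `$2` in `config.via_proxy_name` with no check on its content, and the reqs.c hunk in this commit copies that value into the buffer used for the Via header. If the `string` rule can yield an empty value or characters that are not valid in an HTTP token (space, comma, CR, LF), the proxy would presumably emit a malformed or split header line on every request and response. Rejecting such values at parse time keeps the problem out of the request path, for example `if ($2[0] == '\0' || strpbrk($2, " \t\r\n,") != NULL) yyerror("invalid ViaProxyName");`. The `statement` rule starts and continues outside this hunk, so whether `string` already restricts these characters is not visible here.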
@@ -258,7 +255,7 @@ string
%%
-extern unsigned int yylineno;
+extern unsigned int scanner_lineno;
void
yyerror(char *s)
@@ -270,5 +267,6 @@ yyerror(char *s)
headerdisplayed = 1;
}
- fprintf(stderr, "\t%s:%d: %s\n", config.config_file, yylineno, s);
+ fprintf(stderr, "\t%s:%d: %s\n", config.config_file, scanner_lineno, s);
+ exit(EXIT_FAILURE);
}
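Review bot: `scanner_lineno` is declared `unsigned int` in the hunk above but is printed with `%d` here; the specifier should match, `fprintf(stderr, "\t%s:%u: %s\n", config.config_file, scanner_lineno, s);`. The added `exit(EXIT_FAILURE)` also makes the first syntax error fatal, which the commit message does not mention. Since the scanner.l hunk drops the `viaheader` keyword, a configuration that still contains `ViaHeader` would presumably now stop the proxy from starting. A short comment above `yyerror` stating that it does not return, and a line in the upgrade notes, would make that explicit.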
diff --git a/src/reqs.c b/src/reqs.c
index a54535c..2a2f603 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1,4 +1,4 @@
-/* $Id: reqs.c,v 1.103 2003-06-06 16:14:50 rjkaes Exp $
+/* $Id: reqs.c,v 1.104 2003-06-20 17:02:13 rjkaes Exp $
*
* This is where all the work in tinyproxy is actually done. Incoming
* connections have a new child created for them. The child then
@@ -987,8 +987,8 @@ get_content_length(hashmap_t hashofheaders)
}
/*
- * Search for Via head in a hash of headers and either write a new Via header,
- * or append our information to the end of an existing Via header.
+ * Search for Via header in a hash of headers and either write a new Via
+ * header, or append our information to the end of an existing Via header.
*
* FIXME: Need to add code to "hide" our internal information for security
* purposes.
@@ -998,11 +998,15 @@ write_via_header(int fd, hashmap_t hashofheaders,
unsigned int major, unsigned int minor)
{
ssize_t len;
- char hostname[128];
+ char hostname[512];
char *data;
int ret;
- gethostname(hostname, sizeof(hostname));
+ if (config.via_proxy_name) {
+ strlcpy(hostname, config.via_proxy_name, sizeof(hostname));
+ } else if (gethostname(hostname, sizeof(hostname)) < 0) {
+ strcpy(hostname, "unknown");
+ }
/*
* See if there is a "Via" header. If so, again we need to do a bit
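Review bot: The `gethostname()` branch can leave `hostname` without a terminating NUL when the name is truncated, because POSIX leaves termination unspecified in that case. Adding `hostname[sizeof(hostname) - 1] = '\0';` after the if/else chain closes that gap before the buffer is used as a string. The return value of `strlcpy()` is ignored, so an over-long `ViaProxyName` is silently cut; comparing it with `sizeof(hostname)` and logging once would make the truncation visible. The FIXME kept in the function's header comment asks for exactly the hiding this change introduces, so it can be dropped or reworded. The rest of `write_via_header` lies outside this hunk.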
@@ -1089,17 +1093,15 @@ process_client_headers(struct conn_s *connptr, hashmap_t hashofheaders)
}
/* Send, or add the Via header */
- if (config.via_http_header) {
- ret = write_via_header(connptr->server_fd, hashofheaders,
- connptr->protocol.major,
- connptr->protocol.minor);
- if (ret < 0) {
- indicate_http_error(connptr, 503,
- "Could not send data to remote server",
- "detail", "A network error occurred while trying to write data to the remote web server.",
- NULL);
- goto PULL_CLIENT_DATA;
- }
+ ret = write_via_header(connptr->server_fd, hashofheaders,
+ connptr->protocol.major,
+ connptr->protocol.minor);
+ if (ret < 0) {
+ indicate_http_error(connptr, 503,
+ "Could not send data to remote server",
+ "detail", "A network error occurred while trying to write data to the remote web server.",
+ NULL);
+ goto PULL_CLIENT_DATA;
}
/*
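Review bot: With the `config.via_http_header` guard removed here and in the `process_server_headers` hunk below, an installation that never sets `ViaProxyName` starts sending its real host name to both the origin server and the client, whereas the old default sent no Via header at all. The sample config enables the directive, but existing configs will not have it. A log warning at startup when `config.via_proxy_name` is NULL, or a fixed fallback pseudonym instead of the host name, would keep the default from disclosing internal naming. The comment could also say so, e.g. `/* Via is always sent; the token is config.via_proxy_name, else the host name */`. Both functions start and end outside their hunks.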
@@ -1239,13 +1241,11 @@ process_server_headers(struct conn_s *connptr)
}
/* Send, or add the Via header */
- if (config.via_http_header) {
- ret = write_via_header(connptr->client_fd, hashofheaders,
- connptr->protocol.major,
- connptr->protocol.minor);
- if (ret < 0)
- goto ERROR_EXIT;
- }
+ ret = write_via_header(connptr->client_fd, hashofheaders,
+ connptr->protocol.major,
+ connptr->protocol.minor);
+ if (ret < 0)
+ goto ERROR_EXIT;
/*
* All right, output all the remaining headers to the client.
diff --git a/src/scanner.l b/src/scanner.l
index f685b23..d1664a8 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -1,4 +1,4 @@
-/* $Id: scanner.l,v 1.19 2003-03-13 21:42:45 rjkaes Exp $
+/* $Id: scanner.l,v 1.20 2003-06-20 17:02:13 rjkaes Exp $
*
* This builds the scanner for the tinyproxy configuration file. This
* file needs to stay in sync with grammar.y. If someone knows lex and yacc
@@ -54,7 +54,7 @@ static struct keyword keywords[] = {
{ "deny", KW_DENY },
{ "connectport", KW_CONNECTPORT },
{ "bind", KW_BIND },
- { "viaheader", KW_HTTP_VIA },
+ { "viaproxyname", KW_VIA_PROXY_NAME },
{ "stathost", KW_STATHOST },
{ "errorfile", KW_ERRORPAGE },
{ "defaulterrorfile", KW_DEFAULT_ERRORPAGE },
@@ -81,7 +81,8 @@ static struct keyword keywords[] = {
#define MAX_REGEXP_LEN 1024
-unsigned int yylineno = 1;
+unsigned int scanner_lineno = 1;
+
char tiny_buf[MAX_REGEXP_LEN];
char *tiny_str;
@@ -103,7 +104,7 @@ word [^ \#'"\(\)\{\}\\;\n\t,|\.]
%%
\#.*$ ;
-\n { yylineno++; return '\n'; }
+\n { ++scanner_lineno; return '\n'; }
: { return ':'; }
{white}+ ;
0x{digit}+ { yylval.num = strtol(yytext, NULL, 16); return NUMBER; }
diff --git a/src/tinyproxy.h b/src/tinyproxy.h
index 1c21762..d014748 100644
--- a/src/tinyproxy.h
+++ b/src/tinyproxy.h
@@ -1,4 +1,4 @@
-/* $Id: tinyproxy.h,v 1.40 2003-06-02 21:55:14 rjkaes Exp $
+/* $Id: tinyproxy.h,v 1.41 2003-06-20 17:02:12 rjkaes Exp $
*
* See 'tinyproxy.c' for a detailed description.
*
@@ -61,7 +61,10 @@ struct config_s {
unsigned int idletimeout;
char* bind_address;
- unsigned int via_http_header; /* boolean */
+ /*
+ * The configured name to use in the HTTP "Via" header field.
+ */
+ char* via_proxy_name;
/*
* Error page support. This is an array of pointers to structures
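Review bot: The new comment on `via_proxy_name` does not say what an unset value means or who owns the string. From the other hunks, NULL selects the `gethostname()` fallback in `write_via_header` and the pointer comes straight from the parser's `$2`, so something like `/* Token sent in the "Via" header; NULL means fall back to the host name. Set by the config parser. */` would save the next reader from cross-referencing reqs.c and grammar.y. Whether the string is ever freed is not visible in this commit.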