author | Robert James Kaes <rjkaes@users.sourceforge.net> | 2004-08-12 20:15:04 +0000 |
---|---|---|
committer | Robert James Kaes <rjkaes@users.sourceforge.net> | 2004-08-12 20:15:04 +0000 |
commit | b3943c21f2862dc180d47248fb02a990dc977432 (patch) | |
tree | c6efec07274a467e7a5ed185f3713cbb8b38a6e0 | |
parent | 28dd133623823d216ef681a6a38b5a1c5fe837ac (diff) | |
(check_allowed_connect_ports): By default DENY any CONNECT requests
unless explicitly allowed by a configuration directive.
-rw-r--r-- | src/reqs.c | 22 |
1 files changed, 9 insertions, 13 deletions
@@ -1,4 +1,4 @@
-/* $Id: reqs.c,v 1.115 2004-08-12 19:57:15 rjkaes Exp $
+/* $Id: reqs.c,v 1.116 2004-08-12 20:15:04 rjkaes Exp $
 *
 * This is where all the work in tinyproxy is actually done. Incoming
 * connections have a new child created for them. The child then
@@ -111,7 +111,6 @@ add_connect_port_allowed(int port)
 *
 * Returns: 1 if allowed
 * 0 if denied
- * negative upon error
 */
 static int
 check_allowed_connect_ports(int port)
@@ -119,20 +118,17 @@ check_allowed_connect_ports(int port)
 ssize_t i;
 int *data;
- /*
- * If the port list doesn't exist, allow everything. This might need
- * to be changed in the future.
- */
+ /*
+ * A port list is REQUIRED for a CONNECT request to function
+ * properly. This closes a potential security hole.
+ */
 if (!ports_allowed_by_connect)
- return 1;
+ return 0;
 for (i = 0; i != vector_length(ports_allowed_by_connect); ++i) {
 data = vector_getentry(ports_allowed_by_connect, i, NULL);
- if (!data)
- return -1;
-
- if (*data == port)
- return 1;
+ if (data && *data == port)
+ return 1;
 }
 return 0;
@@ -762,7 +758,7 @@ process_request(struct conn_s *connptr, hashmap_t hashofheaders)
 }
 /* Verify that the port in the CONNECT method is allowed */
- if (check_allowed_connect_ports(request->port) <= 0) {
+ if (!check_allowed_connect_ports(request->port)) {
 indicate_http_error(connptr, 403, "Access violation",
 "detail",
 "The CONNECT method not allowed " \
 "with the port you tried to use.",
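Review bot: The rewritten loop in the third hunk drops the old error signal from `vector_getentry` without saying so: a NULL entry used to return -1 (and the caller's `<= 0` test denied it), while it is now silently skipped and only the final `return 0;` denies, so a list holding nothing but unreadable entries is fail-closed rather than reported. That is the right direction for a deny-by-default check, but the header comment in the second hunk should state it; I would extend it with `* 0 if denied, also when no port list is configured or an entry cannot be read`. Since the loop now also relies on every index up to `vector_length()` being reachable, `i < vector_length(ports_allowed_by_connect)` would be the more defensive condition than `!=` if that function can return a negative length on error, which I cannot confirm from the hunk. check_allowed_connect_ports begins in the second hunk and its closing brace lies past the end of the third.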