summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert James Kaes <rjkaes@users.sourceforge.net>2004-08-12 20:15:04 +0000
committerRobert James Kaes <rjkaes@users.sourceforge.net>2004-08-12 20:15:04 +0000
commitb3943c21f2862dc180d47248fb02a990dc977432 (patch)
treec6efec07274a467e7a5ed185f3713cbb8b38a6e0
parent28dd133623823d216ef681a6a38b5a1c5fe837ac (diff)
downloadtinyproxy-b3943c21f2862dc180d47248fb02a990dc977432.tar.gz
tinyproxy-b3943c21f2862dc180d47248fb02a990dc977432.zip
(check_allowed_connect_ports): By default DENY any CONNECT requests
unless explicitly allowed by a configuration directive.
-rw-r--r--src/reqs.c22
1 files changed, 9 insertions, 13 deletions
diff --git a/src/reqs.c b/src/reqs.c
index 3dd4b1d..f15578c 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1,4 +1,4 @@
-/* $Id: reqs.c,v 1.115 2004-08-12 19:57:15 rjkaes Exp $
+/* $Id: reqs.c,v 1.116 2004-08-12 20:15:04 rjkaes Exp $
*
* This is where all the work in tinyproxy is actually done. Incoming
* connections have a new child created for them. The child then
@@ -111,7 +111,6 @@ add_connect_port_allowed(int port)
*
* Returns: 1 if allowed
* 0 if denied
- * negative upon error
*/
static int
check_allowed_connect_ports(int port)
@@ -119,20 +118,17 @@ check_allowed_connect_ports(int port)
ssize_t i;
int *data;
- /*
- * If the port list doesn't exist, allow everything. This might need
- * to be changed in the future.
- */
+ /*
+ * A port list is REQUIRED for a CONNECT request to function
+ * properly. This closes a potential security hole.
+ */
if (!ports_allowed_by_connect)
- return 1;
+ return 0;
for (i = 0; i != vector_length(ports_allowed_by_connect); ++i) {
data = vector_getentry(ports_allowed_by_connect, i, NULL);
- if (!data)
- return -1;
-
- if (*data == port)
- return 1;
+ if (data && *data == port)
+ return 1;
}
return 0;
@@ -762,7 +758,7 @@ process_request(struct conn_s *connptr, hashmap_t hashofheaders)
}
/* Verify that the port in the CONNECT method is allowed */
- if (check_allowed_connect_ports(request->port) <= 0) {
+ if (!check_allowed_connect_ports(request->port)) {
indicate_http_error(connptr, 403, "Access violation",
"detail", "The CONNECT method not allowed " \
"with the port you tried to use.",