summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRobert James Kaes <rjkaes@users.sourceforge.net>2002-04-12 17:00:42 +0000
committerRobert James Kaes <rjkaes@users.sourceforge.net>2002-04-12 17:00:42 +0000
commitecb249f4247f1afa412bc7cc0acff4d92aa3675a (patch)
tree027729b734a934932e299ff69059a1dcfe2d6dfd /src
parent660e4d5687a92fd44ce5c23a4e3d68a786867551 (diff)
downloadtinyproxy-ecb249f4247f1afa412bc7cc0acff4d92aa3675a.tar.gz
tinyproxy-ecb249f4247f1afa412bc7cc0acff4d92aa3675a.zip
Added code to support the new ConnectPort directive which is needed to
improve security of the tinyproxy system. This new directive allows the admin to block CONNECT methods to illegal ports.
Diffstat (limited to '')
-rw-r--r--src/reqs.c73
-rw-r--r--src/reqs.h3
2 files changed, 74 insertions, 2 deletions
diff --git a/src/reqs.c b/src/reqs.c
index 5244b9d..c57184a 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1,4 +1,4 @@
-/* $Id: reqs.c,v 1.56 2002-04-12 03:09:04 rjkaes Exp $
+/* $Id: reqs.c,v 1.57 2002-04-12 17:00:42 rjkaes Exp $
*
* This is where all the work in tinyproxy is actually done. Incoming
* connections have a new thread created for them. The thread then
@@ -72,6 +72,64 @@
#define CHECK_CRLF(header, len) ((len == 1 && header[0] == '\n') || (len == 2 && header[0] == '\r' && header[1] == '\n'))
/*
+ * This is a global variable which stores which ports are allowed by
+ * the CONNECT method. It's a security thing.
+ */
+static vector_t ports_allowed_by_connect = NULL;
+
+/*
+ * Now, this routine adds a "port" to the list. It also creates the list if
+ * it hasn't already by done.
+ */
+void
+add_connect_port_allowed(int port)
+{
+ if (!ports_allowed_by_connect) {
+ ports_allowed_by_connect = vector_create();
+ if (!ports_allowed_by_connect) {
+ log_message(LOG_WARNING, "Could not create a list of allowed CONNECT ports");
+ return;
+ }
+ }
+
+ log_message(LOG_INFO, "Adding Port [%d] to the list allowed by CONNECT", port);
+ vector_insert(ports_allowed_by_connect, (void **)&port, sizeof(port));
+}
+
+/*
+ * This routine checks to see if a port is allowed in the CONNECT method.
+ *
+ * Returns: 1 if allowed
+ * 0 if denied
+ * negative upon error
+ */
+static int
+check_allowed_connect_ports(int port)
+{
+ ssize_t i;
+ ssize_t ret;
+ int *data;
+
+ /*
+ * If the port list doesn't exist, allow everything. This might need
+ * to be changed in the future.
+ */
+ if (!ports_allowed_by_connect)
+ return 1;
+
+ for (i = 0; i < vector_length(ports_allowed_by_connect); ++i) {
+ ret = vector_getentry(ports_allowed_by_connect, i, (void **)&data);
+ if (ret < 0)
+ return -1;
+
+ if (*data == port)
+ return 1;
+ }
+
+ return 0;
+}
+
+/*
* Read in the first line from the client (the request line for HTTP
* connections. The request line is allocated from the heap, but it must
* be freed in another function.
@@ -337,6 +395,19 @@ process_request(struct conn_s *connptr)
return NULL;
}
+
+ /* Verify that the port in the CONNECT method is allowed */
+ if (check_allowed_connect_ports(request->port) <= 0) {
+ httperr(connptr, 403,
+ "CONNECT method not allowed with selected port.");
+ log_message(LOG_INFO, "Refused CONNECT method on port %d",
+ request->port);
+
+ safefree(url);
+ free_request_struct(request);
+
+ return NULL;
+ }
connptr->connect_method = TRUE;
} else {
diff --git a/src/reqs.h b/src/reqs.h
index 5b6f1f9..b73ac0e 100644
--- a/src/reqs.h
+++ b/src/reqs.h
@@ -1,4 +1,4 @@
-/* $Id: reqs.h,v 1.2 2000-09-12 00:04:42 rjkaes Exp $
+/* $Id: reqs.h,v 1.3 2002-04-12 17:00:42 rjkaes Exp $
*
* See 'reqs.c' for a detailed description.
*
@@ -20,5 +20,6 @@
#define _TINYPROXY_REQS_H_
extern void handle_connection(int fd);
+extern void add_connect_port_allowed(int port);
#endif