From bc17a662ada1c32a1c9488bd550ba87cb4531420 Mon Sep 17 00:00:00 2001 From: stefanocasazza Date: Tue, 29 Jan 2019 15:34:55 +0100 Subject: [PATCH] add URI_PROTECTED_SSE --- examples/userver/userver.cfg.default | 2 ++ include/ulib/utility/uhttp.h | 3 +- openwrt/package/nodog/x86_64/Makefile | 2 +- src/ulib/net/server/plugin/mod_http.cpp | 12 ++++++++ src/ulib/net/server/plugin/mod_nodog.cpp | 35 ++++++++++++++++-------- src/ulib/utility/uhttp.cpp | 33 ++++++++++++++++------ tests/examples/TSA/tsaserial | 2 +- tests/ulib/README | 4 +-- 8 files changed, 68 insertions(+), 25 deletions(-) diff --git a/examples/userver/userver.cfg.default b/examples/userver/userver.cfg.default index bf3d5254..2c04ccbd 100644 --- a/examples/userver/userver.cfg.default +++ b/examples/userver/userver.cfg.default @@ -192,6 +192,7 @@ userver { # WEBSOCKET_TIMEOUT timeout for websocket request # DIGEST_AUTHENTICATION flag authentication method (yes = digest, no = basic) # +# URI_PROTECTED_SSE SSE needs authentication (/sse_event/) # URI_PROTECTED_MASK mask (DOS regexp) of URI protected from prying eyes (that needs authentication) # URI_PROTECTED_ALLOWED_IP list of comma separated client address for IP-based access control (IPADDR[/MASK]) for URI_PROTECTED_MASK # @@ -260,6 +261,7 @@ http { # WEBSOCKET_TIMEOUT -1 # DIGEST_AUTHENTICATION yes +# URI_PROTECTED_SSE yes # URI_PROTECTED_MASK /RA/admin/cgi-bin/* # URI_PROTECTED_ALLOWED_IP 127.0.0.1,10.30.0.0/16 diff --git a/include/ulib/utility/uhttp.h b/include/ulib/utility/uhttp.h index c61f2150..e1dcc9bb 100644 --- a/include/ulib/utility/uhttp.h +++ b/include/ulib/utility/uhttp.h @@ -714,6 +714,7 @@ public: #ifdef U_SSE_ENABLE // SERVER SENT EVENTS (SSE) typedef UString (*strPF)(); + static bool sse_auth; static strPF sse_func; static int sse_pipe_fd; static const char* sse_corsbase; 
@@ -1526,7 +1527,7 @@ private: static void putDataInCache(const UString& path, const UString& fmt, UString& content) U_NO_EXPORT; static void addContentLengthToHeader(UString& header, char* ptr, uint32_t size, const char* pEndHeader = U_NULLPTR) U_NO_EXPORT; static void setDataInCache(const UString& fmt, const UString& content, const char* encoding, uint32_t encoding_len) U_NO_EXPORT; - static bool processAuthorization(const char* ptr = U_NULLPTR, uint32_t sz = 0, const char* pattern = U_NULLPTR, uint32_t len = 0) U_NO_EXPORT; + static bool processAuthorization(const char* ptr, uint32_t sz, const char* pattern = U_NULLPTR, uint32_t len = 0) U_NO_EXPORT; static inline void resetFileCache() U_NO_EXPORT; static inline void setUpgrade(const char* ptr) U_NO_EXPORT; diff --git a/openwrt/package/nodog/x86_64/Makefile b/openwrt/package/nodog/x86_64/Makefile index 7dc8eaa7..73388cb2 100644 --- a/openwrt/package/nodog/x86_64/Makefile +++ b/openwrt/package/nodog/x86_64/Makefile @@ -46,7 +46,7 @@ NODOG_OPTIONS:= --disable-examples \ --with-ssl --with-libz --with-libtdb \ --without-expat --without-magic --without-pcre \ --disable-static --disable-new-ldflags --disable-zip --disable-LFS \ - --enable-log --enable-captive-portal --enable-static-server-plugin="nocat http" \ + --enable-log --enable-captive-portal --enable-static-server-plugin="nodog http" \ --disable-stdcpp --disable-thread --disable-HCRS --disable-HPRS --disable-HIS \ $(if $(CONFIG_NODOG_DEBUG),--enable-debug) \ $(if $(CONFIG_NODOG_UUID),--with-libuuid,--without-libuuid) \ diff --git a/src/ulib/net/server/plugin/mod_http.cpp b/src/ulib/net/server/plugin/mod_http.cpp index 9776ae9e..5140aefb 100644 --- a/src/ulib/net/server/plugin/mod_http.cpp +++ b/src/ulib/net/server/plugin/mod_http.cpp 
@@ -86,6 +86,7 @@ int UHttpPlugIn::handlerConfig(UFileConfig& cfg) // // ENABLE_CACHING_BY_PROXY_SERVERS enable caching by proxy servers (add "Cache control: public" directive) // + // URI_PROTECTED_SSE SSE needs authentication (/sse_event/) // URI_PROTECTED_MASK mask (DOS regexp) of URI protected from prying eyes // URI_PROTECTED_ALLOWED_IP list of comma separated client address for IP-based access control (IPADDR[/MASK]) for URI_PROTECTED_MASK // @@ -338,6 +339,17 @@ int UHttpPlugIn::handlerConfig(UFileConfig& cfg) U_INTERNAL_DUMP("UHTTP::digest_authentication = %b", UHTTP::digest_authentication) +# ifdef U_SSE_ENABLE // SERVER SENT EVENTS (SSE) + x = cfg.at(U_CONSTANT_TO_PARAM("URI_PROTECTED_SSE")); + + if (x) + { + U_INTERNAL_ASSERT_EQUALS(UHTTP::sse_auth, false) + + UHTTP::sse_auth = x.strtob(); + } +# endif + # ifdef USE_LIBSSL x = cfg.at(U_CONSTANT_TO_PARAM("URI_PROTECTED_MASK")); diff --git a/src/ulib/net/server/plugin/mod_nodog.cpp b/src/ulib/net/server/plugin/mod_nodog.cpp index af4b8613..e05dd147 100644 --- a/src/ulib/net/server/plugin/mod_nodog.cpp +++ b/src/ulib/net/server/plugin/mod_nodog.cpp @@ -257,14 +257,6 @@ U_NO_EXPORT void UNoDogPlugIn::makeInfoData(UFlatBuffer* pfb, void* param) if (U_peer_allowed) continue; - if (peer->ctraffic && - U_peer_permit == false) - { - U_SRV_LOG("WARNING: Peer IP %v MAC %v has made traffic(%u bytes) but it has status DENY", peer->ip.rep, peer->mac.rep, peer->ctraffic); - - continue; - } - // ----------------------------------------------------------------------------------------------------------------------------------------- // $1 -> mac // $2 -> ip 
@@ -286,10 +278,22 @@ U_NO_EXPORT void UNoDogPlugIn::makeInfoData(UFlatBuffer* pfb, void* param) if (peer->ctraffic) { - pfb->UInt(peer->ctraffic); - peer->ctraffic = 0; + if (U_peer_permit) + { + pfb->UInt(peer->ctraffic); - peer->time_no_traffic = 0U; + peer->time_no_traffic = 0U; + } + else + { + pfb->UInt(0U); + + peer->time_no_traffic += _ctime; + + U_SRV_LOG("WARNING: Peer IP %v MAC %v has made traffic(%u bytes) but it has status DENY", peer->ip.rep, peer->mac.rep, peer->ctraffic); + } + + peer->ctraffic = 0; /* pfb->UInt(_ctime); @@ -1419,6 +1423,15 @@ next: eraseTimer(); goto end; } + /** + if ((peer->_ctime + U_ONE_HOUR_IN_SECOND) < u_now->tv_sec) // if too old change as NEW user... + { + U_SRV_LOG("request from OLD USER but it has status very OLD"); + + goto log; + } + */ + goto welcome; } diff --git a/src/ulib/utility/uhttp.cpp b/src/ulib/utility/uhttp.cpp index 17a4cdf3..f7ad364c 100644 --- a/src/ulib/utility/uhttp.cpp +++ b/src/ulib/utility/uhttp.cpp @@ -176,6 +176,7 @@ URDBObjectHandler* UHTTP::db_session_ssl; #endif #ifdef U_SSE_ENABLE // SERVER SENT EVENTS (SSE) int UHTTP::sse_pipe_fd; +bool UHTTP::sse_auth; const char* UHTTP::sse_corsbase = "*"; UHTTP::strPF UHTTP::sse_func; #endif @@ -5143,7 +5144,10 @@ void UHTTP::processRequest() { // check if it's OK to do directory listing via authentication (digest|basic) - if (processAuthorization()) setDynamicResponse(getHTMLDirectoryList()); + uint32_t sz; + const char* ptr = UClientImage_Base::getRequestUri(sz); + + if (processAuthorization(ptr, sz)) setDynamicResponse(getHTMLDirectoryList()); return; } 
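Review bot: In the new `else` branch taken when `U_peer_permit` is false, `peer->time_no_traffic += _ctime;` runs immediately after traffic was observed on the peer, which reads as a contradiction without a comment; the intent seems to be that bytes from a DENY peer are reported upstream as `pfb->UInt(0U)` and the peer is accounted as idle, but that is inferred from the hunk. A one-line comment would settle it, e.g. `// DENY peer: report 0 bytes and keep counting idle time; the observed traffic is only logged below (TODO confirm intent)`. Note also that `peer->ctraffic = 0;` now follows the warning, so the logged count is the only record of the denied traffic, whereas the removed block left `ctraffic` accumulating across calls. makeInfoData starts before this hunk.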
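Review bot: The block added after `goto end;` is commented-out code (`/** if ((peer->_ctime + U_ONE_HOUR_IN_SECOND) < u_now->tv_sec) ... goto log; */`) with no explanation of why it is disabled, so the next reader cannot tell whether it is a planned feature, an abandoned experiment, or a fix that broke something. Either drop it or replace the `/**` opener (which documentation tools may pick up) with a note stating the intent, e.g. `// TODO(nodog): re-classify a peer older than one hour as NEW before 'welcome' (disabled because: <reason>)`. The enclosing function and the `log` label it jumps to are outside the hunk.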
@@ -7172,10 +7176,14 @@ bool UHTTP::isValidationSSE() U_ASSERT_EQUALS(getPathComponent(0), "sse_event") - if (file->getPathRelativLen() > U_CONSTANT_SIZE("sse_event") && // Ex: "sse_event/tutor" - processAuthorization() == false) // check if it's OK to do directory listing via authentication (digest|basic) + if (sse_auth) { - U_RETURN(false); + // check if it's OK to do directory listing via authentication (digest|basic) + + uint32_t sz; + const char* ptr = UClientImage_Base::getRequestUri(sz); + + if (processAuthorization(ptr, sz) == false) U_RETURN(false); } U_RETURN(true); @@ -7812,7 +7820,8 @@ U_NO_EXPORT bool UHTTP::processAuthorization(const char* request, uint32_t sz, c { U_TRACE(0, "UHTTP::processAuthorization(%.*S,%u,%.*S,%u)", sz, request, sz, len, pattern, len) - if (sz == 0) request = UClientImage_Base::getRequestUri(sz); + U_INTERNAL_ASSERT_MAJOR(sz, 0) + U_INTERNAL_ASSERT_POINTER(request) UTokenizer t; const char* ptr; @@ -7845,12 +7854,18 @@ U_NO_EXPORT bool UHTTP::processAuthorization(const char* request, uint32_t sz, c pos = (request + sz) - uri_suffix; } # ifdef U_SSE_ENABLE // SERVER SENT EVENTS (SSE) - else if (sz > U_CONSTANT_SIZE("/sse_event") && - memcmp(request, U_CONSTANT_TO_PARAM("/sse_event")) == 0) // Ex: "/sse_event/tutor" + else { - ptr_file_data = getPasswdDB(request+U_CONSTANT_SIZE("/sse_event"), sz-U_CONSTANT_SIZE("/sse_event"), fpasswd); + if (sz > U_CONSTANT_SIZE("/sse_event/")) // Ex: "/sse_event/tutor" + { + U_INTERNAL_ASSERT_EQUALS(memcmp(request, U_CONSTANT_TO_PARAM("/sse_event/")), 0) - goto next; + ptr_file_data = getPasswdDB(request+U_CONSTANT_SIZE("/sse_event"), sz-U_CONSTANT_SIZE("/sse_event"), fpasswd); + + goto next; + } + + goto end; } # endif } diff --git a/tests/examples/TSA/tsaserial b/tests/examples/TSA/tsaserial index 8b65c930..0bd3b9e7 100644 --- a/tests/examples/TSA/tsaserial +++ b/tests/examples/TSA/tsaserial @@ -1 +1 @@ -049F +04AD 
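Review bot: The comment added inside `if (sse_auth)` — `// check if it's OK to do directory listing via authentication (digest|basic)` — is copied from processRequest and misdescribes this check, which gates the SSE endpoint rather than a directory listing; `// URI_PROTECTED_SSE: the /sse_event/ endpoint requires (digest|basic) authentication` would say what it does. Worth stating in the commit as well: `sse_auth` is defined at @@ -176 with no initializer, so it is false until URI_PROTECTED_SSE is set, and a URI such as "sse_event/tutor", which the removed condition sent through processAuthorization unconditionally, is now accepted without credentials on an unchanged configuration. If that default is intended, the option comments in userver.cfg.default and mod_http.cpp should say so, e.g. `# URI_PROTECTED_SSE SSE needs authentication (/sse_event/) [default: no]`. The opening lines of isValidationSSE are outside the hunk.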
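Review bot: The removed fallback `if (sz == 0) request = UClientImage_Base::getRequestUri(sz);` is replaced by `U_INTERNAL_ASSERT_MAJOR(sz, 0)` and `U_INTERNAL_ASSERT_POINTER(request)`, which — if the U_INTERNAL_ASSERT family is compiled out in non-debug builds, as is usual in this codebase — leaves an authorization routine with no runtime guard on its inputs: a caller passing sz == 0 or a null request would continue into the tokenizer instead of stopping. The assertions are fine for debugging, but the release path should fail closed with `if (sz == 0 || request == U_NULLPTR) U_RETURN(false);` placed ahead of them. The rest of processAuthorization lies outside the hunk.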
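Review bot: The SSE branch of processAuthorization drops its runtime prefix test: the old `else if (sz > U_CONSTANT_SIZE("/sse_event") && memcmp(request, U_CONSTANT_TO_PARAM("/sse_event")) == 0)` becomes a bare `else` with the memcmp demoted to `U_INTERNAL_ASSERT_EQUALS`, so in a build where internal asserts are compiled out any request longer than 11 bytes that reaches this `else` is handed to getPasswdDB as if it were an SSE path. Whether a non-SSE URI can reach this point depends on the preceding branch, which is outside the hunk, but an authorization decision should not rest on a debug assertion; keeping the check as the condition, `if (sz > U_CONSTANT_SIZE("/sse_event/") && memcmp(request, U_CONSTANT_TO_PARAM("/sse_event/")) == 0)`, with the existing `goto end;` as the fall-through, restores it at no cost.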
diff --git a/tests/ulib/README b/tests/ulib/README index c555634c..917e2296 100644 --- a/tests/ulib/README +++ b/tests/ulib/README @@ -7,8 +7,8 @@ Debian 7.11 was released Saturday, 4th June 2016. Debian 8.11, or jessie. Access this release through dists/oldstable Debian 8.11 was released Saturday, 23rd June 2018. -Debian 9.6, or stretch. Access this release through dists/stable -Debian 9.6 was released Saturday, 10th November 2018. +Debian 9.7, or stretch. Access this release through dists/stable +Debian 9.7 was released Wednesday, 23rd January 2019. Testing, or buster. Access this release through dists/testing. The current tested development snapshot is named buster. Packages which