bughz/tinyproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a5381223df
tinyproxy/src/transparent-proxy.c

147 lines
5.5 KiB
C
Raw Normal View History

Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
/* tinyproxy - A fast light-weight HTTP proxy
* Copyright (C) 2002 Petr Lampa <lampa@fit.vutbr.cz>
* Copyright (C) 2008 Robert James Kaes <rjk@wormbytes.ca>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
* This section of code is used for the transparent proxy option. You will
* need to configure your firewall to redirect all connections for HTTP
* traffic to tinyproxy for this to work properly.
*/
#include "transparent-proxy.h"
#include "conns.h"
#include "heap.h"
#include "html-error.h"
#include "log.h"
#include "reqs.h"
Use safer string functions
2009-10-02 17:51:42 +08:00
#include "text.h"
Fix the build with --enable-transaparent after conf changes. Michael
2009-12-08 06:42:30 +08:00
#include "conf.h"
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
/*
* Build a URL from parts.
*/
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
static int build_url (char **url, const char *host, int port, const char *path)
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
{
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
int len;
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
assert (url != NULL);
assert (host != NULL);
assert (port > 0 && port < 32768);
assert (path != NULL);
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
len = strlen (host) + strlen (path) + 14;
fix possible memory leak
2018-02-25 12:18:46 +08:00
*url = (char *) saferealloc (*url, len);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
if (*url == NULL)
return -1;
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
return snprintf (*url, len, "http://%s:%d%s", host, port, path);
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
}
int
save headers in an ordered dictionary due to the usage of a hashmap to store headers, when relaying them to the other side the order was not prevented. even though correct from a standards point-of-view, this caused issues with various programs, and it allows to fingerprint the use of tinyproxy. to implement this, i imported the MIT-licensed hsearch.[ch] from https://github.com/rofl0r/htab which was originally taken from musl libc. it's a simple and efficient hashtable implementation with far better performance characteristic than the one previously used by tinyproxy. additionally it has an API much more well-suited for this purpose. orderedmap.[ch] was implemented from scratch to address this issue. behind the scenes it uses an sblist to store string values, and a htab to store keys and the indices into the sblist. this allows us to iterate linearly over the sblist and then find the corresponding key in the hash table, so the headers can be reproduced in the order they were received. closes #73
2020-09-12 20:49:10 +08:00
do_transparent_proxy (struct conn_s *connptr, orderedmap hashofheaders,
Convert tabs to spaces
2008-12-08 21:39:44 +08:00
struct request_s *request, struct config_s *conf,
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
char **url)
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
{
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
socklen_t length;
char *data;
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
size_t ulen = strlen (*url);
transparent: make transparent support compile after introduction of multi Listen I seem to have forgotten to compile with transparent support enabled... This belongs to the fix for bug BB#63. Signed-off-by: Michael Adam <obnox@samba.org>
2013-11-23 07:15:48 +08:00
ssize_t i;
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
save headers in an ordered dictionary due to the usage of a hashmap to store headers, when relaying them to the other side the order was not prevented. even though correct from a standards point-of-view, this caused issues with various programs, and it allows to fingerprint the use of tinyproxy. to implement this, i imported the MIT-licensed hsearch.[ch] from https://github.com/rofl0r/htab which was originally taken from musl libc. it's a simple and efficient hashtable implementation with far better performance characteristic than the one previously used by tinyproxy. additionally it has an API much more well-suited for this purpose. orderedmap.[ch] was implemented from scratch to address this issue. behind the scenes it uses an sblist to store string values, and a htab to store keys and the indices into the sblist. this allows us to iterate linearly over the sblist and then find the corresponding key in the hash table, so the headers can be reproduced in the order they were received. closes #73
2020-09-12 20:49:10 +08:00
data = orderedmap_find (hashofheaders, "host");
if (!data) {
transparent: remove usage of inet_ntoa(), make IPv6 ready inet_ntoa() uses a static buffer and is therefore not threadsafe. additionally it has been deprecated by POSIX. by using inet_ntop() instead the code has been made ipv6 aware. note that this codepath was only entered in the unlikely event that no hosts header was being passed to the proxy, i.e. pre-HTTP/1.1.
2020-09-06 23:22:11 +08:00
union sockaddr_union dest_addr;
const void *dest_inaddr;
char namebuf[INET6_ADDRSTRLEN+1];
int af;
transparent: fix invalid memory access getsockname() requires addrlen to be set to the size of the sockaddr struct passed as the addr, and a check whether the returned addrlen exceeds the initially passed size (to determine whether the address returned is truncated). with a request like "GET /\r\n\r\n" where length is 0 this caused the code to assume success and use the values of the uninitialized sockaddr struct.
2020-03-18 20:31:13 +08:00
length = sizeof(dest_addr);
Reformat code to GNU coding style This is a commit which simply ran all C source code files through GNU indent. No other modifications were made.
2008-12-01 23:01:11 +08:00
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
if (getsockname
transparent: remove usage of inet_ntoa(), make IPv6 ready inet_ntoa() uses a static buffer and is therefore not threadsafe. additionally it has been deprecated by POSIX. by using inet_ntop() instead the code has been made ipv6 aware. note that this codepath was only entered in the unlikely event that no hosts header was being passed to the proxy, i.e. pre-HTTP/1.1.
2020-09-06 23:22:11 +08:00
(connptr->client_fd, (void *) &dest_addr,
transparent: fix invalid memory access getsockname() requires addrlen to be set to the size of the sockaddr struct passed as the addr, and a check whether the returned addrlen exceeds the initially passed size (to determine whether the address returned is truncated). with a request like "GET /\r\n\r\n" where length is 0 this caused the code to assume success and use the values of the uninitialized sockaddr struct.
2020-03-18 20:31:13 +08:00
&length) < 0 || length > sizeof(dest_addr)) {
transparent: remove usage of inet_ntoa(), make IPv6 ready inet_ntoa() uses a static buffer and is therefore not threadsafe. additionally it has been deprecated by POSIX. by using inet_ntop() instead the code has been made ipv6 aware. note that this codepath was only entered in the unlikely event that no hosts header was being passed to the proxy, i.e. pre-HTTP/1.1.
2020-09-06 23:22:11 +08:00
addr_err:;
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
log_message (LOG_ERR,
"process_request: cannot get destination IP for %d",
connptr->client_fd);
indicate_http_error (connptr, 400, "Bad Request",
"detail", "Unknown destination",
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
"url", *url, NULL);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
return 0;
}
Use safer string functions
2009-10-02 17:51:42 +08:00
transparent: remove usage of inet_ntoa(), make IPv6 ready inet_ntoa() uses a static buffer and is therefore not threadsafe. additionally it has been deprecated by POSIX. by using inet_ntop() instead the code has been made ipv6 aware. note that this codepath was only entered in the unlikely event that no hosts header was being passed to the proxy, i.e. pre-HTTP/1.1.
2020-09-06 23:22:11 +08:00
af = length == sizeof(dest_addr.v4) ? AF_INET : AF_INET6;
if (af == AF_INET) dest_inaddr = &dest_addr.v4.sin_addr;
else dest_inaddr = &dest_addr.v6.sin6_addr;
Use safer string functions
2009-10-02 17:51:42 +08:00
transparent: remove usage of inet_ntoa(), make IPv6 ready inet_ntoa() uses a static buffer and is therefore not threadsafe. additionally it has been deprecated by POSIX. by using inet_ntop() instead the code has been made ipv6 aware. note that this codepath was only entered in the unlikely event that no hosts header was being passed to the proxy, i.e. pre-HTTP/1.1.
2020-09-06 23:22:11 +08:00
if (!inet_ntop(af, dest_inaddr, namebuf, sizeof namebuf))
goto addr_err;
request->host = safestrdup (namebuf);
request->port = ntohs (af == AF_INET ? dest_addr.v4.sin_port
: dest_addr.v6.sin6_port);
Use safer string functions
2009-10-02 17:51:42 +08:00
request->path = (char *) safemalloc (ulen + 1);
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
strlcpy (request->path, *url, ulen + 1);
Use safer string functions
2009-10-02 17:51:42 +08:00
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
build_url (url, request->host, request->port, request->path);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
log_message (LOG_INFO,
"process_request: trans IP %s %s for %d",
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
request->method, *url, connptr->client_fd);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
} else {
save headers in an ordered dictionary due to the usage of a hashmap to store headers, when relaying them to the other side the order was not prevented. even though correct from a standards point-of-view, this caused issues with various programs, and it allows to fingerprint the use of tinyproxy. to implement this, i imported the MIT-licensed hsearch.[ch] from https://github.com/rofl0r/htab which was originally taken from musl libc. it's a simple and efficient hashtable implementation with far better performance characteristic than the one previously used by tinyproxy. additionally it has an API much more well-suited for this purpose. orderedmap.[ch] was implemented from scratch to address this issue. behind the scenes it uses an sblist to store string values, and a htab to store keys and the indices into the sblist. this allows us to iterate linearly over the sblist and then find the corresponding key in the hash table, so the headers can be reproduced in the order they were received. closes #73
2020-09-12 20:49:10 +08:00
length = strlen (data);
Add explicit casts for c++ mode in transparent-proxy.c
2009-09-23 10:19:06 +08:00
request->host = (char *) safemalloc (length + 1);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
if (sscanf (data, "%[^:]:%hu", request->host, &request->port) !=
2) {
Use safer string functions
2009-10-02 17:51:42 +08:00
strlcpy (request->host, data, length + 1);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
request->port = HTTP_PORT;
}
Use safer string functions
2009-10-02 17:51:42 +08:00
request->path = (char *) safemalloc (ulen + 1);
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
strlcpy (request->path, *url, ulen + 1);
Use safer string functions
2009-10-02 17:51:42 +08:00
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
build_url (url, request->host, request->port, request->path);
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
log_message (LOG_INFO,
"process_request: trans Host %s %s for %d",
[BB#95] Fix FilterURLs with transparent proxy support. Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL will actually end up back in the caller where it is needed for filtering decisions. This fixes the problem that a tinyproxy configured with the transparent proxy functionality and "FilterURLs Yes" would filter on everything but the domain. Signed-off-by: daniel.egger@sphairon.com Signed-off-by: Michael Adam <obnox@samba.org>
2010-08-17 04:36:20 +08:00
request->method, *url, connptr->client_fd);
Convert tabs to spaces
2008-12-08 21:39:44 +08:00
}
transparent: make transparent support compile after introduction of multi Listen I seem to have forgotten to compile with transparent support enabled... This belongs to the fix for bug BB#63. Signed-off-by: Michael Adam <obnox@samba.org>
2013-11-23 07:15:48 +08:00
if (conf->listen_addrs == NULL) {
return 1;
}
for (i = 0; i < vector_length(conf->listen_addrs); i++) {
const char *addr;
addr = (char *)vector_getentry(conf->listen_addrs, i, NULL);
if (addr && strcmp(request->host, addr) == 0) {
log_message(LOG_ERR,
"transparent: destination IP %s is local "
"on socket fd %d",
request->host, connptr->client_fd);
indicate_http_error(connptr, 400, "Bad Request",
"detail",
"You tried to connect to the "
"machine the proxy is running on",
"url", *url, NULL);
return 0;
}
Convert tabs to spaces
2008-12-08 21:39:44 +08:00
}
Reformat code to GNU coding style This is a commit which simply ran all C source code files through GNU indent. No other modifications were made.
2008-12-01 23:01:11 +08:00
Indent code to Tinyproxy coding style The modified files were indented with GNU indent using the following command: indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \ -saf -sai -saw -sc -cdw -ce -nut -il0 No other changes of any sort were made.
2009-09-15 03:41:25 +08:00
return 1;
Moved transparent proxy code into its own file Extracted the transparent proxy logic from reqs.c and placed it into a separate file. Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
2008-06-09 06:50:23 +08:00
}
Reference in New Issue Copy Permalink