Removed the "ViaHeader" directive and replaced it with the

"ViaProxyName" directive.  The "Via" HTTP header is _required_ by the
HTTP spec, so the code has been changed to always send the header.
However, including the proxy's host name could be considered a
security threat, so the "ViaProxyName" directive is used to set the
token sent in the "Via" header.  If the directive is not enabled the
proxy's host name will be used.
Robert James Kaes 2003-06-20 17:02:13 +00:00
parent 0d3962f1f0
commit 4c9141aac6
5 changed files with 47 additions and 44 deletions


@ -166,11 +166,12 @@ Allow 127.0.0.1
Allow 192.168.1.0/25
#
# Control whether the HTTP Via header should be included in requests or
# responses. The RFC says it should be there, but it could be a security
# concern. The default is off.
# The "Via" header is required by the HTTP RFC, but using the real host name
# is a security concern. If the following directive is enabled, the string
# supplied will be used as the host name in the Via header; otherwise, the
# server's host name will be used.
#
#ViaHeader On
ViaProxyName "tinyproxy"
#
# The location of the filter file.


@ -1,4 +1,4 @@
/* $Id: grammar.y,v 1.21 2003-05-29 19:43:58 rjkaes Exp $
/* $Id: grammar.y,v 1.22 2003-06-20 17:02:13 rjkaes Exp $
*
* This is the grammar for tinyproxy's configuration file. It needs to be
* in sync with scanner.l. If you know more about yacc and lex than I do
@ -51,11 +51,12 @@ int yylex(void);
%token KW_FILTER KW_FILTERURLS KW_FILTEREXTENDED KW_FILTER_DEFAULT_DENY
%token KW_FILTER_CASESENSITIVE
%token KW_UPSTREAM
%token KW_CONNECTPORT KW_BIND KW_HTTP_VIA
%token KW_CONNECTPORT KW_BIND
%token KW_STATHOST
%token KW_ALLOW KW_DENY
%token KW_ERRORPAGE KW_DEFAULT_ERRORPAGE
%token KW_STATPAGE
%token KW_VIA_PROXY_NAME
/* yes/no switches */
%token KW_YES KW_NO
@ -210,14 +211,10 @@ statement
log_message(LOG_WARNING, "The 'Bind' directive can not be used with transparent proxy support. Ignoring the directive.");
#endif
}
| KW_HTTP_VIA yesno
| KW_VIA_PROXY_NAME string
{
if ($2) {
log_message(LOG_INFO, "Enabling HTTP Via header.");
config.via_http_header = TRUE;
} else {
config.via_http_header = FALSE;
}
log_message(LOG_INFO, "Setting \"Via\" proxy name to: %s", $2);
config.via_proxy_name = $2;
}
| KW_STATHOST string
{
@ -258,7 +255,7 @@ string
%%
extern unsigned int yylineno;
extern unsigned int scanner_lineno;
void
yyerror(char *s)
@ -270,5 +267,6 @@ yyerror(char *s)
headerdisplayed = 1;
}
fprintf(stderr, "\t%s:%d: %s\n", config.config_file, yylineno, s);
fprintf(stderr, "\t%s:%d: %s\n", config.config_file, scanner_lineno, s);
exit(EXIT_FAILURE);
}
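Review bot: The `KW_VIA_PROXY_NAME string` action stores `$2` without checking it, yet per the commit message this value becomes the token sent in the Via header, so a quoted string holding a space (or CR/LF, if the scanner lets them through) would yield a malformed or split header line. Rejecting such values here keeps the failure at configuration time, e.g. `if ($2[strcspn($2, " \t\r\n")] != '\0') yyerror("ViaProxyName must not contain whitespace");`. If the `string` rule returns heap memory (not visible in this hunk), a repeated directive also overwrites `config.via_proxy_name` without freeing the earlier value. A one-line comment on the assignment saying that the config struct takes ownership of the string would make that contract explicit.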


@ -1,4 +1,4 @@
/* $Id: reqs.c,v 1.103 2003-06-06 16:14:50 rjkaes Exp $
/* $Id: reqs.c,v 1.104 2003-06-20 17:02:13 rjkaes Exp $
*
* This is where all the work in tinyproxy is actually done. Incoming
* connections have a new child created for them. The child then
@ -987,8 +987,8 @@ get_content_length(hashmap_t hashofheaders)
}
/*
* Search for Via head in a hash of headers and either write a new Via header,
* or append our information to the end of an existing Via header.
* Search for Via header in a hash of headers and either write a new Via
* header, or append our information to the end of an existing Via header.
*
* FIXME: Need to add code to "hide" our internal information for security
* purposes.
@ -998,11 +998,15 @@ write_via_header(int fd, hashmap_t hashofheaders,
unsigned int major, unsigned int minor)
{
ssize_t len;
char hostname[128];
char hostname[512];
char *data;
int ret;
gethostname(hostname, sizeof(hostname));
if (config.via_proxy_name) {
strlcpy(hostname, config.via_proxy_name, sizeof(hostname));
} else if (gethostname(hostname, sizeof(hostname)) < 0) {
strcpy(hostname, "unknown");
}
/*
* See if there is a "Via" header. If so, again we need to do a bit
@ -1089,17 +1093,15 @@ process_client_headers(struct conn_s *connptr, hashmap_t hashofheaders)
}
/* Send, or add the Via header */
if (config.via_http_header) {
ret = write_via_header(connptr->server_fd, hashofheaders,
connptr->protocol.major,
connptr->protocol.minor);
if (ret < 0) {
indicate_http_error(connptr, 503,
"Could not send data to remote server",
"detail", "A network error occurred while trying to write data to the remote web server.",
NULL);
goto PULL_CLIENT_DATA;
}
ret = write_via_header(connptr->server_fd, hashofheaders,
connptr->protocol.major,
connptr->protocol.minor);
if (ret < 0) {
indicate_http_error(connptr, 503,
"Could not send data to remote server",
"detail", "A network error occurred while trying to write data to the remote web server.",
NULL);
goto PULL_CLIENT_DATA;
}
/*
@ -1239,13 +1241,11 @@ process_server_headers(struct conn_s *connptr)
}
/* Send, or add the Via header */
if (config.via_http_header) {
ret = write_via_header(connptr->client_fd, hashofheaders,
connptr->protocol.major,
connptr->protocol.minor);
if (ret < 0)
goto ERROR_EXIT;
}
ret = write_via_header(connptr->client_fd, hashofheaders,
connptr->protocol.major,
connptr->protocol.minor);
if (ret < 0)
goto ERROR_EXIT;
/*
* All right, output all the remaining headers to the client.
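Review bot: In write_via_header the fallback branch still places the machine's real host name in the Via header whenever `config.via_proxy_name` is unset, and with the `if (config.via_http_header)` guards removed in process_client_headers and process_server_headers this now happens on every request and response for a configuration that never sets ViaProxyName. A one-time startup warning for that case, or a neutral built-in default, would keep an upgrade from silently exposing the internal name. Separately, POSIX does not guarantee NUL termination when gethostname() truncates, so `hostname[sizeof(hostname) - 1] = '\0';` after the call is worth adding, and the `FIXME` above the function about hiding internal information reads as stale now and could be reworded to point at ViaProxyName. write_via_header's body continues outside the hunk.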


@ -1,4 +1,4 @@
/* $Id: scanner.l,v 1.19 2003-03-13 21:42:45 rjkaes Exp $
/* $Id: scanner.l,v 1.20 2003-06-20 17:02:13 rjkaes Exp $
*
* This builds the scanner for the tinyproxy configuration file. This
* file needs to stay in sync with grammar.y. If someone knows lex and yacc
@ -54,7 +54,7 @@ static struct keyword keywords[] = {
{ "deny", KW_DENY },
{ "connectport", KW_CONNECTPORT },
{ "bind", KW_BIND },
{ "viaheader", KW_HTTP_VIA },
{ "viaproxyname", KW_VIA_PROXY_NAME },
{ "stathost", KW_STATHOST },
{ "errorfile", KW_ERRORPAGE },
{ "defaulterrorfile", KW_DEFAULT_ERRORPAGE },
@ -81,7 +81,8 @@ static struct keyword keywords[] = {
#define MAX_REGEXP_LEN 1024
unsigned int yylineno = 1;
unsigned int scanner_lineno = 1;
char tiny_buf[MAX_REGEXP_LEN];
char *tiny_str;
@ -103,7 +104,7 @@ word [^ \#'"\(\)\{\}\\;\n\t,|\.]
%%
\#.*$ ;
\n { yylineno++; return '\n'; }
\n { ++scanner_lineno; return '\n'; }
: { return ':'; }
{white}+ ;
0x{digit}+ { yylval.num = strtol(yytext, NULL, 16); return NUMBER; }
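Review bot: Dropping the `{ "viaheader", KW_HTTP_VIA }` entry from `keywords[]` means an existing configuration that still contains `ViaHeader On` is no longer recognised; if the unknown word ends in a syntax error, yyerror() in grammar.y exits and the proxy would not start after an upgrade. Keeping `viaheader` as a deprecated keyword whose grammar action only logs a warning, for example `log_message(LOG_WARNING, "The 'ViaHeader' directive is obsolete; use 'ViaProxyName'.");`, would make the transition safer. The keywords table starts and ends outside the hunk.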


@ -1,4 +1,4 @@
/* $Id: tinyproxy.h,v 1.40 2003-06-02 21:55:14 rjkaes Exp $
/* $Id: tinyproxy.h,v 1.41 2003-06-20 17:02:12 rjkaes Exp $
*
* See 'tinyproxy.c' for a detailed description.
*
@ -61,7 +61,10 @@ struct config_s {
unsigned int idletimeout;
char* bind_address;
unsigned int via_http_header; /* boolean */
/*
* The configured name to use in the HTTP "Via" header field.
*/
char* via_proxy_name;
/*
* Error page support. This is an array of pointers to structures