From 4c9141aac6b60eab1a0113d45ac059a78097b0f7 Mon Sep 17 00:00:00 2001 From: Robert James Kaes Date: Fri, 20 Jun 2003 17:02:13 +0000 Subject: [PATCH] Removed the "ViaHeader" directive and replaced it with the "ViaProxyName" directive. The "Via" HTTP header is _required_ by the HTTP spec, so the code has been changed to always send the header. However, including the proxy's host name could be considered a security threat, so the "ViaProxyName" directive is used to set the token sent in the "Via" header. If the directive is not enabled the proxy's host name will be used. --- doc/tinyproxy.conf | 9 +++++---- src/grammar.y | 20 +++++++++----------- src/reqs.c | 46 +++++++++++++++++++++++----------------------- src/scanner.l | 9 +++++---- src/tinyproxy.h | 7 +++++-- 5 files changed, 47 insertions(+), 44 deletions(-) diff --git a/doc/tinyproxy.conf b/doc/tinyproxy.conf index 9eacb95..6bc9729 100644 --- a/doc/tinyproxy.conf +++ b/doc/tinyproxy.conf @@ -166,11 +166,12 @@ Allow 127.0.0.1 Allow 192.168.1.0/25 # -# Control whether the HTTP Via header should be included in requests or -# responses. The RFC says it should be there, but it could be a security -# concern. The default is off. +# The "Via" header is required by the HTTP RFC, but using the real host name +# is a security concern. If the following directive is enabled, the string +# supplied will be used as the host name in the Via header; otherwise, the +# server's host name will be used. # -#ViaHeader On +ViaProxyName "tinyproxy" # # The location of the filter file. diff --git a/src/grammar.y b/src/grammar.y index 404f450..6d39a53 100644 --- a/src/grammar.y +++ b/src/grammar.y @@ -1,4 +1,4 @@ -/* $Id: grammar.y,v 1.21 2003-05-29 19:43:58 rjkaes Exp $ +/* $Id: grammar.y,v 1.22 2003-06-20 17:02:13 rjkaes Exp $ * * This is the grammar for tinyproxy's configuration file. It needs to be * in sync with scanner.l. If you know more about yacc and lex than I do 
@@ -51,11 +51,12 @@ int yylex(void); %token KW_FILTER KW_FILTERURLS KW_FILTEREXTENDED KW_FILTER_DEFAULT_DENY %token KW_FILTER_CASESENSITIVE %token KW_UPSTREAM -%token KW_CONNECTPORT KW_BIND KW_HTTP_VIA +%token KW_CONNECTPORT KW_BIND %token KW_STATHOST %token KW_ALLOW KW_DENY %token KW_ERRORPAGE KW_DEFAULT_ERRORPAGE %token KW_STATPAGE +%token KW_VIA_PROXY_NAME /* yes/no switches */ %token KW_YES KW_NO @@ -210,14 +211,10 @@ statement log_message(LOG_WARNING, "The 'Bind' directive can not be used with transparent proxy support. Ignoring the directive."); #endif } - | KW_HTTP_VIA yesno + | KW_VIA_PROXY_NAME string { - if ($2) { - log_message(LOG_INFO, "Enabling HTTP Via header."); - config.via_http_header = TRUE; - } else { - config.via_http_header = FALSE; - } + log_message(LOG_INFO, "Setting \"Via\" proxy name to: %s", $2); + config.via_proxy_name = $2; } | KW_STATHOST string { @@ -258,7 +255,7 @@ string %% -extern unsigned int yylineno; +extern unsigned int scanner_lineno; void yyerror(char *s) @@ -270,5 +267,6 @@ yyerror(char *s) headerdisplayed = 1; } - fprintf(stderr, "\t%s:%d: %s\n", config.config_file, yylineno, s); + fprintf(stderr, "\t%s:%d: %s\n", config.config_file, scanner_lineno, s); + exit(EXIT_FAILURE); } diff --git a/src/reqs.c b/src/reqs.c index a54535c..2a2f603 100644 --- a/src/reqs.c +++ b/src/reqs.c @@ -1,4 +1,4 @@ -/* $Id: reqs.c,v 1.103 2003-06-06 16:14:50 rjkaes Exp $ +/* $Id: reqs.c,v 1.104 2003-06-20 17:02:13 rjkaes Exp $ * * This is where all the work in tinyproxy is actually done. Incoming * connections have a new child created for them. The child then 
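Review bot: The value accepted in the new rule at `config.via_proxy_name = $2;` is later copied verbatim into the Via header by write_via_header, and nothing here rejects characters that would corrupt that header line. I cannot see the scanner's `string` rule from this hunk, but if it admits whitespace or control characters, a ViaProxyName containing CR, LF or a space would split or malform the outgoing header, so consider validating the token in this action (e.g. refuse any byte for which `iscntrl()` or `isspace()` is true, reporting through yyerror so it fails closed like other config errors now do). A repeated ViaProxyName directive also overwrites the previous pointer without releasing it; if the scanner allocates `$2` on the heap, the earlier string leaks, so free the old value before assigning. The enclosing `statement` rule begins before this hunk.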
@@ -987,8 +987,8 @@ get_content_length(hashmap_t hashofheaders) } /* - * Search for Via head in a hash of headers and either write a new Via header, - * or append our information to the end of an existing Via header. + * Search for Via header in a hash of headers and either write a new Via + * header, or append our information to the end of an existing Via header. * * FIXME: Need to add code to "hide" our internal information for security * purposes. @@ -998,11 +998,15 @@ write_via_header(int fd, hashmap_t hashofheaders, unsigned int major, unsigned int minor) { ssize_t len; - char hostname[128]; + char hostname[512]; char *data; int ret; - gethostname(hostname, sizeof(hostname)); + if (config.via_proxy_name) { + strlcpy(hostname, config.via_proxy_name, sizeof(hostname)); + } else if (gethostname(hostname, sizeof(hostname)) < 0) { + strcpy(hostname, "unknown"); + } /* * See if there is a "Via" header. If so, again we need to do a bit @@ -1089,17 +1093,15 @@ process_client_headers(struct conn_s *connptr, hashmap_t hashofheaders) } /* Send, or add the Via header */ - if (config.via_http_header) { - ret = write_via_header(connptr->server_fd, hashofheaders, - connptr->protocol.major, - connptr->protocol.minor); - if (ret < 0) { - indicate_http_error(connptr, 503, - "Could not send data to remote server", - "detail", "A network error occurred while trying to write data to the remote web server.", - NULL); - goto PULL_CLIENT_DATA; - } + ret = write_via_header(connptr->server_fd, hashofheaders, + connptr->protocol.major, + connptr->protocol.minor); + if (ret < 0) { + indicate_http_error(connptr, 503, + "Could not send data to remote server", + "detail", "A network error occurred while trying to write data to the remote web server.", + NULL); + goto PULL_CLIENT_DATA; } /* 
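Review bot: In write_via_header the new `gethostname()` fallback does not guarantee a NUL-terminated buffer: POSIX leaves it unspecified whether a name longer than the buffer is terminated, so add `hostname[sizeof(hostname) - 1] = '\0';` after the if/else chain (the strlcpy and `strcpy(hostname, "unknown")` branches are already safe). The FIXME above the function about hiding internal information is now only partly addressed and should say so, e.g. "FIXME: the real host name is still disclosed to both origin server and client unless ViaProxyName is set"; a value longer than 511 bytes is also silently truncated by strlcpy, which is worth a one-line comment. The rest of write_via_header, including the code that appends to an existing Via header, lies outside this hunk.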
@@ -1239,13 +1241,11 @@ process_server_headers(struct conn_s *connptr) } /* Send, or add the Via header */ - if (config.via_http_header) { - ret = write_via_header(connptr->client_fd, hashofheaders, - connptr->protocol.major, - connptr->protocol.minor); - if (ret < 0) - goto ERROR_EXIT; - } + ret = write_via_header(connptr->client_fd, hashofheaders, + connptr->protocol.major, + connptr->protocol.minor); + if (ret < 0) + goto ERROR_EXIT; /* * All right, output all the remaining headers to the client. diff --git a/src/scanner.l b/src/scanner.l index f685b23..d1664a8 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -1,4 +1,4 @@ -/* $Id: scanner.l,v 1.19 2003-03-13 21:42:45 rjkaes Exp $ +/* $Id: scanner.l,v 1.20 2003-06-20 17:02:13 rjkaes Exp $ * * This builds the scanner for the tinyproxy configuration file. This * file needs to stay in sync with grammar.y. If someone knows lex and yacc @@ -54,7 +54,7 @@ static struct keyword keywords[] = { { "deny", KW_DENY }, { "connectport", KW_CONNECTPORT }, { "bind", KW_BIND }, - { "viaheader", KW_HTTP_VIA }, + { "viaproxyname", KW_VIA_PROXY_NAME }, { "stathost", KW_STATHOST }, { "errorfile", KW_ERRORPAGE }, { "defaulterrorfile", KW_DEFAULT_ERRORPAGE }, @@ -81,7 +81,8 @@ static struct keyword keywords[] = { #define MAX_REGEXP_LEN 1024 -unsigned int yylineno = 1; +unsigned int scanner_lineno = 1; + char tiny_buf[MAX_REGEXP_LEN]; char *tiny_str; @@ -103,7 +104,7 @@ word [^ \#'"\(\)\{\}\\;\n\t,|\.] %% \#.*$ ; -\n { yylineno++; return '\n'; } +\n { ++scanner_lineno; return '\n'; } : { return ':'; } {white}+ ; 0x{digit}+ { yylval.num = strtol(yytext, NULL, 16); return NUMBER; } diff --git a/src/tinyproxy.h b/src/tinyproxy.h index 1c21762..d014748 100644 --- a/src/tinyproxy.h +++ b/src/tinyproxy.h @@ -1,4 +1,4 @@ -/* $Id: tinyproxy.h,v 1.40 2003-06-02 21:55:14 rjkaes Exp $ +/* $Id: tinyproxy.h,v 1.41 2003-06-20 17:02:12 rjkaes Exp $ * * See 'tinyproxy.c' for a detailed description. * 
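Review bot: Removing `{ "viaheader", KW_HTTP_VIA }` from the keyword table turns an existing `ViaHeader On` line in a deployed configuration into a parse error, and because yyerror now calls `exit(EXIT_FAILURE)` elsewhere in this commit, the proxy will refuse to start after an upgrade instead of simply adopting the new always-on behaviour. Consider keeping a deprecated `viaheader` entry for one release whose grammar action only logs a LOG_WARNING pointing operators at ViaProxyName, and recording the removal in the changelog. The `keywords[]` table starts before this hunk.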
@@ -61,7 +61,10 @@ struct config_s { unsigned int idletimeout; char* bind_address; - unsigned int via_http_header; /* boolean */ + /* + * The configured name to use in the HTTP "Via" header field. + */ + char* via_proxy_name; /* * Error page support. This is an array of pointers to structures
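Review bot: The new comment on `via_proxy_name` should state the NULL contract that the reqs.c change in this commit depends on, since write_via_header tests the pointer and falls back to gethostname() when it is unset. Suggested text: `/* Token sent in the HTTP "Via" header. NULL (no ViaProxyName directive) means the real host name from gethostname() is used and disclosed to peers. */`. Noting that the string is assigned from the grammar action, and who is expected to free it, would also help the next maintainer; I cannot see the lifetime from this hunk, so confirm before documenting it.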