From c981b246ce2b0b9c3cee5878d0cbefffb8fc2370 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Sun, 6 Dec 2009 23:50:15 +0100 Subject: [PATCH] Move handling of connect_ports list to its own source module. Michael --- src/Makefile.am | 3 +- src/conf.c | 1 + src/connect-ports.c | 78 +++++++++++++++++++++++++++++++++++++++++++++ src/connect-ports.h | 29 +++++++++++++++++ src/reqs.c | 56 +------------------------------- src/reqs.h | 1 - 6 files changed, 111 insertions(+), 57 deletions(-) create mode 100644 src/connect-ports.c create mode 100644 src/connect-ports.h diff --git a/src/Makefile.am b/src/Makefile.am index 27f85dd..7740814 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -42,7 +42,8 @@ tinyproxy_SOURCES = \ main.c main.h \ utils.c utils.h \ vector.c vector.h \ - upstream.c upstream.h + upstream.c upstream.h \ + connect-ports.c connect-ports.h EXTRA_tinyproxy_SOURCES = filter.c filter.h \ reverse-proxy.c reverse-proxy.h \ diff --git a/src/conf.c b/src/conf.c index adc7def..47d8962 100644 --- a/src/conf.c +++ b/src/conf.c @@ -36,6 +36,7 @@ #include "reqs.h" #include "reverse-proxy.h" #include "upstream.h" +#include "connect-ports.h" /* * The configuration directives are defined in the structure below. Each diff --git a/src/connect-ports.c b/src/connect-ports.c new file mode 100644 index 0000000..045adc9 --- /dev/null +++ b/src/connect-ports.c 
@@ -0,0 +1,78 @@
+/* tinyproxy - A fast light-weight HTTP proxy
+ * Copyright (C) 1998 Steven Young
+ * Copyright (C) 1999-2005 Robert James Kaes
+ * Copyright (C) 2009 Michael Adam
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "connect-ports.h"
+#include "vector.h"
+#include "log.h"
+
+/*
+ * This is a global variable which stores which ports are allowed by
+ * the CONNECT method. It's a security thing.
+ */
+static vector_t ports_allowed_by_connect = NULL;
+
+/*
+ * Now, this routine adds a "port" to the list. It also creates the list if
+ * it hasn't already by done.
+ */
+void add_connect_port_allowed (int port)
+{
+ if (!ports_allowed_by_connect) {
+ ports_allowed_by_connect = vector_create ();
+ if (!ports_allowed_by_connect) {
+ log_message (LOG_WARNING,
+ "Could not create a list of allowed CONNECT ports");
+ return;
+ }
+ }
+
+ log_message (LOG_INFO,
+ "Adding Port [%d] to the list allowed by CONNECT", port);
+ vector_append (ports_allowed_by_connect, (void **) &port,
+ sizeof (port));
+}
+
+/*
+ * This routine checks to see if a port is allowed in the CONNECT method.
+ *
+ * Returns: 1 if allowed
+ * 0 if denied
+ */
+int check_allowed_connect_ports (int port)
+{
+ size_t i;
+ int *data;
+
+ /*
+ * A port list is REQUIRED for a CONNECT request to function
+ * properly. This closes a potential security hole.
+ */
+ if (!ports_allowed_by_connect)
+ return 0;
+
+ for (i = 0; i != (size_t) vector_length (ports_allowed_by_connect); ++i) {
+ data =
+ (int *) vector_getentry (ports_allowed_by_connect, i, NULL);
+ if (data && *data == port)
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/src/connect-ports.h b/src/connect-ports.h
new file mode 100644
index 0000000..6ed6479
--- /dev/null
+++ b/src/connect-ports.h
@@ -0,0 +1,29 @@
+/* tinyproxy - A fast light-weight HTTP proxy
+ * Copyright (C) 1998 Steven Young
+ * Copyright (C) 1999 Robert James Kaes
+ * Copyright (C) 2009 Michael Adam
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _TINYPROXY_CONNECT_PORTS_H_
+#define _TINYPROXY_CONNECT_PORTS_H_
+
+#include "common.h"
+
+extern void add_connect_port_allowed (int port);
+int check_allowed_connect_ports (int port);
+
+#endif /* _TINYPROXY_CONNECT_PORTS_ */
diff --git a/src/reqs.c b/src/reqs.c
index 1baab95..c92920f 100644
--- a/src/reqs.c
+++ b/src/reqs.c
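Review bot: The result of `vector_append` in add_connect_port_allowed is discarded, so a failed append leaves the configured port silently missing from the allow-list and every later CONNECT to it is refused with nothing in the log to explain why; that is fail-closed, which is the right default for this list, but it is inconsistent with the `vector_create` failure a few lines above, which is logged. If vector_append signals failure through a non-zero return (its contract is not visible in this hunk), check it the same way: `if (vector_append (ports_allowed_by_connect, (void **) &port, sizeof (port)) != 0) log_message (LOG_WARNING, "Could not add port [%d] to the list allowed by CONNECT", port);`. Nothing here bounds `port` to 0–65535 either; if the config parser in conf.c does not already validate the directive, an out-of-range value is stored and simply never matches, which is harmless but worth rejecting with a warning at add time rather than leaving the operator to wonder why the tunnel is denied. Both routines are moved verbatim from reqs.c, so these are pre-existing rather than introduced by this commit, but a module of its own is the natural place to fix them.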
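Review bot: The closing guard comment does not match the macro it closes — `#ifndef _TINYPROXY_CONNECT_PORTS_H_` at the top but `#endif /* _TINYPROXY_CONNECT_PORTS_ */` at the bottom; make the latter `#endif /* _TINYPROXY_CONNECT_PORTS_H_ */`. The two prototypes are also declared inconsistently, `extern void add_connect_port_allowed (int port);` versus plain `int check_allowed_connect_ports (int port);`, and either both or neither should carry `extern`. Because check_allowed_connect_ports is now the function that gates every CONNECT tunnel from outside this module, its declaration deserves a one-line contract comment, e.g. `/* Returns 1 if CONNECT to port is permitted, 0 otherwise; denies every port until at least one has been added. */`, so callers in reqs.c learn the fail-closed default from the header rather than from the body of the .c file.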
@@ -46,6 +46,7 @@ #include "reverse-proxy.h" #include "transparent-proxy.h" #include "upstream.h" +#include "connect-ports.h" /* * Maximum length of a HTTP line @@ -77,61 +78,6 @@ #define CHECK_LWS(header, len) \ ((len) > 0 && (header[0] == ' ' || header[0] == '\t')) -/* - * This is a global variable which stores which ports are allowed by - * the CONNECT method. It's a security thing. - */ -static vector_t ports_allowed_by_connect = NULL; - -/* - * Now, this routine adds a "port" to the list. It also creates the list if - * it hasn't already by done. - */ -void add_connect_port_allowed (int port) -{ - if (!ports_allowed_by_connect) { - ports_allowed_by_connect = vector_create (); - if (!ports_allowed_by_connect) { - log_message (LOG_WARNING, - "Could not create a list of allowed CONNECT ports"); - return; - } - } - - log_message (LOG_INFO, - "Adding Port [%d] to the list allowed by CONNECT", port); - vector_append (ports_allowed_by_connect, (void **) &port, - sizeof (port)); -} - -/* - * This routine checks to see if a port is allowed in the CONNECT method. - * - * Returns: 1 if allowed - * 0 if denied - */ -static int check_allowed_connect_ports (int port) -{ - size_t i; - int *data; - - /* - * A port list is REQUIRED for a CONNECT request to function - * properly. This closes a potential security hole. - */ - if (!ports_allowed_by_connect) - return 0; - - for (i = 0; i != (size_t) vector_length (ports_allowed_by_connect); ++i) { - data = - (int *) vector_getentry (ports_allowed_by_connect, i, NULL); - if (data && *data == port) - return 1; - } - - return 0; -} - /* * Read in the first line from the client (the request line for HTTP * connections. The request line is allocated from the heap, but it must diff --git a/src/reqs.h b/src/reqs.h index cf40e46..73dd030 100644 --- a/src/reqs.h +++ b/src/reqs.h @@ -44,6 +44,5 @@ struct request_s { }; extern void handle_connection (int fd); -extern void add_connect_port_allowed (int port); #endif