[mod_userdir] split policy from userdir path build

This commit is contained in:
Glenn Strauss 2019-10-26 17:27:20 -04:00
parent 5fd8e1940e
commit 28b7d0b656
1 changed files with 146 additions and 153 deletions

View File

@ -18,7 +18,6 @@
# include <pwd.h>
#endif
/* plugin config for all request/connections */
typedef struct {
array *exclude_user;
array *include_user;
@ -31,27 +30,19 @@ typedef struct {
typedef struct {
PLUGIN_DATA;
buffer *username;
buffer *temp_path;
plugin_config **config_storage;
plugin_config conf;
} plugin_data;
/* init the plugin data */
INIT_FUNC(mod_userdir_init) {
plugin_data *p;
p = calloc(1, sizeof(*p));
p->username = buffer_init();
p->temp_path = buffer_init();
return p;
}
/* detroy the plugin data */
FREE_FUNC(mod_userdir_free) {
plugin_data *p = p_d;
@ -75,16 +66,11 @@ FREE_FUNC(mod_userdir_free) {
free(p->config_storage);
}
buffer_free(p->username);
buffer_free(p->temp_path);
free(p);
return HANDLER_GO_ON;
}
/* handle plugin config and check values */
SETDEFAULTS_FUNC(mod_userdir_set_defaults) {
plugin_data *p = p_d;
size_t i;
@ -190,147 +176,154 @@ static int mod_userdir_patch_connection(server *srv, connection *con, plugin_dat
}
#undef PATCH
URIHANDLER_FUNC(mod_userdir_docroot_handler) {
plugin_data *p = p_d;
size_t k;
char *rel_url;
#ifdef HAVE_PWD_H
struct passwd *pwd = NULL;
#endif
if (buffer_is_empty(con->uri.path)) return HANDLER_GO_ON;
mod_userdir_patch_connection(srv, con, p);
/* enforce the userdir.path to be set in the config, ugly fix for #1587;
* should be replaced with a clean .enabled option in 1.5
*/
if (!p->conf.active || buffer_is_empty(p->conf.path)) return HANDLER_GO_ON;
/* /~user/foo.html -> /home/user/public_html/foo.html */
if (con->uri.path->ptr[0] != '/' ||
con->uri.path->ptr[1] != '~') return HANDLER_GO_ON;
if (NULL == (rel_url = strchr(con->uri.path->ptr + 2, '/'))) {
/* / is missing -> redirect to .../ as we are a user - DIRECTORY ! :) */
http_response_redirect_to_directory(srv, con, 301);
return HANDLER_FINISHED;
}
/* /~/ is a empty username, catch it directly */
if (0 == rel_url - (con->uri.path->ptr + 2)) {
return HANDLER_GO_ON;
}
buffer_copy_string_len(p->username, con->uri.path->ptr + 2, rel_url - (con->uri.path->ptr + 2));
if (buffer_string_is_empty(p->conf.basepath)
#ifdef HAVE_PWD_H
&& NULL == (pwd = getpwnam(p->username->ptr))
#endif
) {
/* user not found */
return HANDLER_GO_ON;
}
for (k = 0; k < p->conf.exclude_user->used; k++) {
data_string *ds = (data_string *)p->conf.exclude_user->data[k];
if (buffer_is_equal(&ds->value, p->username)) {
/* user in exclude list */
return HANDLER_GO_ON;
}
}
if (p->conf.include_user->used) {
int found_user = 0;
for (k = 0; k < p->conf.include_user->used; k++) {
data_string *ds = (data_string *)p->conf.include_user->data[k];
if (buffer_is_equal(&ds->value, p->username)) {
/* user in include list */
found_user = 1;
break;
}
}
if (!found_user) return HANDLER_GO_ON;
}
/* we build the physical path */
buffer_clear(p->temp_path);
if (buffer_string_is_empty(p->conf.basepath)) {
#ifdef HAVE_PWD_H
buffer_copy_string(p->temp_path, pwd->pw_dir);
#endif
} else {
char *cp = p->username->ptr;
/* check if the username is valid
* a request for /~../ should lead to a directory traversal
* limiting to [-_a-z0-9.] should fix it */
if (cp[0] == '.' && (cp[1] == '\0' || (cp[1] == '.' && cp[2] == '\0'))) {
return HANDLER_GO_ON;
}
for (; *cp; cp++) {
char c = *cp;
if (!(light_isalnum(c) || c == '-' || c == '_' || c == '.')) {
return HANDLER_GO_ON;
}
}
if (con->conf.force_lowercase_filenames) {
buffer_to_lower(p->username);
}
buffer_copy_buffer(p->temp_path, p->conf.basepath);
if (p->conf.letterhomes) {
if (p->username->ptr[0] == '.') return HANDLER_GO_ON;
buffer_append_path_len(p->temp_path, p->username->ptr, 1);
}
buffer_append_path_len(p->temp_path, CONST_BUF_LEN(p->username));
}
buffer_append_path_len(p->temp_path, CONST_BUF_LEN(p->conf.path));
if (buffer_string_is_empty(p->conf.basepath)) {
struct stat st;
int ret;
ret = stat(p->temp_path->ptr, &st);
if (ret < 0 || S_ISDIR(st.st_mode) != 1) {
return HANDLER_GO_ON;
}
}
buffer_copy_buffer(con->physical.basedir, p->temp_path);
/* the physical rel_path is basically the same as uri.path;
* but it is converted to lowercase in case of force_lowercase_filenames and some special handling
* for trailing '.', ' ' and '/' on windows
* we assume that no docroot/physical handler changed this
* (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path;
* the exception mod_secdownload doesn't work with userdir anyway)
*/
buffer_append_slash(p->temp_path);
/* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling
* on windows.
* we do not care about the trailing slash here on windows, as we already ensured it is a directory
*
* TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
* as a username without them.
*/
if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
}
buffer_copy_buffer(con->physical.path, p->temp_path);
return HANDLER_GO_ON;
static int mod_userdir_in_vlist_nc(const array * const a, const char * const k, const size_t klen) {
for (uint32_t i = 0, used = a->used; i < used; ++i) {
const data_string * const ds = (const data_string *)a->data[i];
if (buffer_eq_icase_slen(&ds->value, k, klen)) return 1;
}
return 0;
}
static int mod_userdir_in_vlist(const array * const a, const char * const k, const size_t klen) {
for (uint32_t i = 0, used = a->used; i < used; ++i) {
const data_string * const ds = (const data_string *)a->data[i];
if (buffer_eq_slen(&ds->value, k, klen)) return 1;
}
return 0;
}
__attribute_noinline__
static handler_t mod_userdir_docroot_construct(connection * const con, plugin_data * const p, const char * const uptr, const size_t ulen) {
char u[256];
if (ulen >= sizeof(u)) return HANDLER_GO_ON;
memcpy(u, uptr, ulen);
u[ulen] = '\0';
/* we build the physical path */
buffer * const b = con->srv->tmp_buf;
if (buffer_string_is_empty(p->conf.basepath)) {
#ifdef HAVE_PWD_H
/* XXX: future: might add cache; getpwnam() lookup is expensive */
struct passwd *pwd = getpwnam(u);
if (pwd) {
struct stat st;
buffer_copy_string(b, pwd->pw_dir);
buffer_append_path_len(b, CONST_BUF_LEN(p->conf.path));
if (0 != stat(b->ptr, &st) || !S_ISDIR(st.st_mode)) {
return HANDLER_GO_ON;
}
}
else /* user not found */
#endif
return HANDLER_GO_ON;
} else {
/* check if the username is valid
* a request for /~../ should lead to a directory traversal
* limiting to [-_a-z0-9.] should fix it */
if (ulen <= 2 && (u[0] == '.' && (1 == ulen || u[1] == '.'))) {
return HANDLER_GO_ON;
}
for (size_t i = 0; i < ulen; ++i) {
const int c = u[i];
if (!(light_isalnum(c) || c == '-' || c == '_' || c == '.')) {
return HANDLER_GO_ON;
}
}
if (con->conf.force_lowercase_filenames) {
for (size_t i = 0; i < ulen; ++i) {
if (u[i] >= 'A' && u[i] <= 'Z') u[i] |= 0x20;
}
}
buffer_copy_buffer(b, p->conf.basepath);
if (p->conf.letterhomes) {
if (u[0] == '.') return HANDLER_GO_ON;
buffer_append_path_len(b, u, 1);
}
buffer_append_path_len(b, u, ulen);
buffer_append_path_len(b, CONST_BUF_LEN(p->conf.path));
}
buffer_copy_buffer(con->physical.basedir, b);
buffer_copy_buffer(con->physical.path, b);
/* the physical rel_path is basically the same as uri.path;
* but it is converted to lowercase in case of force_lowercase_filenames
* and some special handling for trailing '.', ' ' and '/' on windows
* we assume that no docroot/physical handler changed this
* (docroot should only set the docroot/server name, phyiscal should only
* change the physical.path;
* the exception mod_secdownload doesn't work with userdir anyway)
*/
buffer_append_slash(con->physical.path);
/* if no second '/' is found, we assume that it was stripped from the
* uri.path for the special handling on windows. we do not care about the
* trailing slash here on windows, as we already ensured it is a directory
*
* TODO: what to do with trailing dots in usernames on windows?
* they may result in the same directory as a username without them.
*/
char *rel_url;
if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
buffer_append_string(con->physical.path, rel_url + 1); /* skip the / */
}
return HANDLER_GO_ON;
}
URIHANDLER_FUNC(mod_userdir_docroot_handler) {
/* /~user/foo.html -> /home/user/public_html/foo.html */
if (buffer_is_empty(con->uri.path)) return HANDLER_GO_ON;
if (con->uri.path->ptr[0] != '/' ||
con->uri.path->ptr[1] != '~') return HANDLER_GO_ON;
plugin_data * const p = p_d;
mod_userdir_patch_connection(srv, con, p);
/* enforce the userdir.path to be set in the config, ugly fix for #1587;
* should be replaced with a clean .enabled option in 1.5
*/
if (!p->conf.active || buffer_is_empty(p->conf.path)) return HANDLER_GO_ON;
const char * const uptr = con->uri.path->ptr + 2;
const char * const rel_url = strchr(uptr, '/');
if (NULL == rel_url) {
/* / is missing -> redirect to .../ as we are a user - DIRECTORY ! :) */
http_response_redirect_to_directory(srv, con, 301);
return HANDLER_FINISHED;
}
/* /~/ is a empty username, catch it directly */
const size_t ulen = (size_t)(rel_url - uptr);
if (0 == ulen) return HANDLER_GO_ON;
/* vlists could be turned into sorted array at config time,
* but these lists are expected to be relatively short in most cases
* so there is not a huge benefit to doing so in the common case */
if (p->conf.exclude_user) {
/* use case-insensitive comparison for exclude list
* if con->conf.force_lowercase_filenames */
if (!con->conf.force_lowercase_filenames
? mod_userdir_in_vlist(p->conf.exclude_user, uptr, ulen)
: mod_userdir_in_vlist_nc(p->conf.exclude_user, uptr, ulen))
return HANDLER_GO_ON; /* user in exclude list */
}
if (p->conf.include_user) {
if (!mod_userdir_in_vlist(p->conf.include_user, uptr, ulen))
return HANDLER_GO_ON; /* user not in include list */
}
return mod_userdir_docroot_construct(con, p, uptr, ulen);
}
/* this function is called at dlopen() time and inits the callbacks */
int mod_userdir_plugin_init(plugin *p);
int mod_userdir_plugin_init(plugin *p) {