libbase/URLAccessManager.cpp

   1 //
   2 //   Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
   3 //   Free Software Foundation, Inc
   4 //
   5 // This program is free software; you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation; either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // This program is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with this program; if not, write to the Free Software
  17 // Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  18
  19 #include "URLAccessManager.h"
  20 #include "URL.h"
  21 #include "log.h"
  22 #include "StringPredicates.h"
  23 #include "rc.h" // for rcfile
  24 #include "GnashSystemNetHeaders.h"
  25
  26 #include <cerrno>
  27 #include <algorithm> // for find / find_if
  28 #include <cstring> // for strerror
  29 #include <cstdio>
  30 #include <map>
  31 #include <string>
  32 #include <vector>
  33 #include <cassert>
  34
  35 // Android fails to define this constant
  36 #ifndef MAXHOSTNAMELEN
  37 # define MAXHOSTNAMELEN 256
  38 #endif
  39
  40 namespace gnash {
  41 namespace URLAccessManager {
  42
  43 /// Possible access policies for URLs
  44 enum AccessPolicy {
  45
  46         /// Forbid access
  47         BLOCK,
  48
  49         /// Allow access
  50         GRANT
  51 };
  52
  53 const char*
  54 accessPolicyString(AccessPolicy policy)
  55 {
  56         switch(policy)
  57         {
  58                 case BLOCK:
  59                         return "BLOCKED";
  60                 case GRANT:
  61                         return "GRANTED";
  62                 default:
  63                         return "UNKNOWN";
  64         }
  65 }
  66
  67 // The default AccessPolicy when prompting user is not possible
  68 // (this happens when input is not a tty, at the moment)
  69 //static AccessPolicy defaultAccessPolicy = GRANT;
  70
  71 /// A cache of AccessPolicy defined for URLs
  72 typedef std::map<std::string, AccessPolicy> AccessPolicyCache;
  73
  74 /// A global AccessPolicyCache
  75 static AccessPolicyCache policyCache;
  76
  77 // check host against black/white lists
  78 // return true if we allow load from host, false otherwise
  79 // it is assumed localhost/localdomain was already checked
  80 static bool
  81 host_check_blackwhite_lists(const std::string& host)
  82 {
  83         using std::vector;
  84         using std::string;
  85
  86         RcInitFile& rcfile = RcInitFile::getDefaultInstance();
  87
  88
  89         const std::vector<std::string>& whitelist = rcfile.getWhiteList();
  90         if (!whitelist.empty()) {
  91                 // TODO: case-insensitive matching ?
  92         std::vector<std::string>::const_iterator it =
  93             std::find(whitelist.begin(), whitelist.end(), host);
  94                 if (it != whitelist.end()) {
  95                         log_security(_("Load from host %s granted (whitelisted)"),
  96                                 host);
  97                         return true;
  98                 }
  99
 100                 // if there is a whitelist, anything NOT listed is denied
 101                 log_security(_("Load from host %s forbidden "
 102                         "(not in non-empty whitelist)"),
 103                         host);
 104
 105                 return false;
 106         }
 107
 108     const std::vector<std::string>& blacklist = rcfile.getBlackList();
 109
 110         // TODO: case-insensitive matching ?
 111     std::vector<std::string>::const_iterator it =
 112         std::find(blacklist.begin(), blacklist.end(), host);
 113
 114         if (it != blacklist.end()) {
 115                 log_security(_("Load from host %s forbidden (blacklisted)"),
 116                         host);
 117                 return false;
 118         }
 119
 120         log_security(_("Load from host %s granted (default)"), host);
 121         return true;
 122 }
 123
 124 static bool
 125 pathIsUnderDir(const std::string& path, const std::string& dir)
 126 {
 127     size_t dirLen = dir.length();
 128     if ( dirLen > path.length() ) return false; // can't contain it, right ?
 129
 130     // Path must be equal to dir for the whole dir length
 131     //
 132     // TODO: this is pretty lame, can do better with some normalization
 133     //       we'd need a generic splitPathInComponents.. maybe as a static
 134     //       public method of gnash::URL ?
 135     //
 136     if ( path.compare(0, dirLen, dir) ) return false;
 137
 138     return true;
 139 }
 140
 141 /// Return true if we allow load of the local resource, false otherwise.
 142 //
 143 static bool
 144 local_check(const std::string& path, const URL& baseUrl)
 145 {
 146 //    GNASH_REPORT_FUNCTION;
 147
 148     assert( ! path.empty() );
 149
 150     // Don't allow local access if starting movie is a network resource.
 151    if (baseUrl.protocol() != "file") {
 152       log_security(_("Load of file %s forbidden"
 153           " (starting URL %s is not a local resource)"),
 154           path, baseUrl.str());
 155       return false;
 156    }
 157
 158     RcInitFile& rcfile = RcInitFile::getDefaultInstance();
 159
 160     typedef RcInitFile::PathList PathList;
 161     const PathList& sandbox = rcfile.getLocalSandboxPath();
 162
 163     for (const std::string& dir : sandbox)
 164     {
 165         if ( pathIsUnderDir(path, dir) )
 166         {
 167             log_security(_("Load of file %s granted (under local sandbox %s)"),
 168                 path, dir);
 169             return true;
 170         }
 171     }
 172
 173     // TODO: dump local sandboxes here ? (or maybe send the info to the GUI properties
 174     //       view
 175     log_security(_("Load of file %s forbidden (not under local sandboxes)"),
 176         path);
 177     return false;
 178
 179 }
 180
 181 /// Return true if we allow load from host, false otherwise.
 182 //
 183 /// This function will check for localhost/localdomain (if requested)
 184 /// and finally call host_check_blackwhitelists
 185 ///
 186 static bool
 187 host_check(const std::string& host)
 188 {
 189 //    GNASH_REPORT_FUNCTION;
 190
 191     //log_security(_("Checking security of host: %s"), host.c_str());
 192
 193     assert( ! host.empty() );
 194
 195     RcInitFile& rcfile = RcInitFile::getDefaultInstance();
 196
 197     bool check_domain = rcfile.useLocalDomain();
 198     bool check_localhost = rcfile.useLocalHost();
 199
 200     // Don't bother gettin hostname if we're not going to need it
 201     if ( ! ( check_domain  || check_localhost ) )
 202     {
 203         return host_check_blackwhite_lists(host);
 204     }
 205
 206     //
 207     // Get hostname
 208     //
 209
 210 //  #define MAXHOSTNAMELEN 200
 211     char name[MAXHOSTNAMELEN];
 212     if (::gethostname(name, MAXHOSTNAMELEN) == -1)
 213     {
 214         // FIXME: strerror is NOT thread-safe
 215         log_error(_("gethostname failed: %s"), std::strerror(errno));
 216         return host_check_blackwhite_lists(host);
 217     }
 218     // From GETHOSTNAME(2):
 219     // In case the NUL-terminated hostname does not fit,
 220     // no  error is returned, but the hostname is truncated. It is unspecified
 221     // whether the truncated hostname will be NUL-terminated.
 222     name[MAXHOSTNAMELEN - 1] = '\0'; // unlikely, still worth making sure...
 223
 224     // ok, let's use std::strings... we're a C++ program after all !
 225     std::string hostname(name); // the hostname
 226     std::string domainname;     // the domainname
 227
 228     // Split hostname/domainname or take it all as an hostname if
 229     // no dot is found
 230     std::string::size_type dotloc = hostname.find('.', 0);
 231     if ( dotloc != std::string::npos ) {
 232         domainname = hostname.substr(dotloc+1);
 233         hostname.erase(dotloc);
 234     }
 235
 236     if ( check_domain && domainname != host ) {
 237         log_security(_("Load from host %s forbidden (not in the local domain)"),
 238                 host);
 239         return false;
 240         }
 241
 242     if ( check_localhost && hostname != host ) {
 243         log_security(_("Load from host %s forbidden (not on the local host)"),
 244                 host);
 245         return false;
 246     }
 247
 248     return host_check_blackwhite_lists(host);
 249
 250 }
 251
 252 bool
 253 allowHost(const std::string& host)
 254 {
 255         if (host.size() == 0) {
 256                 return true;
 257         }
 258         return host_check(host);
 259 }
 260
 261 bool
 262 allowXMLSocket(const std::string& host, short port)
 263 {
 264     if (port < 1024) {
 265         log_security(_("Attempt to connect to disallowed port %s"), port);
 266         return false;
 267     }
 268         return allowHost(host);
 269 }
 270
 271
 272 bool
 273 allow(const URL& url, const URL& baseurl)
 274 {
 275         log_security(_("Checking security of URL '%s'"), url);
 276
 277         // We might reintroduce use of an AccessPolicy cache
 278
 279         std::string host = url.hostname();
 280
 281         // Local resources can be accessed only if they are
 282         // in a directory listed as local sandbox
 283         if (host.size() == 0)
 284         {
 285                 if (url.protocol() != "file")
 286         {
 287             log_error(_("Network connection without hostname requested"));
 288             return false;
 289         }
 290                 return local_check(url.path(), baseurl);
 291         }
 292         return host_check(host);
 293 }
 294
 295
 296 } // AccessManager
 297 } // namespace gnash
 298