src/mod_access.c

   1 #include "first.h"
   2
   3 #include "base.h"
   4 #include "log.h"
   5 #include "buffer.h"
   6
   7 #include "plugin.h"
   8
   9 #include <stdlib.h>
  10 #include <string.h>
  11
  12 typedef struct {
  13         array *access_allow;
  14         array *access_deny;
  15 } plugin_config;
  16
  17 typedef struct {
  18         PLUGIN_DATA;
  19
  20         plugin_config **config_storage;
  21
  22         plugin_config conf;
  23 } plugin_data;
  24
  25 INIT_FUNC(mod_access_init) {
  26         plugin_data *p;
  27
  28         p = calloc(1, sizeof(*p));
  29
  30         return p;
  31 }
  32
  33 FREE_FUNC(mod_access_free) {
  34         plugin_data *p = p_d;
  35
  36         UNUSED(srv);
  37
  38         if (!p) return HANDLER_GO_ON;
  39
  40         if (p->config_storage) {
  41                 size_t i;
  42                 for (i = 0; i < srv->config_context->used; i++) {
  43                         plugin_config *s = p->config_storage[i];
  44
  45                         if (NULL == s) continue;
  46
  47                         array_free(s->access_allow);
  48                         array_free(s->access_deny);
  49
  50                         free(s);
  51                 }
  52                 free(p->config_storage);
  53         }
  54
  55         free(p);
  56
  57         return HANDLER_GO_ON;
  58 }
  59
  60 SETDEFAULTS_FUNC(mod_access_set_defaults) {
  61         plugin_data *p = p_d;
  62         size_t i = 0;
  63
  64         config_values_t cv[] = {
  65                 { "url.access-deny",             NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
  66                 { "url.access-allow",            NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },
  67                 { NULL,                          NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
  68         };
  69
  70         p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
  71
  72         for (i = 0; i < srv->config_context->used; i++) {
  73                 data_config const* config = (data_config const*)srv->config_context->data[i];
  74                 plugin_config *s;
  75
  76                 s = calloc(1, sizeof(plugin_config));
  77                 s->access_deny    = array_init();
  78                 s->access_allow   = array_init();
  79
  80                 cv[0].destination = s->access_deny;
  81                 cv[1].destination = s->access_allow;
  82
  83                 p->config_storage[i] = s;
  84
  85                 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
  86                         return HANDLER_ERROR;
  87                 }
  88
  89                 if (!array_is_vlist(s->access_deny)) {
  90                         log_error_write(srv, __FILE__, __LINE__, "s",
  91                                         "unexpected value for url.access-deny; expected list of \"suffix\"");
  92                         return HANDLER_ERROR;
  93                 }
  94
  95                 if (!array_is_vlist(s->access_allow)) {
  96                         log_error_write(srv, __FILE__, __LINE__, "s",
  97                                         "unexpected value for url.access-allow; expected list of \"suffix\"");
  98                         return HANDLER_ERROR;
  99                 }
 100         }
 101
 102         return HANDLER_GO_ON;
 103 }
 104
 105 #define PATCH(x) \
 106         p->conf.x = s->x;
 107 static int mod_access_patch_connection(server *srv, connection *con, plugin_data *p) {
 108         size_t i, j;
 109         plugin_config *s = p->config_storage[0];
 110
 111         PATCH(access_allow);
 112         PATCH(access_deny);
 113
 114         /* skip the first, the global context */
 115         for (i = 1; i < srv->config_context->used; i++) {
 116                 data_config *dc = (data_config *)srv->config_context->data[i];
 117                 s = p->config_storage[i];
 118
 119                 /* condition didn't match */
 120                 if (!config_check_cond(srv, con, dc)) continue;
 121
 122                 /* merge config */
 123                 for (j = 0; j < dc->value->used; j++) {
 124                         data_unset *du = dc->value->data[j];
 125
 126                         if (buffer_is_equal_string(du->key, CONST_STR_LEN("url.access-deny"))) {
 127                                 PATCH(access_deny);
 128                         } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("url.access-allow"))) {
 129                                 PATCH(access_allow);
 130                         }
 131                 }
 132         }
 133
 134         return 0;
 135 }
 136 #undef PATCH
 137
 138 /**
 139  * URI handler
 140  *
 141  * we will get called twice:
 142  * - after the clean up of the URL and
 143  * - after the pathinfo checks are done
 144  *
 145  * this handles the issue of trailing slashes
 146  */
 147 URIHANDLER_FUNC(mod_access_uri_handler) {
 148         plugin_data *p = p_d;
 149         int s_len;
 150         size_t k;
 151
 152         if (buffer_is_empty(con->uri.path)) return HANDLER_GO_ON;
 153
 154         mod_access_patch_connection(srv, con, p);
 155
 156         s_len = buffer_string_length(con->uri.path);
 157
 158         if (con->conf.log_request_handling) {
 159                 log_error_write(srv, __FILE__, __LINE__, "s",
 160                                 "-- mod_access_uri_handler called");
 161         }
 162
 163         for (k = 0; k < p->conf.access_allow->used; ++k) {
 164                 data_string *ds = (data_string *)p->conf.access_allow->data[k];
 165                 int ct_len = buffer_string_length(ds->value);
 166                 int allowed = 0;
 167
 168                 if (ct_len > s_len) continue;
 169                 if (buffer_is_empty(ds->value)) continue;
 170
 171                 /* if we have a case-insensitive FS we have to lower-case the URI here too */
 172
 173                 if (con->conf.force_lowercase_filenames) {
 174                         if (0 == strncasecmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
 175                                 allowed = 1;
 176                         }
 177                 } else {
 178                         if (0 == strncmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
 179                                 allowed = 1;
 180                         }
 181                 }
 182
 183                 if (allowed) {
 184                         return HANDLER_GO_ON;
 185                 }
 186         }
 187
 188         if (k > 0) { /* have access_allow but none matched */
 189                 con->http_status = 403;
 190                 con->mode = DIRECT;
 191
 192                 if (con->conf.log_request_handling) {
 193                         log_error_write(srv, __FILE__, __LINE__, "sb",
 194                                 "url denied as failed to match any from access_allow", con->uri.path);
 195                 }
 196
 197                 return HANDLER_FINISHED;
 198         }
 199
 200         for (k = 0; k < p->conf.access_deny->used; k++) {
 201                 data_string *ds = (data_string *)p->conf.access_deny->data[k];
 202                 int ct_len = buffer_string_length(ds->value);
 203                 int denied = 0;
 204
 205
 206                 if (ct_len > s_len) continue;
 207                 if (buffer_is_empty(ds->value)) continue;
 208
 209                 /* if we have a case-insensitive FS we have to lower-case the URI here too */
 210
 211                 if (con->conf.force_lowercase_filenames) {
 212                         if (0 == strncasecmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
 213                                 denied = 1;
 214                         }
 215                 } else {
 216                         if (0 == strncmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
 217                                 denied = 1;
 218                         }
 219                 }
 220
 221                 if (denied) {
 222                         con->http_status = 403;
 223                         con->mode = DIRECT;
 224
 225                         if (con->conf.log_request_handling) {
 226                                 log_error_write(srv, __FILE__, __LINE__, "sb",
 227                                         "url denied as we match:", ds->value);
 228                         }
 229
 230                         return HANDLER_FINISHED;
 231                 }
 232         }
 233
 234         /* not found */
 235         return HANDLER_GO_ON;
 236 }
 237
 238
 239 int mod_access_plugin_init(plugin *p);
 240 int mod_access_plugin_init(plugin *p) {
 241         p->version     = LIGHTTPD_VERSION_ID;
 242         p->name        = buffer_init_string("access");
 243
 244         p->init        = mod_access_init;
 245         p->set_defaults = mod_access_set_defaults;
 246         p->handle_uri_clean = mod_access_uri_handler;
 247         p->handle_subrequest_start  = mod_access_uri_handler;
 248         p->cleanup     = mod_access_free;
 249
 250         p->data        = NULL;
 251
 252         return 0;
 253 }