diff options
-rw-r--r-- | .indent.pro | 1 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | browse.c | 83 | ||||
-rw-r--r-- | browse.h | 2 | ||||
-rw-r--r-- | config.h | 37 | ||||
-rw-r--r-- | error.h | 5 | ||||
-rw-r--r-- | main.c | 2 | ||||
-rw-r--r-- | url.c | 70 | ||||
-rw-r--r-- | url.h | 42 |
9 files changed, 228 insertions, 16 deletions
diff --git a/.indent.pro b/.indent.pro index 1f1db9f..5be652a 100644 --- a/.indent.pro +++ b/.indent.pro @@ -3,6 +3,7 @@ -ce -ci4 -cli0 +-di8 -d0 -i8 -ip @@ -38,7 +38,7 @@ all: main .c.o: $(CC) -o $@ -c $< $(CFLAGS) -main: http.o browse.o main.o +main: url.o http.o browse.o main.o $(CC) -o $@ $> $(LDFLAGS) env: env.o @@ -31,21 +31,78 @@ #include <dirent.h> #include <kcgi.h> #include <kcgihtml.h> +#include <stdbool.h> #include <string.h> #include "browse.h" #include "config.h" #include "error.h" #include "http.h" +#include "url.h" + +#define URL_LENGTH_MAX 8192 + +/* + * Checks that the path can be safely processed. Namely, it should not contain "..", which denotes an attempt to get out of the DATA_DIR root folder. + */ +static bool +check_request_path(char *path) +{ + char *p_found; + + p_found = strstr(path, "/.."); + if (p_found != NULL) + return false; + + p_found = strstr(path, "../"); + return p_found == NULL; +} + +/* + * file url = r->pname / r->pagename / r->path / file_name + */ +static size_t +build_browse_url(struct kreq * r, char *url, size_t url_size, const char *file) +{ + char *page_name; + + page_name = strlen(r->pagename) == 0 ? BROWSE_URL : r->pagename; + return url_build(url, url_size, 4, r->pname, page_name, r->path, file); +} int browse(struct kreq * r) { - struct dirent *current_dir; - DIR *data_dir; - char *dir_name; + struct dirent *dir; + DIR *data_dir; + char *file_name; + size_t url_size; + char url[URL_LENGTH_MAX], current_dir[URL_LENGTH_MAX]; struct khtmlreq html; + /* check that the requested URL can be safely processed */ + if (strlen(r->path) >= URL_LENGTH_MAX) { + http_open(r, KHTTP_414); + return VAULT_URI_ERROR; + } + if (!check_request_path(r->path)) { + http_open(r, KHTTP_400); + return VAULT_URI_ERROR; + } + /* list requested directory content */ + url_size = url_build(current_dir, URL_LENGTH_MAX, 2, DATA_DIR, r->path); + if (url_size == 0) { + http_open(r, KHTTP_404); + return VAULT_IO_ERROR; + } else if (url_size >= URL_LENGTH_MAX) { + http_open(r, KHTTP_414); + return VAULT_URI_ERROR; + } + data_dir = opendir(current_dir); + if (NULL == data_dir) { + http_open(r, KHTTP_404); + return VAULT_IO_ERROR; + } http_open(r, KHTTP_200); if (KCGI_OK != khtml_open(&html, r, 0)) @@ -53,25 +110,27 @@ browse(struct kreq * r) /* build basic html page */ khtml_elem(&html, KELEM_DOCTYPE); + khtml_elem(&html, KELEM_HEAD); + khtml_attr(&html, KELEM_META, KATTR_CHARSET, "utf-8", KATTR__MAX); khtml_elem(&html, KELEM_HTML); khtml_elem(&html, KELEM_BODY); khtml_elem(&html, KELEM_P); khtml_puts(&html, "/"); khtml_closeelem(&html, 1); - /* list data directory content */ - data_dir = opendir(DATA_DIR); - if (NULL == data_dir) - return VAULT_IO_ERROR; khtml_elem(&html, KELEM_UL); - while ((current_dir = readdir(data_dir)) != NULL) { + while ((dir = readdir(data_dir)) != NULL) { /* ignore special . and .. folders */ - dir_name = current_dir->d_name; - if (strcmp(".", dir_name) == 0 || strcmp("..", dir_name) == 0) + file_name = dir->d_name; + if (strcmp(".", file_name) == 0 || strcmp("..", file_name) == 0) + continue; + url_size = build_browse_url(r, url, URL_LENGTH_MAX, file_name); + if (url_size == 0 || url_size >= URL_LENGTH_MAX) continue; khtml_elem(&html, KELEM_LI); - khtml_puts(&html, current_dir->d_name); - khtml_closeelem(&html, 1); + khtml_attr(&html, KELEM_A, KATTR_HREF, url, KATTR__MAX); + khtml_puts(&html, dir->d_name); + khtml_closeelem(&html, 2); } khtml_close(&html); closedir(data_dir); @@ -33,6 +33,8 @@ #include <kcgi.h> +#define BROWSE_URL "browse" + /* * browse page allows to browse through the folder hierarchy under DATA_DIR, * returns 0 in case of success, an error code otherwise @@ -0,0 +1,37 @@ +/* + * Copyright 2023, Vincent Douillet <vincent@vdouillet.fr> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. Neither the name of the copyright holder nor the names of its contributors + * may be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef VAULT_CONFIG_H +#define VAULT_CONFIG_H + +#define DATA_DIR "/var/www/vault-data" + +#endif /* VAULT_CONFIG_H */ + @@ -32,7 +32,8 @@ #define VAULT_ERROR_H #define VAULT_SUCCESS 0 -#define VAULT_CGI_ERROR -1 -#define VAULT_IO_ERROR -2 +#define VAULT_CGI_ERROR 1 +#define VAULT_IO_ERROR 2 +#define VAULT_URI_ERROR 3 #endif /* VAULT_ERROR_H */ @@ -41,7 +41,7 @@ enum page { }; static const char *const pages[PAGE__MAX] = { - "browse", + BROWSE_URL }; int @@ -0,0 +1,70 @@ +/* + * Copyright 2023, Vincent Douillet <vincent@vdouillet.fr> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. Neither the name of the copyright holder nor the names of its contributors + * may be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <assert.h> +#include <stdarg.h> +#include <string.h> + +#include "url.h" + +size_t +url_build(char *dst, size_t dst_size, int count,...) +{ + va_list path_list; + const char *path; + int path_index; + size_t w_size; + + dst[0] = '\0'; + w_size = 0; + va_start(path_list, count); + for (path_index = 0; path_index < count; path_index++) { + /* no more space in dst buffer */ + if (w_size >= dst_size) + break; + + path = va_arg(path_list, char *); + + assert(path != NULL); + if (path[0] == '\0') + continue; + + if (path[0] == '.' && path[1] == '\0') + continue; + + if (path[0] != '/' && dst[w_size - 1] != '/') + w_size = strlcat(dst, "/", dst_size); + + w_size = strlcat(dst, path, dst_size); + } + + va_end(path_list); + return w_size; +} @@ -0,0 +1,42 @@ +/* + * Copyright 2023, Vincent Douillet <vincent@vdouillet.fr> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. Neither the name of the copyright holder nor the names of its contributors + * may be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef VAULT_URL_H +#define VAULT_URL_H + +#include <stdio.h> + +/* + * Build an URL from the provided components. + */ +size_t +url_build(char *, size_t, int,...); + +#endif /* VAULT_URL_H */ |