Age | Commit message | Author |
|
When we're starting a deferred request, the related input ustream might
have gone into read_blocked mode because incoming client request data
exhausted the ustream's internal buffer space. When this happens, edge
triggered uloop read events are "lost" and never re-triggered, causing
the script input to never complete.
In order to avoid that deadlock situation, manually poke the input
ustream using ustream_poll() after invoking client_poll_post_data()
which should have drained (some) of the buffered input ustream contents.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
An invalid data access can be triggered with an HTTP POST request to a CGI
script specifying both `Transfer-Encoding: chunked` and a large negative
`Content-Length`.
The negative content length is assigned to `r->content_length` in
`client_parse_header` and passed as a negative read length to
`ustream_consume` in `client_poll_post_data` which will set the internal
ustream buffer pointer to an invalid address, causing out of bounds memory
reads later on in the code flow.
A similar implicit unsigned to signed conversion happens when parsing
chunk sizes emitted by a CGI program.
Address these issues by rejecting negative values in `r->content_length`
after assigning the `strtoul()` result.
Reported-by: Jan-Niklas Sohn <jan-niklas.sohn@gmx.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
After format string checks were activated in libubox the compiler
started to complain about multiple misuses in uhttpd. This fixes the
format strings without changing the behavior.
blobmsg_get_string() just checks if the parameter is not NULL and then
calls blobmsg_data() and casts the result.
I think none of these problems is security relevant.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
Escape the untrusted request URL input in the permission denied HTML output.
This fixes certain XSS vulnerabilities which can be leveraged to further
exploit the system.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Adds ifdefs to fix building without TLS and Lua support
Signed-off-by: Paul Willoughby <paulw@spacemonkey.com>
|
|
It's one of the parameters used by default in LuCI, so it should be
included in the help output.
Signed-off-by: Karl Palsson <karlp@etactica.com>
|
|
Fixes: 77b774b ("build: avoid redefining _DEFAULT_SOURCE")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Work around further glibc toolchain annoyances.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Allow -l / -L arguments to be repeated to register multiple Lua prefix
handlers in the same process.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Add _DEFAULT_SOURCE FTM in order to avoid warnings with recent glibc.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
When the outer SSL ustream triggers a change notification due to
encountering EOF, the inner connection ustream might still have
pending data buffered.
Previously, such a condition led to truncated files delivered by
uhttpd via HTTPS and could be triggered by requesting large resources
via slow network links.
Mitigate the problem by propagating the EOF status indicator from
the outer ustream to the inner one and by deferring the client
connection shutdown until the inner ustream output buffer has been
completely drained.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Map the "Origin:" header as $HTTP_ORIGIN environment variable for use by
request handling processes.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Escape untrusted input like the request URL or filesystem paths in HTML
outputs such as the directory listing or 404 error messages.
This fixes certain XSS vulnerabilities which can be leveraged to further
exploit the system.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The uh_htmlescape() function returns a copy of the given string with the
HTML special characters `<`, `>`, `"` and `'` replaced by HTML entities in
hexadecimal notation.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
This reverts commit ccd9717ba5d501b45fda957f0ea41c4660ef414c.
|
|
When a request handler accepting post data is too slow in consuming stdin,
uhttpd might deadlock with the master process stuck in a blocking write()
to the child and the child stuck with a blocking write() to the master.
Avoid this issue by putting the master side write end of the child pipe
into nonblocking mode right away and by raising the data_blocked flag
when attempts to write to the child yield EAGAIN.
Setting the flag ensures that client_poll_post_data() does not immediately
trigger a write attempt again, which effectively yields the master write
cycle so that the relay ustream has a chance to consume output of the
client process, thus solving the deadlock.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The existing implementation incorrectly attempted to read the entire stdin
instead of fetching at most the given amount of bytes.
While we're at it, also make the size argument optional and let it default
to Lua's internal buffer size.
Suggested-by: Bryan Mayland <bmayland+lede@capnbry.net>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Instead of storing a pointer to the beginning of the query string within the
request url, store a copy in a static buffer instead. This aligns handling
the query string portion of the url with other elements like physical path
or path info information.
Since the URL is usually kept in the per-client blob buffer which might
change its memory location due to reallocations triggered by blobmsg_add_*,
it is not safe to point to it early in the request life cycle.
This fixes invalid memory access usually manifesting itself as corrupted
query string data in CGI scripts.
Reported-by: P. Wassi <p.wassi@gmx.at>
Suggested-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Add "text/cache-manifest" mimetype support to enable the possibility of
using Application Cache.
Signed-off-by: Adrian Panella <ianchi74@outlook.com>
|
|
Previous refactoring of the basic auth handling code broke the logic in
such a way that basic auth was only performed if a client sent an
Authorization header in its request, but it was never prompted for by
the server.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Mimic other web servers like Nginx or Apache and expose the parsed basic
auth information as HTTP_AUTH_USER and HTTP_AUTH_PASS environment variables
to CGI processes.
This also restores login-from-basic-auth functionality in LuCI.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Store the parsed username and password information as HTTP headers in the
client's header blob buffer for later use by proc.c
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
If a HTTP header variable has no corresponding value, then do not set it
to the empty string but to NULL, so that cgi.c will later skip it when
setting up the process environment.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Provides a small speedup when resuming the connection.
Signed-off by: Rosen Penev <rosenp@gmail.com>
|
|
When calculating the matching prefix length, make sure to not take the trailing
slash into account in order to ensure that the resulting PATH_INFO string
always starts with a slash.
This ensures that an url like "/foo" against the matching prefix "/" or
"/foo/bar" against "/foo/" result in "/foo" and "/bar" respectively.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.
Add some extra code to handle this special case to implement the expected
behaviour.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The check_cgi_path() function would segfault if we ever support running
uhttpd without any CGI prefix.
Add a check to prevent running uh_patch_match() when the prefix is unset.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
This allows the request handler to add extra headers to the response
even in the redirect case.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for libubox/usock.h.
Some external toolchains which do not include standard locations would fail to
find the header otherwise.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
transfer
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
In a json_script file you can specify rules for rewriting the URL or
redirecting the browser either unconditionally, or as a fallback where
it would otherwise print a 404 error
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
the path compare return code was not honoured properly
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
this allows an alias entry inside the root folder to point at a cgi-bin script
-y foo=bar will redirect /foo to /cgi-bin/bar
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
The two commits
5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
"allow request handlers to disable chunked reponses"
and
618493e378e2239f0d30902e47adfa134e649fdc
"file: disable chunked encoding for file responses"
broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.
The effect of this bug is that cgi responses following a 204 or 304 one were
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.
Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Andrej Krpic <ak77@tnode.com>
|
|
Fixes https://dev.openwrt.org/ticket/20458
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
As uhttpd doesn't currently support PUT/DELETE/PATCH, allow passing the
commonly used X-HTTP-Method-Override header to CGI scripts.
This is an optional "protocol specific metadata" variable as per rfc
3875 section 4.1.18.
Signed-off-by: Karl Palsson <karlp@remake.is>
|
|
Use the 307 code to force agents to retain the original request method.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|