libexec/httpd/tilde-luzah-bozo.c

   1 /*      $NetBSD: tilde-luzah-bozo.c,v 1.11 2015/07/16 12:19:23 shm Exp $        */
   2
   3 /*      $eterna: tilde-luzah-bozo.c,v 1.16 2011/11/18 09:21:15 mrg Exp $        */
   4
   5 /*
   6  * Copyright (c) 1997-2014 Matthew R. Green
   7  * All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer and
  16  *    dedication in the documentation and/or other materials provided
  17  *    with the distribution.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  20  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  21  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  22  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  26  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  27  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  29  * SUCH DAMAGE.
  30  *
  31  */
  32
  33 /* this code implements ~user support for bozohttpd */
  34
  35 #ifndef NO_USER_SUPPORT
  36
  37 #include <sys/param.h>
  38
  39 #include <assert.h>
  40 #include <errno.h>
  41 #include <pwd.h>
  42 #include <stdlib.h>
  43 #include <string.h>
  44 #include <unistd.h>
  45
  46 #include "bozohttpd.h"
  47
  48 /*
  49  * bozo_user_transform does this:
  50  *      - chdir's /~user/public_html
  51  *      - returns the rest of the file, index.html appended if required
  52  *      - returned malloced file to serve in request->hr_file,
  53  *        ala transform_request().
  54  *
  55  * transform_request() is supposed to check that we have user support
  56  * enabled.
  57  */
  58 int
  59 bozo_user_transform(bozo_httpreq_t *request, int *isindex)
  60 {
  61         bozohttpd_t *httpd = request->hr_httpd;
  62         char    c, *s, *file = NULL, *user;
  63         struct  passwd *pw;
  64
  65         *isindex = 0;
  66
  67         /* find username */
  68         user = strchr(request->hr_file + 2, '~');
  69
  70         /* this shouldn't happen, but "better paranoid than sorry" */
  71         assert(user != NULL);
  72
  73         user++;
  74
  75         if ((s = strchr(user, '/')) != NULL) {
  76                 *s++ = '\0';
  77                 c = s[strlen(s)-1];
  78                 *isindex = (c == '/' || c == '\0');
  79         }
  80
  81         debug((httpd, DEBUG_OBESE, "looking for user %s",
  82                 user));
  83         pw = getpwnam(user);
  84         /* fix this up immediately */
  85         if (s)
  86                 s[-1] = '/';
  87         if (pw == NULL) {
  88                 (void)bozo_http_error(httpd, 404, request, "no such user");
  89                 return 0;
  90         }
  91
  92         debug((httpd, DEBUG_OBESE, "user %s dir %s/%s uid %d gid %d",
  93               pw->pw_name, pw->pw_dir, httpd->public_html,
  94               pw->pw_uid, pw->pw_gid));
  95
  96         if (chdir(pw->pw_dir) < 0) {
  97                 bozo_warn(httpd, "chdir1 error: %s: %s", pw->pw_dir,
  98                         strerror(errno));
  99                 (void)bozo_http_error(httpd, 404, request,
 100                         "can't chdir to homedir");
 101                 return 0;
 102         }
 103         if (chdir(httpd->public_html) < 0) {
 104                 bozo_warn(httpd, "chdir2 error: %s: %s", httpd->public_html,
 105                         strerror(errno));
 106                 (void)bozo_http_error(httpd, 404, request,
 107                         "can't chdir to public_html");
 108                 return 0;
 109         }
 110         if (s == NULL || *s == '\0') {
 111                 file = bozostrdup(httpd, httpd->index_html);
 112         } else {
 113                 file = bozomalloc(httpd, strlen(s) +
 114                     (*isindex ? strlen(httpd->index_html) + 1 : 1));
 115                 strcpy(file, s);
 116                 if (*isindex)
 117                         strcat(file, httpd->index_html);
 118         }
 119
 120         /* see transform_request() */
 121         if (*file == '/' || strcmp(file, "..") == 0 ||
 122             strstr(file, "/..") || strstr(file, "../")) {
 123                 (void)bozo_http_error(httpd, 403, request, "illegal request");
 124                 free(file);
 125                 return 0;
 126         }
 127
 128         if (bozo_auth_check(request, file)) {
 129                 free(file);
 130                 return 0;
 131         }
 132
 133         free(request->hr_file);
 134         request->hr_file = file;
 135
 136         debug((httpd, DEBUG_FAT, "transform_user returning %s under %s", file,
 137             pw->pw_dir));
 138         return 1;
 139 }
 140 #endif /* NO_USER_SUPPORT */