noproxy.c 7.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #ifndef CURL_DISABLE_PROXY
  26. #include "inet_pton.h"
  27. #include "strcase.h"
  28. #include "noproxy.h"
  29. #ifdef HAVE_NETINET_IN_H
  30. #include <netinet/in.h>
  31. #endif
  32. #ifdef HAVE_ARPA_INET_H
  33. #include <arpa/inet.h>
  34. #endif
  35. /*
  36. * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
  37. * specified CIDR address range.
  38. */
  39. UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */
  40. const char *network, /* 1.2.3.4 address */
  41. unsigned int bits)
  42. {
  43. unsigned int address = 0;
  44. unsigned int check = 0;
  45. if(bits > 32)
  46. /* strange input */
  47. return FALSE;
  48. if(1 != Curl_inet_pton(AF_INET, ipv4, &address))
  49. return FALSE;
  50. if(1 != Curl_inet_pton(AF_INET, network, &check))
  51. return FALSE;
  52. if(bits && (bits != 32)) {
  53. unsigned int mask = 0xffffffff << (32 - bits);
  54. unsigned int haddr = htonl(address);
  55. unsigned int hcheck = htonl(check);
  56. #if 0
  57. fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n",
  58. ipv4, haddr, network, hcheck, bits, mask,
  59. (haddr ^ hcheck) & mask);
  60. #endif
  61. if((haddr ^ hcheck) & mask)
  62. return FALSE;
  63. return TRUE;
  64. }
  65. return (address == check);
  66. }
  67. UNITTEST bool Curl_cidr6_match(const char *ipv6,
  68. const char *network,
  69. unsigned int bits)
  70. {
  71. #ifdef ENABLE_IPV6
  72. int bytes;
  73. int rest;
  74. unsigned char address[16];
  75. unsigned char check[16];
  76. if(!bits)
  77. bits = 128;
  78. bytes = bits/8;
  79. rest = bits & 0x07;
  80. if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
  81. return FALSE;
  82. if(1 != Curl_inet_pton(AF_INET6, network, check))
  83. return FALSE;
  84. if((bytes > 16) || ((bytes == 16) && rest))
  85. return FALSE;
  86. if(bytes && memcmp(address, check, bytes))
  87. return FALSE;
  88. if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
  89. return FALSE;
  90. return TRUE;
  91. #else
  92. (void)ipv6;
  93. (void)network;
  94. (void)bits;
  95. return FALSE;
  96. #endif
  97. }
  98. enum nametype {
  99. TYPE_HOST,
  100. TYPE_IPV4,
  101. TYPE_IPV6
  102. };
  103. /****************************************************************
  104. * Checks if the host is in the noproxy list. returns TRUE if it matches and
  105. * therefore the proxy should NOT be used.
  106. ****************************************************************/
  107. bool Curl_check_noproxy(const char *name, const char *no_proxy,
  108. bool *spacesep)
  109. {
  110. char hostip[128];
  111. *spacesep = FALSE;
  112. /*
  113. * If we don't have a hostname at all, like for example with a FILE
  114. * transfer, we have nothing to interrogate the noproxy list with.
  115. */
  116. if(!name || name[0] == '\0')
  117. return FALSE;
  118. /* no_proxy=domain1.dom,host.domain2.dom
  119. * (a comma-separated list of hosts which should
  120. * not be proxied, or an asterisk to override
  121. * all proxy variables)
  122. */
  123. if(no_proxy && no_proxy[0]) {
  124. const char *p = no_proxy;
  125. size_t namelen;
  126. enum nametype type = TYPE_HOST;
  127. if(!strcmp("*", no_proxy))
  128. return TRUE;
  129. /* NO_PROXY was specified and it wasn't just an asterisk */
  130. if(name[0] == '[') {
  131. char *endptr;
  132. /* IPv6 numerical address */
  133. endptr = strchr(name, ']');
  134. if(!endptr)
  135. return FALSE;
  136. name++;
  137. namelen = endptr - name;
  138. if(namelen >= sizeof(hostip))
  139. return FALSE;
  140. memcpy(hostip, name, namelen);
  141. hostip[namelen] = 0;
  142. name = hostip;
  143. type = TYPE_IPV6;
  144. }
  145. else {
  146. unsigned int address;
  147. namelen = strlen(name);
  148. if(1 == Curl_inet_pton(AF_INET, name, &address))
  149. type = TYPE_IPV4;
  150. else {
  151. /* ignore trailing dots in the host name */
  152. if(name[namelen - 1] == '.')
  153. namelen--;
  154. }
  155. }
  156. while(*p) {
  157. const char *token;
  158. size_t tokenlen = 0;
  159. bool match = FALSE;
  160. /* pass blanks */
  161. while(*p && ISBLANK(*p))
  162. p++;
  163. token = p;
  164. /* pass over the pattern */
  165. while(*p && !ISBLANK(*p) && (*p != ',')) {
  166. p++;
  167. tokenlen++;
  168. }
  169. if(tokenlen) {
  170. switch(type) {
  171. case TYPE_HOST:
  172. /* ignore trailing dots in the token to check */
  173. if(token[tokenlen - 1] == '.')
  174. tokenlen--;
  175. if(tokenlen && (*token == '.')) {
  176. /* ignore leading token dot as well */
  177. token++;
  178. tokenlen--;
  179. }
  180. /* A: example.com matches 'example.com'
  181. B: www.example.com matches 'example.com'
  182. C: nonexample.com DOES NOT match 'example.com'
  183. */
  184. if(tokenlen == namelen)
  185. /* case A, exact match */
  186. match = strncasecompare(token, name, namelen);
  187. else if(tokenlen < namelen) {
  188. /* case B, tailmatch domain */
  189. match = (name[namelen - tokenlen - 1] == '.') &&
  190. strncasecompare(token, name + (namelen - tokenlen),
  191. tokenlen);
  192. }
  193. /* case C passes through, not a match */
  194. break;
  195. case TYPE_IPV4:
  196. /* FALLTHROUGH */
  197. case TYPE_IPV6: {
  198. const char *check = token;
  199. char *slash;
  200. unsigned int bits = 0;
  201. char checkip[128];
  202. if(tokenlen >= sizeof(checkip))
  203. /* this cannot match */
  204. break;
  205. /* copy the check name to a temp buffer */
  206. memcpy(checkip, check, tokenlen);
  207. checkip[tokenlen] = 0;
  208. check = checkip;
  209. slash = strchr(check, '/');
  210. /* if the slash is part of this token, use it */
  211. if(slash) {
  212. bits = atoi(slash + 1);
  213. *slash = 0; /* null terminate there */
  214. }
  215. if(type == TYPE_IPV6)
  216. match = Curl_cidr6_match(name, check, bits);
  217. else
  218. match = Curl_cidr4_match(name, check, bits);
  219. break;
  220. }
  221. }
  222. if(match)
  223. return TRUE;
  224. } /* if(tokenlen) */
  225. /* pass blanks after pattern */
  226. while(ISBLANK(*p))
  227. p++;
  228. /* if not a comma! */
  229. if(*p && (*p != ',')) {
  230. *spacesep = TRUE;
  231. continue;
  232. }
  233. /* pass any number of commas */
  234. while(*p == ',')
  235. p++;
  236. } /* while(*p) */
  237. } /* NO_PROXY was specified and it wasn't just an asterisk */
  238. return FALSE;
  239. }
  240. #endif /* CURL_DISABLE_PROXY */