noproxy.c 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #ifndef CURL_DISABLE_PROXY
  26. #include "inet_pton.h"
  27. #include "strcase.h"
  28. #include "noproxy.h"
  29. #ifdef HAVE_NETINET_IN_H
  30. #include <netinet/in.h>
  31. #endif
  32. #ifdef HAVE_ARPA_INET_H
  33. #include <arpa/inet.h>
  34. #endif
  35. /*
  36. * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
  37. * specified CIDR address range.
  38. */
  39. UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */
  40. const char *network, /* 1.2.3.4 address */
  41. unsigned int bits)
  42. {
  43. unsigned int address = 0;
  44. unsigned int check = 0;
  45. if(bits > 32)
  46. /* strange input */
  47. return FALSE;
  48. if(1 != Curl_inet_pton(AF_INET, ipv4, &address))
  49. return FALSE;
  50. if(1 != Curl_inet_pton(AF_INET, network, &check))
  51. return FALSE;
  52. if(bits && (bits != 32)) {
  53. unsigned int mask = 0xffffffff << (32 - bits);
  54. unsigned int haddr = htonl(address);
  55. unsigned int hcheck = htonl(check);
  56. #if 0
  57. fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n",
  58. ipv4, haddr, network, hcheck, bits, mask,
  59. (haddr ^ hcheck) & mask);
  60. #endif
  61. if((haddr ^ hcheck) & mask)
  62. return FALSE;
  63. return TRUE;
  64. }
  65. return (address == check);
  66. }
  67. UNITTEST bool Curl_cidr6_match(const char *ipv6,
  68. const char *network,
  69. unsigned int bits)
  70. {
  71. #ifdef USE_IPV6
  72. unsigned int bytes;
  73. unsigned int rest;
  74. unsigned char address[16];
  75. unsigned char check[16];
  76. if(!bits)
  77. bits = 128;
  78. bytes = bits / 8;
  79. rest = bits & 0x07;
  80. if((bytes > 16) || ((bytes == 16) && rest))
  81. return FALSE;
  82. if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
  83. return FALSE;
  84. if(1 != Curl_inet_pton(AF_INET6, network, check))
  85. return FALSE;
  86. if(bytes && memcmp(address, check, bytes))
  87. return FALSE;
  88. if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
  89. return FALSE;
  90. return TRUE;
  91. #else
  92. (void)ipv6;
  93. (void)network;
  94. (void)bits;
  95. return FALSE;
  96. #endif
  97. }
  98. enum nametype {
  99. TYPE_HOST,
  100. TYPE_IPV4,
  101. TYPE_IPV6
  102. };
  103. /****************************************************************
  104. * Checks if the host is in the noproxy list. returns TRUE if it matches and
  105. * therefore the proxy should NOT be used.
  106. ****************************************************************/
  107. bool Curl_check_noproxy(const char *name, const char *no_proxy)
  108. {
  109. char hostip[128];
  110. /*
  111. * If we don't have a hostname at all, like for example with a FILE
  112. * transfer, we have nothing to interrogate the noproxy list with.
  113. */
  114. if(!name || name[0] == '\0')
  115. return FALSE;
  116. /* no_proxy=domain1.dom,host.domain2.dom
  117. * (a comma-separated list of hosts which should
  118. * not be proxied, or an asterisk to override
  119. * all proxy variables)
  120. */
  121. if(no_proxy && no_proxy[0]) {
  122. const char *p = no_proxy;
  123. size_t namelen;
  124. enum nametype type = TYPE_HOST;
  125. if(!strcmp("*", no_proxy))
  126. return TRUE;
  127. /* NO_PROXY was specified and it wasn't just an asterisk */
  128. if(name[0] == '[') {
  129. char *endptr;
  130. /* IPv6 numerical address */
  131. endptr = strchr(name, ']');
  132. if(!endptr)
  133. return FALSE;
  134. name++;
  135. namelen = endptr - name;
  136. if(namelen >= sizeof(hostip))
  137. return FALSE;
  138. memcpy(hostip, name, namelen);
  139. hostip[namelen] = 0;
  140. name = hostip;
  141. type = TYPE_IPV6;
  142. }
  143. else {
  144. unsigned int address;
  145. namelen = strlen(name);
  146. if(1 == Curl_inet_pton(AF_INET, name, &address))
  147. type = TYPE_IPV4;
  148. else {
  149. /* ignore trailing dots in the host name */
  150. if(name[namelen - 1] == '.')
  151. namelen--;
  152. }
  153. }
  154. while(*p) {
  155. const char *token;
  156. size_t tokenlen = 0;
  157. bool match = FALSE;
  158. /* pass blanks */
  159. while(*p && ISBLANK(*p))
  160. p++;
  161. token = p;
  162. /* pass over the pattern */
  163. while(*p && !ISBLANK(*p) && (*p != ',')) {
  164. p++;
  165. tokenlen++;
  166. }
  167. if(tokenlen) {
  168. switch(type) {
  169. case TYPE_HOST:
  170. /* ignore trailing dots in the token to check */
  171. if(token[tokenlen - 1] == '.')
  172. tokenlen--;
  173. if(tokenlen && (*token == '.')) {
  174. /* ignore leading token dot as well */
  175. token++;
  176. tokenlen--;
  177. }
  178. /* A: example.com matches 'example.com'
  179. B: www.example.com matches 'example.com'
  180. C: nonexample.com DOES NOT match 'example.com'
  181. */
  182. if(tokenlen == namelen)
  183. /* case A, exact match */
  184. match = strncasecompare(token, name, namelen);
  185. else if(tokenlen < namelen) {
  186. /* case B, tailmatch domain */
  187. match = (name[namelen - tokenlen - 1] == '.') &&
  188. strncasecompare(token, name + (namelen - tokenlen),
  189. tokenlen);
  190. }
  191. /* case C passes through, not a match */
  192. break;
  193. case TYPE_IPV4:
  194. case TYPE_IPV6: {
  195. const char *check = token;
  196. char *slash;
  197. unsigned int bits = 0;
  198. char checkip[128];
  199. if(tokenlen >= sizeof(checkip))
  200. /* this cannot match */
  201. break;
  202. /* copy the check name to a temp buffer */
  203. memcpy(checkip, check, tokenlen);
  204. checkip[tokenlen] = 0;
  205. check = checkip;
  206. slash = strchr(check, '/');
  207. /* if the slash is part of this token, use it */
  208. if(slash) {
  209. /* if the bits variable gets a crazy value here, that is fine as
  210. the value will then be rejected in the cidr function */
  211. bits = (unsigned int)atoi(slash + 1);
  212. *slash = 0; /* null terminate there */
  213. }
  214. if(type == TYPE_IPV6)
  215. match = Curl_cidr6_match(name, check, bits);
  216. else
  217. match = Curl_cidr4_match(name, check, bits);
  218. break;
  219. }
  220. }
  221. if(match)
  222. return TRUE;
  223. } /* if(tokenlen) */
  224. /* pass blanks after pattern */
  225. while(ISBLANK(*p))
  226. p++;
  227. /* if not a comma, this ends the loop */
  228. if(*p != ',')
  229. break;
  230. /* pass any number of commas */
  231. while(*p == ',')
  232. p++;
  233. } /* while(*p) */
  234. } /* NO_PROXY was specified and it wasn't just an asterisk */
  235. return FALSE;
  236. }
  237. #endif /* CURL_DISABLE_PROXY */