
Plan 9 from Bell Labs 2003-10-09

David du Colombier 20 years ago
parent
commit
4cf2ce4ed4
4 changed files with 46 additions and 16 deletions
  1. 3 3
      dist/replica/plan9.db
  2. 5 0
      dist/replica/plan9.log
  3. 15 8
      sys/man/8/httpd
  4. 23 5
      sys/src/cmd/ip/httpd/webls.c

+ 3 - 3
dist/replica/plan9.db

@@ -273,7 +273,7 @@
 386/bin/ip/httpd/imagemap - 775 sys sys 1064598228 113413
 386/bin/ip/httpd/man2html - 775 sys sys 1064598229 121681
 386/bin/ip/httpd/save - 775 sys sys 1064598231 130742
-386/bin/ip/httpd/webls - 775 sys sys 1064887865 129644
+386/bin/ip/httpd/webls - 775 sys sys 1065646626 129996
 386/bin/ip/httpd/wikipost - 775 sys sys 1064598232 111102
 386/bin/ip/imap4d - 775 sys sys 1064598233 234268
 386/bin/ip/ipconfig - 775 sys sys 1064598234 128285
@@ -4955,7 +4955,7 @@ sys/man/8/drawterm - 664 sys sys 958419689 2458
 sys/man/8/fossilcons - 664 sys sys 1063855784 14700
 sys/man/8/fs - 664 sys sys 1055701170 15029
 sys/man/8/fsconfig - 664 sys sys 1045501600 8142
-sys/man/8/httpd - 664 sys sys 1064887873 6230
+sys/man/8/httpd - 664 sys sys 1065640802 6426
 sys/man/8/init - 664 sys sys 944959679 1430
 sys/man/8/ipconfig - 664 sys sys 1060189415 5050
 sys/man/8/ipserv - 664 sys sys 1063855796 4337
@@ -9193,7 +9193,7 @@ sys/src/cmd/ip/httpd/netlib_history.c - 664 sys sys 1015096252 4744
 sys/src/cmd/ip/httpd/redirect.c - 664 sys sys 1042522766 2978
 sys/src/cmd/ip/httpd/save.c - 664 sys sys 1015090172 3175
 sys/src/cmd/ip/httpd/sendfd.c - 664 sys sys 1017679317 12134
-sys/src/cmd/ip/httpd/webls.c - 664 sys sys 1064887840 6940
+sys/src/cmd/ip/httpd/webls.c - 664 sys sys 1065646625 7233
 sys/src/cmd/ip/httpd/webls.denied - 664 sys sys 1064887847 3
 sys/src/cmd/ip/httpd/wikipost.c - 664 sys sys 1019678647 5917
 sys/src/cmd/ip/imap4d - 20000000775 sys sys 988249981 0

+ 5 - 0
dist/replica/plan9.log

@@ -13846,3 +13846,8 @@
 1065571217 0 c lib/ndb/common - 664 sys sys 1065569740 5261
 1065576622 0 c 386/lib/libip.a - 664 sys sys 1065576349 33976
 1065576622 1 c sys/src/libip/mkfile - 664 sys sys 1065576347 320
+1065641510 0 c 386/bin/ip/httpd/webls - 775 sys sys 1065640770 129752
+1065641510 1 c sys/man/8/httpd - 664 sys sys 1065640802 6426
+1065641510 2 c sys/src/cmd/ip/httpd/webls.c - 664 sys sys 1065640769 7232
+1065646915 0 c 386/bin/ip/httpd/webls - 775 sys sys 1065646626 129996
+1065646915 1 c sys/src/cmd/ip/httpd/webls.c - 664 sys sys 1065646625 7233

+ 15 - 8
sys/man/8/httpd

@@ -203,20 +203,27 @@ It includes some abilities to search the manuals.
 produces directory listings on the fly, with
 output in the style of
 .IR ls (1).
-If
 .B /sys/lib/webls.allowed
-and/or
+and
 .B /sys/lib/webls.denied
-exist, they contain regular expressions describing
+contain regular expressions describing
 what parts of
 .I httpd's
 namespace may and may not be listed, respectively.
-Security conscious sites will always want
+.B Webls.denied
+is first searched to see if access is by default
+denied.  If so
+.B webls.allowed
+is then searched to see if access is explicitly allowed.
+Thus one can have very general expressions in the
+denied list (like
+.BR .* ),
+yet still allow exceptions.  If
 .B webls.denied
-to contain `.*', limiting access to only those
-directories described in
-.BR webls.allowed .
-This is the default configuration.
+does not exist or is unreadable, 
+all accesses are assumed to be denied unless
+explicitly allowed in
+.B webls.allowed.
 .PP
 Other sites will note that if neither
 .B webls.denied

+ 23 - 5
sys/src/cmd/ip/httpd/webls.c

@@ -66,6 +66,8 @@ getre(Biobuf *buf)
 {
 	Reprog	*re;
 	char	*p, *t;
+	char	*bbuf;
+	int	n;
 
 	if (buf == nil)
 		return(nil);
@@ -79,9 +81,19 @@ getre(Biobuf *buf)
 		t = p + strlen(p);
 		while (--t > p && isspace(*t))
 			*t = '\0';
-		if (strlen(p) == 0)
+		n = strlen(p);
+		if (n == 0)
 			continue;
-		re = regcomp(p);
+
+		/* root the regular expresssion */
+		bbuf = malloc(n+2);
+		if(bbuf == nil)
+			sysfatal("out of memory");
+		bbuf[0] = '^';
+		strcpy(bbuf+1, p);
+		re = regcomp(bbuf);
+		free(bbuf);
+
 		if (re == nil)
 			continue;
 		free(p);
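Review bot: Prepending a bare `^` roots only the first alternative when a list entry contains a top-level `|`, so an entry such as `^/usr/web|/tmp` still matches `/tmp` anywhere in the path. For `webls.allowed` that widens what may be listed beyond what the author of the entry probably intended. Grouping the entry roots every alternative, for example by replacing the malloc/strcpy lines with `bbuf = smprint("^(%s)", p);` while keeping the nil check. Both `continue` paths (empty line, and `re == nil` after `regcomp`) skip the `free(p)` on the following context line, so p appears to leak there. getre's body starts and ends outside this hunk.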
@@ -96,21 +108,27 @@ allowed(char *dir)
 	int	okay;
 	Resub	match;
 
-	if (strcmp(dir, "..") == 0 || strncmp(dir, "../", 3) == 0)
+	if (strstr(dir, ".."))
+		return(0);
+	if (aio == nil)
 		return(0);
-	if (aio == nil && dio == nil)
-		return(1);
+
 	if (aio != nil)
 		Bseek(aio, 0, 0);
 	if (dio != nil)
 		Bseek(dio, 0, 0);
 
+	/* if no deny list, assume everything is denied */
 	okay = (dio != nil);
+
+	/* go through denials till we find a match */
 	while (okay && (re = getre(dio)) != nil) {
 		memset(&match, 0, sizeof(match));
 		okay = (regexec(re, dir, &match, 1) != 1);
 		free(re);
 	}
+
+	/* go through accepts till we have a match */
 	if (aio == nil)
 		return(okay);
 	while (!okay && (re = getre(aio)) != nil) {
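Review bot: With the new early `if (aio == nil) return(0);`, the later `if (aio != nil)` guard before `Bseek(aio, 0, 0)` and the `if (aio == nil) return(okay);` test ahead of the allow loop can no longer fire. Dropping them would make the fail-closed order (deny list first, then explicit allow) easier to audit. The `strstr(dir, "..")` test also rejects names that merely contain two dots, which is safe, but a comment such as `/* refuse any path containing "..", even inside a name */` would record that it is deliberate. In the deny loop, `regexec(...) != 1` treats every return other than 1 as no match; if regexec can return an error value here, `okay = (regexec(re, dir, &match, 1) == 0);` would keep that case denied. allowed() continues past the end of the hunk.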