123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335 |
- #include <u.h>
- #include <libc.h>
- #include <ctype.h>
- #include <bio.h>
- #include <regexp.h>
- #include <fcall.h>
- #include "httpd.h"
- #include "httpsrv.h"
- static Hio *hout;
- static Hio houtb;
- static HConnect *connect;
- static int vermaj, gidwidth, uidwidth, lenwidth, devwidth;
- static Biobuf *aio, *dio;
- static void
- doctype(void)
- {
- hprint(hout, "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n");
- hprint(hout, " \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n");
- }
- void
- error(char *title, char *fmt, ...)
- {
- va_list arg;
- char buf[1024], *out;
- va_start(arg, fmt);
- out = vseprint(buf, buf+sizeof(buf), fmt, arg);
- va_end(arg);
- *out = 0;
- hprint(hout, "%s 404 %s\r\n", hversion, title);
- hprint(hout, "Date: %D\r\n", time(nil));
- hprint(hout, "Server: Plan9\r\n");
- hprint(hout, "Content-type: text/html\r\n");
- hprint(hout, "\r\n");
- doctype();
- hprint(hout, "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n");
- hprint(hout, "<head><title>%s</title></head>\n", title);
- hprint(hout, "<body>\n");
- hprint(hout, "<h1>%s</h1>\n", title);
- hprint(hout, "%s\n", buf);
- hprint(hout, "</body>\n");
- hprint(hout, "</html>\n");
- hflush(hout);
- writelog(connect, "Reply: 404\nReason: %s\n", title);
- exits(nil);
- }
- /*
- * Are we actually allowed to look in here?
- *
- * Rules:
- * 1) If neither allowed nor denied files exist, access is granted.
- * 2) If allowed exists and denied does not, dir *must* be in allowed
- * for access to be granted, otherwise, access is denied.
- * 3) If denied exists and allowed does not, dir *must not* be in
- * denied for access to be granted, otherwise, access is enied.
- * 4) If both exist, okay if either (a) file is not in denied, or
- * (b) in denied and in allowed. Otherwise, access is denied.
- */
- static Reprog *
- getre(Biobuf *buf)
- {
- Reprog *re;
- char *p, *t;
- char *bbuf;
- int n;
- if (buf == nil)
- return(nil);
- for ( ; ; free(p)) {
- p = Brdstr(buf, '\n', 0);
- if (p == nil)
- return(nil);
- t = strchr(p, '#');
- if (t != nil)
- *t = '\0';
- t = p + strlen(p);
- while (--t > p && isspace(*t))
- *t = '\0';
- n = strlen(p);
- if (n == 0)
- continue;
- /* root the regular expresssion */
- bbuf = malloc(n+2);
- if(bbuf == nil)
- sysfatal("out of memory");
- bbuf[0] = '^';
- strcpy(bbuf+1, p);
- re = regcomp(bbuf);
- free(bbuf);
- if (re == nil)
- continue;
- free(p);
- return(re);
- }
- }
- static int
- allowed(char *dir)
- {
- Reprog *re;
- int okay;
- Resub match;
- if (strcmp(dir, "..") == 0 || strncmp(dir, "../", 3) == 0)
- return(0);
- if (aio == nil)
- return(0);
- if (aio != nil)
- Bseek(aio, 0, 0);
- if (dio != nil)
- Bseek(dio, 0, 0);
- /* if no deny list, assume everything is denied */
- okay = (dio != nil);
- /* go through denials till we find a match */
- while (okay && (re = getre(dio)) != nil) {
- memset(&match, 0, sizeof(match));
- okay = (regexec(re, dir, &match, 1) != 1);
- free(re);
- }
- /* go through accepts till we have a match */
- if (aio == nil)
- return(okay);
- while (!okay && (re = getre(aio)) != nil) {
- memset(&match, 0, sizeof(match));
- okay = (regexec(re, dir, &match, 1) == 1);
- free(re);
- }
- return(okay);
- }
- /*
- * Comparison routine for sorting the directory.
- */
- static int
- compar(Dir *a, Dir *b)
- {
- return(strcmp(a->name, b->name));
- }
- /*
- * These is for formating; how wide are variable-length
- * fields?
- */
- static void
- maxwidths(Dir *dp, long n)
- {
- long i;
- char scratch[64];
- for (i = 0; i < n; i++) {
- if (snprint(scratch, sizeof scratch, "%ud", dp[i].dev) > devwidth)
- devwidth = strlen(scratch);
- if (strlen(dp[i].uid) > uidwidth)
- uidwidth = strlen(dp[i].uid);
- if (strlen(dp[i].gid) > gidwidth)
- gidwidth = strlen(dp[i].gid);
- if (snprint(scratch, sizeof scratch, "%lld", dp[i].length) > lenwidth)
- lenwidth = strlen(scratch);
- }
- }
- /*
- * Do an actual directory listing.
- * asciitime is lifted directly out of ls.
- */
- char *
- asciitime(long l)
- {
- ulong clk;
- static char buf[32];
- char *t;
- clk = time(nil);
- t = ctime(l);
- /* 6 months in the past or a day in the future */
- if(l<clk-180L*24*60*60 || clk+24L*60*60<l){
- memmove(buf, t+4, 7); /* month and day */
- memmove(buf+7, t+23, 5); /* year */
- }else
- memmove(buf, t+4, 12); /* skip day of week */
- buf[12] = 0;
- return buf;
- }
- static void
- dols(char *dir)
- {
- Dir *d;
- char *f, *p,*nm;
- long i, n;
- int fd;
- cleanname(dir); // expands "" to "."; ``dir+1'' access below depends on that
- if (!allowed(dir)) {
- error("Permission denied", "<p>Cannot list directory %s: Access prohibited</p>", dir);
- return;
- }
- fd = open(dir, OREAD);
- if (fd < 0) {
- error("Cannot read directory", "<p>Cannot read directory %s: %r</p>", dir);
- return;
- }
- if (vermaj) {
- hokheaders(connect);
- hprint(hout, "Content-type: text/html\r\n");
- hprint(hout, "\r\n");
- }
- doctype();
- hprint(hout, "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n");
- hprint(hout, "<head><title>Index of %s</title></head>\n", dir);
- hprint(hout, "<body>\n");
- hprint(hout, "<h1>Index of ");
- nm = dir;
- while((p = strchr(nm, '/')) != nil){
- *p = '\0';
- f = (*dir == '\0') ? "/" : dir;
- if (!(*dir == '\0' && *(dir+1) == '\0') && allowed(f))
- hprint(hout, "<a href=\"/magic/webls?dir=%H\">%s/</a>", f, nm);
- else
- hprint(hout, "%s/", nm);
- *p = '/';
- nm = p+1;
- }
- hprint(hout, "%s</h1>\n", nm);
- n = dirreadall(fd, &d);
- close(fd);
- maxwidths(d, n);
- qsort(d, n, sizeof(Dir), (int (*)(void *, void *))compar);
- hprint(hout, "<pre>\n");
- for (i = 0; i < n; i++) {
- f = smprint("%s/%s", dir, d[i].name);
- cleanname(f);
- if (d[i].mode & DMDIR) {
- p = smprint("/magic/webls?dir=%H", f);
- free(f);
- f = p;
- }
- hprint(hout, "%M %C %*ud %-*s %-*s %*lld %s <a href=\"%s\">%s</a>\n",
- d[i].mode, d[i].type,
- devwidth, d[i].dev,
- uidwidth, d[i].uid,
- gidwidth, d[i].gid,
- lenwidth, d[i].length,
- asciitime(d[i].mtime), f, d[i].name);
- free(f);
- }
- f = smprint("%s/..", dir);
- cleanname(f);
- if (strcmp(f, dir) != 0 && allowed(f))
- hprint(hout, "\nGo to <a href=\"/magic/webls?dir=%H\">parent</a> directory\n", f);
- else
- hprint(hout, "\nEnd of directory listing\n");
- free(f);
- hprint(hout, "</pre>\n</body>\n</html>\n");
- hflush(hout);
- free(d);
- }
- /*
- * Handle unpacking the request in the URI and
- * invoking the actual handler.
- */
- static void
- dosearch(char *search)
- {
- if (strncmp(search, "dir=", 4) == 0){
- search = hurlunesc(connect, search+4);
- dols(search);
- return;
- }
- /*
- * Otherwise, we've gotten an illegal request.
- * spit out a non-apologetic error.
- */
- search = hurlunesc(connect, search);
- error("Bad directory listing request",
- "<p>Illegal formatted directory listing request:</p>\n"
- "<p>%H</p>", search);
- }
- void
- main(int argc, char **argv)
- {
- fmtinstall('H', httpfmt);
- fmtinstall('U', hurlfmt);
- fmtinstall('M', dirmodefmt);
- aio = Bopen("/sys/lib/webls.allowed", OREAD);
- dio = Bopen("/sys/lib/webls.denied", OREAD);
- if(argc == 2){
- hinit(&houtb, 1, Hwrite);
- hout = &houtb;
- dols(argv[1]);
- exits(nil);
- }
- close(2);
- connect = init(argc, argv);
- hout = &connect->hout;
- vermaj = connect->req.vermaj;
- if(hparseheaders(connect, HSTIMEOUT) < 0)
- exits("failed");
- if(strcmp(connect->req.meth, "GET") != 0 && strcmp(connect->req.meth, "HEAD") != 0){
- hunallowed(connect, "GET, HEAD");
- exits("not allowed");
- }
- if(connect->head.expectother || connect->head.expectcont){
- hfail(connect, HExpectFail, nil);
- exits("failed");
- }
- bind("/usr/web", "/", MREPL);
- if(connect->req.search != nil)
- dosearch(connect->req.search);
- else
- error("Bad argument", "<p>Need a search argument</p>");
- hflush(hout);
- writelog(connect, "200 webls %ld %ld\n", hout->seek, hout->seek);
- exits(nil);
- }
|