From 3a2f7567f8d8103ab86f6933f7b9d7997c26ce14 Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Fri, 3 Aug 2018 22:14:57 -0500 Subject: [PATCH 01/10] Create .gitignore --- .gitignore | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..59ea2b3 --- /dev/null +++ b/.gitignore @@ -0,0 +1,28 @@ +*.a +*.o +*.lib + +auto_home.c + +direntry.h +hasdevtcp.h +hassgact.h +hassgprm.h +hasshsgr.h +select.h +uint64.h + +auto-str +chkshsgr +choose +compile +configure +ftpd +httpd +install +instcheck +load +makelib +rts +systype +utime -- 2.18.0 From 44864efa9f805a24771c73e61e72a7e5126c1957 Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Fri, 3 Aug 2018 22:15:16 -0500 Subject: [PATCH 02/10] Fix errno references --- error.h | 2 +- leapsecs_read.c | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/error.h b/error.h index a09cb2b..9a38862 100644 --- a/error.h +++ b/error.h @@ -1,7 +1,7 @@ #ifndef ERROR_H #define ERROR_H -extern int errno; +#include extern int error_intr; extern int error_nomem; diff --git a/leapsecs_read.c b/leapsecs_read.c index 62c8712..c8f975f 100644 --- a/leapsecs_read.c +++ b/leapsecs_read.c @@ -2,7 +2,6 @@ #include #include #include -extern int errno; #include "tai.h" #include "leapsecs.h" -- 2.18.0 From db582a2dac299b7d21139c6298b0022b7028f16d Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Fri, 3 Aug 2018 22:17:38 -0500 Subject: [PATCH 03/10] Fix assignment to errno in if condition Original copied from https://svnweb.freebsd.org/ports/head/www/publicfile/files/patch-fetch.c --- fetch.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fetch.c b/fetch.c index f4a3a01..148cbfa 100644 --- a/fetch.c +++ b/fetch.c 
@@ -82,7 +82,7 @@ static void list(char *fn,int flaglong) substdio_puts(&ss,"\r\n"); } -static int doit(char *fn,int fddata,int fdfile,int how) +static void doit(char *fn,int fddata,int fdfile,int how) { DIR *dir; direntry *d; @@ -122,7 +122,7 @@ static int doit(char *fn,int fddata,int fdfile,int how) for (;;) { r = read(fdfile,inbuf,sizeof inbuf); if (r == -1) { - if (errno = error_intr) continue; + if (errno == error_intr) continue; _exit(23); } if (r == 0) -- 2.18.0 From d78848854684937accfa9cb6d0a0cbf1092f519e Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Fri, 3 Aug 2018 22:31:20 -0500 Subject: [PATCH 04/10] Support https schemes and SSLREMOTEIP env Original patch copied from https://svnweb.freebsd.org/ports/head/www/publicfile/files/publicfile.sslserver --- file.c | 6 +++++- httpd.c | 12 ++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/file.c b/file.c index 5d80e24..5cafd53 100644 --- a/file.c +++ b/file.c @@ -15,7 +15,11 @@ static void log(char *fn,char *result1,char *result2,int flagread) char *x; x = env_get("TCPREMOTEIP"); - if (!x) x = "0"; + if (!x) { + x = env_get("SSLREMOTEIP"); + if (!x) + x = "0"; + } substdio_puts(subfderr,x); substdio_puts(subfderr,flagread ? " read ": " dir "); diff --git a/httpd.c b/httpd.c index d04d154..6353750 100644 --- a/httpd.c +++ b/httpd.c @@ -271,8 +271,16 @@ void doit() if (!stralloc_copyb(&path,host.s + i,host.len - i)) _exit(21); host.len = i; } - else - if (!stralloc_copy(&path,&url)) _exit(21); + else { + if (case_startb(url.s,url.len,"https://")) { + if (!stralloc_copyb(&host,url.s + 8,url.len - 8)) _exit(21); + i = byte_chr(host.s,host.len,'/'); + if (!stralloc_copyb(&path,host.s + i,host.len - i)) _exit(21); + host.len = i; + } + else + if (!stralloc_copy(&path,&url)) _exit(21); + } if (!path.len || (path.s[path.len - 1] == '/')) if (!stralloc_cats(&path,"index.html")) _exit(21); -- 2.18.0 From 5e42ba605be98ed73ba0a00b361288c7c8a9f923 Mon Sep 17 00:00:00 2001 
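Review bot: The `https://` branch added to doit() in httpd.c repeats the four statements of the branch just above it, differing only in the prefix string and the literal 8, so a later fix to one copy can easily miss the other. Consider picking the prefix length first and running the host/path split once, or at least annotate the constant with `/* 8 == str_len("https://") */`. As far as the hunk shows, the scheme from the request line is accepted whether or not the connection is actually TLS; if that is intended, a one-line comment should say so. The enclosing `if` and the start of doit() are outside the hunk.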
From: Jesse Young Date: Fri, 3 Aug 2018 22:33:56 -0500 Subject: [PATCH 05/10] Set installation directory modes to 0755 Original patch from https://svnweb.freebsd.org/ports/head/www/publicfile/files/patch-hier.c --- hier.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hier.c b/hier.c index 9a30128..6056178 100644 --- a/hier.c +++ b/hier.c @@ -2,9 +2,9 @@ void hier() { - h(auto_home,-1,-1,02755); + h(auto_home,-1,-1,0755); - d(auto_home,"bin",-1,-1,02755); + d(auto_home,"bin",-1,-1,0755); c(auto_home,"bin","configure",-1,-1,0755); c(auto_home,"bin","httpd",-1,-1,0755); -- 2.18.0 From 2a187e9c8b5057dbfa9ff1b635466f500733c8b3 Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Fri, 3 Aug 2018 22:39:44 -0500 Subject: [PATCH 06/10] Install to destdir --- .gitignore | 1 + Makefile | 16 ++++++++++++---- conf-destdir | 0 3 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 conf-destdir diff --git a/.gitignore b/.gitignore index 59ea2b3..dc320f0 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ *.lib auto_home.c +auto_destdir.c direntry.h hasdevtcp.h diff --git a/Makefile b/Makefile index e7b093a..5c5b59f 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,14 @@ auto_home.o: \ compile auto_home.c ./compile auto_home.c +auto_destdir.c: \ +auto-str conf-destdir + ./auto-str auto_home `head -1 conf-destdir``head -1 conf-home` > auto_destdir.c + +auto_destdir.o: \ +compile auto_destdir.c + ./compile auto_destdir.c + byte_chr.o: \ compile byte_chr.c byte.h ./compile byte_chr.c @@ -257,9 +265,9 @@ gen_alloc.h tai.h uint64.h ./compile httpdate.c install: \ -load install.o hier.o auto_home.o strerr.a substdio.a open.a error.a \ +load install.o hier.o auto_destdir.o strerr.a substdio.a open.a error.a \ str.a - ./load install hier.o auto_home.o strerr.a substdio.a \ + ./load install hier.o auto_destdir.o strerr.a substdio.a \ open.a error.a str.a install.o: \ 
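Review bot: Changing 02755 to 0755 on `auto_home` and `bin` in hier() also removes the setgid bit, which the commit subject does not mention. On most systems, files created in those directories afterwards take the creating process's group rather than the directory's. If that is the intent, record it next to the calls, e.g. `/* plain 0755: no setgid, group is not inherited from the directory */`. hier() continues past the hunk, so any other directory entries there should be checked for the same mode.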
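Review bot: The `auto_destdir.c` rule hands `auto-str` an unquoted pair of `head -1` command substitutions, so a staging directory or home path containing whitespace or glob characters would be split or expanded by the shell before it reaches `auto-str`. Wrapping the two substitutions in one pair of double quotes keeps the concatenated path as a single argument; the existing `auto_home.c` rule is outside the hunk and may need the same treatment. The generated file still defines the symbol `auto_home`, which is presumably what lets hier.o link against auto_destdir.o unchanged; a comment above the rule such as `# defines auto_home (staged path) for install/instcheck only` would make that deliberate.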
@@ -268,8 +276,8 @@ exit.h ./compile install.c instcheck: \ -load instcheck.o hier.o auto_home.o strerr.a substdio.a error.a str.a - ./load instcheck hier.o auto_home.o strerr.a substdio.a \ +load instcheck.o hier.o auto_destdir.o strerr.a substdio.a error.a str.a + ./load instcheck hier.o auto_destdir.o strerr.a substdio.a \ error.a str.a instcheck.o: \ diff --git a/conf-destdir b/conf-destdir new file mode 100644 index 0000000..e69de29 -- 2.18.0 From 4e53520478986cf6dc8b4205e3f528066a47e372 Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Fri, 3 Aug 2018 22:43:33 -0500 Subject: [PATCH 07/10] Lookup file suffix to MIME type in the environment Original patch by https://www.ohse.de/uwe/patches/publicfile-0.52-filetype-diff --- filetype.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/filetype.c b/filetype.c index 4f58986..a9b179f 100644 --- a/filetype.c +++ b/filetype.c @@ -1,5 +1,6 @@ #include "filetype.h" #include "str.h" +#include "env.h" void filetype(char *fn,stralloc *contenttype) { @@ -22,7 +23,7 @@ void filetype(char *fn,stralloc *contenttype) if (!stralloc_append(contenttype,&ch)) _exit(21); } else { - result = "text/plain"; + result = 0; if (str_equal(x,".html")) result = "text/html"; else if (str_equal(x,".gz")) result = "application/x-gzip"; else if (str_equal(x,".dvi")) result = "application/x-dvi"; @@ -32,6 +33,15 @@ void filetype(char *fn,stralloc *contenttype) else if (str_equal(x,".jpeg")) result = "image/jpeg"; else if (str_equal(x,".png")) result = "image/png"; else if (str_equal(x,".mpeg")) result = "video/mpeg"; + if (!result) { + stralloc envname = {0}; + if (!stralloc_copys(&envname,"CT_")) _exit(21); + if (!stralloc_cats(&envname,x+1)) _exit(21); + if (!stralloc_0(&envname)) _exit(21); + result=env_get(envname.s); + alloc_free(envname.s); /* is this the right function */ + } + if (!result) result="text/plain"; if (!stralloc_cats(contenttype,result)) _exit(21); } -- 2.18.0 
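Review bot: `x+1` in the new `CT_` lookup in filetype() assumes `x` points at a '.'. `x` is assigned outside this hunk; if it can point at the terminating NUL for a name with no suffix, `stralloc_cats(&envname,x+1)` reads past the end of the string. Guarding the block with `if (!result && *x) {` avoids that. The suffix comes from the requested file name, so the fixed `CT_` prefix is what keeps a request from selecting arbitrary environment variables, and a comment saying so would protect it from later edits. The open question in the `alloc_free` comment should be settled before merge, and since the hunk adds only env.h, check that a declaration of `alloc_free` is in scope.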
From 5db18beaccbc146cb0fba7836b3bb39e1e86db9c Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Sat, 4 Aug 2018 00:59:27 -0500 Subject: [PATCH 08/10] Add security and charset headers --- filetype.c | 4 ++-- httpd.c | 32 ++++++++++++++++++++++++++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/filetype.c b/filetype.c index a9b179f..961476b 100644 --- a/filetype.c +++ b/filetype.c @@ -24,7 +24,7 @@ void filetype(char *fn,stralloc *contenttype) } else { result = 0; - if (str_equal(x,".html")) result = "text/html"; + if (str_equal(x,".html")) result = "text/html; charset=utf-8"; else if (str_equal(x,".gz")) result = "application/x-gzip"; else if (str_equal(x,".dvi")) result = "application/x-dvi"; else if (str_equal(x,".ps")) result = "application/postscript"; @@ -41,7 +41,7 @@ void filetype(char *fn,stralloc *contenttype) result=env_get(envname.s); alloc_free(envname.s); /* is this the right function */ } - if (!result) result="text/plain"; + if (!result) result="text/plain; charset=utf-8"; if (!stralloc_cats(contenttype,result)) _exit(21); } diff --git a/httpd.c b/httpd.c index 6353750..858a258 100644 --- a/httpd.c +++ b/httpd.c 
@@ -69,7 +69,35 @@ void header(char *code,char *message) out_puts("HTTP/1.1 "); out_puts(code); out_puts(message); - out_puts("\r\nServer: publicfile\r\nDate:"); + out_puts( + "\r\nStrict-Transport-Security: max-age=300; includeSubDomains" + "\r\nContent-Security-Policy:" + " default-src 'self';" + " style-src 'self' 'unsafe-inline';" + "\r\nX-Frame-Options: DENY" + "\r\nX-XSS-Protection: 1; mode=block" + "\r\nX-Content-Type-Options: nosniff" + "\r\nReferrer-Policy: strict-origin-when-cross-origin" + "\r\nFeature-Policy:" + " vibrate 'none';" + " camera 'none';" + " encrypted-media 'none';" + " fullscreen 'none';" + " geolocation 'none';" + " gyroscope 'none';" + " magnetometer 'none';" + " microphone 'none';" + " midi 'none';" + " payment 'none';" + " speaker 'none';" + " sync-xhr 'none';" + " usb 'none';" + " vr 'none';" + " picture-in-picture 'none';" + " document-write 'none';" + " animations 'none';" + " autoplay 'none'" + "\r\nDate:"); if (!httpdate(&nowstr,&now)) _exit(21); out_put(nowstr.s,nowstr.len); out_puts("\r\n"); @@ -85,7 +113,7 @@ void barf(char *code,char *message) out_puts("\r\n"); if (protocolnum == 2) out_puts("Connection: close\r\n"); - out_puts("Content-Type: text/html\r\n\r\n"); + out_puts("Content-Type: text/html; charset=utf-8\r\n\r\n"); } if (flagbody) { out_puts(""); -- 2.18.0 From 1df537de4e1598177fdf6a60b0006850d9626535 Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Sat, 4 Aug 2018 01:53:33 -0500 Subject: [PATCH 09/10] Use XHTML 1.1 in error reports --- filetype.c | 2 +- httpd.c | 19 +++++++++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/filetype.c b/filetype.c index 961476b..f04c7b2 100644 --- a/filetype.c +++ b/filetype.c 
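Review bot: The `Strict-Transport-Security` line added to header() is sent on every response, including those served over plain HTTP, and `includeSubDomains` commits every subdomain of the served host to HTTPS for any client that received it over TLS. Since this server can run behind either a plain or a TLS front end, emit it only on TLS connections, for example `if (env_get("SSLREMOTEIP")) out_puts("\r\nStrict-Transport-Security: max-age=300");` ahead of the remaining literal. That assumes SSLREMOTEIP is the TLS signal, as in the earlier file.c change, and that env.h is available in httpd.c. `X-XSS-Protection` is deprecated and `Feature-Policy` has been superseded by `Permissions-Policy`, so a short comment recording why each header is present would help whoever revisits this list. header() starts outside the hunk.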
@@ -24,7 +24,7 @@ void filetype(char *fn,stralloc *contenttype) } else { result = 0; - if (str_equal(x,".html")) result = "text/html; charset=utf-8"; + if (str_equal(x,".html")) result = "application/xhtml+xml; charset=utf-8"; else if (str_equal(x,".gz")) result = "application/x-gzip"; else if (str_equal(x,".dvi")) result = "application/x-dvi"; else if (str_equal(x,".ps")) result = "application/postscript"; diff --git a/httpd.c b/httpd.c index 858a258..5247fb5 100644 --- a/httpd.c +++ b/httpd.c @@ -105,20 +105,31 @@ void header(char *code,char *message) void barf(char *code,char *message) { + static char HEADER[] = + "\r\n" + "\r\n" + "\r\n" + "Error\r\n" + "\r\n" + "

"; + static char FOOTER[] = + "

\r\n" + "\r\n" + "\r\n"; if (protocolnum > 0) { tai_now(&now); header(code,message); out_puts("Content-Length: "); - out_put(strnum,fmt_ulong(strnum,str_len(message) + 28)); + out_put(strnum,fmt_ulong(strnum,str_len(message) + sizeof(HEADER) + sizeof(FOOTER) - 2)); out_puts("\r\n"); if (protocolnum == 2) out_puts("Connection: close\r\n"); - out_puts("Content-Type: text/html; charset=utf-8\r\n\r\n"); + out_puts("Content-Type: application/xhtml+xml; charset=utf-8\r\n\r\n"); } if (flagbody) { - out_puts(""); + out_puts(HEADER); out_puts(message); - out_puts("\r\n"); + out_puts(FOOTER); } out_flush(); if (protocolnum >= 2) { -- 2.18.0 From f579885311b0b44814ef1e5fc69a511704901392 Mon Sep 17 00:00:00 2001 From: Jesse Young Date: Sat, 4 Aug 2018 13:08:24 -0500 Subject: [PATCH 10/10] Add some modern MIME types --- filetype.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/filetype.c b/filetype.c index f04c7b2..60bfba3 100644 --- a/filetype.c +++ b/filetype.c @@ -25,6 +25,12 @@ void filetype(char *fn,stralloc *contenttype) else { result = 0; if (str_equal(x,".html")) result = "application/xhtml+xml; charset=utf-8"; + else if (str_equal(x,".css")) result = "text/css"; + else if (str_equal(x,".js")) result = "application/javascript"; + else if (str_equal(x,".json")) result = "application/json"; + else if (str_equal(x,".xml")) result = "application/xml; charset=utf-8"; + else if (str_equal(x,".rss")) result = "application/rss+xml; charset=utf-8"; + else if (str_equal(x,".atom")) result = "application/atom+xml; charset=utf-8"; else if (str_equal(x,".gz")) result = "application/x-gzip"; else if (str_equal(x,".dvi")) result = "application/x-dvi"; else if (str_equal(x,".ps")) result = "application/postscript"; -- 2.18.0
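Review bot: `out_puts(message)` in barf() writes the message unescaped between HEADER and FOOTER, and the response is now labelled `application/xhtml+xml`, where a single `&` or `<` in the text makes the whole document fail to parse in the client. The callers of barf() are outside the hunk. If every message is a fixed, markup-free string, say so in a comment such as `/* message must not contain '&' or '<': it is emitted verbatim into XML */`; otherwise escape it and count the escaped length in Content-Length. The filetype.c hunk of the same commit moves every `.html` file to the same strict type, which the subject line ("error reports") does not cover and which will surface as parse errors for any served page that is not well-formed XML.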