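--- a/package/uhttpd/Makefile
+++ b/package/uhttpd/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uhttpd
-PKG_RELEASE:=12
+PKG_RELEASE:=13
 
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
 PKG_BUILD_DEPENDS := libcyassl liblua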
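--- a/package/uhttpd/files/uhttpd.config
+++ b/package/uhttpd/files/uhttpd.config
@@ -12,6 +12,11 @@
 # Server document root
 option home /www
 
+# Reject requests from RFC1918 IP addresses
+# directed to the servers public IP(s).
+# This is a DNS rebinding countermeasure.
+option rfc1918_filter 1
+
 # Certificate and private key for HTTPS.
 # If no listen_https addresses are given,
 # the key options are ignored.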
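Review bot: The added comment calls the option a DNS rebinding countermeasure without stating its scope, while the check added in uhttpd.c compares only the peer and server addresses. Requests that arrive on an RFC1918 server address are not filtered, and nothing in this commit validates the Host header. The third comment line would be more accurate as `# This is a partial DNS rebinding countermeasure; the Host header is not checked.` The second comment line should also read `# directed to the server's public IP(s).`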
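--- a/package/uhttpd/files/uhttpd.init
+++ b/package/uhttpd/files/uhttpd.init
@@ -75,6 +75,7 @@
 
 append_bool "$cfg" no_symlinks "-S" 0
 append_bool "$cfg" no_dirlists "-D" 0
+append_bool "$cfg" rfc1918_filter "-R" 0
 
 config_get http "$cfg" listen_http
 for listen in $http; do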
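Review bot: The last argument of `append_bool "$cfg" rfc1918_filter "-R" 0` appears to be the default used when the option is absent, which leaves the filter off, while the packaged uhttpd.config in this commit ships `option rfc1918_filter 1`. An installation that keeps its existing uhttpd configuration file across the upgrade would then run without the countermeasure, although a fresh install has it. If on-by-default is the intent, the line should read `append_bool "$cfg" rfc1918_filter "-R" 1`. Otherwise a comment next to it should say that the filter is opt-in. The enclosing function starts and ends outside this section.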
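--- a/package/uhttpd/src/uhttpd-utils.c
+++ b/package/uhttpd/src/uhttpd-utils.c
@@ -59,6 +59,21 @@
 return ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
 }
 
+int sa_rfc1918(void *sa)
+{
+struct sockaddr_in *v4 = (struct sockaddr_in *)sa;
+unsigned long a = htonl(v4->sin_addr.s_addr);
+
+if( v4->sin_family == AF_INET )
+{
+return ((a >= 0x0A000000) && (a <= 0x0AFFFFFF)) ||
+((a >= 0xAC100000) && (a <= 0xAC1FFFFF)) ||
+((a >= 0xC0A80000) && (a <= 0xC0A8FFFF));
+}
+
+return 0;
+}
+
 /* Simple strstr() like function that takes len arguments for both haystack and needle. */
 char *strfind(char *haystack, int hslen, const char *needle, int ndlen)
 {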
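Review bot: sa_rfc1918() returns 0 for every AF_INET6 address, so an IPv4 peer seen through a dual-stack IPv6 listener as an IPv4-mapped address would never be classified as RFC1918 and the filter would not apply to it. Whether uhttpd can bind that way is not visible in this section. The function also reads `sin_addr` before it checks `sin_family`, converts with `htonl` where `ntohl` is meant (same operation, misleading name), and holds a 32-bit address in `unsigned long`. The sketch below moves the read behind the family check and adds the IPv4-mapped case; the three range comparisons stay as they are.

```c
int sa_rfc1918(void *sa)
{
	struct sockaddr_in *v4 = (struct sockaddr_in *)sa;
	struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)sa;
	uint32_t a;

	if( v4->sin_family == AF_INET )
	{
		a = ntohl(v4->sin_addr.s_addr);
	}
	else if( (v4->sin_family == AF_INET6) &&
	         IN6_IS_ADDR_V4MAPPED(&v6->sin6_addr) )
	{
		/* the last four bytes of an IPv4-mapped address hold the IPv4 address */
		memcpy(&a, &v6->sin6_addr.s6_addr[12], sizeof(a));
		a = ntohl(a);
	}
	else
	{
		return 0;
	}

	/* … unchanged: return of the three RFC1918 range comparisons on a … */
}
```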
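--- a/package/uhttpd/src/uhttpd-utils.h
+++ b/package/uhttpd/src/uhttpd-utils.h
@@ -49,6 +49,7 @@
 const char * sa_straddr(void *sa);
 const char * sa_strport(void *sa);
 int sa_port(void *sa);
+int sa_rfc1918(void *sa);
 
 char *strfind(char *haystack, int hslen, const char *needle, int ndlen);
 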
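--- a/package/uhttpd/src/uhttpd.c
+++ b/package/uhttpd/src/uhttpd.c
@@ -524,7 +524,7 @@
 #endif
 
 while( (opt = getopt(argc, argv,
-"fSDC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
+"fSDRC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
 ) {
 switch(opt)
 {
@@ -648,6 +648,10 @@
 conf.no_dirlists = 1;
 break;
 
+case 'R':
+conf.rfc1918_filter = 1;
+break;
+
 #ifdef HAVE_CGI
 /* cgi prefix */
 case 'x':
@@ -728,6 +732,7 @@
 " -I string Use given filename as index page for directories\n"
 " -S Do not follow symbolic links outside of the docroot\n"
 " -D Do not allow directory listings, send 403 instead\n"
+" -R Enable RFC1918 filter\n"
 #ifdef HAVE_LUA
 " -l string URL prefix for Lua handler, default is '/lua'\n"
 " -L file Lua handler script, omit to disable Lua\n"
@@ -932,6 +937,14 @@
 /* parse message header */
 if( (req = uh_http_header_recv(cl)) != NULL )
 {
+/* RFC1918 filtering required? */
+if( conf.rfc1918_filter && sa_rfc1918(&cl->peeraddr) &&
+!sa_rfc1918(&cl->servaddr) )
+{
+uh_http_sendhf(cl, 403, "Forbidden",
+"Rejected request from RFC1918 IP to public server address");
+}
+else
 #ifdef HAVE_LUA
 /* Lua request? */
 if( L && uh_path_match(conf.lua_prefix, req->url) )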
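Review bot: The brace-less `else` added at new line 947 takes as its body whatever statement survives preprocessing after it. With HAVE_LUA defined that is the `if( L && ... )` Lua branch; otherwise it is the next statement of a dispatch chain that continues outside this hunk. Any statement later inserted between the `else` and that chain would silently become the only guarded one, so wrapping the existing dispatch in `else { ... }` would make the guard explicit. The rejection also leaves no server-side record: a log line with the peer address next to the `uh_http_sendhf(cl, 403, ...)` call would let an operator notice repeated rebinding attempts. The `-R` help text could also say what is rejected, e.g. `" -R Reject requests from RFC1918 addresses to public server addresses\n"`.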
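--- a/package/uhttpd/src/uhttpd.h
+++ b/package/uhttpd/src/uhttpd.h
@@ -69,6 +69,7 @@
 int no_symlinks;
 int no_dirlists;
 int network_timeout;
+int rfc1918_filter;
 #ifdef HAVE_CGI
 char *cgi_prefix;
 #endif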