Date:2010-08-11 02:05:34 (13 years 7 months ago)
Author:jow
Commit:fd370b69471a6202bd521a2c885389e17f275a65
Message:[package] uhttpd: add option to reject requests from RFC1918 IPs to public server IPs (DNS rebinding countermeasure)

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22589 3c298f89-4303-0410-b956-a3cf2f4a3e73
Files: package/uhttpd/Makefile (1 diff)
package/uhttpd/files/uhttpd.config (1 diff)
package/uhttpd/files/uhttpd.init (1 diff)
package/uhttpd/src/uhttpd-utils.c (1 diff)
package/uhttpd/src/uhttpd-utils.h (1 diff)
package/uhttpd/src/uhttpd.c (4 diffs)
package/uhttpd/src/uhttpd.h (1 diff)

Change Details

package/uhttpd/Makefile
88include $(TOPDIR)/rules.mk
99
1010PKG_NAME:=uhttpd
11PKG_RELEASE:=12
11PKG_RELEASE:=13
1212
1313PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
1414PKG_BUILD_DEPENDS := libcyassl liblua
package/uhttpd/files/uhttpd.config
1212    # Server document root
1313    option home /www
1414
15    # Reject requests from RFC1918 IP addresses
16    # directed to the servers public IP(s).
17    # This is a DNS rebinding countermeasure.
18    option rfc1918_filter 1
19
1520    # Certificate and private key for HTTPS.
1621    # If no listen_https addresses are given,
1722    # the key options are ignored.
package/uhttpd/files/uhttpd.init
7575
7676    append_bool "$cfg" no_symlinks "-S" 0
7777    append_bool "$cfg" no_dirlists "-D" 0
78    append_bool "$cfg" rfc1918_filter "-R" 0
7879
7980    config_get http "$cfg" listen_http
8081    for listen in $http; do
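Review bot: The new `append_bool "$cfg" rfc1918_filter "-R" 0` defaults the filter to off whenever the option is absent from the config, so installations that upgrade and keep their existing `uhttpd` config never get the countermeasure even though the shipped config at the same time turns it on with `option rfc1918_filter 1`. If the filter is meant to be on by default, the init default should be `append_bool "$cfg" rfc1918_filter "-R" 1`; if the opt-in is deliberate, a short comment above the line saying so would stop the next reader from "fixing" it. This follows the convention of the neighbouring `no_symlinks`/`no_dirlists` lines, so I am not certain which was intended.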
package/uhttpd/src/uhttpd-utils.c
5959    return ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
6060}
6161
62int sa_rfc1918(void *sa)
63{
64    struct sockaddr_in *v4 = (struct sockaddr_in *)sa;
65    unsigned long a = htonl(v4->sin_addr.s_addr);
66
67    if( v4->sin_family == AF_INET )
68    {
69        return ((a >= 0x0A000000) && (a <= 0x0AFFFFFF)) ||
70               ((a >= 0xAC100000) && (a <= 0xAC1FFFFF)) ||
71               ((a >= 0xC0A80000) && (a <= 0xC0A8FFFF));
72    }
73
74    return 0;
75}
76
6277/* Simple strstr() like function that takes len arguments for both haystack and needle. */
6378char *strfind(char *haystack, int hslen, const char *needle, int ndlen)
6479{
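Review bot: sa_rfc1918() returns 0 for every non-AF_INET sockaddr, so if uhttpd serves IPv4 clients through a dual-stack AF_INET6 socket (peers then arrive as IPv4-mapped `::ffff:a.b.c.d` addresses; whether uhttpd listens that way is not visible in this hunk), the new filter is skipped for both peer and server address without any indication. Two smaller points in the same function: `htonl()` on line 65 is used where `ntohl()` is meant (identical on little-endian, semantically wrong), and `v4->sin_addr` is read before `sin_family` is checked, which is harmless only because the result is discarded for other families. IPv6 ULA (`fc00::/7`) and link-local ranges are also not treated as private; if that is intentional it should be stated on the prototype. The rewrite below handles the mapped case, converts with `ntohl()`, checks the family first and uses prefix masks instead of range pairs; `IN6_IS_ADDR_V4MAPPED` and `in_addr_t` come from `<netinet/in.h>`, which the file already relies on for `sockaddr_in6`.
```c
int sa_rfc1918(void *sa)
{
    struct sockaddr_in *v4 = (struct sockaddr_in *)sa;
    struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)sa;
    in_addr_t a;

    if( v4->sin_family == AF_INET )
    {
        a = ntohl(v4->sin_addr.s_addr);
    }
    else if( v6->sin6_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&v6->sin6_addr) )
    {
        /* dual-stack socket: IPv4 peer delivered as ::ffff:a.b.c.d */
        memcpy(&a, &v6->sin6_addr.s6_addr[12], sizeof(a));
        a = ntohl(a);
    }
    else
    {
        return 0;
    }

    return ((a & 0xFF000000) == 0x0A000000) ||   /* 10.0.0.0/8     */
           ((a & 0xFFF00000) == 0xAC100000) ||   /* 172.16.0.0/12  */
           ((a & 0xFFFF0000) == 0xC0A80000);     /* 192.168.0.0/16 */
}
```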
package/uhttpd/src/uhttpd-utils.h
4949const char * sa_straddr(void *sa);
5050const char * sa_strport(void *sa);
5151int sa_port(void *sa);
52int sa_rfc1918(void *sa);
5253
5354char *strfind(char *haystack, int hslen, const char *needle, int ndlen);
5455
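Review bot: The new `sa_rfc1918` prototype carries no contract, and its behaviour for non-IPv4 addresses is the part callers most need to know since the filter in uhttpd.c relies on it for both the peer and the server address. I would add above it: `/* Returns 1 if sa is an AF_INET address in 10/8, 172.16/12 or 192.168/16, 0 otherwise; AF_INET6 addresses (including IPv4-mapped ones) are never reported as private. */`, adjusting the last clause if the implementation is extended.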
package/uhttpd/src/uhttpd.c
524524#endif
525525
526526    while( (opt = getopt(argc, argv,
527        "fSDC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
527        "fSDRC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
528528    ) {
529529        switch(opt)
530530        {
...... 
648648                conf.no_dirlists = 1;
649649                break;
650650
651            case 'R':
652                conf.rfc1918_filter = 1;
653                break;
654
651655#ifdef HAVE_CGI
652656            /* cgi prefix */
653657            case 'x':
...... 
728732                    " -I string Use given filename as index page for directories\n"
729733                    " -S Do not follow symbolic links outside of the docroot\n"
730734                    " -D Do not allow directory listings, send 403 instead\n"
735                    " -R Enable RFC1918 filter\n"
731736#ifdef HAVE_LUA
732737                    " -l string URL prefix for Lua handler, default is '/lua'\n"
733738                    " -L file Lua handler script, omit to disable Lua\n"
...... 
932937                    /* parse message header */
933938                    if( (req = uh_http_header_recv(cl)) != NULL )
934939                    {
940                        /* RFC1918 filtering required? */
941                        if( conf.rfc1918_filter && sa_rfc1918(&cl->peeraddr) &&
942                            !sa_rfc1918(&cl->servaddr) )
943                        {
944                            uh_http_sendhf(cl, 403, "Forbidden",
945                                "Rejected request from RFC1918 IP to public server address");
946                        }
947                        else
935948#ifdef HAVE_LUA
936949                        /* Lua request? */
937950                        if( L && uh_path_match(conf.lua_prefix, req->url) )
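Review bot: The `else` added on line 947 has no body of its own; it binds to whichever `if` survives preprocessing, which is the Lua dispatch when HAVE_LUA is defined and otherwise some `if` further down that this hunk does not show, so the rejection path is correct only by accident of the surrounding `#ifdef` layout. Wrapping everything after the 403 in an explicit `else { ... }` block (or setting a flag that the later dispatch checks) would make the intent survive a reordering of the handlers; the enclosing function continues outside the hunk, so I cannot tell whether the 403 path still reaches the request cleanup. On scope: the check compares only the peer and server addresses, so it covers the case described in the commit message and nothing else; a Host-header allow-list would be the complementary countermeasure, and a comment such as `/* only rejects RFC1918 peers talking to a non-RFC1918 server address; Host header is not checked */` above line 940 would make that boundary explicit.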
package/uhttpd/src/uhttpd.h
6969    int no_symlinks;
7070    int no_dirlists;
7171    int network_timeout;
72    int rfc1918_filter;
7273#ifdef HAVE_CGI
7374    char *cgi_prefix;
7475#endif
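Review bot: The new `rfc1918_filter` field is the only one in this group whose meaning is not obvious from its name, and the header has no comment tying it to the option that sets it. I would write `int rfc1918_filter; /* -R: reject requests from RFC1918 peers to non-RFC1918 server addresses */` so the struct documents the same contract the usage text and the init script expose.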



