README.md: Fix CMake build instructions

The previous instructions were simply wrong because `cmake ..` would attempt to configure the project from the parent directory, instead of the build directory.
page.c: Do not get filename on previews
2024-05-05 01:07:01 +02:00 · 2024-03-01 00:06:03 +01:00 · 2024-02-24 08:39:25 +01:00 · 2024-02-20 21:44:53 +01:00 · 2024-02-20 21:24:17 +01:00 · 2024-02-20 08:18:11 +01:00
6 changed files with 197 additions and 75 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -13,7 +13,7 @@ add_executable(${PROJECT_NAME}
 target_compile_options(${PROJECT_NAME} PRIVATE -Wall)
 target_compile_definitions(${PROJECT_NAME} PRIVATE _FILE_OFFSET_BITS=64)
 set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${CMAKE_CURRENT_LIST_DIR}/cmake)
-find_package(web 0.2.0)
+find_package(web 0.3.0)

 if(WEB_FOUND)
    find_package(dynstr 0.1.0)
--- a/README.md
+++ b/README.md
@ -59,13 +59,13 @@ to `slcl`. If required, encryption should be done before uploading e.g.: using
 #### Mandatory packages

 ```sh
-sudo apt install build-essential libcjson-dev libssl-dev
+sudo apt install build-essential libcjson-dev libssl-dev m4 jq
 ```

 #### Optional packages

 ```sh
-sudo apt install cmake xxd jq
+sudo apt install cmake
 ```

 ## How to use
@ -90,9 +90,8 @@ $ make
 #### CMake

 ```sh
-$ mkdir build/
-$ cmake ..
-$ cmake --build .
+$ cmake -B build
+$ cmake --build build/
 ```

 ### Setting up
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 6ceae16a20175edb77fb2ffab0d3d6648d011221
+Subproject commit b4930f72bb9026c5a0871f4fa4cabe20cb0e6a9f
--- a/main.c
+++ b/main.c
@ -393,14 +393,24 @@ end:

 static bool path_isrel(const char *const path)
 {
-    if (!strcmp(path, "..") || !strcmp(path, ".") || strstr(path, "/../"))
+    if (!strcmp(path, "..")
+        || !strcmp(path, ".")
+        || !strncmp(path, "./", strlen("./"))
+        || !strncmp(path, "../", strlen("../"))
+        || strstr(path, "/./")
+        || strstr(path, "/../"))
        return true;

-    static const char suffix[] = "/..";
-    const size_t n = strlen(path), sn = strlen(suffix);
+    static const char *const suffixes[] = {"/.", "/.."};

-    if (n >= sn && !strcmp(path + n - sn, suffix))
-        return true;
+    for (size_t i = 0; i < sizeof suffixes / sizeof *suffixes; i++)
+    {
+        const char *const suffix = suffixes[i];
+        const size_t n = strlen(path), sn = strlen(suffix);
+
+        if (n >= sn && !strcmp(path + n - sn, suffix))
+            return true;
+    }

    return false;
 }
@ -425,7 +435,8 @@ static int getpublic(const struct http_payload *const p,
 {
    int ret = -1;
    struct auth *const a = user;
-    const char *const adir = auth_dir(a);
+    const char *const adir = auth_dir(a),
+        *const file = p->resource + strlen("/public/");
    struct dynstr d;

    dynstr_init(&d);
@ -435,6 +446,13 @@ static int getpublic(const struct http_payload *const p,
        fprintf(stderr, "%s: auth_dir failed\n", __func__);
        goto end;
    }
+    else if (!*file || filename_invalid(file))
+    {
+        fprintf(stderr, "%s: invalid filename %s\n",
+            __func__, p->resource);
+        ret = page_forbidden(r);
+        goto end;
+    }
    else if (path_invalid(p->resource))
    {
        fprintf(stderr, "%s: illegal relative path %s\n",
@ -893,7 +911,16 @@ static int check_length(const unsigned long long len,
    bool has_quota;
    unsigned long long quota;

-    if (auth_quota(a, username, &has_quota, &quota))
+    if (auth_cookie(a, c))
+    {
+        fprintf(stderr, "%s: auth_cookie failed\n", __func__);
+
+        if (page_forbidden(r))
+            return -1;
+
+        return 1;
+    }
+    else if (auth_quota(a, username, &has_quota, &quota))
    {
        fprintf(stderr, "%s: auth_quota failed\n", __func__);
        return -1;
@ -1053,23 +1080,23 @@ end:
 static int move_file(const char *const old, const char *const new)
 {
    int ret = -1;
-    FILE *const f = fopen(old, "rb");
-    const int fd = open(new, O_WRONLY | O_CREAT, 0600);
+    const int fd_old = open(old, O_RDONLY),
+        fd_new = open(new, O_WRONLY | O_CREAT, 0600);
    struct stat sb;

-    if (!f)
+    if (fd_old < 0)
    {
-        fprintf(stderr, "%s: fopen(3): %s\n", __func__, strerror(errno));
+        fprintf(stderr, "%s: open(2) fd_old: %s\n", __func__, strerror(errno));
        goto end;
    }
-    else if (fd < 0)
+    else if (fd_new < 0)
    {
        fprintf(stderr, "%s: open(2): %s\n", __func__, strerror(errno));
        goto end;
    }
-    else if (stat(old, &sb))
+    else if (fstat(fd_old, &sb))
    {
-        fprintf(stderr, "%s: stat(2): %s\n", __func__, strerror(errno));
+        fprintf(stderr, "%s: fstat(2): %s\n", __func__, strerror(errno));
        goto end;
    }

@ -1078,24 +1105,30 @@ static int move_file(const char *const old, const char *const new)
        char buf[BUFSIZ];
        const off_t left = sb.st_size - i;
        const size_t rem = left > sizeof buf ? sizeof buf : left;
-        ssize_t w;
+        const ssize_t r = read(fd_old, buf, rem);

-        if (!fread(buf, rem, 1, f))
+        if (r < 0)
        {
-            fprintf(stderr, "%s: fread(3) failed, feof=%d, ferror=%d\n",
-                __func__, feof(f), ferror(f));
+            fprintf(stderr, "%s: read(2): %s\n", __func__, strerror(errno));
            goto end;
        }
-        else if ((w = write(fd, buf, rem)) < 0)
+
+        size_t wrem = r;
+        const void *p = buf;
+
+        while (wrem)
        {
-            fprintf(stderr, "%s: write(2): %s\n", __func__, strerror(errno));
-            goto end;
-        }
-        else if (w != rem)
-        {
-            fprintf(stderr, "%s: write(2): expected to write %zu bytes, "
-                "only %ju written\n", __func__, rem, (intmax_t)w);
-            goto end;
+            const ssize_t w = write(fd_new, p, wrem);
+
+            if (w < 0)
+            {
+                fprintf(stderr, "%s: write(2): %s\n",
+                    __func__, strerror(errno));
+                goto end;
+            }
+
+            p = (const char *)p + w;
+            wrem -= w;
        }

        i += rem;
@ -1104,15 +1137,15 @@ static int move_file(const char *const old, const char *const new)
    ret = 0;

 end:
-    if (fd >= 0 && close(fd))
+    if (fd_old >= 0 && close(fd_old))
    {
-        fprintf(stderr, "%s: close(2): %s\n", __func__, strerror(errno));
+        fprintf(stderr, "%s: close(2) fd_old: %s\n", __func__, strerror(errno));
        ret = -1;
    }

-    if (f && fclose(f))
+    if (fd_new >= 0 && close(fd_new))
    {
-        fprintf(stderr, "%s: fclose(3): %s\n", __func__, strerror(errno));
+        fprintf(stderr, "%s: close(2) fd_new: %s\n", __func__, strerror(errno));
        ret = -1;
    }

@ -1346,6 +1379,7 @@ static int createdir(const struct http_payload *const p,
    struct dynstr d, userd;
    struct form *forms = NULL;
    size_t n = 0;
+    char *encurl = NULL;

    dynstr_init(&d);
    dynstr_init(&userd);
@ -1372,7 +1406,7 @@ static int createdir(const struct http_payload *const p,
        goto end;
    }

-    char *name = NULL, *dir = NULL;
+    const char *name = NULL, *dir = NULL;

    for (size_t i = 0; i < n; i++)
    {
@ -1459,7 +1493,12 @@ static int createdir(const struct http_payload *const p,
            .status = HTTP_STATUS_SEE_OTHER
        };

-        if (http_response_add_header(r, "Location", userd.str))
+        if (!(encurl = http_encode_url(userd.str)))
+        {
+            fprintf(stderr, "%s: http_encode_url failed\n", __func__);
+            goto end;
+        }
+        else if (http_response_add_header(r, "Location", encurl))
        {
            fprintf(stderr, "%s: http_response_add_header failed\n", __func__);
            goto end;
@ -1472,6 +1511,7 @@ end:
    forms_free(forms, n);
    dynstr_free(&userd);
    dynstr_free(&d);
+    free(encurl);
    return ret;
 }

@ -2086,7 +2126,14 @@ int main(int argc, char *argv[])
    {
        .length = check_length,
        .tmpdir = tmpdir,
-        .user = a
+        .user = a,
+        .post =
+        {
+            /* Arbitrary limit. */
+            .max_files = 10000,
+            /* File upload only requires one pair. */
+            .max_pairs = 1
+        }
    };

    unsigned short outport;
--- a/page.c
+++ b/page.c
@ -108,6 +108,7 @@ static int prepare_name(struct html_node *const n, struct stat *const sb,
    struct html_node *a;
    struct dynstr d, dname;
    const char *const sep = S_ISDIR(sb->st_mode) ? "/" : "";
+    char *encurl = NULL;

    dynstr_init(&d);
    dynstr_init(&dname);
@ -122,7 +123,12 @@ static int prepare_name(struct html_node *const n, struct stat *const sb,
        fprintf(stderr, "%s: html_node_add_child failed\n", __func__);
        goto end;
    }
-    else if (html_node_add_attr(a, "href", d.str))
+    else if (!(encurl = http_encode_url(d.str)))
+    {
+        fprintf(stderr, "%s: http_encode_url failed\n", __func__);
+        goto end;
+    }
+    else if (html_node_add_attr(a, "href", encurl))
    {
        fprintf(stderr, "%s: html_node_add_attr href failed\n", __func__);
        goto end;
@ -143,6 +149,7 @@ static int prepare_name(struct html_node *const n, struct stat *const sb,
 end:
    dynstr_free(&d);
    dynstr_free(&dname);
+    free(encurl);
    return ret;
 }

@ -303,6 +310,7 @@ static int prepare_preview(struct html_node *const n,
    const struct stat *const sb, const char *const dir, const char *const name)
 {
    int ret = -1;
+    char *encurl = NULL;
    struct html_node *a;
    struct dynstr d;

@ -315,9 +323,22 @@ static int prepare_preview(struct html_node *const n,
        fprintf(stderr, "%s: html_node_add_child form failed\n", __func__);
        goto end;
    }
-    else if (dynstr_append(&d, "%s%s?preview=1", dir, name))
+    else if (dynstr_append(&d, "%s%s", dir, name))
    {
-        fprintf(stderr, "%s: dynstr_append failed\n", __func__);
+        fprintf(stderr, "%s: dynstr_append d failed\n", __func__);
+        goto end;
+    }
+    else if (!(encurl = http_encode_url(d.str)))
+    {
+        fprintf(stderr, "%s: http_encode_url failed\n", __func__);
+        goto end;
+    }
+
+    dynstr_free(&d);
+
+    if (dynstr_append(&d, "%s?preview=1", encurl))
+    {
+        fprintf(stderr, "%s: dynstr_append encd failed\n", __func__);
        goto end;
    }
    else if (html_node_add_attr(a, "href", d.str))
@ -335,6 +356,7 @@ static int prepare_preview(struct html_node *const n,

 end:
    dynstr_free(&d);
+    free(encurl);
    return ret;
 }

@ -1272,20 +1294,24 @@ end:
 }

 static int serve_file(struct http_response *const r,
-    const struct stat *const sb, const char *const res, const bool preview)
+    const struct stat *const sb, const char *const res, const bool preview,
+    const int fd, bool *const fdopened)
 {
    int ret = -1;
-    FILE *const f = fopen(res, "rb");
+    FILE *f = NULL;
    struct dynstr b, d;
    char *bn;

    dynstr_init(&b);
    dynstr_init(&d);

-    if (!f)
+    if (preview)
    {
-        fprintf(stderr, "%s: fopen(3): %s\n", __func__, strerror(errno));
-        goto end;
+        if (dynstr_append(&d, "inline"))
+        {
+            fprintf(stderr, "%s: dynstr_append inline failed\n", __func__);
+            goto end;
+        }
    }
    else if (dynstr_append(&b, "%s", res))
    {
@ -1297,20 +1323,20 @@ static int serve_file(struct http_response *const r,
        fprintf(stderr, "%s: basename(3) failed\n", __func__);
        goto end;
    }
-    else if (preview)
-    {
-        if (dynstr_append(&d, "inline"))
-        {
-            fprintf(stderr, "%s: dynstr_append inline failed\n", __func__);
-            goto end;
-        }
-    }
    else if (dynstr_append(&d, "attachment; filename=\"%s\"", bn))
    {
        fprintf(stderr, "%s: dynstr_append attachment failed\n", __func__);
        goto end;
    }

+    if (!(f = fdopen(fd, "rb")))
+    {
+        fprintf(stderr, "%s: fdopen(3): %s\n", __func__, strerror(errno));
+        goto end;
+    }
+
+    *fdopened = true;
+
    *r = (const struct http_response)
    {
        .status = HTTP_STATUS_OK,
@ -1380,28 +1406,63 @@ static bool preview(const struct page_resource *const pr)

 int page_resource(const struct page_resource *const pr)
 {
+    int ret = -1;
    struct stat sb;
+    const int fd = open(pr->res, O_RDONLY);
+    bool fdopened = false;

-    if (stat(pr->res, &sb))
+    if (fd < 0)
    {
-        fprintf(stderr, "%s: stat(2) %s: %s\n",
-            __func__, pr->res, strerror(errno));
-
        if (errno == ENOENT || errno == ENOTDIR)
-            return page_not_found(pr->r);
+            ret = page_not_found(pr->r);
        else
-            return -1;
+            fprintf(stderr, "%s: open(2) %s: %s\n",
+                __func__, pr->res, strerror(errno));
+
+        goto end;
+    }
+    else if (fstat(fd, &sb))
+    {
+        fprintf(stderr, "%s: fstat(2) %s: %s\n",
+            __func__, pr->res, strerror(errno));
+        goto end;
    }

    const mode_t m = sb.st_mode;

    if (S_ISDIR(m))
-        return list_dir(pr);
+    {
+        if (list_dir(pr))
+        {
+            fprintf(stderr, "%s: list_dir failed\n", __func__);
+            goto end;
+        }
+    }
    else if (S_ISREG(m))
-        return serve_file(pr->r, &sb, pr->res, preview(pr));
+    {
+        if (serve_file(pr->r, &sb, pr->res, preview(pr), fd, &fdopened))
+        {
+            fprintf(stderr, "%s: serve_file failed\n", __func__);
+            goto end;
+        }
+    }
+    else
+    {
+        fprintf(stderr, "%s: unexpected st_mode %jo\n", __func__, (intmax_t)m);
+        goto end;
+    }

-    fprintf(stderr, "%s: unexpected st_mode %jd\n", __func__, (intmax_t)m);
-    return -1;
+    ret = 0;
+
+end:
+    if (!fdopened && fd >= 0 && close(fd))
+    {
+        fprintf(stderr, "%s: close(2) %s: %s\n",
+            __func__, pr->res, strerror(errno));
+        ret = -1;
+    }
+
+    return ret;
 }

 static char *resolve_link(const char *const res)
@ -1444,18 +1505,26 @@ static char *resolve_link(const char *const res)
 int page_public(struct http_response *const r, const char *const res)
 {
    int ret = -1;
+    const int fd = open(res, O_RDONLY);
    struct stat sb;
    char *path = NULL;
+    bool fdopened = false;

-    if (stat(res, &sb))
+    if (fd < 0)
    {
-        fprintf(stderr, "%s: stat(2) %s: %s\n",
-            __func__, res, strerror(errno));
-
        if (errno == ENOENT)
-            return page_not_found(r);
+            ret = page_not_found(r);
        else
-            goto end;
+            fprintf(stderr, "%s: stat(2) %s: %s\n",
+                __func__, res, strerror(errno));
+
+        goto end;
+    }
+    else if (fstat(fd, &sb))
+    {
+        fprintf(stderr, "%s: fstat(2) %s: %s\n",
+            __func__, res, strerror(errno));
+        goto end;
    }

    const mode_t m = sb.st_mode;
@ -1470,7 +1539,7 @@ int page_public(struct http_response *const r, const char *const res)
        fprintf(stderr, "%s: resolve_link failed\n", __func__);
        goto end;
    }
-    else if (serve_file(r, &sb, path, false))
+    else if (serve_file(r, &sb, path, false, fd, &fdopened))
    {
        fprintf(stderr, "%s: serve_file failed\n", __func__);
        goto end;
@ -1479,6 +1548,13 @@ int page_public(struct http_response *const r, const char *const res)
    ret = 0;

 end:
+    if (!fdopened && fd >= 0 && close(fd))
+    {
+        fprintf(stderr, "%s: close(2) %s: %s\n",
+            __func__, res, strerror(errno));
+        ret = -1;
+    }
+
    free(path);
    return ret;
 }
--- a/2
+++ b/2
@ -93,5 +93,5 @@ jq ".users += [
    \"quota\": \"$QUOTA\"
 }]" "$DB" > $TMP

-mkdir "$DIR/user/$USER"
+mkdir -p "$DIR/user/$USER"
 mv $TMP "$DB"
Author	SHA1	Message	Date
Xavier Del Campo Romero	32af8ddd3d	README.md: Fix CMake build instructions The previous instructions were simply wrong because `cmake ..` would attempt to configure the project from the parent directory, instead of the build directory.	2024-05-05 01:07:01 +02:00
Xavier Del Campo Romero	b4572c6217	page.c: Do not get filename on previews This change should provide the same behaviour, but would avoid unnecessary calls to dynstr_append and basename(3) when a preview is to be served.	2024-03-01 00:06:03 +01:00
Xavier Del Campo Romero	fb8896bccd	README.md: Update dependencies list - jq is required by usergen. - Despite being part of a POSIX.1-2008 environment, m4 is not provided by Debian or Ubuntu by default.	2024-02-24 08:39:25 +01:00
Xavier Del Campo Romero	dd29f9096a	usergen: Do not abort on existing directory Otherwise, it would not be possible to replace user credentials if the directory already exists.	2024-02-20 21:44:53 +01:00
Xavier Del Campo Romero	8bcf0bf855	main.c: Improve relative path detection Otherwise, the following resources would be considered valid: - /user/../test - /user/./test - /user/a/. - /user/a/./test	2024-02-20 21:24:17 +01:00
Xavier Del Campo Romero	afc5cf0dfc	main.c: Reject invalid /public/ requests Otherwise: - slcl would accept /public/ (i.e., without a file name) as a valid resource. This would incorrectly map the public/ directory on the database, making slcl to return -1 because public/ is not a regular file. - slcl would accept directory names (e.g.: /public/dir/), which is never expected since slcl stores all public files into a single directory.	2024-02-20 08:18:11 +01:00
Xavier Del Campo Romero	b7f232366c	main.c: Force valid cookie on check_length Otherwise, a malicious user could send multipart/form-data requests without a valid cookie.	2024-02-20 00:17:40 +01:00
Xavier Del Campo Romero	6c3bfa270b	page.c: Use open(2) fdopen(3) and fstat(2) Now, the same file descriptor can be reused for all of the operations above, instead of calling stat(2) and fopen(3) separately.	2024-02-19 23:35:09 +01:00
Xavier Del Campo Romero	78c8c4dabb	page.c: URL-encode href Otherwise, files with special characters, such as '%', could not be downloaded or previewed.	2024-02-19 23:35:09 +01:00
Xavier Del Campo Romero	55008f2f64	main.c: const-qualify name and dir There was no reason why these should not be const-qualified. It was probably missed during the implementation.	2024-02-19 23:35:08 +01:00
Xavier Del Campo Romero	1f8aa578a4	main.c: URL-encode created directories Otherwise, directories with special characters, such as "%", would not be accessible when performing the redirection.	2024-02-19 23:35:08 +01:00
Xavier Del Campo Romero	a578ad6537	main.c: Use fstat(2) on move_file This allows to reuse the same file descriptor to both open(2) and fstat(2) the file.	2024-02-19 23:35:08 +01:00
Xavier Del Campo Romero	f6b84b765d	Bump libweb to 0.3.0 The following commits fix a couple of security issues on libweb. Because of afe0681c0b26bb64bad55d7e86770f346cfa043e, slcl had to be updated to set up its struct http_cfg_post. commit afe0681c0b26bb64bad55d7e86770f346cfa043e Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com> Date: Mon Feb 19 23:00:56 2024 +0100 Limit maximum multipart/form-data pairs and files A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources. commit 9d9e0c2979f43297b2ebbf84f14f064f3f9ced0e Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com> Date: Mon Feb 19 22:49:09 2024 +0100 html.c: Avoid half-init objects on html_node_add_attr The previous implementation would leave half-initialised objects if one of the calls to strdup(3) failed. Now, n->attrs is only modified when all previous memory allocations were successful.	2024-02-19 23:35:08 +01:00
Xavier Del Campo Romero	0f889b409e	main.c: Add missing relative path check	2024-02-19 16:59:54 +01:00