libweb has introduced several breaking changes:
- Add optional expiration date to http_cookie_create
- Replace Makefile with configure script
If users send no payload data to a POST request, libweb sets a null
pointer as part of the payload. Therefore, null pointers must always be
checked as a sanity check.
This functionality was moved from slcl to libweb since it can be shared
with other web applications.
The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]

Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]

As an alternative to OpenSSL, libsodium [4] had several benefits:

- It provides easy-to-use functions for password hashing, base64
  encoding/decoding and other cryptographic primitives used by slcl(1)
  and usergen(1).
- It is packaged by most distributions [5], and most often only the patch
  version differs, which ensures good compatibility across distributions.

Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.

In order to maintain backwards compatibility with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).

[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
libweb now supports deallocating user-defined data whenever an error
occurs during a chunked transfer or an asynchronous HTTP response, thus
avoiding memory leaks.
Thanks to the fdzipstream library [1] and zlib [2], it is possible to
generate ZIP files on-the-fly, therefore requiring no extra disk space
usage and only a small amount of memory.

Unfortunately, as of the time of this writing, fdzipstream is not
packaged by any distributions yet [3], so it had to be imported as a git
submodule as a workaround.

While libarchive [4] could be an interesting alternative, writing ZIP
files is only supported by very recent versions (>= 3.8.0), which are
still not packaged by many distributions [5], either.

Moreover, libarchive is a package with several dependencies other than
zlib and is significantly larger compared to fdzipstream, so
fdzipstream was ultimately considered a better fit for this purpose.

[1]: https://github.com/CTrabant/fdzipstream.git
[2]: http://zlib.net/
[3]: https://repology.org/projects/?search=fdzipstream
[4]: https://www.libarchive.org/
[5]: https://repology.org/project/libarchive/versions
libweb now allows setting up a custom value for the backlog argument in
the internal call to listen(2).
Commit 4fa1b3e8 missed updating other calls to cftw that were still
relying on the older interface, causing unexpected errors.

As a side effect, user quotas are now calculated asynchronously, i.e.,
without blocking other clients.

While the same improvement was planned for the /rm endpoint, it proved
too challenging to implement for a first refactor: on one hand, /rm
takes one or more key-value pairs involving the top-level directories
and/or files to remove. On the other hand, every directory must be
traversed recursively, as rmdir(2) must be used on empty directories.
While certainly possible, it was decided to keep a synchronous
behaviour for do_rm for the sake of simplicity.
Thanks to a new feature in libweb, it is now possible to generate HTTP
responses asynchronously, i.e., without blocking other clients if the
response takes a long time to generate.

This now allows users to search for files or directories without blocking
other users, regardless of how much time the search operation takes.

This required cftw to deviate from the POSIX-like, blocking interface it
had so far; it has now been replaced with a non-blocking interface, so
that directories are inspected one entry at a time.
This write-only named pipe is meant to inform other processes about
files that have been added/removed to/from the user/ directory.
The syntax is line-oriented and is described below.

For added files:

    +<space ...><path><LF>

For removed files:

    -<space ...><path><LF>

Paths shall always be absolute.

Examples:

    + /home/test/db/user/alice/a picture.jpg
    - /home/test/db/user/bob/essay.txt

As reported above, this feature has been made completely optional so as
not to introduce breaking changes. A new command line option, namely -m,
is required to enable this feature.
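As an added example (not code from slcl or libweb), here is a small C parser for the line format described above. The struct and function names (fs_event, fs_event_parse, fs_events_parse) are hypothetical, and the sample buffer is constructed from the two example lines in the message. The parser returns a pointer just past each consumed line, so a reader of the pipe can handle several lines per read(2) and keep a trailing partial line (no LF yet) for the next read; it rejects relative paths, as the message requires.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One parsed notification line: op is '+' (added) or '-' (removed). */
struct fs_event {
    char op;
    const char *path; /* points into the caller's buffer, not NUL-terminated */
    size_t len;       /* path length without the trailing LF */
};

/*
 * Parse one line of the form "+<space ...><path><LF>" or
 * "-<space ...><path><LF>". Returns a pointer just past the LF on success,
 * or NULL when the line is malformed: unknown operation, no separating
 * space, a relative path, or no terminating LF (a partial read).
 */
const char *fs_event_parse(const char *s, struct fs_event *ev)
{
    if (s == NULL || ev == NULL || (s[0] != '+' && s[0] != '-'))
        return NULL;
    const char *p = s + 1;
    if (*p != ' ')
        return NULL;              /* at least one space is required */
    while (*p == ' ')
        p++;
    if (*p != '/')
        return NULL;              /* paths shall always be absolute */
    const char *lf = strchr(p, '\n');
    if (lf == NULL)
        return NULL;              /* incomplete line: wait for more data */
    ev->op = s[0];
    ev->path = p;
    ev->len = (size_t)(lf - p);
    return lf + 1;
}

/* Parse every complete line in buf; stops at the first malformed one. */
size_t fs_events_parse(const char *buf, struct fs_event *out, size_t max)
{
    size_t n = 0;
    while (*buf != '\0' && n < max) {
        const char *next = fs_event_parse(buf, &out[n]);
        if (next == NULL)
            break;
        n++;
        buf = next;
    }
    return n;
}

/* 1 if a single line is well-formed, 0 otherwise (convenience wrapper). */
int fs_event_valid(const char *line)
{
    struct fs_event ev;
    return fs_event_parse(line, &ev) != NULL;
}

/* Number of well-formed lines at the start of buf (up to 16). */
int fs_events_count(const char *buf)
{
    struct fs_event tmp[16];
    return (int)fs_events_parse(buf, tmp, 16);
}

/* Constructed sample: the two example lines from the commit message. */
static const char sample[] =
    "+ /home/test/db/user/alice/a picture.jpg\n"
    "- /home/test/db/user/bob/essay.txt\n";

struct fs_event demo_events[4];

/* Parses the sample into demo_events and returns how many lines were read. */
size_t fs_events_demo(void)
{
    return fs_events_parse(sample, demo_events, 4);
}

int main(void)
{
    size_t n = fs_events_demo();
    for (size_t i = 0; i < n; i++)
        printf("%c %.*s\n", demo_events[i].op,
               (int)demo_events[i].len, demo_events[i].path);
    return 0;
}
```

Because the path is only a pointer into the read buffer, a consumer that needs to keep it beyond the next read must copy it out; leading spaces are skipped only before the path, so embedded spaces such as "a picture.jpg" survive intact.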
When sharing, paths must be expressed as an absolute path, e.g.
/path/to/file.
So far, slcl would allow sharing literally any directory or file, even
if they did not exist, as long as valid credentials were given.

Now, directories cannot be shared, since this is already restricted by
the web interface. This is now considered an invalid request.

On the other hand, attempting to share non-existing files shall now
return a 404 Not Found response to the user.
Now, libweb (rightfully) forces applications to handle signals and
introduces handler_notify_close(3) to achieve the desired behaviour.
Additionally, libweb 0.4.0 introduces several bugfixes.
Otherwise, uploaded files meant to overwrite an existing file would not
be updated accordingly if their newer size was smaller.
Otherwise, the following resources would be considered valid:
- /user/../test
- /user/./test
- /user/a/.
- /user/a/./test
Otherwise:
- slcl would accept /public/ (i.e., without a file name) as a valid
  resource. This would incorrectly map the public/ directory on the
  database, making slcl return -1 because public/ is not a regular
  file.
- slcl would accept directory names (e.g.: /public/dir/), which is never
  expected since slcl stores all public files into a single directory.
Otherwise, a malicious user could send multipart/form-data requests
without a valid cookie.
There was no reason why these should not be const-qualified. It was
probably missed during the implementation.
Otherwise, directories with special characters, such as "%", would not
be accessible when performing the redirection.
This allows reusing the same file descriptor to both open(2) and
fstat(2) the file.
The following commits fix a couple of security issues on libweb.
Because of afe0681c0b26bb64bad55d7e86770f346cfa043e, slcl had to be
updated to set up its struct http_cfg_post.

    commit afe0681c0b26bb64bad55d7e86770f346cfa043e
    Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com>
    Date:   Mon Feb 19 23:00:56 2024 +0100

        Limit maximum multipart/form-data pairs and files

        A malicious user could inject an infinite number of empty files or
        key/value pairs into a request in order to exhaust the device's
        resources.

    commit 9d9e0c2979f43297b2ebbf84f14f064f3f9ced0e
    Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com>
    Date:   Mon Feb 19 22:49:09 2024 +0100

        html.c: Avoid half-init objects on html_node_add_attr

        The previous implementation would leave half-initialised objects if one
        of the calls to strdup(3) failed. Now, n->attrs is only modified when
        all previous memory allocations were successful.
Recent commits from libweb brought a few breaking changes. The one below
affected slcl, so it had to be updated according to the new interface:

    commit 98f5f52461b0c1ab1ee3331722bd32e2db9e1d41
    Author: Xavier Del Campo <xavier.delcampo@midokura.com>
    Date:   Thu Nov 16 12:23:08 2023 +0100

        Split handler_loop from handler_listen

        Some applications might set up a struct handler object to listen on any
        port i.e., 0, but still need a way to determine which port number was
        eventually selected by the implementation.

        Therefore, handler_listen has been reduced to the server initialization
        bit, whereas the main loop has been split into its own function, namely
        handler_loop.

        Because of these changes, it no longer made sense for libweb to write
        the selected port to standard output, as this is something now
        applications can do on their own.
When a user attempts to upload a file into a non-existing directory,
slcl would not check whether the directory exists. Then, rename(3) would
fail and slcl would treat this as a fatal error, effectively closing
itself.
Since this is an example of ill-formed user input, it must be treated as
a non-fatal error, and instead slcl should return a bad request page.
The new signature allows callers to distinguish decoding errors from
fatal errors. This is important for slcl to avoid crashing when
ill-formed data is received from a client.
According to C99 7.19.1p3:

    BUFSIZ is a macro that expands to an integer constant expression that is
    the size of the buffer used by the setbuf function.

In other words, this means BUFSIZ is the most optimal length for a
buffer that reads a file into memory in chunks using fread(3).
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
slweb now assumes application/x-www-form-urlencoded-data as text, so it
now returns a null-terminated string on struct http_post member "data".
This removes the need for slcl to call strdup(3) in order to obtain a
null-terminated string.
For historical reasons, slweb used to check for a name called "dir" on
multipart/form-data POST requests. However, strictly speaking this is
application logic, so it has now been moved from slweb to slcl.

This has resulted in a couple of breaking changes in slweb that had to
be updated on slcl.
Malformed POST requests might include no payload data. However, this is
not considered a fatal error, but wrong user input.
slweb puts its header files into its own directory in order to avoid
potential name clashes.
When a user enters a search term that is too generic, slcl would
generate a long list of search results, where this generation could have
a big impact on the server performance and its available resources.
Therefore, it is reasonable to limit the number of search results to an
arbitrary limit, so that users are forced to enter a more specific
search term in order to achieve more relevant results.
So far, cftw would search through all directories and files recursively,
until all objects are processed. However, it is interesting for the user
callback to be able to stop this process under specific circumstances.
Now, cftw will pass a pointer to a bool, initialised to false by
default, that can be optionally assigned to true by the user
callback.
Future commits will make use of this feature. For example, this will be
used to limit the number of search results when a user enters a search
term that is too generic and would otherwise generate a large amount of
search results.
Search terms cannot use the same strict rules used for filenames or
directory names, as otherwise examples such as "*folder*/*IMG*" would
not work.
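An added example in C, not slcl's cftw or search code, that puts together the three points made in this message and in the two search-related messages above it: a recursive walk whose callback receives a pointer to a bool and may set it to stop the traversal early, a result limit enforced through that flag so that over-generic search terms cannot produce unbounded result lists, and fnmatch(3) wildcard matching with flags 0 so that '*' may span a '/' and a pattern such as "*folder*/*IMG*" works. The directory tree is constructed in memory and all names (struct node, walk, search_tree, MAX_RESULTS) are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* In-memory directory tree standing in for the real filesystem walk. */
struct node {
    const char *name;
    bool is_dir;
    const struct node *children;
    size_t nchildren;
};

/* Callback contract: a non-zero return aborts the walk with an error;
 * setting *stop ends it cleanly, which is what the cftw change allows. */
typedef int (*walk_fn)(const char *path, bool is_dir, void *user, bool *stop);

static int walk(const struct node *dir, char *path, size_t cap, size_t len,
                walk_fn fn, void *user, bool *stop)
{
    for (size_t i = 0; i < dir->nchildren && !*stop; i++) {
        const struct node *c = &dir->children[i];
        int w = snprintf(path + len, cap - len, "%s%s", len ? "/" : "", c->name);
        if (w < 0 || (size_t)w >= cap - len)
            return -1;                         /* path does not fit the buffer */
        if (fn(path, c->is_dir, user, stop) != 0)
            return -1;
        if (c->is_dir && !*stop &&
            walk(c, path, cap, len + (size_t)w, fn, user, stop) != 0)
            return -1;
    }
    path[len] = '\0';
    return 0;
}

#define MAX_RESULTS 3   /* arbitrary limit, kept small for the demo */

struct search {
    const char *pattern;
    char hits[MAX_RESULTS][128];
    size_t nhits;
    bool stopped;       /* true when the limit cut the walk short */
};

/* Record matching paths; request a stop once the limit is reached. */
static int search_cb(const char *path, bool is_dir, void *user, bool *stop)
{
    struct search *s = user;
    (void)is_dir;                              /* directories match by name too */
    if (fnmatch(s->pattern, path, 0) != 0)     /* flags 0: '*' may span '/' */
        return 0;
    snprintf(s->hits[s->nhits], sizeof s->hits[0], "%s", path);
    if (++s->nhits == MAX_RESULTS)
        *stop = true;
    return 0;
}

/* Returns the number of hits, or -1 if the walk failed. */
int search_tree(const struct node *root, const char *pattern, struct search *s)
{
    char path[256] = "";
    bool stop = false;
    memset(s, 0, sizeof *s);
    s->pattern = pattern;
    if (walk(root, path, sizeof path, 0, search_cb, s, &stop) != 0)
        return -1;
    s->stopped = stop;
    return (int)s->nhits;
}

/* Constructed user directory (hypothetical names). */
#define LEAF(n) {n, false, NULL, 0}
static const struct node docs[] = {LEAF("IMG_plan.png"), LEAF("essay.txt")};
static const struct node myfolder[] = {LEAF("IMG_1.jpg"), LEAF("IMG_2.jpg"), LEAF("notes.txt")};
static const struct node backup[] = {LEAF("IMG_4.jpg")};
static const struct node top[] = {{"docs", true, docs, 2}, {"myfolder", true, myfolder, 3},
                                  LEAF("IMG_3.jpg"), {"backup", true, backup, 1}};
static const struct node user_root = {"", true, top, 4};

struct search demo_search;

/* Runs one search over the constructed tree; results land in demo_search. */
int demo_run(const char *pattern)
{
    return search_tree(&user_root, pattern, &demo_search);
}

int main(void)
{
    const char *patterns[] = {"*IMG*", "*folder*/*IMG*", "*.txt"};
    for (size_t i = 0; i < 3; i++) {
        int n = demo_run(patterns[i]);
        printf("%s: %d hit(s)%s\n", patterns[i], n,
               demo_search.stopped ? " (limit reached)" : "");
        for (int j = 0; j < n; j++)
            printf("  %s\n", demo_search.hits[j]);
    }
    return 0;
}
```

With "*IMG*" the walk stops after the third match and never visits IMG_3.jpg or backup/, which is the behaviour the stop flag exists for; the stopped field lets the response tell the user that the list was truncated and a more specific term is needed.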
slcl used to provide a hardcoded stylesheet. However, it would be
desirable for some admins to provide a custom stylesheet without having
to rebuild the application.
Now, slcl creates a default stylesheet, namely style.css, into the
target directory, that can be later modified by admins.
While this might contradict the suckless philosophy a bit, hopefully
some admins might find this new feature useful.
- Relative paths must not be used for filenames or directory names,
such as "..", "." or "dir/..".
- Paths with asterisks ('*') must not be allowed, to avoid confusion
with wildcard expressions.
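An added example, not slcl's own code, of the component checks that this message and the two earlier ones on relative components ("/user/../test", "/user/a/.") and on /public/ resources describe. It validates a resource path one component at a time, rejecting ".", "..", empty components and '*', and separately requires a public resource to be exactly "/public/<name>" with no subdirectory and no missing name. The function names (component_ok, resource_path_ok, public_resource_ok) are hypothetical, as are the sample paths beyond those quoted from the messages.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A single path component is acceptable unless it is empty, "." or "..",
 * or contains '*' (reserved for search wildcards). */
static bool component_ok(const char *c, size_t len)
{
    if (len == 0)
        return false;                        /* empty, e.g. from "//" */
    if (len == 1 && c[0] == '.')
        return false;
    if (len == 2 && c[0] == '.' && c[1] == '.')
        return false;
    return memchr(c, '*', len) == NULL;
}

/*
 * Validate a resource path such as "/user/a/test": it must be absolute and
 * every component must pass component_ok. A single trailing '/' (a
 * directory listing) is tolerated; an empty component in the middle is not.
 */
bool resource_path_ok(const char *res)
{
    if (res == NULL || res[0] != '/')
        return false;
    const char *p = res + 1;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash != NULL ? (size_t)(slash - p) : strlen(p);
        if (!component_ok(p, len))
            return false;
        if (slash == NULL)
            break;
        p = slash + 1;  /* on a trailing '/', p now points at NUL and the loop ends */
    }
    return true;
}

/*
 * Public files live in one flat directory, so a public resource must be
 * exactly "/public/<name>": "/public/" (no name) and "/public/dir/..." are
 * both rejected.
 */
bool public_resource_ok(const char *res)
{
    static const char prefix[] = "/public/";
    const size_t plen = sizeof prefix - 1;
    if (res == NULL || strncmp(res, prefix, plen) != 0)
        return false;
    const char *name = res + plen;
    if (strchr(name, '/') != NULL)
        return false;                        /* subdirectory or trailing '/' */
    return component_ok(name, strlen(name)); /* rejects the empty name */
}

int main(void)
{
    /* Constructed examples, including the ones listed in the commit messages. */
    const char *paths[] = {"/user/test", "/user/../test", "/user/./test", "/user/a/.",
                           "/user/a/./test", "/user/a*b", "/user//test", "/user/a/"};
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-16s %s\n", paths[i], resource_path_ok(paths[i]) ? "ok" : "rejected");
    const char *pub[] = {"/public/", "/public/dir/", "/public/dir/f", "/public/a.txt"};
    for (size_t i = 0; i < sizeof pub / sizeof pub[0]; i++)
        printf("%-16s %s\n", pub[i], public_resource_ok(pub[i]) ? "ok" : "rejected");
    return 0;
}
```

Checking components on the raw request path, before any filesystem call, is what keeps a ".." from ever reaching the database directory; the later redirect and share handlers can then assume every accepted path is already canonical.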
The following workflow has been implemented:
- A new checkbox for each object inside a directory is shown.
- When one or more objects are selected, the user submits a request
  through an HTML5 form.
- Then, slcl will ask the user for confirmation, listing the selected
  objects, while reminding the user about the effects.
- The user confirms the selection.
- slcl removes the selected objects. All objects from non-empty
  directories are removed, too.
- Finally, slcl redirects the user to the directory the request was
  made from.
This provides a few benefits:
- This will allow searching for directories by name.
- Future commits will allow removing files and directories, so this
  change was also required for cftw.
When search_fn fails, it must free `r` before `results`, as the former
is assigned based on the latter; otherwise, it would lead to undefined
behaviour.

So far, only memory allocation errors would make search_fn fail.
C99 §5.1.2.2.1 only defines the following declarations for main:
- int main(void)
- int main(int argc, char *argv[])

While the use of equivalent types (e.g.: char **argv) is allowed, const
char ** would not be considered equivalent, and thus an invalid
declaration depending on the implementation.
This new feature adds an HTML form on each directory listing that allows
searching files recursively, starting from the current user directory.
Wildcard patterns are also allowed.
Future commits will make use of this function outside handler.c.
Given the following contrived example request:

    /example%FB%DC&arg%DE1=examplevalue%AA

slcl must decode each token separately, so that percent-encoded
characters '&', '=' or '?' do not get accidentally interpreted.
When using HTTP "Content-Disposition: attachment;", users are forced to
download files in order to use them, whereas others might prefer to open
them in the browser.

Therefore, now that URL parameters are supported by http.h, previews can
be forced by adding "preview=1" or "preview=true" (case-insensitive) as
a URL parameter. Any other parameters are ignored by slcl.

For users, a "Preview" link has been added next to the "Share" button
for each file.
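An added example (not libweb's http.h nor slcl's code) covering this message and the earlier one on decoding each token separately: the request target is split into path, keys and values on the still-encoded bytes first, and only then is each piece percent-decoded, so an encoded '&' or '=' inside a value never becomes a separator. The decoder reports malformed escapes as a distinct result so the caller can answer with a bad-request page rather than treat client input as a fatal error. It assumes the conventional '?' between path and query (the earlier message's own example places '&' directly after the path); the names (pct_decode, parse_target, preview_requested) and the sample request are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoding outcome: lets callers tell bad client input from internal errors. */
enum pct_result { PCT_OK, PCT_MALFORMED, PCT_TOO_LONG };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode exactly one token [s, s+len) into out (cap bytes incl. NUL). */
enum pct_result pct_decode(const char *s, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)s[i];
        if (c == '%') {
            if (i + 2 >= len)
                return PCT_MALFORMED;          /* truncated escape, e.g. "%4" */
            int hi = hexval((unsigned char)s[i + 1]);
            int lo = hexval((unsigned char)s[i + 2]);
            if (hi < 0 || lo < 0)
                return PCT_MALFORMED;          /* non-hex digits, e.g. "%ZZ" */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= cap)
            return PCT_TOO_LONG;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return PCT_OK;
}

struct param { char key[64]; char value[64]; };

/* Split "path?k=v&k2=v2" on the raw bytes, then decode every token on its
 * own. Returns the number of parameters, or -1 on malformed input. */
int parse_target(const char *target, char *path, size_t pcap,
                 struct param *params, size_t maxp)
{
    const char *q = strchr(target, '?');
    size_t plen = q != NULL ? (size_t)(q - target) : strlen(target);
    if (pct_decode(target, plen, path, pcap) != PCT_OK)
        return -1;
    size_t n = 0;
    for (const char *p = q != NULL ? q + 1 : NULL; p != NULL && *p != '\0';) {
        const char *amp = strchr(p, '&');
        size_t pairlen = amp != NULL ? (size_t)(amp - p) : strlen(p);
        if (pairlen > 0) {
            const char *eq = memchr(p, '=', pairlen);
            size_t klen = eq != NULL ? (size_t)(eq - p) : pairlen;
            const char *v = eq != NULL ? eq + 1 : p + pairlen;
            size_t vlen = pairlen - klen - (eq != NULL ? 1 : 0);
            if (n == maxp)
                return -1;                     /* refuse unbounded parameter lists */
            if (pct_decode(p, klen, params[n].key, sizeof params[n].key) != PCT_OK ||
                pct_decode(v, vlen, params[n].value, sizeof params[n].value) != PCT_OK)
                return -1;
            n++;
        }
        p = amp != NULL ? amp + 1 : NULL;
    }
    return (int)n;
}

static bool ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* "preview=1" or "preview=true" (case-insensitive) requests inline display. */
bool preview_requested(const struct param *params, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(params[i].key, "preview") == 0 &&
            (strcmp(params[i].value, "1") == 0 || ci_equal(params[i].value, "true")))
            return true;
    return false;
}

char demo_path[128];
struct param demo_params[8];

/* Parses target into the demo globals; returns the parameter count or -1. */
int demo_parse(const char *target)
{
    return parse_target(target, demo_path, sizeof demo_path, demo_params, 8);
}

/* 1 if the target asks for a preview, 0 if not, -1 if malformed. */
int demo_preview(const char *target)
{
    int n = demo_parse(target);
    return n < 0 ? -1 : preview_requested(demo_params, (size_t)n);
}

int main(void)
{
    /* Constructed request: the value of x carries an encoded '=' and '&'. */
    const char *t = "/docs/a%26b.txt?preview=TRUE&x=1%3D2%26y";
    int n = demo_parse(t);
    printf("path: %s (%d params, preview=%d)\n", demo_path, n, demo_preview(t));
    for (int i = 0; i < n; i++)
        printf("  %s = %s\n", demo_params[i].key, demo_params[i].value);
    return 0;
}
```

Decoding after splitting is the whole point: had "x=1%3D2%26y" been decoded first, the value would have been cut at the '&' and a spurious "y" parameter created. The maxp bound mirrors the multipart limits adopted in the security fixes above.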