1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
|
/*
Weborf
Copyright (C) 2007-2020 Salvo "LtWorf" Tomaselli
Weborf is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
@author Salvo "LtWorf" Tomaselli <tiposchi@tiscali.it>
*/
#include "options.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
#include <stdbool.h>
#include <netdb.h>
#include <dirent.h>
#include <unistd.h>
#include <syslog.h>
#include <signal.h>
#include <string.h>
#include "mystring.h"
#include "utils.h"
#include "embedded_auth.h"
/**
* This function creates an URI encoded version of the string origin
**/
static void uri_encode(char *dest, size_t size, const char *origin) {
if (size == 0 || dest == NULL || origin == NULL)
return;
dest[0] = '\0';
size_t len = strlen(origin);
size_t rlen = 0;
char *format;
for (size_t i = 0; i < len; i++) {
//Encode forbidden characters
switch (origin[i]) {
case '!':
case '*':
case '\'':
case '(':
case ')':
case ';':
case ':':
case '@':
case '&':
case '=':
case '+':
case '$':
case ',':
case '/':
case '?':
case '#':
case '[':
case ']':
case '%':
case '>':
case '<':
case '"':
case ' ':
case '\\':
format = "%%%02x";
break;
default:
format = "%c";
break;
}
if (size - rlen <= 2)
return;
rlen += sprintf(dest + rlen, format, origin[i]);
}
}
/**
* This function encodes the characters in 'origin' to &code; form into 'encoded'
**/
static void html_encode(char *dest, size_t size, const char *origin) {
if (size == 0 || dest == NULL || origin == NULL) return;
dest[0] = '\0';
size_t len = 0;
char *code;
size_t codesize;
char ni[2] = "X";
size_t origin_len = strlen(origin);
for (size_t i = 0; i < origin_len; i++) {
ni[0] = origin[i];
switch (origin[i]) {
case '&':
code = "&";
codesize = strlen("&");
break;
case '<':
code = "<";
codesize = strlen("<");
break;
case '>':
code = ">";
codesize = strlen(">");
break;
case ' ':
code = " ";
codesize = strlen(" ");
break;
case '"':
code = """;
codesize = strlen(""");
break;
default:
code = ni;
codesize = 1;
break;
}
if (len + codesize >= size)
return;
strcpy(dest + len, code);
len += codesize;
}
}
/**
This function reads the directory dir, putting inside the html string an html
page with links to all the files within the directory.
Buffer for html must be allocated by the calling function.
bufsize is the size of the buffer allocated for html
parent is true when the dir has a parent dir
Returns the size of the HTML.
-1: unable to open the file
-2: out of memory
*/
int list_dir(connection_t *connection_prop, char *html, unsigned int bufsize, bool parent) {
int pagesize=0; //Written bytes on the page
int maxsize = bufsize - 1; //String's max size
int printf_s;
char *color; //Depending on row count chooses a background color
char *measure; //contains measure unit for file's size (B, KiB, MiB)
int counter = 0;
int errcode = 0;
char path[INBUFFER]; //Buffer to contain element's absolute path
struct dirent **namelist = NULL;
counter = scandir(connection_prop->strfile, &namelist, 0, alphasort);
char *name_html = malloc(ESCAPED_FNAME_LEN);
char *escaped_dname = malloc(ESCAPED_FNAME_LEN);
if (counter <0) { //Open not succesfull
errcode = -1;
goto escape;
}
//Specific header table)
pagesize=printf_s=snprintf(html+pagesize,maxsize, "%s", HTMLHEAD "<table><tr><td></td><td>Name</td><td>Size</td><td>Last Modified</td></tr>");
maxsize-=printf_s;
//Cycles trough dir's elements
int i;
struct tm ts;
struct stat f_prop; //File's property
char last_modified[URI_LEN];
//Print link to parent directory, if there is any
if (parent) {
printf_s=snprintf(html+pagesize,maxsize,"<tr style=\"background-color: " HTMLPARENT ";\"><td>d</td><td><a href=\"../\">../</a></td><td>-</td><td>-</td></tr>");
maxsize-=printf_s;
pagesize+=printf_s;
}
for (i=0; i<counter; i++) {
//Skipping hidden files
if (namelist[i]->d_name[0] == '.' || errcode) {
free(namelist[i]);
continue;
}
snprintf(path, INBUFFER,"%s/%s", connection_prop->strfile, namelist[i]->d_name);
//Stat on the entry
stat(path, &f_prop);
int f_mode = f_prop.st_mode; //Get's file's mode
//get last modified
localtime_r(&f_prop.st_mtime,&ts);
strftime(last_modified,URI_LEN, "%a, %d %b %Y %H:%M:%S", &ts);
html_encode(name_html, ESCAPED_FNAME_LEN, namelist[i]->d_name);
uri_encode(escaped_dname, ESCAPED_FNAME_LEN, namelist[i]->d_name);
if (S_ISREG(f_mode)) { //Regular file
//Table row for the file
//Scaling the file's size
unsigned long long int size = f_prop.st_size;
if (size < 1024) {
measure=" B";
} else if ((size = (size / 1024)) < 1024) {
measure=" KiB";
} else if ((size = (size / 1024)) < 1024) {
measure=" MiB";
} else {
size = size / 1024;
measure=" GiB";
}
if (i % 2 == 0)
color = HTMLLIGHT;
else
color = HTMLDARK;
printf_s=snprintf(html+pagesize,maxsize,
"<tr style=\"background-color: %s;\"><td>f</td><td><a href=\"%s\">%s</a></td><td>%llu%s</td><td>%s</td></tr>\n",
color, escaped_dname, name_html, size, measure,last_modified);
maxsize-=printf_s;
pagesize+=printf_s;
} else if (S_ISDIR(f_mode)) { //Directory entry
//Table row for the dir
printf_s=snprintf(html+pagesize,maxsize,
"<tr style=\"background-color: #DFDFDF;\"><td>d</td><td><a href=\"%s/\">%s/</a></td><td>-</td><td>%s</td></tr>\n",
escaped_dname, name_html,last_modified);
maxsize-=printf_s;
pagesize+=printf_s;
}
free(namelist[i]);
if (maxsize <= 0) {
errcode = -2; // Out of memory
}
}
escape:
free(name_html);
free(escaped_dname);
free(namelist);
if (errcode == 0) {
printf_s=snprintf(html+pagesize,maxsize, "%s", "</table>" HTMLFOOT);
pagesize+=printf_s;
return pagesize;
} else
return errcode;
}
/**
Prints version information
*/
void version() {
printf("Weborf %s\n"
"Copyright (C) 2007-2025 Salvo 'LtWorf' Tomaselli.\n"
"This is free software. You may redistribute copies of it under the terms of\n"
"the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.\n"
"There is NO WARRANTY, to the extent permitted by law.\n\n"
"Written by Salvo 'LtWorf' Tomaselli and Salvo Rinaldi.\n"
"Synchronized queue by Prof. Giuseppe Pappalardo.\n\n"
"https://ltworf.codeberg.page/weborf/\n", VERSION);
exit(0);
}
void print_capabilities() {
printf("version:" VERSION "\n");
printf("ipv:"
#ifdef IPV6
"6"
#else
"4"
#endif
"\n"
);
printf("webdav:"
#ifdef WEBDAV
"yes"
#else
"no"
#endif
"\n"
);
printf("mime:"
#ifdef SEND_MIMETYPES
"yes"
#else
"no"
#endif
"\n"
);
printf("embedded_auth:"
#ifdef EMBEDDED_AUTH
"yes"
#else
"no"
#endif
"\n"
);
printf("https:"
#ifdef HAVE_LIBSSL
"yes"
#else
"no"
#endif
"\n"
);
exit(0);
}
/**
Prints command line help
*/
void help() {
printf("\tUsage: weborf [OPTIONS]\n"
"\tStart the weborf webserver\n\n"
#ifdef IPV6
"\tCompiled for IPv6\n"
#else
"\tCompiled for IPv4\n"
#endif
#ifdef WEBDAV
"\tHas webdav support\n"
#endif
#ifdef SEND_MIMETYPES
"\tHas MIME support\n"
#endif
"Default port is %s\n"
"Default base directory %s\n"
"Signature used %s\n\n", PORT,BASEDIR,SIGNATURE);
printf(" -a, --auth followed by absolute path of the program to handle authentication\n"
" -b, --basedir followed by absolute path of basedir\n"
" -C, --cache sets the directory to use for cache files\n"
" -c, --cgi list of cgi files and binary to execute them comma-separated\n"
" -d run as a daemon\n"
" -h, --help display this help and exit\n"
" -I, --index list of index files, comma-separated\n"
" -i, --ip followed by IP address to listen (dotted format)\n"
" -k, --caps lists the capabilities of the binary\n"
" -m, --mime sends content type header to clients\n"
" -p, --port followed by port number to listen\n"
" -P, --propfind\n"
" enables the PROPFIND method with no authentication\n"
" -T --inetd must be specified when using weborf with inetd or xinetd\n"
" -t --tar will send the directories as .tar.gz files\n"
" -u --uid followed by a valid uid\n"
" If started by root weborf will use this user to read files and execute scripts\n"
" -g --gid followed by a valid gid\n"
" -V, --virtual list of virtualhosts in the form host=basedir, comma-separated\n"
" -v, --version print program version\n"
" -S, --cert the certificate to use\n"
" -K, --key the private key to use with the certificate\n"
" -Y, --yesexec enables CGI\n"
"\n"
"Report bugs here https://bugs.launchpad.net/weborf\n"
"or to " PACKAGE_BUGREPORT "\n");
exit(0);
}
/**
Searching for easter eggs within the code isn't fair!
*/
void moo() {
printf(" _____________________________________\n"
"< Weborf ha i poteri della supermucca >\n"
" -------------------------------------\n"
" \\ ^__^\n"
" \\ (oo)\\_______\n"
" (__)\\ )\\/\\\n"
" ||----w |\n"
" || ||\n");
exit(0);
}
/**
* This function prints the start disclaimer on stdout.
* It wants the command line parameters
* */
void print_start_disclaimer(int argc, char *argv[]) {
printf("Weborf\n"
"This program comes with ABSOLUTELY NO WARRANTY.\n"
"This is free software, and you are welcome to redistribute it\n"
"under certain conditions.\nFor details see the GPLv3 License.\n"
"Run %s --help to see the options\n", argv[0]);
}
/**
* Detaches the process from the shell,
* it is re-implemented because it is not
* included in POSIX
*
* It shouldn't be executed after launching
* other threads. In that case the effects are
* not specified.
* */
void daemonize() {
if (fork() == 0)
signal(SIGHUP, SIG_IGN);
else
exit(0);
}
/**
This function retrieves the value of an http field within the header
http_param is the string containing the header
parameter is the searched parameter
buf is the buffer where copy the value
size, maximum size of the buffer
param_len =length of the parameter
Returns false if the parameter isn't found, or true otherwise
*/
bool get_param_value(char *http_param, char *parameter, char *buf, ssize_t size,ssize_t param_len) {
char *val = strstr(http_param, parameter); //Locates the requested parameter information
if (val == NULL) { //No such field
return false;
}
/*
* It is very important for this line to be here, for security reasons.
* It moves the pointer forward, assuming "Field: Value\r\n"
* If the field is malformed like "Field0\r\n" the subsequent strstr
* will fail and the function will return false.
* Moving this line after the next strstr would introduce a security
* vulnerability.
* The strstr will not cause a segfault because at this point the header
* string must at least terminate with "\r\n\r", the last '\r' is changed to 0
* so there is enough space to perform the operation
* */
val += param_len + 2; //Moves the begin of the string to exclude the name of the field
char *field_end = strstr(val, "\r\n"); //Searches the end of the parameter
if (field_end==NULL) {
return false;
}
if ((field_end - val + 1) < size) { //If the parameter's length is less than buffer's size
memcpy(buf, val, field_end - val);
} else { //Parameter string is too long for the buffer
return false;
}
buf[field_end - val] = 0; //Ends the string within the destination buffer
return true;
}
|
