Bug Summary

File:src/usr.sbin/httpd/server_http.c
Warning:line 975, column 7
Access to field 'flags' results in a dereference of a null pointer (loaded from variable 'srv_conf')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name server_http.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/httpd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.sbin/httpd -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/httpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.sbin/httpd/server_http.c
1/* $OpenBSD: server_http.c,v 1.149 2021/11/11 15:52:33 claudio Exp $ */
2
3/*
4 * Copyright (c) 2020 Matthias Pressfreund <mpfr@fn.de>
5 * Copyright (c) 2006 - 2018 Reyk Floeter <reyk@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/types.h>
21#include <sys/queue.h>
22#include <sys/socket.h>
23#include <sys/tree.h>
24#include <sys/stat.h>
25
26#include <netinet/in.h>
27#include <arpa/inet.h>
28
29#include <errno(*__errno()).h>
30#include <stdlib.h>
31#include <string.h>
32#include <unistd.h>
33#include <limits.h>
34#include <fnmatch.h>
35#include <stdio.h>
36#include <time.h>
37#include <resolv.h>
38#include <event.h>
39#include <ctype.h>
40#include <vis.h>
41#include <fcntl.h>
42
43#include "httpd.h"
44#include "http.h"
45#include "patterns.h"
46
47static int server_httpmethod_cmp(const void *, const void *);
48static int server_httperror_cmp(const void *, const void *);
49void server_httpdesc_free(struct http_descriptor *);
50int server_http_authenticate(struct server_config *,
51 struct client *);
52static int http_version_num(char *);
53char *server_expand_http(struct client *, const char *,
54 char *, size_t);
55char *replace_var(char *, const char *, const char *);
56char *read_errdoc(const char *, const char *);
57
58static struct http_method http_methods[] = HTTP_METHODS{ { HTTP_METHOD_GET, "GET" }, { HTTP_METHOD_HEAD, "HEAD" }, {
HTTP_METHOD_POST, "POST" }, { HTTP_METHOD_PUT, "PUT" }, { HTTP_METHOD_DELETE
, "DELETE" }, { HTTP_METHOD_OPTIONS, "OPTIONS" }, { HTTP_METHOD_TRACE
, "TRACE" }, { HTTP_METHOD_CONNECT, "CONNECT" }, { HTTP_METHOD_PROPFIND
, "PROPFIND" }, { HTTP_METHOD_PROPPATCH, "PROPPATCH" }, { HTTP_METHOD_MKCOL
, "MKCOL" }, { HTTP_METHOD_COPY, "COPY" }, { HTTP_METHOD_MOVE
, "MOVE" }, { HTTP_METHOD_LOCK, "LOCK" }, { HTTP_METHOD_UNLOCK
, "UNLOCK" }, { HTTP_METHOD_VERSION_CONTROL, "VERSION-CONTROL"
}, { HTTP_METHOD_REPORT, "REPORT" }, { HTTP_METHOD_CHECKOUT,
"CHECKOUT" }, { HTTP_METHOD_CHECKIN, "CHECKIN" }, { HTTP_METHOD_UNCHECKOUT
, "UNCHECKOUT" }, { HTTP_METHOD_MKWORKSPACE, "MKWORKSPACE" },
{ HTTP_METHOD_UPDATE, "UPDATE" }, { HTTP_METHOD_LABEL, "LABEL"
}, { HTTP_METHOD_MERGE, "MERGE" }, { HTTP_METHOD_BASELINE_CONTROL
, "BASELINE-CONTROL" }, { HTTP_METHOD_MKACTIVITY, "MKACTIVITY"
}, { HTTP_METHOD_ORDERPATCH, "ORDERPATCH" }, { HTTP_METHOD_ACL
, "ACL" }, { HTTP_METHOD_MKREDIRECTREF, "MKREDIRECTREF" }, { HTTP_METHOD_UPDATEREDIRECTREF
, "UPDATEREDIRECTREF" }, { HTTP_METHOD_SEARCH, "SEARCH" }, { HTTP_METHOD_PATCH
, "PATCH" }, { HTTP_METHOD_NONE, ((void*)0) } };
59static struct http_error http_errors[] = HTTP_ERRORS{ { 100, "Continue" }, { 101, "Switching Protocols" }, { 102,
"Processing" }, { 200, "OK" }, { 201, "Created" }, { 202, "Accepted"
}, { 203, "Non-Authoritative Information" }, { 204, "No Content"
}, { 205, "Reset Content" }, { 206, "Partial Content" }, { 207
, "Multi-Status" }, { 208, "Already Reported" }, { 226, "IM Used"
}, { 300, "Multiple Choices" }, { 301, "Moved Permanently" }
, { 302, "Found" }, { 303, "See Other" }, { 304, "Not Modified"
}, { 305, "Use Proxy" }, { 306, "Switch Proxy" }, { 307, "Temporary Redirect"
}, { 308, "Permanent Redirect" }, { 400, "Bad Request" }, { 401
, "Unauthorized" }, { 402, "Payment Required" }, { 403, "Forbidden"
}, { 404, "Not Found" }, { 405, "Method Not Allowed" }, { 406
, "Not Acceptable" }, { 407, "Proxy Authentication Required" }
, { 408, "Request Timeout" }, { 409, "Conflict" }, { 410, "Gone"
}, { 411, "Length Required" }, { 412, "Precondition Failed" }
, { 413, "Payload Too Large" }, { 414, "URI Too Long" }, { 415
, "Unsupported Media Type" }, { 416, "Range Not Satisfiable" }
, { 417, "Expectation Failed" }, { 418, "I'm a teapot" }, { 420
, "Enhance Your Calm" }, { 422, "Unprocessable Entity" }, { 423
, "Locked" }, { 424, "Failed Dependency" }, { 426, "Upgrade Required"
}, { 428, "Precondition Required" }, { 429, "Too Many Requests"
}, { 431, "Request Header Fields Too Large" }, { 451, "Unavailable For Legal Reasons"
}, { 500, "Internal Server Error" }, { 501, "Not Implemented"
}, { 502, "Bad Gateway" }, { 503, "Service Unavailable" }, {
504, "Gateway Timeout" }, { 505, "HTTP Version Not Supported"
}, { 506, "Variant Also Negotiates" }, { 507, "Insufficient Storage"
}, { 508, "Loop Detected" }, { 510, "Not Extended" }, { 511,
"Network Authentication Required" }, { 0, ((void*)0) } };
60
61void
62server_http(void)
63{
64 DPRINTF("%s: sorting lookup tables, pid %d", __func__, getpid())do {} while(0);
65
66 /* Sort the HTTP lookup arrays */
67 qsort(http_methods, sizeof(http_methods) /
68 sizeof(http_methods[0]) - 1,
69 sizeof(http_methods[0]), server_httpmethod_cmp);
70 qsort(http_errors, sizeof(http_errors) /
71 sizeof(http_errors[0]) - 1,
72 sizeof(http_errors[0]), server_httperror_cmp);
73}
74
75void
76server_http_init(struct server *srv)
77{
78 /* nothing */
79}
80
81int
82server_httpdesc_init(struct client *clt)
83{
84 struct http_descriptor *desc;
85
86 if ((desc = calloc(1, sizeof(*desc))) == NULL((void*)0))
87 return (-1);
88 RB_INIT(&desc->http_headers)do { (&desc->http_headers)->rbh_root = ((void*)0); }
while (0);
89 clt->clt_descreq = desc;
90
91 if ((desc = calloc(1, sizeof(*desc))) == NULL((void*)0)) {
92 /* req will be cleaned up later */
93 return (-1);
94 }
95 RB_INIT(&desc->http_headers)do { (&desc->http_headers)->rbh_root = ((void*)0); }
while (0);
96 clt->clt_descresp = desc;
97
98 return (0);
99}
100
101void
102server_httpdesc_free(struct http_descriptor *desc)
103{
104 if (desc == NULL((void*)0))
105 return;
106
107 free(desc->http_pathhttp_pathquery.kv_key);
108 desc->http_pathhttp_pathquery.kv_key = NULL((void*)0);
109 free(desc->http_path_orig);
110 desc->http_path_orig = NULL((void*)0);
111 free(desc->http_path_alias);
112 desc->http_path_alias = NULL((void*)0);
113 free(desc->http_queryhttp_pathquery.kv_value);
114 desc->http_queryhttp_pathquery.kv_value = NULL((void*)0);
115 free(desc->http_query_alias);
116 desc->http_query_alias = NULL((void*)0);
117 free(desc->http_version);
118 desc->http_version = NULL((void*)0);
119 free(desc->http_host);
120 desc->http_host = NULL((void*)0);
121
122 kv_purge(&desc->http_headers);
123 desc->http_lastheader = NULL((void*)0);
124 desc->http_method = 0;
125 desc->http_chunked = 0;
126}
127
128int
129server_http_authenticate(struct server_config *srv_conf, struct client *clt)
130{
131 char decoded[1024];
132 FILE *fp = NULL((void*)0);
133 struct http_descriptor *desc = clt->clt_descreq;
134 const struct auth *auth = srv_conf->auth;
135 struct kv *ba, key;
136 size_t linesize = 0;
137 ssize_t linelen;
138 int ret = -1;
139 char *line = NULL((void*)0), *user = NULL((void*)0), *pass = NULL((void*)0);
140 char *clt_user = NULL((void*)0), *clt_pass = NULL((void*)0);
141
142 memset(decoded, 0, sizeof(decoded));
143 key.kv_key = "Authorization";
144
145 if ((ba = kv_find(&desc->http_headers, &key)) == NULL((void*)0) ||
146 ba->kv_value == NULL((void*)0))
147 goto done;
148
149 if (strncmp(ba->kv_value, "Basic ", strlen("Basic ")) != 0)
150 goto done;
151
152 if (b64_pton__b64_pton(strchr(ba->kv_value, ' ') + 1, (uint8_t *)decoded,
153 sizeof(decoded)) <= 0)
154 goto done;
155
156 if ((clt_pass = strchr(decoded, ':')) == NULL((void*)0))
157 goto done;
158
159 clt_user = decoded;
160 *clt_pass++ = '\0';
161 if ((clt->clt_remote_user = strdup(clt_user)) == NULL((void*)0))
162 goto done;
163
164 if ((fp = fopen(auth->auth_htpasswd, "r")) == NULL((void*)0))
165 goto done;
166
167 while ((linelen = getline(&line, &linesize, fp)) != -1) {
168 if (line[linelen - 1] == '\n')
169 line[linelen - 1] = '\0';
170 user = line;
171 pass = strchr(line, ':');
172
173 if (pass == NULL((void*)0)) {
174 explicit_bzero(line, linelen);
175 continue;
176 }
177
178 *pass++ = '\0';
179
180 if (strcmp(clt_user, user) != 0) {
181 explicit_bzero(line, linelen);
182 continue;
183 }
184
185 if (crypt_checkpass(clt_pass, pass) == 0) {
186 explicit_bzero(line, linelen);
187 ret = 0;
188 break;
189 }
190 }
191done:
192 free(line);
193 if (fp != NULL((void*)0))
194 fclose(fp);
195
196 if (ba != NULL((void*)0) && ba->kv_value != NULL((void*)0)) {
197 explicit_bzero(ba->kv_value, strlen(ba->kv_value));
198 explicit_bzero(decoded, sizeof(decoded));
199 }
200
201 return (ret);
202}
203
204static int
205http_version_num(char *version)
206{
207 if (strlen(version) != 8 || strncmp(version, "HTTP/", 5) != 0
208 || !isdigit((unsigned char)version[5]) || version[6] != '.'
209 || !isdigit((unsigned char)version[7]))
210 return (-1);
211 if (version[5] == '0' && version[7] == '9')
212 return (9);
213 if (version[5] == '1') {
214 if (version[7] == '0')
215 return (10);
216 else
217 /* any other version 1.x gets downgraded to 1.1 */
218 return (11);
219 }
220 return (0);
221}
222
223void
224server_read_http(struct bufferevent *bev, void *arg)
225{
226 struct client *clt = arg;
227 struct http_descriptor *desc = clt->clt_descreq;
228 struct evbuffer *src = EVBUFFER_INPUT(bev)(bev)->input;
229 char *line = NULL((void*)0), *key, *value;
230 const char *errstr;
231 char *http_version, *query;
232 size_t size, linelen;
233 int version;
234 struct kv *hdr = NULL((void*)0);
235
236 getmonotime(&clt->clt_tv_last);
237
238 size = EVBUFFER_LENGTH(src)(src)->off;
239 DPRINTF("%s: session %d: size %lu, to read %lld",do {} while(0)
1
Loop condition is false. Exiting loop
240 __func__, clt->clt_id, size, clt->clt_toread)do {} while(0);
241 if (!size) {
2
Assuming 'size' is not equal to 0
3
Taking false branch
242 clt->clt_toread = TOREAD_HTTP_HEADER;
243 goto done;
244 }
245
246 while (!clt->clt_headersdone) {
4
Assuming field 'clt_headersdone' is not equal to 0
5
Loop condition is false. Execution continues on line 427
247 if (!clt->clt_line) {
248 /* Peek into the buffer to see if it looks like HTTP */
249 key = EVBUFFER_DATA(src)(src)->buffer;
250 if (!isalpha((unsigned char)*key)) {
251 server_abort_http(clt, 400,
252 "invalid request line");
253 goto abort;
254 }
255 }
256
257 if ((line = evbuffer_readln(src,
258 &linelen, EVBUFFER_EOL_CRLF_STRICT)) == NULL((void*)0)) {
259 /* No newline found after too many bytes */
260 if (size > SERVER_MAXHEADERLENGTH8192) {
261 server_abort_http(clt, 413,
262 "request line too long");
263 goto abort;
264 }
265 break;
266 }
267
268 /*
269 * An empty line indicates the end of the request.
270 * libevent already stripped the \r\n for us.
271 */
272 if (!linelen) {
273 clt->clt_headersdone = 1;
274 free(line);
275 break;
276 }
277 key = line;
278
279 /* Limit the total header length minus \r\n */
280 clt->clt_headerlen += linelen;
281 if (clt->clt_headerlen > SERVER_MAXHEADERLENGTH8192) {
282 server_abort_http(clt, 413, "request too large");
283 goto abort;
284 }
285
286 /*
287 * The first line is the GET/POST/PUT/... request,
288 * subsequent lines are HTTP headers.
289 */
290 if (++clt->clt_line == 1)
291 value = strchr(key, ' ');
292 else if (*key == ' ' || *key == '\t')
293 /* Multiline headers wrap with a space or tab */
294 value = NULL((void*)0);
295 else {
296 /* Not a multiline header, should have a : */
297 value = strchr(key, ':');
298 if (value == NULL((void*)0)) {
299 server_abort_http(clt, 400, "malformed");
300 goto abort;
301 }
302 }
303 if (value == NULL((void*)0)) {
304 if (clt->clt_line == 1) {
305 server_abort_http(clt, 400, "malformed");
306 goto abort;
307 }
308
309 /* Append line to the last header, if present */
310 if (kv_extend(&desc->http_headers,
311 desc->http_lastheader, line) == NULL((void*)0))
312 goto fail;
313
314 free(line);
315 continue;
316 }
317 if (*value == ':') {
318 *value++ = '\0';
319 value += strspn(value, " \t\r\n");
320 } else {
321 *value++ = '\0';
322 }
323
324 DPRINTF("%s: session %d: header '%s: %s'", __func__,do {} while(0)
325 clt->clt_id, key, value)do {} while(0);
326
327 /*
328 * Identify and handle specific HTTP request methods
329 */
330 if (clt->clt_line == 1) {
331 if ((desc->http_method = server_httpmethod_byname(key))
332 == HTTP_METHOD_NONE) {
333 server_abort_http(clt, 400, "malformed");
334 goto abort;
335 }
336
337 /*
338 * Decode request path and query
339 */
340 desc->http_pathhttp_pathquery.kv_key = strdup(value);
341 if (desc->http_pathhttp_pathquery.kv_key == NULL((void*)0))
342 goto fail;
343
344 http_version = strchr(desc->http_pathhttp_pathquery.kv_key, ' ');
345 if (http_version == NULL((void*)0)) {
346 server_abort_http(clt, 400, "malformed");
347 goto abort;
348 }
349
350 *http_version++ = '\0';
351
352 /*
353 * We have to allocate the strings because they could
354 * be changed independently by the filters later.
355 * Allow HTTP version 0.9 to 1.1.
356 * Downgrade http version > 1.1 <= 1.9 to version 1.1.
357 * Return HTTP Version Not Supported for anything else.
358 */
359
360 version = http_version_num(http_version);
361
362 if (version == -1) {
363 server_abort_http(clt, 400, "malformed");
364 goto abort;
365 } else if (version == 0) {
366 server_abort_http(clt, 505, "bad http version");
367 goto abort;
368 } else if (version == 11) {
369 if ((desc->http_version =
370 strdup("HTTP/1.1")) == NULL((void*)0))
371 goto fail;
372 } else {
373 if ((desc->http_version =
374 strdup(http_version)) == NULL((void*)0))
375 goto fail;
376 }
377
378 query = strchr(desc->http_pathhttp_pathquery.kv_key, '?');
379 if (query != NULL((void*)0)) {
380 *query++ = '\0';
381
382 if ((desc->http_queryhttp_pathquery.kv_value = strdup(query)) == NULL((void*)0))
383 goto fail;
384 }
385
386 } else if (desc->http_method != HTTP_METHOD_NONE &&
387 strcasecmp("Content-Length", key) == 0) {
388 if (desc->http_method == HTTP_METHOD_TRACE ||
389 desc->http_method == HTTP_METHOD_CONNECT) {
390 /*
391 * These method should not have a body
392 * and thus no Content-Length header.
393 */
394 server_abort_http(clt, 400, "malformed");
395 goto abort;
396 }
397
398 /*
399 * Need to read data from the client after the
400 * HTTP header.
401 * XXX What about non-standard clients not using
402 * the carriage return? And some browsers seem to
403 * include the line length in the content-length.
404 */
405 clt->clt_toread = strtonum(value, 0, LLONG_MAX9223372036854775807LL,
406 &errstr);
407 if (errstr) {
408 server_abort_http(clt, 500, errstr);
409 goto abort;
410 }
411 }
412
413 if (strcasecmp("Transfer-Encoding", key) == 0 &&
414 strcasecmp("chunked", value) == 0)
415 desc->http_chunked = 1;
416
417 if (clt->clt_line != 1) {
418 if ((hdr = kv_add(&desc->http_headers, key,
419 value)) == NULL((void*)0))
420 goto fail;
421
422 desc->http_lastheader = hdr;
423 }
424
425 free(line);
426 }
427 if (clt->clt_headersdone
5.1
Field 'clt_headersdone' is not equal to 0
) {
6
Taking true branch
428 if (desc->http_method == HTTP_METHOD_NONE) {
7
Assuming field 'http_method' is not equal to HTTP_METHOD_NONE
8
Taking false branch
429 server_abort_http(clt, 406, "no method");
430 return;
431 }
432
433 switch (desc->http_method) {
9
Control jumps to 'case HTTP_METHOD_DELETE:' at line 446
434 case HTTP_METHOD_CONNECT:
435 /* Data stream */
436 clt->clt_toread = TOREAD_UNLIMITED;
437 bev->readcb = server_read;
438 break;
439 case HTTP_METHOD_GET:
440 case HTTP_METHOD_HEAD:
441 /* WebDAV methods */
442 case HTTP_METHOD_COPY:
443 case HTTP_METHOD_MOVE:
444 clt->clt_toread = 0;
445 break;
446 case HTTP_METHOD_DELETE:
447 case HTTP_METHOD_OPTIONS:
448 case HTTP_METHOD_POST:
449 case HTTP_METHOD_PUT:
450 case HTTP_METHOD_RESPONSE:
451 /* WebDAV methods */
452 case HTTP_METHOD_PROPFIND:
453 case HTTP_METHOD_PROPPATCH:
454 case HTTP_METHOD_MKCOL:
455 case HTTP_METHOD_LOCK:
456 case HTTP_METHOD_UNLOCK:
457 case HTTP_METHOD_VERSION_CONTROL:
458 case HTTP_METHOD_REPORT:
459 case HTTP_METHOD_CHECKOUT:
460 case HTTP_METHOD_CHECKIN:
461 case HTTP_METHOD_UNCHECKOUT:
462 case HTTP_METHOD_MKWORKSPACE:
463 case HTTP_METHOD_UPDATE:
464 case HTTP_METHOD_LABEL:
465 case HTTP_METHOD_MERGE:
466 case HTTP_METHOD_BASELINE_CONTROL:
467 case HTTP_METHOD_MKACTIVITY:
468 case HTTP_METHOD_ORDERPATCH:
469 case HTTP_METHOD_ACL:
470 case HTTP_METHOD_MKREDIRECTREF:
471 case HTTP_METHOD_UPDATEREDIRECTREF:
472 case HTTP_METHOD_SEARCH:
473 case HTTP_METHOD_PATCH:
474 /* HTTP request payload */
475 if (clt->clt_toread > 0)
10
Assuming field 'clt_toread' is <= 0
11
Taking false branch
476 bev->readcb = server_read_httpcontent;
477
478 /* Single-pass HTTP body */
479 if (clt->clt_toread < 0) {
12
Assuming field 'clt_toread' is >= 0
13
Taking false branch
480 clt->clt_toread = TOREAD_UNLIMITED;
481 bev->readcb = server_read;
482 }
483 break;
14
 Execution continues on line 488
484 default:
485 server_abort_http(clt, 405, "method not allowed");
486 return;
487 }
488 if (desc->http_chunked) {
15
Assuming field 'http_chunked' is 0
16
Taking false branch
489 /* Chunked transfer encoding */
490 clt->clt_toread = TOREAD_HTTP_CHUNK_LENGTH;
491 bev->readcb = server_read_httpchunks;
492 }
493
494 done:
495 if (clt->clt_toread
16.1
Field 'clt_toread' is equal to 0
 != 0)
17
Taking false branch
496 bufferevent_disable(bev, EV_READ0x02);
497 server_response(httpd_env, clt);
18
Calling 'server_response'
498 return;
499 }
500 if (clt->clt_done) {
501 server_close(clt, "done");
502 return;
503 }
504 if (EVBUFFER_LENGTH(src)(src)->off && bev->readcb != server_read_http)
505 bev->readcb(bev, arg);
506 bufferevent_enable(bev, EV_READ0x02);
507 return;
508 fail:
509 server_abort_http(clt, 500, strerror(errno(*__errno())));
510 abort:
511 free(line);
512}
513
514void
515server_read_httpcontent(struct bufferevent *bev, void *arg)
516{
517 struct client *clt = arg;
518 struct evbuffer *src = EVBUFFER_INPUT(bev)(bev)->input;
519 size_t size;
520
521 getmonotime(&clt->clt_tv_last);
522
523 size = EVBUFFER_LENGTH(src)(src)->off;
524 DPRINTF("%s: session %d: size %lu, to read %lld", __func__,do {} while(0)
525 clt->clt_id, size, clt->clt_toread)do {} while(0);
526 if (!size)
527 return;
528
529 if (clt->clt_toread > 0) {
530 /* Read content data */
531 if ((off_t)size > clt->clt_toread) {
532 size = clt->clt_toread;
533 if (fcgi_add_stdin(clt, src) == -1)
534 goto fail;
535 clt->clt_toread = 0;
536 } else {
537 if (fcgi_add_stdin(clt, src) == -1)
538 goto fail;
539 clt->clt_toread -= size;
540 }
541 DPRINTF("%s: done, size %lu, to read %lld", __func__,do {} while(0)
542 size, clt->clt_toread)do {} while(0);
543 }
544 if (clt->clt_toread == 0) {
545 fcgi_add_stdin(clt, NULL((void*)0));
546 clt->clt_toread = TOREAD_HTTP_HEADER;
547 bufferevent_disable(bev, EV_READ0x02);
548 bev->readcb = server_read_http;
549 return;
550 }
551 if (clt->clt_done)
552 goto done;
553 if (bev->readcb != server_read_httpcontent)
554 bev->readcb(bev, arg);
555
556 return;
557 done:
558 return;
559 fail:
560 server_close(clt, strerror(errno(*__errno())));
561}
562
563void
564server_read_httpchunks(struct bufferevent *bev, void *arg)
565{
566 struct client *clt = arg;
567 struct evbuffer *src = EVBUFFER_INPUT(bev)(bev)->input;
568 char *line;
569 long long llval;
570 size_t size;
571
572 getmonotime(&clt->clt_tv_last);
573
574 size = EVBUFFER_LENGTH(src)(src)->off;
575 DPRINTF("%s: session %d: size %lu, to read %lld", __func__,do {} while(0)
576 clt->clt_id, size, clt->clt_toread)do {} while(0);
577 if (!size)
578 return;
579
580 if (clt->clt_toread > 0) {
581 /* Read chunk data */
582 if ((off_t)size > clt->clt_toread) {
583 size = clt->clt_toread;
584 if (server_bufferevent_write_chunk(clt, src, size)
585 == -1)
586 goto fail;
587 clt->clt_toread = 0;
588 } else {
589 if (server_bufferevent_write_buffer(clt, src) == -1)
590 goto fail;
591 clt->clt_toread -= size;
592 }
593 DPRINTF("%s: done, size %lu, to read %lld", __func__,do {} while(0)
594 size, clt->clt_toread)do {} while(0);
595 }
596 switch (clt->clt_toread) {
597 case TOREAD_HTTP_CHUNK_LENGTH:
598 line = evbuffer_readln(src, NULL((void*)0), EVBUFFER_EOL_CRLF_STRICT);
599 if (line == NULL((void*)0)) {
600 /* Ignore empty line, continue */
601 bufferevent_enable(bev, EV_READ0x02);
602 return;
603 }
604 if (strlen(line) == 0) {
605 free(line);
606 goto next;
607 }
608
609 /*
610 * Read prepended chunk size in hex, ignore the trailer.
611 * The returned signed value must not be negative.
612 */
613 if (sscanf(line, "%llx", &llval) != 1 || llval < 0) {
614 free(line);
615 server_close(clt, "invalid chunk size");
616 return;
617 }
618
619 if (server_bufferevent_print(clt, line) == -1 ||
620 server_bufferevent_print(clt, "\r\n") == -1) {
621 free(line);
622 goto fail;
623 }
624 free(line);
625
626 if ((clt->clt_toread = llval) == 0) {
627 DPRINTF("%s: last chunk", __func__)do {} while(0);
628 clt->clt_toread = TOREAD_HTTP_CHUNK_TRAILER;
629 }
630 break;
631 case TOREAD_HTTP_CHUNK_TRAILER:
632 /* Last chunk is 0 bytes followed by trailer and empty line */
633 line = evbuffer_readln(src, NULL((void*)0), EVBUFFER_EOL_CRLF_STRICT);
634 if (line == NULL((void*)0)) {
635 /* Ignore empty line, continue */
636 bufferevent_enable(bev, EV_READ0x02);
637 return;
638 }
639 if (server_bufferevent_print(clt, line) == -1 ||
640 server_bufferevent_print(clt, "\r\n") == -1) {
641 free(line);
642 goto fail;
643 }
644 if (strlen(line) == 0) {
645 /* Switch to HTTP header mode */
646 clt->clt_toread = TOREAD_HTTP_HEADER;
647 bev->readcb = server_read_http;
648 }
649 free(line);
650 break;
651 case 0:
652 /* Chunk is terminated by an empty newline */
653 line = evbuffer_readln(src, NULL((void*)0), EVBUFFER_EOL_CRLF_STRICT);
654 free(line);
655 if (server_bufferevent_print(clt, "\r\n") == -1)
656 goto fail;
657 clt->clt_toread = TOREAD_HTTP_CHUNK_LENGTH;
658 break;
659 }
660
661 next:
662 if (clt->clt_done)
663 goto done;
664 if (EVBUFFER_LENGTH(src)(src)->off)
665 bev->readcb(bev, arg);
666 bufferevent_enable(bev, EV_READ0x02);
667 return;
668
669 done:
670 server_close(clt, "last http chunk read (done)");
671 return;
672 fail:
673 server_close(clt, strerror(errno(*__errno())));
674}
675
676void
677server_read_httprange(struct bufferevent *bev, void *arg)
678{
679 struct client *clt = arg;
680 struct evbuffer *src = EVBUFFER_INPUT(bev)(bev)->input;
681 size_t size;
682 struct media_type *media;
683 struct range_data *r = &clt->clt_ranges;
684 struct range *range;
685
686 getmonotime(&clt->clt_tv_last);
687
688 if (r->range_toread > 0) {
689 size = EVBUFFER_LENGTH(src)(src)->off;
690 if (!size)
691 return;
692
693 /* Read chunk data */
694 if ((off_t)size > r->range_toread) {
695 size = r->range_toread;
696 if (server_bufferevent_write_chunk(clt, src, size)
697 == -1)
698 goto fail;
699 r->range_toread = 0;
700 } else {
701 if (server_bufferevent_write_buffer(clt, src) == -1)
702 goto fail;
703 r->range_toread -= size;
704 }
705 if (r->range_toread < 1)
706 r->range_toread = TOREAD_HTTP_RANGE;
707 DPRINTF("%s: done, size %lu, to read %lld", __func__,do {} while(0)
708 size, r->range_toread)do {} while(0);
709 }
710
711 switch (r->range_toread) {
712 case TOREAD_HTTP_RANGE:
713 if (r->range_index >= r->range_count) {
714 if (r->range_count > 1) {
715 /* Add end marker */
716 if (server_bufferevent_printf(clt,
717 "\r\n--%llu--\r\n",
718 clt->clt_boundary) == -1)
719 goto fail;
720 }
721 r->range_toread = TOREAD_HTTP_NONE;
722 break;
723 }
724
725 range = &r->range[r->range_index];
726
727 if (r->range_count > 1) {
728 media = r->range_media;
729 if (server_bufferevent_printf(clt,
730 "\r\n--%llu\r\n"
731 "Content-Type: %s/%s\r\n"
732 "Content-Range: bytes %lld-%lld/%zu\r\n\r\n",
733 clt->clt_boundary,
734 media->media_type, media->media_subtype,
735 range->start, range->end, r->range_total) == -1)
736 goto fail;
737 }
738 r->range_toread = range->end - range->start + 1;
739
740 if (lseek(clt->clt_fd, range->start, SEEK_SET0) == -1)
741 goto fail;
742
743 /* Throw away bytes that are already in the input buffer */
744 evbuffer_drain(src, EVBUFFER_LENGTH(src)(src)->off);
745
746 /* Increment for the next part */
747 r->range_index++;
748 break;
749 case TOREAD_HTTP_NONE:
750 goto done;
751 case 0:
752 break;
753 }
754
755 if (clt->clt_done)
756 goto done;
757
758 if (EVBUFFER_LENGTH(EVBUFFER_OUTPUT(clt->clt_bev))((clt->clt_bev)->output)->off > (size_t)
759 SERVER_MAX_PREFETCH256 * clt->clt_sndbufsiz) {
760 bufferevent_disable(clt->clt_srvbev, EV_READ0x02);
761 clt->clt_srvbev_throttled = 1;
762 }
763
764 return;
765 done:
766 (*bev->errorcb)(bev, EVBUFFER_READ0x01, bev->cbarg);
767 return;
768 fail:
769 server_close(clt, strerror(errno(*__errno())));
770}
771
772void
773server_reset_http(struct client *clt)
774{
775 struct server *srv = clt->clt_srv;
776
777 server_log(clt, NULL((void*)0));
778
779 server_httpdesc_free(clt->clt_descreq);
780 server_httpdesc_free(clt->clt_descresp);
781 clt->clt_headerlen = 0;
782 clt->clt_headersdone = 0;
783 clt->clt_done = 0;
784 clt->clt_line = 0;
785 clt->clt_chunk = 0;
786 free(clt->clt_remote_user);
787 clt->clt_remote_user = NULL((void*)0);
788 clt->clt_bev->readcb = server_read_http;
789 clt->clt_srv_conf = &srv->srv_conf;
790 str_match_free(&clt->clt_srv_match);
791}
792
793ssize_t
794server_http_time(time_t t, char *tmbuf, size_t len)
795{
796 struct tm tm;
797
798 /* New HTTP/1.1 RFC 7231 prefers IMF-fixdate from RFC 5322 */
799 if (t == -1 || gmtime_r(&t, &tm) == NULL((void*)0))
800 return (-1);
801 else
802 return (strftime(tmbuf, len, "%a, %d %h %Y %T %Z", &tm));
803}
804
805const char *
806server_http_host(struct sockaddr_storage *ss, char *buf, size_t len)
807{
808 char hbuf[HOST_NAME_MAX255+1];
809 in_port_t port;
810
811 if (print_host(ss, buf, len) == NULL((void*)0))
36
Assuming the condition is false
37
Taking false branch
812 return (NULL((void*)0));
813
814 port = ntohs(server_socket_getport(ss))(__uint16_t)(__builtin_constant_p(server_socket_getport(ss)) ?
(__uint16_t)(((__uint16_t)(server_socket_getport(ss)) & 0xffU
) << 8 | ((__uint16_t)(server_socket_getport(ss)) &
0xff00U) >> 8) : __swap16md(server_socket_getport(ss))
);
38
'?' condition is false
39
Value assigned to field 'clt_srv_conf'
815 if (port == HTTP_PORT80)
40
Assuming 'port' is not equal to HTTP_PORT
41
Taking false branch
816 return (buf);
817
818 switch (ss->ss_family) {
42
'Default' branch taken. Execution continues on line 831
819 case AF_INET2:
820 if ((size_t)snprintf(hbuf, sizeof(hbuf),
821 "%s:%u", buf, port) >= sizeof(hbuf))
822 return (NULL((void*)0));
823 break;
824 case AF_INET624:
825 if ((size_t)snprintf(hbuf, sizeof(hbuf),
826 "[%s]:%u", buf, port) >= sizeof(hbuf))
827 return (NULL((void*)0));
828 break;
829 }
830
831 if (strlcpy(buf, hbuf, len) >= len)
43
Assuming the condition is false
44
Taking false branch
832 return (NULL((void*)0));
833
834 return (buf);
835}
836
837char *
838server_http_parsehost(char *host, char *buf, size_t len, int *portval)
839{
840 char *start, *end, *port;
841 const char *errstr = NULL((void*)0);
842
843 if (strlcpy(buf, host, len) >= len) {
844 log_debug("%s: host name too long", __func__);
845 return (NULL((void*)0));
846 }
847
848 start = buf;
849 end = port = NULL((void*)0);
850
851 if (*start == '[' && (end = strchr(start, ']')) != NULL((void*)0)) {
852 /* Address enclosed in [] with port, eg. [2001:db8::1]:80 */
853 start++;
854 *end++ = '\0';
855 if ((port = strchr(end, ':')) == NULL((void*)0) || *port == '\0')
856 port = NULL((void*)0);
857 else
858 port++;
859 memmove(buf, start, strlen(start) + 1);
860 } else if ((end = strchr(start, ':')) != NULL((void*)0)) {
861 /* Name or address with port, eg. www.example.com:80 */
862 *end++ = '\0';
863 port = end;
864 } else {
865 /* Name or address with default port, eg. www.example.com */
866 port = NULL((void*)0);
867 }
868
869 if (port != NULL((void*)0)) {
870 /* Save the requested port */
871 *portval = strtonum(port, 0, 0xffff, &errstr);
872 if (errstr != NULL((void*)0)) {
873 log_debug("%s: invalid port: %s", __func__,
874 strerror(errno(*__errno())));
875 return (NULL((void*)0));
876 }
877 *portval = htons(*portval)(__uint16_t)(__builtin_constant_p(*portval) ? (__uint16_t)(((
__uint16_t)(*portval) & 0xffU) << 8 | ((__uint16_t)
(*portval) & 0xff00U) >> 8) : __swap16md(*portval));
878 } else {
879 /* Port not given, indicate the default port */
880 *portval = -1;
881 }
882
883 return (start);
884}
885
886void
887server_abort_http(struct client *clt, unsigned int code, const char *msg)
888{
889 struct server_config *srv_conf = clt->clt_srv_conf;
62
'srv_conf' initialized to a null pointer value
890 struct bufferevent *bev = clt->clt_bev;
891 struct http_descriptor *desc = clt->clt_descreq;
892 const char *httperr = NULL((void*)0), *style;
893 char *httpmsg, *body = NULL((void*)0), *extraheader = NULL((void*)0);
894 char tmbuf[32], hbuf[128], *hstsheader = NULL((void*)0);
895 char *clenheader = NULL((void*)0);
896 char buf[IBUF_READ_SIZE65535];
897 char *escapedmsg = NULL((void*)0);
898 char cstr[5];
899 ssize_t bodylen;
900
901 if (code
62.1
'code' is not equal to 0
 == 0) {
63
Taking false branch
902 server_close(clt, "dropped");
903 return;
904 }
905
906 if ((httperr = server_httperror_byid(code)) == NULL((void*)0))
64
Assuming the condition is false
65
Taking false branch
907 httperr = "Unknown Error";
908
909 if (bev == NULL((void*)0))
66
Assuming 'bev' is not equal to NULL
67
Taking false branch
910 goto done;
911
912 if (server_log_http(clt, code, 0) == -1)
68
Assuming the condition is false
69
Taking false branch
913 goto done;
914
915 /* Some system information */
916 if (print_host(&srv_conf->ss, hbuf, sizeof(hbuf)) == NULL((void*)0))
70
Assuming the condition is false
71
Taking false branch
917 goto done;
918
919 if (server_http_time(time(NULL((void*)0)), tmbuf, sizeof(tmbuf)) <= 0)
72
Assuming the condition is false
73
Taking false branch
920 goto done;
921
922 /* Do not send details of the Internal Server Error */
923 switch (code) {
74
Control jumps to the 'default' case at line 962
924 case 301:
925 case 302:
926 case 303:
927 case 307:
928 case 308:
929 if (msg == NULL((void*)0))
930 break;
931 memset(buf, 0, sizeof(buf));
932 if (server_expand_http(clt, msg, buf, sizeof(buf)) == NULL((void*)0))
933 goto done;
934 if (asprintf(&extraheader, "Location: %s\r\n", buf) == -1) {
935 code = 500;
936 extraheader = NULL((void*)0);
937 }
938 msg = buf;
939 break;
940 case 401:
941 if (msg == NULL((void*)0))
942 break;
943 if (stravis(&escapedmsg, msg, VIS_DQ0x200) == -1) {
944 code = 500;
945 extraheader = NULL((void*)0);
946 } else if (asprintf(&extraheader,
947 "WWW-Authenticate: Basic realm=\"%s\"\r\n", escapedmsg)
948 == -1) {
949 code = 500;
950 extraheader = NULL((void*)0);
951 }
952 break;
953 case 416:
954 if (msg == NULL((void*)0))
955 break;
956 if (asprintf(&extraheader,
957 "Content-Range: %s\r\n", msg) == -1) {
958 code = 500;
959 extraheader = NULL((void*)0);
960 }
961 break;
962 default:
963 /*
964 * Do not send details of the error. Traditionally,
965 * web servers responsed with the request path on 40x
966 * errors which could be abused to inject JavaScript etc.
967 * Instead of sanitizing the path here, we just don't
968 * reprint it.
969 */
970 break;
75
 Execution continues on line 973
971 }
972
973 free(escapedmsg);
974
975 if ((srv_conf->flags & SRVFLAG_ERRDOCS0x00000400) == 0)
76
Access to field 'flags' results in a dereference of a null pointer (loaded from variable 'srv_conf')
976 goto builtin; /* errdocs not enabled */
977 if ((size_t)snprintf(cstr, sizeof(cstr), "%03u", code) >= sizeof(cstr))
978 goto builtin;
979
980 if ((body = read_errdoc(srv_conf->errdocroot, cstr)) == NULL((void*)0) &&
981 (body = read_errdoc(srv_conf->errdocroot, HTTPD_ERRDOCTEMPLATE"err"))
982 == NULL((void*)0))
983 goto builtin;
984
985 body = replace_var(body, "$HTTP_ERROR", httperr);
986 body = replace_var(body, "$RESPONSE_CODE", cstr);
987 body = replace_var(body, "$SERVER_SOFTWARE", HTTPD_SERVERNAME"OpenBSD httpd");
988 bodylen = strlen(body);
989 goto send;
990
991 builtin:
992 /* A CSS stylesheet allows minimal customization by the user */
993 style = "body { background-color: white; color: black; font-family: "
994 "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }\n"
995 "hr { border: 0; border-bottom: 1px dashed; }\n"
996 "@media (prefers-color-scheme: dark) {\n"
997 "body { background-color: #1E1F21; color: #EEEFF1; }\n"
998 "a { color: #BAD7FF; }\n}";
999
1000 /* Generate simple HTML error document */
1001 if ((bodylen = asprintf(&body,
1002 "<!DOCTYPE html>\n"
1003 "<html>\n"
1004 "<head>\n"
1005 "<meta charset=\"utf-8\">\n"
1006 "<title>%03d %s</title>\n"
1007 "<style type=\"text/css\"><!--\n%s\n--></style>\n"
1008 "</head>\n"
1009 "<body>\n"
1010 "<h1>%03d %s</h1>\n"
1011 "<hr>\n<address>%s</address>\n"
1012 "</body>\n"
1013 "</html>\n",
1014 code, httperr, style, code, httperr, HTTPD_SERVERNAME"OpenBSD httpd")) == -1) {
1015 body = NULL((void*)0);
1016 goto done;
1017 }
1018
1019 send:
1020 if (srv_conf->flags & SRVFLAG_SERVER_HSTS0x00400000 &&
1021 srv_conf->flags & SRVFLAG_TLS0x00002000) {
1022 if (asprintf(&hstsheader, "Strict-Transport-Security: "
1023 "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
1024 srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS0x01 ?
1025 "; includeSubDomains" : "",
1026 srv_conf->hsts_flags & HSTSFLAG_PRELOAD0x02 ?
1027 "; preload" : "") == -1) {
1028 hstsheader = NULL((void*)0);
1029 goto done;
1030 }
1031 }
1032
1033 if ((code >= 100 && code < 200) || code == 204)
1034 clenheader = NULL((void*)0);
1035 else {
1036 if (asprintf(&clenheader,
1037 "Content-Length: %zd\r\n", bodylen) == -1) {
1038 clenheader = NULL((void*)0);
1039 goto done;
1040 }
1041 }
1042
1043 /* Add basic HTTP headers */
1044 if (asprintf(&httpmsg,
1045 "HTTP/1.0 %03d %s\r\n"
1046 "Date: %s\r\n"
1047 "Server: %s\r\n"
1048 "Connection: close\r\n"
1049 "Content-Type: text/html\r\n"
1050 "%s"
1051 "%s"
1052 "%s"
1053 "\r\n"
1054 "%s",
1055 code, httperr, tmbuf, HTTPD_SERVERNAME"OpenBSD httpd",
1056 clenheader == NULL((void*)0) ? "" : clenheader,
1057 extraheader == NULL((void*)0) ? "" : extraheader,
1058 hstsheader == NULL((void*)0) ? "" : hstsheader,
1059 desc->http_method == HTTP_METHOD_HEAD || clenheader == NULL((void*)0) ?
1060 "" : body) == -1)
1061 goto done;
1062
1063 /* Dump the message without checking for success */
1064 server_dump(clt, httpmsg, strlen(httpmsg));
1065 free(httpmsg);
1066
1067 done:
1068 free(body);
1069 free(extraheader);
1070 free(hstsheader);
1071 free(clenheader);
1072 if (msg == NULL((void*)0))
1073 msg = "\"\"";
1074 if (asprintf(&httpmsg, "%s (%03d %s)", msg, code, httperr) == -1) {
1075 server_close(clt, msg);
1076 } else {
1077 server_close(clt, httpmsg);
1078 free(httpmsg);
1079 }
1080}
1081
1082void
1083server_close_http(struct client *clt)
1084{
1085 struct http_descriptor *desc;
1086
1087 desc = clt->clt_descreq;
1088 server_httpdesc_free(desc);
1089 free(desc);
1090 clt->clt_descreq = NULL((void*)0);
1091
1092 desc = clt->clt_descresp;
1093 server_httpdesc_free(desc);
1094 free(desc);
1095 clt->clt_descresp = NULL((void*)0);
1096 free(clt->clt_remote_user);
1097 clt->clt_remote_user = NULL((void*)0);
1098
1099 str_match_free(&clt->clt_srv_match);
1100}
1101
1102char *
1103server_expand_http(struct client *clt, const char *val, char *buf,
1104 size_t len)
1105{
1106 struct http_descriptor *desc = clt->clt_descreq;
1107 struct server_config *srv_conf = clt->clt_srv_conf;
1108 char ibuf[128], *str, *path, *query;
1109 const char *errstr = NULL((void*)0), *p;
1110 size_t size;
1111 int n, ret;
1112
1113 if (strlcpy(buf, val, len) >= len)
1114 return (NULL((void*)0));
1115
1116 /* Find previously matched substrings by index */
1117 for (p = val; clt->clt_srv_match.sm_nmatch &&
1118 (p = strstr(p, "%")) != NULL((void*)0); p++) {
1119 if (!isdigit((unsigned char)*(p + 1)))
1120 continue;
1121
1122 /* Copy number, leading '%' char and add trailing \0 */
1123 size = strspn(p + 1, "0123456789") + 2;
1124 if (size >= sizeof(ibuf))
1125 return (NULL((void*)0));
1126 (void)strlcpy(ibuf, p, size);
1127 n = strtonum(ibuf + 1, 0,
1128 clt->clt_srv_match.sm_nmatch - 1, &errstr);
1129 if (errstr != NULL((void*)0))
1130 return (NULL((void*)0));
1131
1132 /* Expand variable with matched value */
1133 if ((str = url_encode(clt->clt_srv_match.sm_match[n])) == NULL((void*)0))
1134 return (NULL((void*)0));
1135 ret = expand_string(buf, len, ibuf, str);
1136 free(str);
1137 if (ret != 0)
1138 return (NULL((void*)0));
1139 }
1140 if (strstr(val, "$DOCUMENT_URI") != NULL((void*)0)) {
1141 if ((path = url_encode(desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0))
1142 return (NULL((void*)0));
1143 ret = expand_string(buf, len, "$DOCUMENT_URI", path);
1144 free(path);
1145 if (ret != 0)
1146 return (NULL((void*)0));
1147 }
1148 if (strstr(val, "$QUERY_STRING_ENC") != NULL((void*)0)) {
1149 if (desc->http_queryhttp_pathquery.kv_value == NULL((void*)0)) {
1150 ret = expand_string(buf, len, "$QUERY_STRING_ENC", "");
1151 } else {
1152 if ((query = url_encode(desc->http_queryhttp_pathquery.kv_value)) == NULL((void*)0))
1153 return (NULL((void*)0));
1154 ret = expand_string(buf, len, "$QUERY_STRING_ENC", query);
1155 free(query);
1156 }
1157 if (ret != 0)
1158 return (NULL((void*)0));
1159 }
1160 if (strstr(val, "$QUERY_STRING") != NULL((void*)0)) {
1161 if (desc->http_queryhttp_pathquery.kv_value == NULL((void*)0)) {
1162 ret = expand_string(buf, len, "$QUERY_STRING", "");
1163 } else {
1164 ret = expand_string(buf, len, "$QUERY_STRING",
1165 desc->http_queryhttp_pathquery.kv_value);
1166 }
1167 if (ret != 0)
1168 return (NULL((void*)0));
1169 }
1170 if (strstr(val, "$HTTP_HOST") != NULL((void*)0)) {
1171 if (desc->http_host == NULL((void*)0))
1172 return (NULL((void*)0));
1173 if ((str = url_encode(desc->http_host)) == NULL((void*)0))
1174 return (NULL((void*)0));
1175 expand_string(buf, len, "$HTTP_HOST", str);
1176 free(str);
1177 }
1178 if (strstr(val, "$REMOTE_") != NULL((void*)0)) {
1179 if (strstr(val, "$REMOTE_ADDR") != NULL((void*)0)) {
1180 if (print_host(&clt->clt_ss,
1181 ibuf, sizeof(ibuf)) == NULL((void*)0))
1182 return (NULL((void*)0));
1183 if (expand_string(buf, len,
1184 "$REMOTE_ADDR", ibuf) != 0)
1185 return (NULL((void*)0));
1186 }
1187 if (strstr(val, "$REMOTE_PORT") != NULL((void*)0)) {
1188 snprintf(ibuf, sizeof(ibuf),
1189 "%u", ntohs(clt->clt_port)(__uint16_t)(__builtin_constant_p(clt->clt_port) ? (__uint16_t
)(((__uint16_t)(clt->clt_port) & 0xffU) << 8 | (
(__uint16_t)(clt->clt_port) & 0xff00U) >> 8) : __swap16md
(clt->clt_port)));
1190 if (expand_string(buf, len,
1191 "$REMOTE_PORT", ibuf) != 0)
1192 return (NULL((void*)0));
1193 }
1194 if (strstr(val, "$REMOTE_USER") != NULL((void*)0)) {
1195 if ((srv_conf->flags & SRVFLAG_AUTH0x00010000) &&
1196 clt->clt_remote_user != NULL((void*)0)) {
1197 if ((str = url_encode(clt->clt_remote_user))
1198 == NULL((void*)0))
1199 return (NULL((void*)0));
1200 } else
1201 str = strdup("");
1202 ret = expand_string(buf, len, "$REMOTE_USER", str);
1203 free(str);
1204 if (ret != 0)
1205 return (NULL((void*)0));
1206 }
1207 }
1208 if (strstr(val, "$REQUEST_URI") != NULL((void*)0)) {
1209 if ((path = url_encode(desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0))
1210 return (NULL((void*)0));
1211 if (desc->http_queryhttp_pathquery.kv_value == NULL((void*)0)) {
1212 str = path;
1213 } else {
1214 ret = asprintf(&str, "%s?%s", path, desc->http_queryhttp_pathquery.kv_value);
1215 free(path);
1216 if (ret == -1)
1217 return (NULL((void*)0));
1218 }
1219
1220 ret = expand_string(buf, len, "$REQUEST_URI", str);
1221 free(str);
1222 if (ret != 0)
1223 return (NULL((void*)0));
1224 }
1225 if (strstr(val, "$REQUEST_SCHEME") != NULL((void*)0)) {
1226 if (srv_conf->flags & SRVFLAG_TLS0x00002000) {
1227 ret = expand_string(buf, len, "$REQUEST_SCHEME", "https");
1228 } else {
1229 ret = expand_string(buf, len, "$REQUEST_SCHEME", "http");
1230 }
1231 if (ret != 0)
1232 return (NULL((void*)0));
1233 }
1234 if (strstr(val, "$SERVER_") != NULL((void*)0)) {
1235 if (strstr(val, "$SERVER_ADDR") != NULL((void*)0)) {
1236 if (print_host(&srv_conf->ss,
1237 ibuf, sizeof(ibuf)) == NULL((void*)0))
1238 return (NULL((void*)0));
1239 if (expand_string(buf, len,
1240 "$SERVER_ADDR", ibuf) != 0)
1241 return (NULL((void*)0));
1242 }
1243 if (strstr(val, "$SERVER_PORT") != NULL((void*)0)) {
1244 snprintf(ibuf, sizeof(ibuf), "%u",
1245 ntohs(srv_conf->port)(__uint16_t)(__builtin_constant_p(srv_conf->port) ? (__uint16_t
)(((__uint16_t)(srv_conf->port) & 0xffU) << 8 | (
(__uint16_t)(srv_conf->port) & 0xff00U) >> 8) : __swap16md
(srv_conf->port)));
1246 if (expand_string(buf, len,
1247 "$SERVER_PORT", ibuf) != 0)
1248 return (NULL((void*)0));
1249 }
1250 if (strstr(val, "$SERVER_NAME") != NULL((void*)0)) {
1251 if ((str = url_encode(srv_conf->name))
1252 == NULL((void*)0))
1253 return (NULL((void*)0));
1254 ret = expand_string(buf, len, "$SERVER_NAME", str);
1255 free(str);
1256 if (ret != 0)
1257 return (NULL((void*)0));
1258 }
1259 }
1260
1261 return (buf);
1262}
1263
1264int
1265server_response(struct httpd *httpd, struct client *clt)
1266{
1267 char path[PATH_MAX1024];
1268 char hostname[HOST_NAME_MAX255+1];
1269 struct http_descriptor *desc = clt->clt_descreq;
1270 struct http_descriptor *resp = clt->clt_descresp;
1271 struct server *srv = clt->clt_srv;
1272 struct server_config *srv_conf = &srv->srv_conf;
1273 struct kv *kv, key, *host;
1274 struct str_find sm;
1275 int portval = -1, ret;
1276 char *hostval, *query;
1277 const char *errstr = NULL((void*)0);
1278
1279 /* Preserve original path */
1280 if (desc->http_pathhttp_pathquery.kv_key == NULL((void*)0) ||
19
Assuming field 'kv_key' is not equal to NULL
21
Taking false branch
1281 (desc->http_path_orig = strdup(desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0))
20
Assuming the condition is false
1282 goto fail;
1283
1284 /* Decode the URL */
1285 if (url_decode(desc->http_pathhttp_pathquery.kv_key) == NULL((void*)0))
22
Assuming the condition is false
23
Taking false branch
1286 goto fail;
1287
1288 /* Canonicalize the request path */
1289 if (canonicalize_path(desc->http_pathhttp_pathquery.kv_key, path, sizeof(path)) == NULL((void*)0))
24
Assuming the condition is false
25
Taking false branch
1290 goto fail;
1291 free(desc->http_pathhttp_pathquery.kv_key);
1292 if ((desc->http_pathhttp_pathquery.kv_key = strdup(path)) == NULL((void*)0))
26
Assuming the condition is false
27
Taking false branch
1293 goto fail;
1294
1295 key.kv_key = "Host";
1296 if ((host = kv_find(&desc->http_headers, &key)) != NULL((void*)0) &&
28
Assuming the condition is false
1297 host->kv_value == NULL((void*)0))
1298 host = NULL((void*)0);
1299
1300 if (strcmp(desc->http_version, "HTTP/1.1") == 0) {
29
Assuming the condition is false
30
Taking false branch
1301 /* Host header is mandatory */
1302 if (host == NULL((void*)0))
1303 goto fail;
1304
1305 /* Is the connection persistent? */
1306 key.kv_key = "Connection";
1307 if ((kv = kv_find(&desc->http_headers, &key)) != NULL((void*)0) &&
1308 strcasecmp("close", kv->kv_value) == 0)
1309 clt->clt_persist = 0;
1310 else
1311 clt->clt_persist++;
1312 } else {
1313 /* Is the connection persistent? */
1314 key.kv_key = "Connection";
1315 if ((kv = kv_find(&desc->http_headers, &key)) != NULL((void*)0) &&
31
Assuming the condition is false
1316 strcasecmp("keep-alive", kv->kv_value) == 0)
1317 clt->clt_persist++;
1318 else
1319 clt->clt_persist = 0;
1320 }
1321
1322 /*
1323 * Do we have a Host header and matching configuration?
1324 * XXX the Host can also appear in the URL path.
1325 */
1326 if (host
31.1
'host' is equal to NULL
 != NULL((void*)0)) {
32
Taking false branch
1327 if ((hostval = server_http_parsehost(host->kv_value,
1328 hostname, sizeof(hostname), &portval)) == NULL((void*)0))
1329 goto fail;
1330
1331 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry)for((srv_conf) = ((&srv->srv_hosts)->tqh_first); (srv_conf
) != ((void*)0); (srv_conf) = ((srv_conf)->entry.tqe_next)
) {
1332#ifdef DEBUG
1333 if ((srv_conf->flags & SRVFLAG_LOCATION0x00000020) == 0) {
1334 DPRINTF("%s: virtual host \"%s:%u\""do {} while(0)
1335 " host \"%s\" (\"%s\")",do {} while(0)
1336 __func__, srv_conf->name,do {} while(0)
1337 ntohs(srv_conf->port), host->kv_value,do {} while(0)
1338 hostname)do {} while(0);
1339 }
1340#endif
1341 if (srv_conf->flags & SRVFLAG_LOCATION0x00000020)
1342 continue;
1343 else if (srv_conf->flags & SRVFLAG_SERVER_MATCH0x00200000) {
1344 str_find(hostname, srv_conf->name,
1345 &sm, 1, &errstr);
1346 ret = errstr == NULL((void*)0) ? 0 : -1;
1347 } else {
1348 ret = fnmatch(srv_conf->name,
1349 hostname, FNM_CASEFOLD0x10);
1350 }
1351 if (ret == 0 &&
1352 (portval == -1 || portval == srv_conf->port)) {
1353 /* Replace host configuration */
1354 clt->clt_srv_conf = srv_conf;
1355 srv_conf = NULL((void*)0);
1356 break;
1357 }
1358 }
1359 }
1360
1361 if (srv_conf != NULL((void*)0)) {
33
Assuming 'srv_conf' is not equal to NULL
34
Taking true branch
1362 /* Use the actual server IP address */
1363 if (server_http_host(&clt->clt_srv_ss, hostname,
35
Calling 'server_http_host'
45
Returning from 'server_http_host'
46
Taking false branch
1364 sizeof(hostname)) == NULL((void*)0))
1365 goto fail;
1366 } else {
1367 /* Host header was valid and found */
1368 if (strlcpy(hostname, host->kv_value, sizeof(hostname)) >=
1369 sizeof(hostname))
1370 goto fail;
1371 srv_conf = clt->clt_srv_conf;
1372 }
1373
1374 if (clt->clt_persist >= srv_conf->maxrequests)
47
Assuming field 'clt_persist' is < field 'maxrequests'
48
Taking false branch
1375 clt->clt_persist = 0;
1376
1377 /* pipelining should end after the first "idempotent" method */
1378 if (clt->clt_pipelining && clt->clt_toread > 0)
49
Assuming field 'clt_pipelining' is 0
1379 clt->clt_persist = 0;
1380
1381 if ((desc->http_host = strdup(hostname)) == NULL((void*)0))
50
Assuming the condition is false
51
Taking false branch
1382 goto fail;
1383
1384 /* Now fill in the mandatory parts of the response descriptor */
1385 resp->http_method = desc->http_method;
1386 if ((resp->http_version = strdup(desc->http_version)) == NULL((void*)0))
52
Assuming the condition is false
53
Taking false branch
1387 goto fail;
1388
1389 /* Now search for the location */
1390 if ((srv_conf = server_getlocation(clt, desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0)) {
54
Calling 'server_getlocation'
58
Returning from 'server_getlocation'
59
Assuming pointer value is null
60
Taking true branch
1391 server_abort_http(clt, 500, desc->http_pathhttp_pathquery.kv_key);
61
Calling 'server_abort_http'
1392 return (-1);
1393 }
1394
1395 /* Optional rewrite */
1396 if (srv_conf->flags & SRVFLAG_PATH_REWRITE0x01000000) {
1397 /* Expand macros */
1398 if (server_expand_http(clt, srv_conf->path,
1399 path, sizeof(path)) == NULL((void*)0))
1400 goto fail;
1401
1402 /*
1403 * Reset and update the query. The updated query must already
1404 * be URL encoded - either specified by the user or by using the
1405 * original $QUERY_STRING.
1406 */
1407 free(desc->http_query_alias);
1408 desc->http_query_alias = NULL((void*)0);
1409 if ((query = strchr(path, '?')) != NULL((void*)0)) {
1410 *query++ = '\0';
1411 if ((desc->http_query_alias = strdup(query)) == NULL((void*)0))
1412 goto fail;
1413 }
1414
1415 /* Canonicalize the updated request path */
1416 if (canonicalize_path(path,
1417 path, sizeof(path)) == NULL((void*)0))
1418 goto fail;
1419
1420 log_debug("%s: rewrote %s?%s -> %s?%s", __func__,
1421 desc->http_pathhttp_pathquery.kv_key, desc->http_queryhttp_pathquery.kv_value ? desc->http_queryhttp_pathquery.kv_value : "",
1422 path, query ? query : "");
1423
1424 free(desc->http_path_alias);
1425 if ((desc->http_path_alias = strdup(path)) == NULL((void*)0))
1426 goto fail;
1427
1428 /* Now search for the updated location */
1429 if ((srv_conf = server_getlocation(clt,
1430 desc->http_path_alias)) == NULL((void*)0)) {
1431 server_abort_http(clt, 500, desc->http_path_alias);
1432 return (-1);
1433 }
1434 }
1435
1436 if (clt->clt_toread > 0 && (size_t)clt->clt_toread >
1437 srv_conf->maxrequestbody) {
1438 server_abort_http(clt, 413, "request body too large");
1439 return (-1);
1440 }
1441
1442 if (srv_conf->flags & SRVFLAG_BLOCK0x00040000) {
1443 server_abort_http(clt, srv_conf->return_code,
1444 srv_conf->return_uri);
1445 return (-1);
1446 } else if (srv_conf->flags & SRVFLAG_AUTH0x00010000 &&
1447 server_http_authenticate(srv_conf, clt) == -1) {
1448 server_abort_http(clt, 401, srv_conf->auth_realm);
1449 return (-1);
1450 } else
1451 return (server_file(httpd, clt));
1452 fail:
1453 server_abort_http(clt, 400, "bad request");
1454 return (-1);
1455}
1456
1457const char *
1458server_root_strip(const char *path, int n)
1459{
1460 const char *p;
1461
1462 /* Strip strip leading directories. Leading '/' is ignored. */
1463 for (; n > 0 && *path != '\0'; n--)
1464 if ((p = strchr(++path, '/')) == NULL((void*)0))
1465 path = strchr(path, '\0');
1466 else
1467 path = p;
1468
1469 return (path);
1470}
1471
1472struct server_config *
1473server_getlocation(struct client *clt, const char *path)
1474{
1475 struct server *srv = clt->clt_srv;
1476 struct server_config *srv_conf = clt->clt_srv_conf, *location;
1477 const char *errstr = NULL((void*)0);
1478 int ret;
1479
1480 /* Now search for the location */
1481 TAILQ_FOREACH(location, &srv->srv_hosts, entry)for((location) = ((&srv->srv_hosts)->tqh_first); (location
) != ((void*)0); (location) = ((location)->entry.tqe_next)
) {
55
Assuming 'location' is equal to null
56
Loop condition is false. Execution continues on line 1512
1482#ifdef DEBUG
1483 if (location->flags & SRVFLAG_LOCATION0x00000020) {
1484 DPRINTF("%s: location \"%s\" path \"%s\"",do {} while(0)
1485 __func__, location->location, path)do {} while(0);
1486 }
1487#endif
1488 if ((location->flags & SRVFLAG_LOCATION0x00000020) &&
1489 location->parent_id == srv_conf->parent_id) {
1490 errstr = NULL((void*)0);
1491 if (location->flags & SRVFLAG_LOCATION_MATCH0x00100000) {
1492 ret = str_match(path, location->location,
1493 &clt->clt_srv_match, &errstr);
1494 } else {
1495 ret = fnmatch(location->location,
1496 path, FNM_CASEFOLD0x10);
1497 }
1498 if (ret == 0 && errstr == NULL((void*)0)) {
1499 if ((ret = server_locationaccesstest(location,
1500 path)) == -1)
1501 return (NULL((void*)0));
1502
1503 if (ret)
1504 continue;
1505 /* Replace host configuration */
1506 clt->clt_srv_conf = srv_conf = location;
1507 break;
1508 }
1509 }
1510 }
1511
1512 return (srv_conf);
57
Returning without writing to 'clt->clt_srv_conf'
1513}
1514
1515int
1516server_locationaccesstest(struct server_config *srv_conf, const char *path)
1517{
1518 int rootfd, ret;
1519 struct stat sb;
1520
1521 if (((SRVFLAG_LOCATION_FOUND0x40000000 | SRVFLAG_LOCATION_NOT_FOUND0x80000000) &
1522 srv_conf->flags) == 0)
1523 return (0);
1524
1525 if ((rootfd = open(srv_conf->root, O_RDONLY0x0000)) == -1)
1526 return (-1);
1527
1528 path = server_root_strip(path, srv_conf->strip) + 1;
1529 if ((ret = faccessat(rootfd, path, R_OK0x04, 0)) != -1)
1530 ret = fstatat(rootfd, path, &sb, 0);
1531 close(rootfd);
1532 return ((ret == -1 && SRVFLAG_LOCATION_FOUND0x40000000 & srv_conf->flags) ||
1533 (ret == 0 && SRVFLAG_LOCATION_NOT_FOUND0x80000000 & srv_conf->flags));
1534}
1535
1536int
1537server_response_http(struct client *clt, unsigned int code,
1538 struct media_type *media, off_t size, time_t mtime)
1539{
1540 struct server_config *srv_conf = clt->clt_srv_conf;
1541 struct http_descriptor *desc = clt->clt_descreq;
1542 struct http_descriptor *resp = clt->clt_descresp;
1543 const char *error;
1544 struct kv *ct, *cl;
1545 char tmbuf[32];
1546
1547 if (desc == NULL((void*)0) || media == NULL((void*)0) ||
1548 (error = server_httperror_byid(code)) == NULL((void*)0))
1549 return (-1);
1550
1551 if (server_log_http(clt, code, size >= 0 ? size : 0) == -1)
1552 return (-1);
1553
1554 /* Add error codes */
1555 if (kv_setkey(&resp->http_pathquery, "%u", code) == -1 ||
1556 kv_set(&resp->http_pathquery, "%s", error) == -1)
1557 return (-1);
1558
1559 /* Add headers */
1560 if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME"OpenBSD httpd") == NULL((void*)0))
1561 return (-1);
1562
1563 /* Is it a persistent connection? */
1564 if (clt->clt_persist) {
1565 if (kv_add(&resp->http_headers,
1566 "Connection", "keep-alive") == NULL((void*)0))
1567 return (-1);
1568 } else if (kv_add(&resp->http_headers, "Connection", "close") == NULL((void*)0))
1569 return (-1);
1570
1571 /* Set media type */
1572 if ((ct = kv_add(&resp->http_headers, "Content-Type", NULL((void*)0))) == NULL((void*)0) ||
1573 kv_set(ct, "%s/%s", media->media_type, media->media_subtype) == -1)
1574 return (-1);
1575
1576 /* Set content length, if specified */
1577 if (size >= 0 && ((cl =
1578 kv_add(&resp->http_headers, "Content-Length", NULL((void*)0))) == NULL((void*)0) ||
1579 kv_set(cl, "%lld", (long long)size) == -1))
1580 return (-1);
1581
1582 /* Set last modification time */
1583 if (server_http_time(mtime, tmbuf, sizeof(tmbuf)) <= 0 ||
1584 kv_add(&resp->http_headers, "Last-Modified", tmbuf) == NULL((void*)0))
1585 return (-1);
1586
1587 /* HSTS header */
1588 if (srv_conf->flags & SRVFLAG_SERVER_HSTS0x00400000 &&
1589 srv_conf->flags & SRVFLAG_TLS0x00002000) {
1590 if ((cl =
1591 kv_add(&resp->http_headers, "Strict-Transport-Security",
1592 NULL((void*)0))) == NULL((void*)0) ||
1593 kv_set(cl, "max-age=%d%s%s", srv_conf->hsts_max_age,
1594 srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS0x01 ?
1595 "; includeSubDomains" : "",
1596 srv_conf->hsts_flags & HSTSFLAG_PRELOAD0x02 ?
1597 "; preload" : "") == -1)
1598 return (-1);
1599 }
1600
1601 /* Date header is mandatory and should be added as late as possible */
1602 if (server_http_time(time(NULL((void*)0)), tmbuf, sizeof(tmbuf)) <= 0 ||
1603 kv_add(&resp->http_headers, "Date", tmbuf) == NULL((void*)0))
1604 return (-1);
1605
1606 /* Write completed header */
1607 if (server_writeresponse_http(clt) == -1 ||
1608 server_bufferevent_print(clt, "\r\n") == -1 ||
1609 server_headers(clt, resp, server_writeheader_http, NULL((void*)0)) == -1 ||
1610 server_bufferevent_print(clt, "\r\n") == -1)
1611 return (-1);
1612
1613 if (size <= 0 || resp->http_method == HTTP_METHOD_HEAD) {
1614 bufferevent_enable(clt->clt_bev, EV_READ0x02|EV_WRITE0x04);
1615 if (clt->clt_persist)
1616 clt->clt_toread = TOREAD_HTTP_HEADER;
1617 else
1618 clt->clt_toread = TOREAD_HTTP_NONE;
1619 clt->clt_done = 0;
1620 return (0);
1621 }
1622
1623 return (1);
1624}
1625
1626int
1627server_writeresponse_http(struct client *clt)
1628{
1629 struct http_descriptor *desc = clt->clt_descresp;
1630
1631 DPRINTF("version: %s rescode: %s resmsg: %s", desc->http_version,do {} while(0)
1632 desc->http_rescode, desc->http_resmesg)do {} while(0);
1633
1634 if (server_bufferevent_print(clt, desc->http_version) == -1 ||
1635 server_bufferevent_print(clt, " ") == -1 ||
1636 server_bufferevent_print(clt, desc->http_rescodehttp_pathquery.kv_key) == -1 ||
1637 server_bufferevent_print(clt, " ") == -1 ||
1638 server_bufferevent_print(clt, desc->http_resmesghttp_pathquery.kv_value) == -1)
1639 return (-1);
1640
1641 return (0);
1642}
1643
1644int
1645server_writeheader_http(struct client *clt, struct kv *hdr, void *arg)
1646{
1647 char *ptr;
1648 const char *key;
1649
1650 if (hdr->kv_flags & KV_FLAG_INVALID0x01)
1651 return (0);
1652
1653 /* The key might have been updated in the parent */
1654 if (hdr->kv_parent != NULL((void*)0) && hdr->kv_parent->kv_key != NULL((void*)0))
1655 key = hdr->kv_parent->kv_key;
1656 else
1657 key = hdr->kv_key;
1658
1659 ptr = hdr->kv_value;
1660 if (server_bufferevent_print(clt, key) == -1 ||
1661 (ptr != NULL((void*)0) &&
1662 (server_bufferevent_print(clt, ": ") == -1 ||
1663 server_bufferevent_print(clt, ptr) == -1 ||
1664 server_bufferevent_print(clt, "\r\n") == -1)))
1665 return (-1);
1666 DPRINTF("%s: %s: %s", __func__, key,do {} while(0)
1667 hdr->kv_value == NULL ? "" : hdr->kv_value)do {} while(0);
1668
1669 return (0);
1670}
1671
1672int
1673server_headers(struct client *clt, void *descp,
1674 int (*hdr_cb)(struct client *, struct kv *, void *), void *arg)
1675{
1676 struct kv *hdr, *kv;
1677 struct http_descriptor *desc = descp;
1678
1679 RB_FOREACH(hdr, kvtree, &desc->http_headers)for ((hdr) = kvtree_RB_MINMAX(&desc->http_headers, -1)
; (hdr) != ((void*)0); (hdr) = kvtree_RB_NEXT(hdr)) {
1680 if ((hdr_cb)(clt, hdr, arg) == -1)
1681 return (-1);
1682 TAILQ_FOREACH(kv, &hdr->kv_children, kv_entry)for((kv) = ((&hdr->kv_children)->tqh_first); (kv) !=
((void*)0); (kv) = ((kv)->kv_entry.tqe_next)) {
1683 if ((hdr_cb)(clt, kv, arg) == -1)
1684 return (-1);
1685 }
1686 }
1687
1688 return (0);
1689}
1690
1691enum httpmethod
1692server_httpmethod_byname(const char *name)
1693{
1694 enum httpmethod id = HTTP_METHOD_NONE;
1695 struct http_method method, *res = NULL((void*)0);
1696
1697 /* Set up key */
1698 method.method_name = name;
1699
1700 if ((res = bsearch(&method, http_methods,
1701 sizeof(http_methods) / sizeof(http_methods[0]) - 1,
1702 sizeof(http_methods[0]), server_httpmethod_cmp)) != NULL((void*)0))
1703 id = res->method_id;
1704
1705 return (id);
1706}
1707
1708const char *
1709server_httpmethod_byid(unsigned int id)
1710{
1711 const char *name = "<UNKNOWN>";
1712 int i;
1713
1714 for (i = 0; http_methods[i].method_name != NULL((void*)0); i++) {
1715 if (http_methods[i].method_id == id) {
1716 name = http_methods[i].method_name;
1717 break;
1718 }
1719 }
1720
1721 return (name);
1722}
1723
1724static int
1725server_httpmethod_cmp(const void *a, const void *b)
1726{
1727 const struct http_method *ma = a;
1728 const struct http_method *mb = b;
1729
1730 /*
1731 * RFC 2616 section 5.1.1 says that the method is case
1732 * sensitive so we don't do a strcasecmp here.
1733 */
1734 return (strcmp(ma->method_name, mb->method_name));
1735}
1736
1737const char *
1738server_httperror_byid(unsigned int id)
1739{
1740 struct http_error error, *res;
1741
1742 /* Set up key */
1743 error.error_code = (int)id;
1744
1745 if ((res = bsearch(&error, http_errors,
1746 sizeof(http_errors) / sizeof(http_errors[0]) - 1,
1747 sizeof(http_errors[0]), server_httperror_cmp)) != NULL((void*)0))
1748 return (res->error_name);
1749
1750 return (NULL((void*)0));
1751}
1752
1753static int
1754server_httperror_cmp(const void *a, const void *b)
1755{
1756 const struct http_error *ea = a;
1757 const struct http_error *eb = b;
1758 return (ea->error_code - eb->error_code);
1759}
1760
1761/*
1762 * return -1 on failure, strlen() of read file otherwise.
1763 * body is NULL on failure, contents of file with trailing \0 otherwise.
1764 */
1765char *
1766read_errdoc(const char *root, const char *file)
1767{
1768 struct stat sb;
1769 char *path;
1770 int fd;
1771 char *ret = NULL((void*)0);
1772
1773 if (asprintf(&path, "%s/%s.html", root, file) == -1)
1774 fatal("asprintf");
1775 if ((fd = open(path, O_RDONLY0x0000)) == -1) {
1776 free(path);
1777 log_warn("%s: open", __func__);
1778 return (NULL((void*)0));
1779 }
1780 free(path);
1781 if (fstat(fd, &sb) < 0) {
1782 log_warn("%s: stat", __func__);
1783 return (NULL((void*)0));
1784 }
1785
1786 if ((ret = calloc(1, sb.st_size + 1)) == NULL((void*)0))
1787 fatal("calloc");
1788 if (sb.st_size == 0)
1789 return (ret);
1790 if (read(fd, ret, sb.st_size) != sb.st_size) {
1791 log_warn("%s: read", __func__);
1792 close(fd);
1793 free(ret);
1794 ret = NULL((void*)0);
1795 return (ret);
1796 }
1797 close(fd);
1798
1799 return (ret);
1800}
1801
1802char *
1803replace_var(char *str, const char *var, const char *repl)
1804{
1805 char *iv, *r;
1806 size_t vlen;
1807
1808 vlen = strlen(var);
1809 while ((iv = strstr(str, var)) != NULL((void*)0)) {
1810 *iv = '\0';
1811 if (asprintf(&r, "%s%s%s", str, repl, &iv[vlen]) == -1)
1812 fatal("asprintf");
1813 free(str);
1814 str = r;
1815 }
1816 return (str);
1817}
1818
1819int
1820server_log_http(struct client *clt, unsigned int code, size_t len)
1821{
1822 static char tstamp[64];
1823 static char ip[INET6_ADDRSTRLEN46];
1824 time_t t;
1825 struct kv key, *agent, *referrer, *xff, *xfp;
1826 struct tm *tm;
1827 struct server_config *srv_conf;
1828 struct http_descriptor *desc;
1829 int ret = -1;
1830 char *user = NULL((void*)0);
1831 char *path = NULL((void*)0);
1832 char *version = NULL((void*)0);
1833 char *referrer_v = NULL((void*)0);
1834 char *agent_v = NULL((void*)0);
1835 char *xff_v = NULL((void*)0);
1836 char *xfp_v = NULL((void*)0);
1837
1838 if ((srv_conf = clt->clt_srv_conf) == NULL((void*)0))
1839 return (-1);
1840 if ((srv_conf->flags & SRVFLAG_LOG0x00000100) == 0)
1841 return (0);
1842 if ((desc = clt->clt_descreq) == NULL((void*)0))
1843 return (-1);
1844
1845 if ((t = time(NULL((void*)0))) == -1)
1846 return (-1);
1847 if ((tm = localtime(&t)) == NULL((void*)0))
1848 return (-1);
1849 if (strftime(tstamp, sizeof(tstamp), "%d/%b/%Y:%H:%M:%S %z", tm) == 0)
1850 return (-1);
1851
1852 if (print_host(&clt->clt_ss, ip, sizeof(ip)) == NULL((void*)0))
1853 return (-1);
1854
1855 /*
1856 * For details on common log format, see:
1857 * https://httpd.apache.org/docs/current/mod/mod_log_config.html
1858 *
1859 * httpd's format is similar to these Apache LogFormats:
1860 * "%v %h %l %u %t \"%r\" %>s %B"
1861 * "%v %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-agent}i\""
1862 */
1863 switch (srv_conf->logformat) {
1864 case LOG_FORMAT_COMMON:
1865 /* Use vis to encode input values from the header */
1866 if (clt->clt_remote_user &&
1867 stravis(&user, clt->clt_remote_user, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1868 goto done;
1869 if (desc->http_version &&
1870 stravis(&version, desc->http_version, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1871 goto done;
1872
1873 /* The following should be URL-encoded */
1874 if (desc->http_pathhttp_pathquery.kv_key &&
1875 (path = url_encode(desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0))
1876 goto done;
1877
1878 ret = evbuffer_add_printf(clt->clt_log,
1879 "%s %s - %s [%s] \"%s %s%s%s%s%s\" %03d %zu\n",
1880 srv_conf->name, ip, clt->clt_remote_user == NULL((void*)0) ? "-" :
1881 user, tstamp,
1882 server_httpmethod_byid(desc->http_method),
1883 desc->http_pathhttp_pathquery.kv_key == NULL((void*)0) ? "" : path,
1884 desc->http_queryhttp_pathquery.kv_value == NULL((void*)0) ? "" : "?",
1885 desc->http_queryhttp_pathquery.kv_value == NULL((void*)0) ? "" : desc->http_queryhttp_pathquery.kv_value,
1886 desc->http_version == NULL((void*)0) ? "" : " ",
1887 desc->http_version == NULL((void*)0) ? "" : version,
1888 code, len);
1889
1890 break;
1891
1892 case LOG_FORMAT_COMBINED:
1893 case LOG_FORMAT_FORWARDED:
1894 key.kv_key = "Referer"; /* sic */
1895 if ((referrer = kv_find(&desc->http_headers, &key)) != NULL((void*)0) &&
1896 referrer->kv_value == NULL((void*)0))
1897 referrer = NULL((void*)0);
1898
1899 key.kv_key = "User-Agent";
1900 if ((agent = kv_find(&desc->http_headers, &key)) != NULL((void*)0) &&
1901 agent->kv_value == NULL((void*)0))
1902 agent = NULL((void*)0);
1903
1904 /* Use vis to encode input values from the header */
1905 if (clt->clt_remote_user &&
1906 stravis(&user, clt->clt_remote_user, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1907 goto done;
1908 if (clt->clt_remote_user == NULL((void*)0) &&
1909 clt->clt_tls_ctx != NULL((void*)0) &&
1910 (srv_conf->tls_flags & TLSFLAG_CA0x01) &&
1911 tls_peer_cert_subject(clt->clt_tls_ctx) != NULL((void*)0) &&
1912 stravis(&user, tls_peer_cert_subject(clt->clt_tls_ctx),
1913 HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1914 goto done;
1915 if (desc->http_version &&
1916 stravis(&version, desc->http_version, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1917 goto done;
1918 if (agent &&
1919 stravis(&agent_v, agent->kv_value, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1920 goto done;
1921
1922 /* The following should be URL-encoded */
1923 if (desc->http_pathhttp_pathquery.kv_key &&
1924 (path = url_encode(desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0))
1925 goto done;
1926 if (referrer &&
1927 (referrer_v = url_encode(referrer->kv_value)) == NULL((void*)0))
1928 goto done;
1929
1930 if ((ret = evbuffer_add_printf(clt->clt_log,
1931 "%s %s - %s [%s] \"%s %s%s%s%s%s\""
1932 " %03d %zu \"%s\" \"%s\"",
1933 srv_conf->name, ip, user == NULL((void*)0) ? "-" :
1934 user, tstamp,
1935 server_httpmethod_byid(desc->http_method),
1936 desc->http_pathhttp_pathquery.kv_key == NULL((void*)0) ? "" : path,
1937 desc->http_queryhttp_pathquery.kv_value == NULL((void*)0) ? "" : "?",
1938 desc->http_queryhttp_pathquery.kv_value == NULL((void*)0) ? "" : desc->http_queryhttp_pathquery.kv_value,
1939 desc->http_version == NULL((void*)0) ? "" : " ",
1940 desc->http_version == NULL((void*)0) ? "" : version,
1941 code, len,
1942 referrer == NULL((void*)0) ? "" : referrer_v,
1943 agent == NULL((void*)0) ? "" : agent_v)) == -1)
1944 break;
1945
1946 if (srv_conf->logformat == LOG_FORMAT_COMBINED)
1947 goto finish;
1948
1949 xff = xfp = NULL((void*)0);
1950
1951 key.kv_key = "X-Forwarded-For";
1952 if ((xff = kv_find(&desc->http_headers, &key)) != NULL((void*)0)
1953 && xff->kv_value == NULL((void*)0))
1954 xff = NULL((void*)0);
1955
1956 if (xff &&
1957 stravis(&xff_v, xff->kv_value, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1958 goto finish;
1959
1960 key.kv_key = "X-Forwarded-Port";
1961 if ((xfp = kv_find(&desc->http_headers, &key)) != NULL((void*)0) &&
1962 (xfp->kv_value == NULL((void*)0)))
1963 xfp = NULL((void*)0);
1964
1965 if (xfp &&
1966 stravis(&xfp_v, xfp->kv_value, HTTPD_LOGVIS0x10|0x08|0x02) == -1)
1967 goto finish;
1968
1969 if ((ret = evbuffer_add_printf(clt->clt_log, " %s %s",
1970 xff == NULL((void*)0) ? "-" : xff_v,
1971 xfp == NULL((void*)0) ? "-" : xfp_v)) == -1)
1972 break;
1973finish:
1974 ret = evbuffer_add_printf(clt->clt_log, "\n");
1975
1976 break;
1977
1978 case LOG_FORMAT_CONNECTION:
1979 /* URL-encode the path */
1980 if (desc->http_pathhttp_pathquery.kv_key &&
1981 (path = url_encode(desc->http_pathhttp_pathquery.kv_key)) == NULL((void*)0))
1982 goto done;
1983
1984 ret = evbuffer_add_printf(clt->clt_log, " [%s]",
1985 desc->http_pathhttp_pathquery.kv_key == NULL((void*)0) ? "" : path);
1986
1987 break;
1988 }
1989
1990done:
1991 free(user);
1992 free(path);
1993 free(version);
1994 free(referrer_v);
1995 free(agent_v);
1996 free(xff_v);
1997 free(xfp_v);
1998
1999 return (ret);
2000}