

Roxen.git/server/base_server/roxen.pike:1:   // This file is part of Roxen WebServer.   // Copyright © 1996 - 2004, Roxen IS.   //   // The Roxen WebServer main program.   //   // Per Hedbor, Henrik Grubbström, Pontus Hagland, David Hedbor and others.   // ABS and suicide systems contributed freely by Francesco Chemolli    - constant cvs_version="$Id: roxen.pike,v 1.917 2006/03/15 15:45:40 wellhard Exp $"; + constant cvs_version="$Id: roxen.pike,v 1.918 2006/04/18 17:24:48 grubba Exp $";      //! @appears roxen   //!   //! The Roxen WebServer main program.      // The argument cache. Used by the image cache.   ArgCache argcache;      // Some headerfiles   #define IN_ROXEN
Roxen.git/server/base_server/roxen.pike:3530:    }    }    res->stat = ({ 0, 0, 0, 900000000, 0, 0, 0, 0, 0 });       // Setting the cacheable flag is done in order to get headers sent which    // cause the image to be cached in the client even when using https    // sessions. However, this flag also controls whether the file should    // be placed in the protocol-level cache, so we'll counter by setting a    // separate flag.    RAISE_CACHE(INITIAL_CACHEABLE); + #if 0    NO_PROTO_CACHE(); -  + #endif    return res;    }       mapping metadata( array|string|mapping data,    RequestID id,    int|void nodraw )    //! Returns a mapping of image metadata for an image generated from    //! the data given (as sent to @[store()]). If a non-zero    //! @[nodraw] parameter is given and the image was not in the cache,    //! it will not be rendered on the fly to get the correct data.
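Review bot: The comment immediately above the new `#if 0` block is now wrong — it still says "we'll counter by setting a separate flag", but the `NO_PROTO_CACHE()` call that implemented that countermeasure is disabled, so the image-cache response now does enter the protocol-level cache with only `RAISE_CACHE(INITIAL_CACHEABLE)` in effect. Either delete the dead `#if 0 … #endif` block outright or replace it with a one-line comment stating why protocol-level caching is now acceptable for these responses, and drop the "so we'll counter by setting a separate flag" sentence. If any image-cache output can differ per client or session (the comment mentions https sessions), the protocol cache will now serve one client's copy to others unless a vary callback is registered somewhere outside this hunk; that is presumably the intent, but the hunk does not show it, so the replacement comment should say so. The enclosing function starts before this hunk.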
Roxen.git/server/base_server/roxen.pike:5599:    string enc = encode_value(res, master()->MyCodec(res));    object con = dbm_cached_get("local");       con->query("REPLACE INTO compiled_formats (md5,full,enc) VALUES (%s,%s,%s)",    kmd5, fmt, enc);    con = 0;       return compiled_formats[ fmt ] = res()->log;   }    - // This array contains the compilation information for the different - // security checks for e.g. htaccess. The layout of the top array is - // triplet of sscanf string that the security command should match, - // the number of arguments that it takes and an array with the actual - // compilation information. - // - // ({ command_sscanf_string, number_of_arguments, actual_tests, - // state_symbol_string, - // }) - // -  - // In the tests array the following types has the following meaning: - // function - // The function will be run during compilation. It gets the values - // acquired through sscanf-ing the command as input and should return - // an array with corresponding data. - // string - // The string will be compiled into the actual test code. It is - // first modified as - // str = sprintf(str, @args) - // where args are the arguments from the command after it has been - // processed by the provided function, if any. - // multiset - // Strings in a multiset will be added before the string above. - // should typically be used for variable declarations. - // int - // Signals that an authentication request should be sent to the user - // upon failure. - // - // - // NOTE: It's up to the security checks in this file to ensure that - // nothing is overcached. All patterns that perform checks using - // information from the client (such as remote address, referer etc) - // _have_ to use NOCACHE() or NO_PROTO_CACHE(). It's not necessary, however, - // to do that for checks that use the authentication module API, since - // then it's up to the user database and authentication modules to ensure - // that nothing is overcached in that case. + //! 
This array contains the compilation information for the different + //! security checks for e.g. @tt{htaccess@}. The layout of the top array is + //! a quadruple of sscanf string that the security command should match, + //! the number of arguments that it takes, an array with the actual + //! compilation information, and a symbol identifying the class of tests + //! the test belongs to. + //! + //! @array + //! @elem string command_sscanf_string + //! String to be passed as second argument to @[array_sscanf()] + //! to perform the match for the pattern. + //! @elem int(0..) number_of_arguments + //! Number of elements expected in the array returned by + //! @[array_sscanf()] for a proper match. + //! @elem array(function|string|int|multiset) actual_tests + //! In the tests array the following types has the following meaning: + //! @mixed + //! @type function + //! The function will be run during compilation. It gets the values + //! acquired through sscanf-ing the command as input and should return + //! an array with corresponding data. + //! @type string + //! The string will be compiled into the actual test code. It is + //! first modified as + //! @expr{str = sprintf(str, @@args)@} + //! where args are the arguments from the command after it has been + //! processed by the provided function, if any. + //! @type multiset + //! Strings in a multiset will be added before the string above. + //! should typically be used for variable declarations. + //! @type int + //! Signals that an authentication request should be sent to the user + //! upon failure. + //! @endmixed + //! @elem string state_symbol_string + //! Used to group the results from a class of tests. + //! Currently the following values are used: + //! @string + //! @value "ip" + //! @value "user" + //! @value "group" + //! @value "time" + //! @value "referer" + //! @value "day" + //! @value "language" + //! @value "luck" + //! @endstring + //! @endarray + //! + //! @note + //! 
It's up to the security checks in this file to ensure that + //! nothing is overcached. All patterns that perform checks using + //! information from the client (such as remote address, referer etc) + //! @b{have@} to use @[RequestID()->register_vary_callback()] (preferred), + //! or @[NOCACHE()] or @[NO_PROTO_CACHE()]. It's not necessary, however, + //! to do this for checks that use the authentication module API, since + //! then it's up to the user database and authentication modules to ensure + //! that nothing is overcached. + //! + //! @seealso + //! @[RequestID()->register_vary_callback()], @[NOCACHE()], + //! @[NO_PROTO_CACHE()], @[array_sscanf()]   array(array(string|int|array)) security_checks = ({    ({ "ip=%s:%s",2,({    lambda( string a, string b ){    int net = Roxen.ip_to_int( a );    int mask = Roxen.ip_to_int( b );    net &= mask;    return ({ net, sprintf("%c",mask)[0] });    },    " if ((Roxen.ip_to_int(id->remoteaddr) & %[1]d) == %[0]d)", -  (<" NO_PROTO_CACHE()" >), +  (<" id->register_vary_callback(0, Roxen.get_remoteaddr);">),    }), "ip" }),    ({ "ip=%s/%d",2,({    lambda( string a, int b ){    int net = Roxen.ip_to_int( a );    int mask = ((~0<<(32-b))&0xffffffff);    net &= mask;    return ({ net, sprintf("%c",mask)[0] });    },    " if ((Roxen.ip_to_int(id->remoteaddr) & %[1]d) == %[0]d) ", -  (<" NO_PROTO_CACHE()" >), +  (<" id->register_vary_callback(0, Roxen.get_remoteaddr);">),    }), "ip", }),    ({ "ip=%s",1,({    " if (sizeof(filter(%[0]O/\",\",\n"    " lambda(string q){\n"    " return glob(q,id->remoteaddr);\n"    " })))", -  (<" NO_PROTO_CACHE()" >), +  (<" id->register_vary_callback(0, Roxen.get_remoteaddr);">),    }), "ip", }),    ({ "user=%s",1,({ 1,    lambda( string x ) {    return ({sprintf("(< %{%O, %}>)", x/"," )});    },       " if ((user || (user = authmethod->authenticate(id, userdb_module)))\n"    " && ((%[0]s->any) || (%[0]s[user->name()]))) ",    (<" User user" >),    // No need to NOCACHE () here, since it's up to 
the
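Review bot: The new multiset entry `(<" id->register_vary_callback(0, Roxen.get_remoteaddr);">)` ends with a `;`, while every other multiset declaration in `security_checks` (`" User user"`, `" string dns"`, `" mapping l = localtime(time(1))"`) does not; the code that splices these strings into the generated test (outside this hunk) presumably supplies the terminator itself, so either the `;` is redundant here or the older entries are missing one — make them consistent, and the same applies to the `dns=%s` and `referer=%s` replacements in the hunk at line 5693. For the `dns=%s` check, the outcome depends on a reverse lookup of the remote address, so varying the cache entry on `Roxen.get_remoteaddr` assumes that lookup is stable for the lifetime of the cached entry, a question the old `NO_PROTO_CACHE()` never raised; a short comment on that entry such as `// Vary on remoteaddr: assumes the reverse lookup does not change while the entry is cached.` would record the trade-off. The meaning of the first argument `0` to `register_vary_callback()` is not visible in this hunk, so a reader has to go to RequestID to confirm it; naming it in the `@seealso` text would help.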
Roxen.git/server/base_server/roxen.pike:5693:    // auth-modules to do that.    }), "group", }),    ({ "dns=%s",1,({    " if(!dns && \n"    " ((dns=roxen.quick_ip_to_host(id->remoteaddr))==id->remoteaddr))\n"    " if( (id->misc->delayed+=0.1) < 1.0 )\n"    " return Roxen.http_try_again( 0.1 );\n"    " if (sizeof(filter(%[0]O/\",\",\n"    " lambda(string q){return glob(lower_case(q),lower_case(dns));})))",    (< " string dns" >), -  (<" NO_PROTO_CACHE()" >), +  (<" id->register_vary_callback(0, Roxen.get_remoteaddr);">),    }), "ip", }),    ({ "time=%d:%d-%d:%d",4,({    (< " mapping l = localtime(time(1))" >),    (< " int th = l->hour, tm = l->min" >),    // No need to NOCACHE() here, does not depend on client.    " if (((th >= %[0]d) && (tm >= %[1]d)) &&\n"    " ((th <= %[2]d) && (tm <= %[3]d)))",    }), "time", }),    ({ "referer=%s", 1, ({    (< -  " string referer = sizeof(id->referer||({}))?" -  "id->referer[0]:\"\"; " +  " string referer = sizeof(id->referer||({}))?id->referer[0]:\"\"; "    >),    " if( sizeof(filter(%[0]O/\",\",\n"    " lambda(string q){return glob(q,referer);})))", -  (<" NO_PROTO_CACHE()" >), +  (<" id->register_vary_callback(\"referer\");">),    }), "referer", }),    ({ "day=%s",1,({    lambda( string q ) {    multiset res = (<>);    foreach( q/",", string w ) if( (int)w )    res[((int)w % 7)] = 1;    else    res[ (["monday":1,"thuesday":2,"wednesday":3,"thursday":4,"friday":5,    "saturday":6,"sunday":0,"mon":1, "thu":2, "wed":3, "thu":4,    "fri":5, "sat":6, "sun":0, ])[ lower_case(w) ] ] = 1;