Roxen.git / server / base_server / roxen.pike


Roxen.git/server/base_server/roxen.pike:1:   // This file is part of Roxen WebServer.   // Copyright © 1996 - 2009, Roxen IS.   //   // The Roxen WebServer main program.   //   // Per Hedbor, Henrik Grubbström, Pontus Hagland, David Hedbor and others.   // ABS and suicide systems contributed freely by Francesco Chemolli    - constant cvs_version="$Id: roxen.pike,v 1.1068 2010/06/22 12:11:52 noring Exp $"; + constant cvs_version="$Id: roxen.pike,v 1.1069 2010/09/23 15:27:30 grubba Exp $";      //! @appears roxen   //!   //! The Roxen WebServer main program.      // The argument cache. Used by the image cache.   ArgCache argcache;      // Some headerfiles   #define IN_ROXEN
Roxen.git/server/base_server/roxen.pike:6444:   //! @b{have@} to use @[RequestID()->register_vary_callback()] (preferred),   //! or @[NOCACHE()] or @[NO_PROTO_CACHE()]. It's not necessary, however,   //! to do this for checks that use the authentication module API, since   //! then it's up to the user database and authentication modules to ensure   //! that nothing is overcached.   //!   //! @seealso   //! @[RequestID()->register_vary_callback()], @[NOCACHE()],   //! @[NO_PROTO_CACHE()], @[array_sscanf()]   array(array(string|int|array)) security_checks = ({ -  ({ "ip=%s:%s",2,({ -  lambda( string a, string b ){ -  int net = Roxen.ip_to_int( a ); -  int mask = Roxen.ip_to_int( b ); -  net &= mask; -  return ({ net, sprintf("%c",mask)[0] }); +  ({ "ip=%s", 1, ({ +  lambda(string x) { +  mapping(int:array(int)) ip_masks = ([]); +  array(string) globs = ({}); +  string ret; +  foreach(x/",", string ip_mask) { +  if (sscanf(ip_mask, "%s:%s", string ip, string mask) == 2) { +  int m = Roxen.ip_to_int(mask); +  if (m & 0x80000000) m -= 0x100000000; +  ip_masks[m] += ({ Roxen.ip_to_int(ip) }); +  } else if (sscanf(ip_mask, "%s/%d", string ip, int mask) == 2) { +  mask = -1 - (0xffffffff >> mask); +  ip_masks[mask] += ({ Roxen.ip_to_int(ip) }); +  } else { +  globs += ({ ip_mask }); +  } +  } +  if (sizeof(ip_masks)) { +  foreach(ip_masks; int mask; array(int) ip) { +  if (!mask) continue; +  if (ret) ret += " ||\n "; +  else ret = ""; +  if (sizeof(ip) == 1) { +  ret += +  sprintf("((remote_ip & ~0x%08x) == 0x%08x)", +  ~mask, ip[0] & mask); +  } else { +  ret += +  sprintf("(<%{0x%08x,%}>)[remote_ip & ~0x%08x]", +  map(ip, `&, mask), ~mask); +  } +  } +  } +  foreach(globs, string glob) { +  if (ret) ret += " ||\n "; +  else ret = ""; +  ret += sprintf("glob(%O, id->remoteaddr)", glob); +  } +  return ({ +  ret, +  });    }, -  " if ((Roxen.ip_to_int(id->remoteaddr) & %[1]d) == %[0]d)", -  }), "ip" }), -  ({ "ip=%s/%d",2,({ -  lambda( string a, int b ){ -  int net = 
Roxen.ip_to_int( a ); -  int mask = ((~0<<(32-b))&0xffffffff); -  net &= mask; -  return ({ net, sprintf("%c",mask)[0] }); -  }, -  " if ((Roxen.ip_to_int(id->remoteaddr) & %[1]d) == %[0]d) ", + #if defined(SECURITY_PATTERN_DEBUG) || defined(HTACCESS_DEBUG) +  " report_debug(sprintf(\"Verifying against IP %%O (0x%%08x).\\n\",\n" +  " id->remoteaddr, remote_ip));\n" + #endif /* SECURITY_PATTERN_DEBUG || HTACCESS_DEBUG */ +  " if (%s)", +  (< " int remote_ip = Roxen.ip_to_int(id->remoteaddr)" >),    }), "ip", }), -  ({ "ip=%s",1,({ -  " if (sizeof(filter(%[0]O/\",\",\n" -  " lambda(string q){\n" -  " return glob(q,id->remoteaddr);\n" -  " })))", -  }), "ip", }), +     ({ "user=%s",1,({ 1,    lambda( string x ) {    return ({sprintf("(< %{%O, %}>)", x/"," )});    },       " if (((user || (user = authmethod->authenticate(id, userdb_module)))\n"    " && ((%[0]s->any) || (%[0]s[user->name()]))) || %[0]s->ANY) ",    (<" User user" >),    // No need to NOCACHE () here, since it's up to the    // auth-modules to do that.
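Review bot: In the new `ip=%s` lambda, `if (!mask) continue;` silently drops any `ip:mask` entry whose mask parses to zero, and if that was the only entry `ret` is still unset when it is substituted into `" if (%s)"`. The removed `ip=%s:%s` rule matched every address for a zero mask (`(remote & 0) == 0`), so a `deny` line written that way would now stop denying, which fails open. If match-all is the intended meaning, keep it explicit with `if (!mask) { ret = (ret ? ret + " ||\n " : "") + "1"; continue; }` and finish with `return ({ ret || "0" });` so an empty result compiles to a test that never matches. The values returned by `Roxen.ip_to_int()` are also used unchecked, so a malformed address or mask flows straight into the generated code; rejecting such entries at parse time looks safer, though the helper's behaviour is not visible here. The `security_checks` array continues outside this hunk.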
Roxen.git/server/base_server/roxen.pike:6594:   //!   //! 'deny' always implies a return, no futher testing is done if a   //! 'deny' match.   {    // Now, this cache is not really all that performance critical, I    // mostly coded it as a proof-of-concept, and because it was more    // fun that trying to find the bug in the image-cache at the moment.       string kmd5 = md5( pattern );    + #if !defined(HTACCESS_DEBUG) && !defined(SECURITY_PATTERN_DEBUG)    array tmp =    dbm_cached_get( "local" )    ->query("SELECT full,enc FROM compiled_formats WHERE md5=%s", kmd5 );       if( sizeof(tmp) && (tmp[0]->full == pattern) )    {    mixed err = catch {    return decode_value( tmp[0]->enc, master()->Decoder() )()->f;    };   // #ifdef DEBUG    report_error("Decoding of dumped log format failed:\n%s",    describe_backtrace(err));   // #endif    } -  + #endif /* !defined(HTACCESS_DEBUG) && !defined(SECURITY_PATTERN_DEBUG) */       -  +     string code = "";    array variables = ({ " object userdb_module",    " object authmethod = id->conf",    " string realm = \"User\"",    " mapping(string:int|mapping) state = ([])",    " id->register_vary_callback(0, vary_cb)",    });       // Some state variables for optimizing.    int all_shorted = 1; // All allow patterns have return.
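Review bot: The `compiled_formats` lookup is keyed only on `md5( pattern )`, so rows compiled by the previous `ip=` generator will still be decoded and returned after this commit; the added `#if` bypasses them only in debug builds. Unless the table is flushed on upgrade somewhere outside this view, access-control patterns cached earlier keep running the old generated code. Consider folding a generator version into the key, for example `string kmd5 = md5( cvs_version + pattern );`. A comment on the guard would also help, such as `// Bypass the compiled-pattern cache so debug builds always regenerate and log the code.` The enclosing function starts before this hunk and continues after it.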
Roxen.git/server/base_server/roxen.pike:6912: Inside #if defined(SECURITY_PATTERN_DEBUG) || defined(HTACCESS_DEBUG)
  #if defined(SECURITY_PATTERN_DEBUG) || defined(HTACCESS_DEBUG)    report_debug(sprintf("Compiling security pattern:\n"    "%{ %s\n%}\n"    "Code:\n"    "%{ %s\n%}\n",    pattern/"\n",    code/"\n"));   #endif /* SECURITY_PATTERN_DEBUG || HTACCESS_DEBUG */    mixed res = compile_string( code );    + #if !defined(HTACCESS_DEBUG) && !defined(SECURITY_PATTERN_DEBUG)    dbm_cached_get( "local" )    ->query("REPLACE INTO compiled_formats (md5,full,enc) VALUES (%s,%s,%s)",    kmd5,pattern,encode_value( res, master()->Encoder (res) ) ); -  + #endif /* !defined(HTACCESS_DEBUG) && !defined(SECURITY_PATTERN_DEBUG) */ +     return compile_string(code)()->f;   }         protected string cached_hostname = gethostname();      class LogFile(string fname, string|void compressor_program)   {    private Thread.Mutex lock = Thread.Mutex();    private Stdio.File fd;
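Review bot: With the `REPLACE INTO` now compiled out in debug builds, `mixed res = compile_string( code );` is computed and never used there, and `return compile_string(code)()->f;` compiles the same source a second time in every build. Returning the program already built, `return res()->f;`, avoids the double compile and ensures the cached and returned checks come from the same compilation. The function begins outside this hunk.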