quark

quark web server
git clone git://git.suckless.org/quark
Log | Files | Refs | LICENSE
commit 3bd49b24561ce3c7be916ab0abbc78288721ddc4
parent 660699492fb2275335d24fb26ec3c6529f623af0
Author: Laslo Hunhold <dev@frign.de>
Date:   Mon, 17 Aug 2020 10:33:55 +0200

Implement RFC 8615 (Well-Known URIs) and refine access errors

We generally rejected any URI that had a path component beginning
with a '.', i.e. a hidden file. RFC 8615 specifies the well-known URI,
which is used, for instance, with the "http-01" challenge type in
acme-client(1) and will probably see more usage in the future.

To support it, we move the hidden target check after the stat(), so we
don't have to worry about canonicalization of dir-URIs (i.e. missing
trailing '/'). This changes the behaviour a bit, as now quark won't
only send out a 403 whenever a hidden target is requested, but only
if it actually exists, and a 404 otherwise.

Given the earlier call to normabspath() ensures that our path begins
with a '/', we don't need the first check "realtarget[0] == '.'"
anymore, so it can be removed.

Thanks to Robert Russell <robertrussell.72001@gmail.com> for reporting
the lack of support of the RFC 8615 in quark.

Signed-off-by: Laslo Hunhold <dev@frign.de>

Diffstat:

Mhttp.c | 14+++++++++-----


1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/http.c b/http.c
@@ -600,11 +600,6 @@ http_send_response(int fd, const struct request *req)
 		return http_send_status(fd, S_BAD_REQUEST);
 	}
 
-	/* reject hidden target */
-	if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
-		return http_send_status(fd, S_FORBIDDEN);
-	}
-
 	/* stat the target */
 	if (stat(RELPATH(realtarget), &st) < 0) {
 		return http_send_status(fd, (errno == EACCES) ?
@@ -623,6 +618,15 @@ http_send_response(int fd, const struct request *req)
 		}
 	}
 
+	/*
+	 * reject hidden target, except if it is a well-known URI
+	 * according to RFC 8615
+	 */
+	if (strstr(realtarget, "/.") && strncmp(realtarget,
+	    "/.well-known/", sizeof("/.well-known/") - 1)) {
+		return http_send_status(fd, S_FORBIDDEN);
+	}
+
 	/* redirect if targets differ, host is non-canonical or we prefixed */
 	if (strcmp(req->target, realtarget) || (s.vhost && vhostmatch &&
 	    strcmp(req->field[REQ_HOST], vhostmatch))) {