[httpd/conf] Fix serving files from WEB_ROOT folder and enforce setting

the admin password Changes the default for the admin password to be unset, by default only allowing access to the WEB_ROOT files if accessed from localhost.
2017-08-12 19:37:07 +02:00 · 2017-08-12 19:37:07 +02:00 · 1d49413070
parent 9b84150f6e
commit 1d49413070
2 changed files with 26 additions and 13 deletions
--- a/forked-daapd.conf.in
+++ b/forked-daapd.conf.in
@ -21,8 +21,9 @@ general {
 	logfile = "@localstatedir@/log/@PACKAGE@.log"
 	loglevel = log

-	# Admin password for the non-existent web interface
-	admin_password = "unused"
+	# Admin password for the web interface
+	# If not set (default), access to the web interface is only permitted from localhost
+#	admin_password = ""

 	# Enable/disable IPv6
 	ipv6 = yes
--- a/src/httpd.c
+++ b/src/httpd.c
@ -86,9 +86,9 @@
 *   + Does not encode space as + in query string
 */

+#define WEB_ROOT DATADIR "/htdocs"

 #define STREAM_CHUNK_SIZE (64 * 1024)
-#define WEBFACE_ROOT   DATADIR "/webface/"
 #define ERR_PAGE "<html>\n<head>\n" \
  "<title>%d %s</title>\n" \
  "</head>\n<body>\n" \
@ -901,7 +901,7 @@ httpd_send_error(struct evhttp_request* req, int error, const char* reason)
 static int
 path_is_legal(char *path)
 {
-  return strncmp(WEBFACE_ROOT, path, strlen(WEBFACE_ROOT));
+  return strncmp(WEB_ROOT, path, strlen(WEB_ROOT));
 }

 /* Thread: httpd */
@ -945,6 +945,7 @@ serve_file(struct evhttp_request *req, char *uri)
  struct stat sb;
  int fd;
  int i;
+  uint8_t buf[4096];
  int ret;

  /* Check authentication */
@ -978,7 +979,7 @@ serve_file(struct evhttp_request *req, char *uri)
      return;
    }

-  ret = snprintf(path, sizeof(path), "%s%s", WEBFACE_ROOT, uri + 1); /* skip starting '/' */
+  ret = snprintf(path, sizeof(path), "%s%s", WEB_ROOT, uri);
  if ((ret < 0) || (ret >= sizeof(path)))
    {
      DPRINTF(E_LOG, L_HTTPD, "Request exceeds PATH_MAX: %s\n", uri);
@ -1069,20 +1070,24 @@ serve_file(struct evhttp_request *req, char *uri)
      DPRINTF(E_LOG, L_HTTPD, "Could not open %s: %s\n", path, strerror(errno));

      httpd_send_error(req, HTTP_NOTFOUND, "Not Found");
+      evbuffer_free(evbuf);
      return;
    }

-  /* FIXME: this is broken, if we ever need to serve files here,
-   * this must be fixed.
-   */
-  ret = evbuffer_read(evbuf, fd, sb.st_size);
-  close(fd);
+  ret = evbuffer_expand(evbuf, sb.st_size);
+  if (ret < 0)
+    {
+      DPRINTF(E_LOG, L_HTTPD, "Out of memory for htdocs-file\n");
+      goto out_fail;
+    }
+
+  while ((ret = read(fd, buf, sizeof(buf))) > 0)
+    evbuffer_add(evbuf, buf, ret);
+
  if (ret < 0)
    {
      DPRINTF(E_LOG, L_HTTPD, "Could not read file into evbuffer\n");
-
-      httpd_send_error(req, HTTP_SERVUNAVAIL, "Internal error");
-      return;
+      goto out_fail;
    }

  ctype = "application/octet-stream";
@ -1105,6 +1110,13 @@ serve_file(struct evhttp_request *req, char *uri)
  httpd_send_reply(req, HTTP_OK, "OK", evbuf, HTTPD_SEND_NO_GZIP);

  evbuffer_free(evbuf);
+  close(fd);
+  return;
+
+ out_fail:
+  httpd_send_error(req, HTTP_SERVUNAVAIL, "Internal error");
+  evbuffer_free(evbuf);
+  close(fd);
 }

 /* Thread: httpd */