MyFavMirrors/owntone-server
1
0
Fork 0
mirror of https://github.com/owntone/owntone-server.git synced 2025-07-17 20:52:46 -04:00
Code Issues Packages Projects Releases Wiki Activity

[httpd/conf] Fix serving files from WEB_ROOT folder and enforce setting

Browse Source 
the admin password

Changes the default for the admin password to be unset, by default only
allowing access to the WEB_ROOT files if accessed from localhost.
This commit is contained in:
chme 2017-08-12 19:37:07 +02:00
parent 9b84150f6e
commit 1d49413070
2 changed files with 26 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
forked-daapd.conf.in
View File

@ -21,8 +21,9 @@ general {
logfile = "@localstatedir@/log/@PACKAGE@.log" logfile = "@localstatedir@/log/@PACKAGE@.log"
loglevel = log loglevel = log
# Admin password for the non-existent web interface # Admin password for the web interface
admin_password = "unused" # If not set (default), access to the web interface is only permitted from localhost
# admin_password = ""
# Enable/disable IPv6 # Enable/disable IPv6
ipv6 = yes ipv6 = yes

34
src/httpd.c
View File

@ -86,9 +86,9 @@
* + Does not encode space as + in query string * + Does not encode space as + in query string
*/ */
#define WEB_ROOT DATADIR "/htdocs"
#define STREAM_CHUNK_SIZE (64 * 1024) #define STREAM_CHUNK_SIZE (64 * 1024)
#define WEBFACE_ROOT DATADIR "/webface/"
#define ERR_PAGE "<html>\n<head>\n" \ #define ERR_PAGE "<html>\n<head>\n" \
"<title>%d %s</title>\n" \ "<title>%d %s</title>\n" \
"</head>\n<body>\n" \ "</head>\n<body>\n" \
@ -901,7 +901,7 @@ httpd_send_error(struct evhttp_request* req, int error, const char* reason)
static int static int
path_is_legal(char *path) path_is_legal(char *path)
{ {
return strncmp(WEBFACE_ROOT, path, strlen(WEBFACE_ROOT)); return strncmp(WEB_ROOT, path, strlen(WEB_ROOT));
} }
/* Thread: httpd */ /* Thread: httpd */
@ -945,6 +945,7 @@ serve_file(struct evhttp_request *req, char *uri)
struct stat sb; struct stat sb;
int fd; int fd;
int i; int i;
uint8_t buf[4096];
int ret; int ret;
/* Check authentication */ /* Check authentication */
@ -978,7 +979,7 @@ serve_file(struct evhttp_request *req, char *uri)
return; return;
} }
ret = snprintf(path, sizeof(path), "%s%s", WEBFACE_ROOT, uri + 1); /* skip starting '/' */ ret = snprintf(path, sizeof(path), "%s%s", WEB_ROOT, uri);
if ((ret < 0) || (ret >= sizeof(path))) if ((ret < 0) || (ret >= sizeof(path)))
{ {
DPRINTF(E_LOG, L_HTTPD, "Request exceeds PATH_MAX: %s\n", uri); DPRINTF(E_LOG, L_HTTPD, "Request exceeds PATH_MAX: %s\n", uri);
@ -1069,20 +1070,24 @@ serve_file(struct evhttp_request *req, char *uri)
DPRINTF(E_LOG, L_HTTPD, "Could not open %s: %s\n", path, strerror(errno)); DPRINTF(E_LOG, L_HTTPD, "Could not open %s: %s\n", path, strerror(errno));
httpd_send_error(req, HTTP_NOTFOUND, "Not Found"); httpd_send_error(req, HTTP_NOTFOUND, "Not Found");
evbuffer_free(evbuf);
return; return;
} }
/* FIXME: this is broken, if we ever need to serve files here, ret = evbuffer_expand(evbuf, sb.st_size);
* this must be fixed. if (ret < 0)
*/ {
ret = evbuffer_read(evbuf, fd, sb.st_size); DPRINTF(E_LOG, L_HTTPD, "Out of memory for htdocs-file\n");
close(fd); goto out_fail;
}
while ((ret = read(fd, buf, sizeof(buf))) > 0)
evbuffer_add(evbuf, buf, ret);
if (ret < 0) if (ret < 0)
{ {
DPRINTF(E_LOG, L_HTTPD, "Could not read file into evbuffer\n"); DPRINTF(E_LOG, L_HTTPD, "Could not read file into evbuffer\n");
goto out_fail;
httpd_send_error(req, HTTP_SERVUNAVAIL, "Internal error");
return;
} }
ctype = "application/octet-stream"; ctype = "application/octet-stream";
@ -1105,6 +1110,13 @@ serve_file(struct evhttp_request *req, char *uri)
httpd_send_reply(req, HTTP_OK, "OK", evbuf, HTTPD_SEND_NO_GZIP); httpd_send_reply(req, HTTP_OK, "OK", evbuf, HTTPD_SEND_NO_GZIP);
evbuffer_free(evbuf); evbuffer_free(evbuf);
close(fd);
return;
out_fail:
httpd_send_error(req, HTTP_SERVUNAVAIL, "Internal error");
evbuffer_free(evbuf);
close(fd);
} }
/* Thread: httpd */ /* Thread: httpd */