From 3bd49b24561ce3c7be916ab0abbc78288721ddc4 Mon Sep 17 00:00:00 2001 From: Laslo Hunhold Date: Mon, 17 Aug 2020 10:33:55 +0200 Subject: [PATCH] Implement RFC 8615 (Well-Known URIs) and refine access errors We generally rejected any URI that had a path component beginning with a '.', i.e. a hidden file. RFC 8615 specifies the well-known URI, which is used, for instance, with the "http-01" challenge type in acme-client(1) and will probably see more usage in the future. To support it, we move the hidden target check after the stat(), so we don't have to worry about canonicalization of dir-URIs (i.e. missing trailing '/'). This changes the behaviour a bit, as now quark won't only send out a 403 whenever a hidden target is requested, but only if it actually exists, and a 404 otherwise. Given the earlier call to normabspath() ensures that our path begins with a '/', we don't need the first check "realtarget[0] == '.'" anymore, so it can be removed. Thanks to Robert Russell for reporting the lack of support of the RFC 8615 in quark. Signed-off-by: Laslo Hunhold --- http.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/http.c b/http.c index 49b30dc..6bf4264 100644 --- a/http.c +++ b/http.c @@ -600,11 +600,6 @@ http_send_response(int fd, const struct request *req) return http_send_status(fd, S_BAD_REQUEST); } - /* reject hidden target */ - if (realtarget[0] == '.' || strstr(realtarget, "/.")) { - return http_send_status(fd, S_FORBIDDEN); - } - /* stat the target */ if (stat(RELPATH(realtarget), &st) < 0) { return http_send_status(fd, (errno == EACCES) ? @@ -623,6 +618,15 @@ http_send_response(int fd, const struct request *req) } } + /* + * reject hidden target, except if it is a well-known URI + * according to RFC 8615 + */ + if (strstr(realtarget, "/.") && strncmp(realtarget, + "/.well-known/", sizeof("/.well-known/") - 1)) { + return http_send_status(fd, S_FORBIDDEN); + } + /* redirect if targets differ, host is non-canonical or we prefixed */ if (strcmp(req->target, realtarget) || (s.vhost && vhostmatch && strcmp(req->field[REQ_HOST], vhostmatch))) {