[hackers] [quark] Implement RFC 8615 (Well-Known URIs) and refine access errors || Laslo Hunhold

From: <git_AT_suckless.org>
Date: Mon, 17 Aug 2020 10:40:22 +0200 (CEST)

commit 3bd49b24561ce3c7be916ab0abbc78288721ddc4
Author: Laslo Hunhold <dev_AT_frign.de>
AuthorDate: Mon Aug 17 10:33:55 2020 +0200
Commit: Laslo Hunhold <dev_AT_frign.de>
CommitDate: Mon Aug 17 10:39:54 2020 +0200

    Implement RFC 8615 (Well-Known URIs) and refine access errors
    
    We generally rejected any URI that had a path component beginning
    with a '.', i.e. a hidden file. RFC 8615 specifies the well-known URI,
    which is used, for instance, with the "http-01" challenge type in
    acme-client(1) and will probably see more usage in the future.
    
    To support it, we move the hidden target check after the stat(), so we
    don't have to worry about canonicalization of dir-URIs (i.e. missing
    trailing '/'). This changes the behaviour a bit, as now quark won't
    only send out a 403 whenever a hidden target is requested, but only
    if it actually exists, and a 404 otherwise.
    
    Given the earlier call to normabspath() ensures that our path begins
    with a '/', we don't need the first check "realtarget[0] == '.'"
    anymore, so it can be removed.
    
    Thanks to Robert Russell <robertrussell.72001_AT_gmail.com> for reporting
    the lack of support of the RFC 8615 in quark.
    
    Signed-off-by: Laslo Hunhold <dev_AT_frign.de>

diff --git a/http.c b/http.c
index 49b30dc..6bf4264 100644
--- a/http.c
+++ b/http.c
_AT_@ -600,11 +600,6 @@ http_send_response(int fd, const struct request *req)
                 return http_send_status(fd, S_BAD_REQUEST);
         }
 
- /* reject hidden target */
- if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
- return http_send_status(fd, S_FORBIDDEN);
- }
-
         /* stat the target */
         if (stat(RELPATH(realtarget), &st) < 0) {
                 return http_send_status(fd, (errno == EACCES) ?
_AT_@ -623,6 +618,15 @@ http_send_response(int fd, const struct request *req)
                 }
         }
 
+ /*
+ * reject hidden target, except if it is a well-known URI
+ * according to RFC 8615
+ */
+ if (strstr(realtarget, "/.") && strncmp(realtarget,
+ "/.well-known/", sizeof("/.well-known/") - 1)) {
+ return http_send_status(fd, S_FORBIDDEN);
+ }
+
         /* redirect if targets differ, host is non-canonical or we prefixed */
         if (strcmp(req->target, realtarget) || (s.vhost && vhostmatch &&
             strcmp(req->field[REQ_HOST], vhostmatch))) {
Received on Mon Aug 17 2020 - 10:40:22 CEST