1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

381 commits

Author SHA1 Message Date
Andy Green
ce1f395ead context: add info members to drop privileges using user and group name strings
Up until now if you wanted to drop privs, a numeric uid and gid had to be
given in info to control post-init permissions... this adds info.username
and info.groupname where you can do the same using user and group names.

The internal plat helper lws_plat_drop_app_privileges() is updated to directly use
context instead of info both ways it can be called, and to be able to return fatal
errors.

All failures to lookup non-0 or -1 uid or gid names from uid, or to look up
uid or gid from username or groupnames given, get an err message and fatal exit.
2019-03-26 14:54:49 +08:00
Andy Green
ff71e3cc0d close: after DROP_PROTOCOL no longer report traffic to callback
x
2019-03-23 08:02:53 +08:00
Andy Green
5c3a2be00d http proxy: proxy Authorization header
Sai notifications are signed using Authorization: and "sai" auth type.

After the auth type, the format is, eg, "sha256=<hash>" .
2019-03-22 18:52:08 +08:00
Andy Green
588cf0b8db lws_spa: add CLOSE callback
This should ease the situation where there was creation done in the
callback for LWS_UFS_OPEN
2019-03-22 16:55:51 +08:00
Andy Green
da3d8cb593 http proxy: support POST 2019-03-22 11:25:22 +08:00
Andy Green
f7860b6ac6 spa: allow instantiation with no parse array
If you just want a "file" in multipart, don't care about the length or
anything else, then you don't need any params tables and associated
allocations.
2019-03-22 11:23:06 +08:00
Andy Green
d1d313b4bf ws proxy: also proxy h1 ws to h1 and h2
lws has been able to proxy h2 or h1 inbound connections to an
h1 onward connection for a while now.  It's simple to use just
build with LWS_WITH_HTTP_PROXY and make a mount where the origin
is the onward connection details.  Unix sockets can also be
used as the onward connection.

This patch extends the support to be able to also do the same for
inbound h2 or h1 ws upgrades to an h1 ws onward connection as well.

This allows you to offer completely different services in a
common URL space, including ones that connect back by ws / wss.
2019-03-21 10:26:47 +08:00
Andy Green
462847bb6f lws_dll: remove lws_dll_lws and deprecate lws_dll_remove 2019-03-21 06:19:31 +08:00
Andy Green
4c3146c27c glibc: if malloc_trim() exists, call it periodically 2019-03-16 08:10:47 +08:00
Andy Green
119aa5c0ad lws_dir: wrap dir scanning backend and convert lejp-conf
We use POSIX dir scanning apis normally, but for windows, we require libuv
to do it for us.

Formalize that into a wrapper lws_dir() that hides the backend code.

Make it configurable, ON by default and forced on with lejp-conf that
depends on it.
2019-03-14 20:06:25 +08:00
Andy Green
6a88483f02 lejp: integrate error strings and api to core lejp
lejp-conf isn't the only user that needs to generate human-readable
JSON parsing error stacks.

Build it in with lejp and introduce an error code -> string api
2019-03-12 11:57:43 +08:00
Andy Green
0079099f10 vhost: add pprotocols to vhost info
info.protocols works okay, but it has an annoying problem... you have to know
the type for each protocol's pss at the top level of the code, so you can set
the struct lws_protocols user_data size for it.

Lws already rewrites the protocol tables for a vhost in the case of runtime
protocol plugins... this adapts that already-existing code slightly to give
a new optional way to declare the protocol array.

Everything works as before by default, but now info.protocols may be NULL and
info.pprotocols defined instead (if that's also NULL, as it will be if you
just ignore it after memsetting to 0, then it continues to fall back to the
dummy protocol handler as before).

info.pprotocols is a NULL-termined array of pointers to lws_protocol
structs.  This can be composed at the top level of your code without knowing
anything except the name of the externally-defined lws_protocol struct(s).

The minimal example http-server-dynamic is changed to use the new scheme as
an example.
2019-03-10 08:02:02 +08:00
Andy Green
09fe212432 bzero: replace all with memset
lws_explicit_bzero() is available if the goal is to have volatile zeroing.
2019-03-10 08:02:02 +08:00
Andy Green
b31ab02786 ipv6: force ipv4 if iface bind uses ipv4 address 2019-03-10 08:02:02 +08:00
Andy Green
986bb37c88 ah: custom headers for h1
Until now lws only parses headers it knows at build-time from its
prebuilt lexical analyzer.

This adds an on-by-default cmake option and a couple of apis
to also store and query "custom", ie, unknown-to-lws headers.

A minimal example is also provided.

At the moment it only works on h1, h2 support needs improvements
to the hpack implementation.

Since it bloats ah memory usage compared to without it if custom
headers are present, the related code and ah footprint can be
disabled with the cmake option LWS_WITH_CUSTOM_HEADERS, but it's
on by default normally.  ESP32 platform disables it.

https://github.com/warmcat/libwebsockets/pull/1499
2019-03-10 08:02:02 +08:00
Andy Green
3a31c47fcd ws: setting default protocol index to an illegal index disables default ws binding
On lwsws, incoming ws connections to the default vhost
are not rejected by the dummy protocol handler and not
really serviced either, leading to bots connecting to it to
get immortal, idle ws connections with no timeout (since it's an
established ws connection).

Rejecting these connections by default by adding a handler
for ESTABLISHED in the dummy handler will solve it nicely,
but it will break an unknown number of dumb. protocol-less
user implementations that rely on this behaviour by using
break; from their own ESTABLISHED handler and calling
through to the currently NOP dummy handler one.

Add support to assertively disable the default protocol
index used for subprotocol-less ws connections instead.
2019-03-10 08:02:02 +08:00
Andy Green
572ffb4a7c http: log ws upgrades 2019-03-10 08:02:02 +08:00
JoonCheol Park
281d2a7fc2 socks5: fix remain dst buffer length when calls lws_strncpy 2019-03-10 08:02:02 +08:00
fanc
32cb5e1466 client: confirm sin_zero actual size for platform
in some platform, the size of sa46.sa4.sin_zero is not 8, but 6, so use 8 will cause coredump.
2019-03-10 08:02:02 +08:00
Andy Green
0b3c32c086 sse: drop the ah when the sse connection starts 2019-01-30 14:38:11 +08:00
Andy Green
043700a4b0 optee: remove build system 2019-01-15 06:59:48 +08:00
Andy Green
84a57540ab LWS_WITH_NETWORK: cmake option for no network code 2019-01-13 07:54:57 +08:00
Andy Green
9b5e45d383 client: typo in client-handshake 2019-01-13 07:54:57 +08:00
pblemel
39e19c85f1 qnx: qnx6.5 compatibility 2019-01-11 17:14:14 +08:00
Andy Green
c8987a14bc adaptations 2019-01-11 13:13:19 +08:00
Andy Green
eda102e397 jwe 2018-12-27 06:45:32 +08:00
Andy Green
08b5ad9299 role: raw-proxy 2018-12-01 11:05:59 +08:00
Andy Green
43cf8bb391 wsi: opaque_user_data and accessors
Under some circumstances it's useful to tag a wsi with user
data, while still having an lws-allocated and destroyed pss.
2018-12-01 11:05:59 +08:00
Andy Green
b318877cd9 adopt: allow associated accepted vhost connections to specific role
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.

By default everything is as before.

However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.

The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.

A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
2018-12-01 11:05:59 +08:00
Andy Green
531ad7ee2b minimal example deaddrop 2018-12-01 11:05:59 +08:00
Andy Green
a74a966fbf ws: support basic auth
Until now basic auth only protected http actions in the protected
mount.

This extends the existing basic auth scheme to also be consulted for
ws upgrades if a "basic-auth" pvo exists on the selected protocol for
the vhost.  The value of the pvo is the usual basic auth credentials
file same as for the http case.
2018-11-28 15:06:10 +08:00
Andy Green
9bed6d6fc6 clean: general whitespace cleanup 2018-11-23 08:47:56 +08:00
Andy Green
cdd8ad702c bind: treat EADDRINUSE as fatal
The retry stuff for bind failures is actually aimed at the scenarios the interface
either doesn't exist yet, or is not configured enough (having an IP) to be bindable yet.

This patch treats EADDRINUSE as fatal at vhost init.
2018-11-22 17:58:30 +08:00
Andy Green
c027c3db28 docs: cleanups 2018-11-21 17:03:29 +08:00
Andy Green
d9f982a055 minimal examples: update for CSP best practices
1) update the logos to svg

2) add svg icon for strict security policy where used

3) define new vhost option flag to enforce sending CSP headers
   with the result code

4) add vhost option flag to minimal examples to
   enforce sending CSP where applicable

5) Go through all the affecting examples confirming they
   still work

6) add LWS_RECOMMENDED_MIN_HEADER_SPACE constant (currently
   2048) to clarify when we need a buffer to hold headers...
   with CSP the headers have become potentially a lot
   larger.
2018-11-21 17:03:29 +08:00
Andy Green
3eb329bb32 reverse proxy: correct scan length so NUL goes in right place 2018-11-15 20:16:54 +08:00
Andy Green
b2b58b5b14 smp: lws_timed_callback_vh_protocol: request sets handler tsi and other fixes 2018-11-15 16:37:55 +08:00
Wei Zhang
8750582fc6 lws_hdr_total_length: match lws_hdr_copy actual length also for COOKIE 2018-11-15 16:37:53 +08:00
Andy Green
3fc4be005d hdr frag conacatenation already has separator for COOKIE 2018-11-14 06:42:35 +08:00
Andy Green
59837cdf06 coverity 192911/2: set NUL on access log after malloc fail check 2018-11-13 17:20:34 +08:00
Andy Green
f6ae0edf8d strict host check vhost flag
https://github.com/warmcat/libwebsockets/issues/1423

If you vhost->options has the flag LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK,
then if the server is sent an upgrade request, the content of the Host: header is
required to match the vhost name + port.  The port is set to the well-known values
of 80 and 443 if no :port on the host: value, depending on tls or not on the
connection.

minimal-ws-server can now take a -h flag to set this.  lejp-conf (eg, lwsws) can now take
a flag strict-host-check on the vhost to enable it as well.
2018-11-13 09:55:06 +08:00
Andy Green
aa4143aebd lws_diskcache: split generic parts from gitohashi into lws 2018-11-12 15:24:42 +08:00
Andy Green
47579b5306 gcc 8.2.0: ensure port always defined to something 2018-11-07 19:30:37 +08:00
Andy Green
79ea44704c server: check lws_hdr_copy return and cleanup 2018-11-07 17:02:09 +08:00
Andy Green
27ae132e7b http: add callback to allow upgrade reject
https://github.com/warmcat/libwebsockets/issues/1415
2018-10-31 13:45:00 +08:00
Andy Green
ba612c3df6 http: return 415 instead of hang up if no mimetype for fileserve
Change the err log for this to info, since it makes clear what the problem is now at the client.
2018-10-31 13:44:45 +08:00
Andy Green
93d4e186c2 openssl tls1.3: allow setting ciphersuites at context creation time
https://github.com/warmcat/libwebsockets/issues/1440
2018-10-27 08:05:21 +08:00
Andy Green
1f1314160a lws_hdr_copy: ensure enough extra space
Audit all lws_hdr_copy() usages inside lws and make sure we
take care about it failing.

Also since the patch around aggregation of headers by ',',
lws_hdr_copy() needs a little more space in the output buffer,
adjust one place where that caused it to start failing in an
exact-sized buffer.
2018-10-26 16:14:30 +08:00
Andy Green
20fb55934b client vhost OpenSSL set and clear options
https://github.com/warmcat/libwebsockets/issues/1438
2018-10-26 13:55:36 +08:00
Andy Green
d3bc2c3f4f fulltext search 2018-10-26 13:53:28 +08:00