Dariaceli's Git
Browse code

only send html pages with valid session (except for those in the whitelist)

Dario Rodriguez authored on 26/06/2014 13:41:55
Showing 1 changed files
src/kakumei.c
History View file @ bd31e84
... ... 
@@ -135,6 +135,18 @@ callback_http(wk *web, int connid, wk_uri *uri, void *userptr)
135 135 
         resindex *res;
136 136 
         char partialpath[1024];
137 137 
         char *ptr;
138 
+        struct {
139 
+                char *name;
140 
+        } whitelist[]={{"/index.html"},
141 
+                       {"/newuser.html"}
142 
+                      };
143 
+        int len;
144 
+        int ishtml;
145 
+        int whitelisted;
146 
+        int validsession;
147 
+        char session[SESSIONSIZE];
148 
+        char user[MAXUSERSIZE+1];
149 
+        int i;
138 150 
         if(ka==NULL)
139 151 
                 return(wkact_finished);
140 152 
         /* log without passwords */
... ... 
@@ -144,17 +156,45 @@ callback_http(wk *web, int connid, wk_uri *uri, void *userptr)
144 156 
                 log_write("HTTP","Request: /newuser?...");
145 157 
         else
146 158 
                 log_write("HTTP","Request: %s",uri->path);
147 
-        /* check for an in-memory file */
159 
+
160 
+        /* extract the name */
148 161 
         strncpy(partialpath,uri->path,sizeof(partialpath)-1);
149 162 
         partialpath[sizeof(partialpath)-1]='\0';
163 
+        if(strcmp(uri->path,"/")==0)
164 
+                strcpy(partialpath,"/index.html");
150 165 
         if((ptr=strchr(partialpath,'?'))!=NULL)
151 166 
                 *ptr='\0';
152 
-#warning TODO check if the page is a "protected" one and, in that case, check for correct session id
153 
-        if((strcmp(uri->path,"/")==0 && (res=res_find(resindexdata,"index.html"))!=NULL) ||
154 
-          (partialpath[0]=='/' && (res=res_find(resindexdata,partialpath+1))!=NULL)) {
155 
-                log_write("HTTP","Serving in-memory file %s",partialpath+1);
156 
-                wk_serve_buffer_as_file(web,connid,res->data,res->len,mime_getdefault(res->name,"application/octet-stream"));
157 
-                return(wkact_finished);
167 
+        /* check whitelist */
168 
+        len=strlen(partialpath);
169 
+        ishtml=(len>5 && strcmp(partialpath+len-5,".html")==0)?1:0;
170 
+        if(ishtml) {
171 
+                for(whitelisted=0,i=0;i<(sizeof(whitelist)/sizeof(whitelist[0]));i++) {
172 
+                        if(strcmp(partialpath,whitelist[i].name)==0) {
173 
+                                whitelisted=1;
174 
+                                break;
175 
+                        }
176 
+                }
177 
+        } else
178 
+                whitelisted=1;
179 
+        if(wk_uri_copyvar(uri,"s",session,sizeof(session))==NULL)
180 
+                session[0]='\0';
181 
+        user[0]='\0';
182 
+        validsession=(session_check(ka,session,user,sizeof(user))!=NULL)?1:0;
183 
+        /* serve the page */
184 
+        if(partialpath[0]=='/' && (res=res_find(resindexdata,partialpath+1))!=NULL) {
185 
+                if(whitelisted || validsession) {
186 
+                        log_write("HTTP","Serving in-memory file %s",partialpath+1);
187 
+                        wk_serve_buffer_as_file(web,connid,res->data,res->len,mime_getdefault(res->name,"application/octet-stream"));
188 
+                        return(wkact_finished);
189 
+                } else if((res=res_find(resindexdata,"index.html"))!=NULL) {
190 
+                        log_write("HTTP","Not allowed page, redirecting to login");
191 
+                        wk_serve_buffer_as_file(web,connid,res->data,res->len,mime_getdefault(res->name,"application/octet-stream"));
192 
+                        return(wkact_finished);
193 
+                } else {
194 
+                        log_write("EINT","%s:%i",__FILE__,__LINE__);
195 
+                        wk_serve_error(web,connid,wkerr_internal);
196 
+                        return(wkact_finished); /* internal error */
197 
+                }
158 198 
         }
159 199 
         /* check for actions */
160 200 
         if(memcmp(uri->path,"/login?",7)==0) {
... ... 
@@ -195,6 +235,7 @@ http_login(wk *web, int connid, wk_uri *uri, void *userptr)
195 235 
         kakumei *ka=(kakumei *)userptr;
196 236 
         if(web==NULL || connid<0 || uri==NULL || ka==NULL) {
197 237 
                 log_write("EINT","%s:%i",__FILE__,__LINE__);
238 
+                wk_serve_error(web,connid,wkerr_internal);
198 239 
                 return(wkact_finished); /* internal error */
199 240 
         }
200 241 
         if(wk_uri_copyvar(uri,"u",u,sizeof(u))==NULL)
... ... 
@@ -233,6 +274,7 @@ http_newuser(wk *web, int connid, wk_uri *uri, void *userptr)
233 274 
         kakumei *ka=(kakumei *)userptr;
234 275 
         if(web==NULL || connid<0 || uri==NULL || ka==NULL) {
235 276 
                 log_write("EINT","%s:%i",__FILE__,__LINE__);
277 
+
236 278 
                 return(wkact_finished); /* internal error */
237 279 
         }
238 280 
         /* get vars */