From d32c2d6fd9d6970ad2cde1b29fefff445dc98fb1 Mon Sep 17 00:00:00 2001 From: Brett Bryant Date: Fri, 23 May 2008 21:19:42 +0000 Subject: [PATCH] Add new functionality to http server that requires manager authentication for any path that includes a directory named 'private'. This patch also requires manager authentication for any POST's being sent to the server as well to help secure uploads. git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@118161 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- include/asterisk/manager.h | 3 +++ main/http.c | 24 ++++++++++++++++++++++-- main/manager.c | 21 ++++++++++++++++++--- 3 files changed, 43 insertions(+), 5 deletions(-) diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h index e654b7a582..ecc0478293 100644 --- a/include/asterisk/manager.h +++ b/include/asterisk/manager.h @@ -203,6 +203,9 @@ void astman_send_listack(struct mansession *s, const struct message *m, char *ms void __attribute__ ((format (printf, 2, 3))) astman_append(struct mansession *s, const char *fmt, ...); +/*! \brief Determinie if a manager session ident is authenticated */ +int astman_is_authed(uint32_t ident); + /*! \brief Called by Asterisk initialization */ int init_manager(void); diff --git a/main/http.c b/main/http.c index 5ab4d27ca0..405f65d9d9 100644 --- a/main/http.c +++ b/main/http.c @@ -131,6 +131,18 @@ static const char *ftype2mtype(const char *ftype, char *wkspace, int wkspacelen) return wkspace; } +static uint32_t manid_from_vars(struct ast_variable *sid) { + uint32_t mngid; + + while (sid && strcmp(sid->name, "mansession_id")) + sid = sid->next; + + if (!sid || sscanf(sid->value, "%x", &mngid) != 1) + return 0; + + return mngid; +} + static struct ast_str *static_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *vars, struct ast_variable *headers, int *status, char **title, int *contentlength) { char *path; @@ -178,12 +190,16 @@ static struct ast_str *static_callback(struct ast_tcptls_session_instance *ser, if (S_ISDIR(st.st_mode)) { goto out404; - } + } if ((fd = open(path, O_RDONLY)) < 0) { goto out403; } + if (strstr(path, "/private/") && !astman_is_authed(manid_from_vars(vars))) { + goto out403; + } + ast_strftime(buf, sizeof(buf), "%a, %d %b %Y %H:%M:%S %Z", ast_localtime(&tv, &tm, "GMT")); fprintf(ser->f, "HTTP/1.1 200 OK\r\n" "Server: Asterisk/%s\r\n" @@ -514,7 +530,11 @@ static struct ast_str *handle_uri(struct ast_tcptls_session_instance *ser, char } } - if (urih) { + if (method == AST_HTTP_POST && !astman_is_authed(manid_from_vars(vars))) { + out = ast_http_error((*status = 403), + (*title = ast_strdup("Access Denied")), + NULL, "Sorry, I cannot let you do that, Dave."); + } else if (urih) { *static_content = urih->static_content; out = urih->callback(ser, urih, uri, method, vars, headers, status, title, contentlength); AST_RWLIST_UNLOCK(&uris); diff --git a/main/manager.c b/main/manager.c index e0d9f1d022..c922973987 100644 --- a/main/manager.c +++ b/main/manager.c @@ -3292,7 +3292,7 @@ static char *contenttype[] = { * the value of the mansession_id cookie (0 is not valid and means * a session on the AMI socket). */ -static struct mansession *find_session(uint32_t ident) +static struct mansession *find_session(uint32_t ident, int incinuse) { struct mansession *s; @@ -3303,7 +3303,7 @@ static struct mansession *find_session(uint32_t ident) AST_LIST_TRAVERSE(&sessions, s, list) { ast_mutex_lock(&s->__lock); if (s->managerid == ident && !s->needdestroy) { - ast_atomic_fetchadd_int(&s->inuse, 1); + ast_atomic_fetchadd_int(&s->inuse, incinuse ? 1 : 0); break; } ast_mutex_unlock(&s->__lock); @@ -3313,6 +3313,21 @@ static struct mansession *find_session(uint32_t ident) return s; } +int astman_is_authed(uint32_t ident) +{ + int authed; + struct mansession *s; + + if (!(s = find_session(ident, 0))) + return 0; + + authed = (s->authenticated != 0); + + ast_mutex_unlock(&s->__lock); + + return authed; +} + int astman_verify_session_readpermissions(uint32_t ident, int perm) { int result = 0; @@ -3603,7 +3618,7 @@ static struct ast_str *generic_http_callback(enum output_format format, } } - if (!(s = find_session(ident))) { + if (!(s = find_session(ident, 1))) { /* Create new session. * While it is not in the list we don't need any locking */