cgi

cgi_access.c

Go to the documentation of this file.
00001 /******************************************************************************/
00002 /* cgi_access.c © Copyright 2005 by Raosoft Inc. All Rights Reserved.         */
00003 /*                                                                            */
00004 /* You may use and modify this file for your own use, but may not distribute  */
00005 /* it or derivative works without the prior written consent of Raosoft, Inc.  */
00006 /*                                                                            */
00007 /* If you choose to share your modifications with Raosoft, Inc. the company   */
00008 /* will attempt to incorporate them into future versions of this file.        */
00009 /*                                                                            */
00010 /* This software is provided "as is," and Raosoft makes no warranty, express  */
00011 /* or implied, of fitness for a particular application. Every measure has been*/
00012 /* taken to anticipate risks inherent to computer networks, but we cannot     */
00013 /* guarantee safety or reliability of this program in every situation.        */
00014 /*                                                                            */
00015 /******************************************************************************/
00016 
00017 #include "cgi.h"
00018 extern int CGILogLevel;
00019 
00020 /************************ Security *****************************/
00021 
00022 #ifdef CGI_ALLOW
00023 int MatchesList(char * host, char * list)
00024 {
00025  if (!stricmp(list,"all")) return 1; /* matches all */
00026  if (!stricmp(list,"(all)")) return 1; /* matches all */
00027  if (list[0] == 0) return 0;
00028  if (stristr(list,host)) return 1;
00029  return 0;
00030 }
00031 
00032 int CheckAllowDeny(char * host, char * allow,char * deny)
00033 {
00034  if (host==NULL || !host[0]) return 0; /* localhost */
00035  if (allow==NULL) allow = "";
00036  if (deny==NULL) deny = "";
00037 
00038  if (!stricmp(allow,"all")||!stricmp(allow,"(all)")) return 1;
00039  if (!stricmp(deny,"all")||!stricmp(deny,"(all)")) return 0;
00040 
00041  if (allow[0]==0) /* check for denial */
00042   {
00043     if (deny[0] == 0) return 2; /* anything goes */
00044     if (MatchesList(host,deny)) return 0; /* more restrictive list */
00045     return 1;
00046   }
00047  /* else */
00048  if (MatchesList(host,allow))
00049   {
00050     if (deny[0] == 0) return 1; /* anything goes */
00051     if (MatchesList(host,deny)) return 0; /* more restrictive list */
00052     return 1;                             /* passed */
00053   }
00054  else return 0; /* wasn't allowed in */
00055 }
00056 
00057 int CheckAllow(char* host,CGINameValue* n,char*allow,char*deny,int value,int *i)
00058 {
00059   if ((*i & value)
00060        && CheckAllowDeny(host,GetFieldValue(n,allow),
00061                               GetFieldValue(n,deny)) == 0)
00062     *i &= ~value;
00063   return (*i & value);
00064 }
00065 
00066 #endif
00067 
00068 void CheckPass(CGINameValue* n,int *i,int value,char*pwd,char* field)
00069 {
00070   char * comp= GetFieldValue(n,field);
00071 
00072   if (!*comp) return; /* default is to deny */
00073 
00074   if (!stricmp(comp,"(allow)"))
00075    *i |= value;/* grant all */
00076   else if (!stricmp(comp,"(deny)"))
00077    return;
00078 
00079   if (GetField(n,field))
00080    if (HasToken(pwd,comp,0))
00081     *i |= value;
00082 }
00083 
00084 int GetSecurityFlags(char* argv0,char* host,char* database,char* pwd)
00085 {
00086  int i = CGI_ALLOW_NONE; /* default settings for a database */
00087  CGINameValue *n;
00088 #ifdef CGI_ALLOW
00089  CGINameValue *m;
00090 #endif
00091 
00092  int j = strcspn(database,"/.\\*?$|'\"<>~");
00093 
00094  if (database[j] != 0 || strlen(database) > 128 || strlen(pwd) > 128)
00095   {
00096    LogError("\nSecurity breach attempted\tHOST=");
00097    LogError(host);
00098    return CGI_ALLOW_NONE;
00099   }
00100  /* stop buffer overflow attacks */
00101 
00102 #ifdef CGI_ALLOW
00103  {
00104     char fn[MAXPATH];
00105     ExpandLocalPath(argv0,fn,"cgi",".ini");
00106     m = ReadINIFileSection(fn,"access",0);
00107 
00108     /*m = LoadSettings(argv0,"cgi","access");*/
00109  }
00110 #endif
00111 
00112  n = NULL;
00113  if (database != NULL)
00114   if (database[0] != 0)
00115   {
00116       char fn[MAXPATH];
00117       ExpandLocalPath(argv0,fn,database,".ini");
00118       n = ReadINIFileSection(fn,"access",0);
00119    /*n = LoadSettings(argv0, database, "access");*/
00120   }
00121 
00122  if (n != NULL)
00123  {
00124   CheckPass(n,&i,CGI_ALLOW_READ,pwd,"PWDREAD");
00125   CheckPass(n,&i,CGI_ALLOW_UPDATE,pwd,"PWDUPDATE");
00126   CheckPass(n,&i,CGI_ALLOW_APPEND,pwd,"PWDAPPEND");
00127   CheckPass(n,&i,CGI_ALLOW_DELETE,pwd,"PWDDELETE");
00128   CheckPass(n,&i,CGI_ALLOW_WRITE,pwd,"PWDWRITE");
00129   CheckPass(n,&i,CGI_ALLOW_ADMIN,pwd,"PWDADMIN");
00130   CheckPass(n,&i,CGI_ALLOW_REPORT,pwd,"PWDREPORT");
00131   CheckPass(n,&i,CGI_ALLOW_ALL,pwd,"PWD");
00132  }
00133 
00134 #ifdef CGI_ALLOW
00135  if (n != NULL)
00136  {
00137   if (CheckAllowDeny(host,GetFieldValue(n,"ALLOW"),
00138                           GetFieldValue(n,"DENY")) ==0) i = CGI_ALLOW_NONE;
00139 
00140   if (i && m != NULL)
00141     if (CheckAllowDeny(host,GetFieldValue(m,"ALLOW"),
00142                             GetFieldValue(m,"DENY")) ==0) i = CGI_ALLOW_NONE;
00143 
00144   if (i) CheckAllow(host,n,"ALLOWREAD","DENYREAD",CGI_ALLOW_READ,&i);
00145   if (i) CheckAllow(host,n,"ALLOWUPDATE","DENYUPDATE",CGI_ALLOW_UPDATE,&i);
00146   if (i) CheckAllow(host,n,"ALLOWAPPEND","DENYAPPEND",CGI_ALLOW_APPEND,&i);
00147   if (i) CheckAllow(host,n,"ALLOWWRITE","DENYWRITE",CGI_ALLOW_WRITE,&i);
00148   if (i) CheckAllow(host,n,"ALLOWDELETE","DENYDELETE",CGI_ALLOW_DELETE,&i);
00149   if (i) CheckAllow(host,n,"ALLOWREPORT","DENYREPORT",CGI_ALLOW_REPORT,&i);
00150   if (i) CheckAllow(host,n,"ALLOWADMIN","DENYADMIN",CGI_ALLOW_ADMIN,&i);
00151  }
00152 
00153  /* if access is granted by the password, check domains */
00154  if (m != NULL)
00155  {
00156   if (i) CheckAllow(host,m,"ALLOWREAD","DENYREAD",CGI_ALLOW_READ,&i);
00157   if (i) CheckAllow(host,m,"ALLOWUPDATE","DENYUPDATE",CGI_ALLOW_UPDATE,&i);
00158   if (i) CheckAllow(host,m,"ALLOWAPPEND","DENYAPPEND",CGI_ALLOW_APPEND,&i);
00159   if (i) CheckAllow(host,m,"ALLOWWRITE","DENYWRITE",CGI_ALLOW_WRITE,&i);
00160   if (i) CheckAllow(host,m,"ALLOWDELETE","DENYDELETE",CGI_ALLOW_DELETE,&i);
00161   if (i) CheckAllow(host,m,"ALLOWREPORT","DENYREPORT",CGI_ALLOW_REPORT,&i);
00162   if (i) CheckAllow(host,m,"ALLOWADMIN","DENYADMIN",CGI_ALLOW_ADMIN,&i);
00163  }
00164 
00165  if (m != NULL) DeleteNVP(m);
00166 #endif
00167 
00168  if (n != NULL) DeleteNVP(n);
00169  return i;
00170 }


Raosoft, Inc.
Raosoft EZReport, EZSurvey, InterForm, RapidReport, Raosoft, and SurveyWin are registered trademarks of Raosoft, Inc. Page contents © 1996-2007 by Raosoft, Inc. You may use and modify this file for your own use, but may not distribute it or derivative works without the prior written consent of Raosoft, Inc. This software is provided "as is," and Raosoft makes no warranty, express or implied, of fitness for a particular application. Every measure has been taken to anticipate risks inherent to computer networks, but we cannot guarantee safety or reliability of this program in every situation.
Tel: 206-525-4025 (US) Email: raosoft@raosoft.com
http://www.raosoft.com/