#include <u.h>
#include <libc.h>
#include <auth.h>
#include "httpd.h"
#include "httpsrv.h"
static char* readfile(char*);
/*
* these should be done better; see the response codes in /lib/rfc/rfc2616 for
* more info on what should be included.
*/
#define UNAUTHED "You are not authorized to see this area.\n"
/*
* check for authorization for some parts of the server tree.
* the user name supplied with the authorization request is ignored;
* instead, we authenticate as the realm's user.
*
* authorization should be done before opening any files so that
* unauthorized users don't get to validate file names.
*
* returns 1 if authorized, 0 if unauthorized, -1 for io failure.
*/
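/*
 * compare two strings without stopping at the first differing byte,
 * so the time taken does not depend on how long a matching prefix was.
 * returns 1 if equal, 0 otherwise.
 */
static int
samesecret(char *a, char *b)
{
	int i, la, lb, diff;

	la = strlen(a);
	lb = strlen(b);
	diff = la ^ lb;
	for(i = 0; i < la && i < lb; i++)
		diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
	return diff == 0;
}

/*
 * check for authorization for some parts of the server tree.
 * the user name supplied with the authorization request is ignored
 * as an identity; instead, the request's user/password pair is matched
 * against the pairs listed in the nearest enclosing .httplogin, whose
 * first token is the realm.
 *
 * authorization should be done before opening any files so that
 * unauthorized users don't get to validate file names.
 *
 * returns 1 if authorized, 0 if unauthorized, -1 for io failure.
 */
int
authorize(HConnect *c, char *file)
{
	char *p, *p0;
	Hio *hout;
	char *buf;
	int i, n;
	char *t[257];

	/* build <directory of file>/.httplogin; trailing '/'s are stripped first */
	p0 = halloc(c, strlen(file)+STRLEN("/.httplogin")+1);
	strcpy(p0, file);
	for(;;){
		p = strrchr(p0, '/');
		if(p == nil)
			return hfail(c, HInternal);
		if(*(p+1) != 0)
			break;
		/* ignore trailing '/'s */
		*p = 0;
	}
	strcpy(p, "/.httplogin");

	/*
	 * no login file means this part of the tree is public.
	 * NOTE(review): readfile also returns nil for a login file that exists
	 * but cannot be opened, stat'ed or read, so such errors fail open;
	 * confirm that is the intended policy.
	 */
	buf = readfile(p0);
	if(buf == nil)
		return 1;

	/*
	 * layout: realm, then user/password pairs.
	 * a file with no realm is a configuration error; refuse rather than
	 * read t[0] uninitialized when building the challenge below.
	 */
	n = tokenize(buf, t, nelem(t));
	if(n < 1){
		free(buf);
		return hfail(c, HInternal);
	}
	if(c->head.authuser != nil && c->head.authpass != nil){
		for(i = 1; i+1 < n; i += 2){
			/* '&' rather than '&&': evaluate both compares every time */
			if(samesecret(t[i], c->head.authuser)
			& samesecret(t[i+1], c->head.authpass)){
				free(buf);
				return 1;
			}
		}
	}

	/* no usable credentials: challenge with the realm from the file */
	hout = &c->hout;
	hprint(hout, "%s 401 Unauthorized\r\n", hversion);
	hprint(hout, "Server: Plan9\r\n");
	hprint(hout, "Date: %D\r\n", time(nil));
	hprint(hout, "WWW-Authenticate: Basic realm=\"%s\"\r\n", t[0]);
	hprint(hout, "Content-Type: text/html\r\n");
	hprint(hout, "Content-Length: %d\r\n", STRLEN(UNAUTHED));
	if(c->head.closeit)
		hprint(hout, "Connection: close\r\n");
	else if(!http11(c))
		hprint(hout, "Connection: Keep-Alive\r\n");
	hprint(hout, "\r\n");
	if(strcmp(c->req.meth, "HEAD") != 0)
		hprint(hout, "%s", UNAUTHED);
	writelog(c, "Reply: 401 Unauthorized\n");
	free(buf);
	return hflush(hout);
}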
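/*
 * read all of file into a freshly malloc'd, NUL-terminated buffer.
 * returns nil if the file cannot be opened, stat'ed, allocated or read,
 * if its length does not fit an int, or if it is empty.
 * the caller owns and frees the result.
 */
static char*
readfile(char *file)
{
	Dir *d;
	int fd;
	char *buf;
	int n;
	long long len;

	fd = open(file, OREAD);
	if(fd < 0)
		return nil;
	d = dirfstat(fd);
	if(d == nil){ /* shouldn't happen */
		close(fd);
		return nil;
	}
	len = d->length;
	free(d);
	/*
	 * the length is narrowed to int below and passed through malloc(len+1);
	 * refuse values that would go negative or wrap instead of trusting them.
	 * 0x7fffffff is the largest value an int can hold.
	 */
	if(len < 0 || len >= 0x7fffffff){
		close(fd);
		return nil;
	}
	buf = malloc(len+1);
	if(buf == nil){
		close(fd);
		return nil;
	}
	n = readn(fd, buf, len);
	close(fd);
	/* a short read is fine; an empty or failed read is reported as nil */
	if(n <= 0){
		free(buf);
		return nil;
	}
	buf[n] = '\0';
	return buf;
}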