diff -urN thttpd-2.21-15/config.h thttpd-2.21-16/config.h --- thttpd-2.21-15/config.h Sat Dec 15 16:28:16 2001 +++ thttpd-2.21-16/config.h Mon Jan 21 18:33:24 2002 @@ -57,17 +57,17 @@ ** as a security measure that's how you do it, just don't define any ** pattern here and don't run with the -c flag. */ -#ifdef notdef +//#ifdef notdef /* Some sample patterns. Allow programs only in one central directory: */ -#define CGI_PATTERN "/cgi-bin/*" +//#define CGI_PATTERN "/cgi-bin/*" /* Allow programs in a central directory, or anywhere in a trusted ** user's tree: */ -#define CGI_PATTERN "/cgi-bin/*|/jef/**" +//#define CGI_PATTERN "/cgi-bin/*|/jef/**" /* Allow any program ending with a .cgi: */ #define CGI_PATTERN "**.cgi" /* When virtual hosting, enable the central directory on every host: */ -#define CGI_PATTERN "/*/cgi-bin/*" -#endif +//#define CGI_PATTERN "/*/cgi-bin/*" +//#endif /* CONFIGURE: How many seconds to allow CGI programs to run before killing ** them. This is in case someone writes a CGI program that goes into an @@ -237,13 +237,36 @@ #define ADVCOUNTER /* CONFIGURE: +** Use banners +*/ + +#define USE_BANNERS + + +/* CONFIGURE: ** Define custom error 404 file name */ -#define ERR404FILENAME "/banners/404.html" +#undef ERR404FILENAME "/banners/404.html" +/* CONFIGURE: +** Define if there are peruser 404 pages +*/ +#define ERR404PERUSER + +#if (defined ERR404FILENAME) && (defined ERR404PERUSER) +#error "Define either ERR404FILENAME or ERR404PERUSER!" +#endif /* CONFIGURE: ** Define redirection based on referer domain */ #define REFERER_REDIR + +/* CONFIGURE: +** Define this if you want to use the secure cgi environment +*/ + +#define SECURE_CGI_WRAPPER "/usr/local/bin/wrap" + + #endif /* CONFIGURE: Define this if you want to always use a global passwd file, ** without having to give the -P command line flag. You can still disable diff -urN thttpd-2.21-15/libhttpd.c thttpd-2.21-16/libhttpd.c --- thttpd-2.21-15/libhttpd.c Sat Dec 15 16:28:16 2001 +++ thttpd-2.21-16/libhttpd.c Mon Jan 21 18:33:24 2002 @@ -678,7 +678,7 @@ } if ( partial_content ) { -#ifdef VHOST_MYSQL +#ifdef USE_BANNERS (void) my_snprintf( buf, sizeof(buf), "Content-Range: bytes %ld-%ld/%d\r\nContent-Length: %ld\r\n", (long) hc->init_byte_loc, (long) hc->end_byte_loc, length, @@ -693,7 +693,7 @@ } else if ( length >= 0 ) { -#ifdef VHOST_MYSQL +#ifdef USE_BANNERS (void) my_snprintf( buf, sizeof(buf), "Content-Length: %d\r\n", length +hc->ban+hc->ban_u ); #else @@ -872,9 +872,24 @@ { #ifdef ERR_DIR - static char filename[1000]; + static char filename[1000]; #endif #ifdef VHOST_MYSQL +#ifdef ERR404PERUSER + static char* header; + static int maxheader = 0; + static char headstr[] = "Location: "; + if (status==404) + { + if (hc->err404[0]!='\0') + { + httpd_realloc_str( &header, &maxheader, sizeof(headstr) + strlen( hc->err404 )); + (void) my_snprintf( header, maxheader,"%s%s\r\n", headstr, hc->err404 ); + send_response( hc, 302, err302title, header, err302form, hc->err404 ); + return; + } + } +#endif #ifdef ERR404FILENAME /* We want our own err404... @@ -1481,7 +1496,11 @@ { httpd_realloc_str(&hc->hostdir,&hc->maxhostdir,strlen(vh_list[tmp].path)); (void) strcpy (hc->hostdir,vh_list[tmp].path); - + if( hc->err404!=NULL) + { + httpd_realloc_str(&hc->err404,&hc->maxerr404,strlen(vh_list[tmp].err404)); + (void) strcpy (hc->err404,vh_list[tmp].err404); + } ext=rindex(hc->origfilename,'.'); if ( ext==NULL) ext=hc->origfilename; else ext++; @@ -1494,7 +1513,8 @@ /* Rules: If it ends with / (e.g. dirindex, if exists), .htm or .html,or doesn't have any path ( like http://www.xxx.com ) it should have banners put. - */ + */ +#ifdef USE_BANNERS if ( ( hc->origfilename[strlen(hc->origfilename)-1]=='/') || (strcasecmp(ext,"htm")==0) || (strcasecmp(ext,"html")==0) || @@ -1516,6 +1536,8 @@ } } } + hc->if_modified_since=(time_t) -1; +#endif } /* @@ -1776,7 +1798,7 @@ hc->maxorigfilename = hc->maxexpnfilename = hc->maxencodings = hc->maxpathinfo = hc->maxquery = hc->maxaccept = hc->maxaccepte = hc->maxreqhost = hc->maxhostdir = - hc->maxremoteuser = hc->maxresponse = 0; + hc->maxremoteuser = hc->maxresponse = hc->maxerr404 = 0; #ifdef TILDE_MAP_2 hc->maxaltdir = 0; #endif /* TILDE_MAP_2 */ @@ -1795,6 +1817,9 @@ #ifdef TILDE_MAP_2 httpd_realloc_str( &hc->altdir, &hc->maxaltdir, 0 ); #endif /* TILDE_MAP_2 */ +#ifdef ERR404PERUSER + httpd_realloc_str( &hc->err404, &hc->maxerr404, 0 ); +#endif hc->initialized = 1; } @@ -1872,6 +1897,7 @@ hc->bpos=0; hc->bpos_u=0; hc->fsize=0; + hc->err404[0]='\0'; #endif return GC_OK; } @@ -2965,7 +2991,7 @@ int size; static char *buf; static int maxbuf = 0; - + size = strlen( fmt ) + strlen( arg ); if ( size > maxbuf ) httpd_realloc_str( &buf, &maxbuf, size ); @@ -3103,6 +3129,7 @@ ** one for the filename and one for the NULL, we are guaranteed to ** have enough. We could actually use strlen/2. */ +#ifndef SECURE_CGI_WRAPPER argp = NEW( char*, strlen( hc->query ) + 2 ); if ( argp == (char**) 0 ) return (char**) 0; @@ -3114,6 +3141,27 @@ argp[0] = hc->expnfilename; argn = 1; +#else + syslog(LOG_ERR,"kmq"); + argp = NEW( char*, strlen( hc->query ) + 4 ); + if ( argp == (char**) 0 ) + return (char**) 0; + + /* + XXX: should I alloc, or should i go ... + */ + + argp[0] = SECURE_CGI_WRAPPER; + argp[1] = strrchr( hc->expnfilename, '/' ); + if ( argp[1] != (char*) 0 ) + ++argp[1]; + else + argp[1] = hc->expnfilename; + + argn = 2; + +#endif + /* According to the CGI spec at http://hoohoo.ncsa.uiuc.edu/cgi/cl.html, ** "The server should search the query information for a non-encoded = ** character to determine if the command line is to be used, if it finds @@ -3468,7 +3516,11 @@ (void) signal( SIGPIPE, SIG_DFL ); /* Run the program. */ +#ifndef SECURE_CGI_WRAPPER (void) execve( binary, argp, envp ); +#else + (void) execve( SECURE_CGI_WRAPPER, argp, envp ); +#endif /* Something went wrong. */ syslog( LOG_ERR, "execve %.80s - %m", hc->expnfilename ); diff -urN thttpd-2.21-15/libhttpd.h thttpd-2.21-16/libhttpd.h --- thttpd-2.21-15/libhttpd.h Sat Dec 15 16:28:16 2001 +++ thttpd-2.21-16/libhttpd.h Mon Jan 21 18:33:24 2002 @@ -150,6 +150,8 @@ off_t ban,ban_u; off_t fsize; off_t fpos,bpos,bpos_u; + char* err404; /* Custom error404*/ + int maxerr404; } httpd_conn; /* Methods. */ diff -urN thttpd-2.21-15/vhost.c thttpd-2.21-16/vhost.c --- thttpd-2.21-15/vhost.c Sat Dec 15 16:28:17 2001 +++ thttpd-2.21-16/vhost.c Mon Jan 21 18:33:24 2002 @@ -67,7 +67,12 @@ { tmp[*n].vhost=strdup(row[0]); tmp[*n].path=strdup(row[1]); - tmp[*n].adv=strdup(row[2]); + tmp[*n].adv=strdup(row[2]); +#ifdef ERR404PERUSER + tmp[*n].err404=strdup(row[3]); +#else + tmp[*n].err404=NULL; +#endif (*n)++; row=mysql_fetch_row(result); } diff -urN thttpd-2.21-15/vhostconf.h thttpd-2.21-16/vhostconf.h --- thttpd-2.21-15/vhostconf.h Sat Dec 15 16:28:17 2001 +++ thttpd-2.21-16/vhostconf.h Mon Jan 21 18:33:24 2002 @@ -1,6 +1,11 @@ #include "machineconf.h" +#include "config.h" /* Please, god,root, let mysql sort the results like strcmp.... */ -#define QUERY "select hostname,path,advtype from vhost order by hostname" +#ifdef ERR404PERUSER +# define QUERY "select hostname,path,advtype,err404 from vhost order by hostname" +#else +# define QUERY "select hostname,path,advtype from vhost order by hostname" +#endif #define QUERY_BAN "select advtype,num from numban" #define QUERY_RDR "select umatch, url from redir where type='referer' order by umatch" @@ -14,7 +19,7 @@ char *vhost; char *path; char *adv; - + char *err404; }; /* banners stuff */