mirror of
https://github.com/jart/cosmopolitan.git
b107d2709f
redbean improvements: - Explicitly disable corking - Simulate Python regex API for Lua - Send warmup requests in main process on startup - Add Class-A granular IPv4 network classification - Add /statusz page so you can monitor your redbean's health - Fix regressions on OpenBSD/NetBSD caused by recent changes - Plug Authorization header into Lua GetUser and GetPass APIs - Recognize X-Forwarded-{For,Host} from local reverse proxies - Add many additional functions to redbean Lua server page API - Report resource usage of child processes on `/` listing page - Introduce `-a` flag for logging child process resource usage - Introduce `-t MILLIS` flag and `ProgramTimeout(ms)` init API - Introduce `-H "Header: value"` flag and `ProgramHeader(k,v)` API Cosmopolitan Libc improvements: - Make strerror() simpler - Make inet_pton() not depend on sscanf() - Fix OpenExecutable() which broke .data section earlier - Fix stdio in cases where it overflows kernel tty buffer - Fix bugs in crash reporting w/o .com.dbg binary present - Add polyfills for SO_LINGER, SO_RCVTIMEO, and SO_SNDTIMEO - Polyfill TCP_CORK on BSD and XNU using TCP_NOPUSH magnums New netcat clone in examples/nc.c: While testing some of the failure conditions for redbean, I noticed that BusyBox's `nc` command is pretty busted, if you use it as an interactive tool, rather than having it be part of a pipeline. Unfortunately this'll only work on UNIX since Windows doesn't let us poll on stdio and sockets at the same time because I don't think they want tools like this running on their platform. So if you want forbidden fruit, it's here so enjoy it
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│
╞══════════════════════════════════════════════════════════════════════════════╡
│ Copyright 2021 Justine Alexandra Roberts Tunney │
│ │
│ Permission to use, copy, modify, and/or distribute this software for │
│ any purpose with or without fee is hereby granted, provided that the │
│ above copyright notice and this permission notice appear in all copies. │
│ │
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
│ PERFORMANCE OF THIS SOFTWARE. │
╚─────────────────────────────────────────────────────────────────────────────*/
#include "libc/runtime/gc.internal.h"
#include "libc/testlib/ezbench.h"
#include "libc/testlib/testlib.h"
#include "net/http/escape.h"
#include "net/http/http.h"
/*
 * Baseline: ordinary request paths must be accepted.
 *
 * Covers a lone "*", the root "/", a relative file name, and absolute
 * file names. The last two cases pass -1 as the length.
 * NOTE(review): -1 presumably means "measure the string yourself"
 * (strlen-style); the function body is not visible here, so confirm.
 */
TEST(IsAcceptablePath, test) {
  /* single-character targets */
  EXPECT_TRUE(IsAcceptablePath("*", 1));
  EXPECT_TRUE(IsAcceptablePath("/", 1));

  /* explicit byte lengths, with and without a leading slash */
  EXPECT_TRUE(IsAcceptablePath("index.html", 10));
  EXPECT_TRUE(IsAcceptablePath("/index.html", 11));

  /* length given as -1 */
  EXPECT_TRUE(IsAcceptablePath("/index.html", -1));
  EXPECT_TRUE(IsAcceptablePath("/redbean.png", -1));
}
/*
 * An empty path is accepted, including when the pointer itself is null.
 *
 * As the test name says, this only makes sense for callers that treat
 * the empty path as having an implicit leading slash. A caller that
 * maps paths onto a filesystem should decide explicitly what "" refers
 * to rather than relying on this check to reject it.
 */
TEST(IsAcceptablePath, testEmptyString_allowedIfYouLikeImplicitLeadingSlash) {
  /* null pointer, with a zero length and with -1 */
  EXPECT_TRUE(IsAcceptablePath(0, 0));
  EXPECT_TRUE(IsAcceptablePath(0, -1));

  /* non-null empty string */
  EXPECT_TRUE(IsAcceptablePath("", 0));
}
/*
 * A path component that begins with a dot is rejected, whether it is
 * the first component or a nested one.
 *
 * This keeps dotfiles (the Unix convention for hidden files) out of
 * reach of anything that serves paths approved by this check.
 */
TEST(IsAcceptablePath, testHiddenFiles_notAllowed) {
  /* dotfile directly under the root */
  EXPECT_FALSE(IsAcceptablePath("/.index.html", 12));

  /* dotfile inside a subdirectory */
  EXPECT_FALSE(IsAcceptablePath("/x/.index.html", 14));
}
/*
 * Two consecutive slashes are rejected wherever they occur: as the
 * whole path, at the end of a relative or absolute path, and in the
 * middle of a path.
 *
 * Rejecting "//" means an empty path component never reaches code that
 * might normalize it differently from this check.
 */
TEST(IsAcceptablePath, testDoubleSlash_notAllowed) {
  /* the path is nothing but a double slash */
  EXPECT_FALSE(IsAcceptablePath("//", 2));

  /* trailing double slash, relative then absolute */
  EXPECT_FALSE(IsAcceptablePath("foo//", 5));
  EXPECT_FALSE(IsAcceptablePath("/foo//", 6));

  /* double slash between two components */
  EXPECT_FALSE(IsAcceptablePath("/foo//bar", 9));
}
/*
 * "." and ".." components are rejected in every position when the
 * separator is a forward slash.
 *
 * This is the directory-traversal guard: any path containing a
 * current-directory or parent-directory component is refused outright
 * instead of being resolved. The cases enumerate each placement of the
 * dot component (alone, leading, trailing, nested) with and without a
 * trailing slash.
 *
 * NOTE(review): these inputs are literal bytes. Whether percent-decoding
 * happens before IsAcceptablePath is called is not visible in this
 * file; confirm that the caller checks the decoded path.
 */
TEST(IsAcceptablePath, testNoncanonicalDirectories_areForbidden) {
  /* the dot component is the entire path */
  EXPECT_FALSE(IsAcceptablePath(".", 1));
  EXPECT_FALSE(IsAcceptablePath("..", 2));

  /* absolute, no trailing slash */
  EXPECT_FALSE(IsAcceptablePath("/.", 2));
  EXPECT_FALSE(IsAcceptablePath("/..", 3));

  /* relative, trailing slash */
  EXPECT_FALSE(IsAcceptablePath("./", 2));
  EXPECT_FALSE(IsAcceptablePath("../", 3));

  /* absolute, trailing slash */
  EXPECT_FALSE(IsAcceptablePath("/./", 3));
  EXPECT_FALSE(IsAcceptablePath("/../", 4));

  /* dot component after a relative directory */
  EXPECT_FALSE(IsAcceptablePath("x/.", 3));
  EXPECT_FALSE(IsAcceptablePath("x/..", 4));
  EXPECT_FALSE(IsAcceptablePath("x/./", 4));
  EXPECT_FALSE(IsAcceptablePath("x/../", 5));

  /* dot component after an absolute directory */
  EXPECT_FALSE(IsAcceptablePath("/x/./", 5));
  EXPECT_FALSE(IsAcceptablePath("/x/../", 6));
}
/*
 * "." and ".." components are rejected in every position when the
 * separator is a backslash.
 *
 * The cases match the forward-slash traversal test one for one, with
 * '\\' in place of '/'. Treating the backslash as a separator for this
 * purpose prevents a path that looks like a single component on a POSIX
 * host from being read as a traversal sequence where backslashes
 * separate directories.
 *
 * The first two cases contain no separator and therefore repeat the
 * ones in the forward-slash test.
 */
TEST(IsAcceptablePath, testNoncanonicalWindowsDirs_areForbidden) {
  /* the dot component is the entire path */
  EXPECT_FALSE(IsAcceptablePath(".", 1));
  EXPECT_FALSE(IsAcceptablePath("..", 2));

  /* leading backslash, no trailing separator */
  EXPECT_FALSE(IsAcceptablePath("\\.", 2));
  EXPECT_FALSE(IsAcceptablePath("\\..", 3));

  /* relative, trailing backslash */
  EXPECT_FALSE(IsAcceptablePath(".\\", 2));
  EXPECT_FALSE(IsAcceptablePath("..\\", 3));

  /* leading and trailing backslash */
  EXPECT_FALSE(IsAcceptablePath("\\.\\", 3));
  EXPECT_FALSE(IsAcceptablePath("\\..\\", 4));

  /* dot component after a relative directory */
  EXPECT_FALSE(IsAcceptablePath("x\\.", 3));
  EXPECT_FALSE(IsAcceptablePath("x\\..", 4));
  EXPECT_FALSE(IsAcceptablePath("x\\.\\", 4));
  EXPECT_FALSE(IsAcceptablePath("x\\..\\", 5));

  /* dot component after a directory with a leading backslash */
  EXPECT_FALSE(IsAcceptablePath("\\x\\.\\", 5));
  EXPECT_FALSE(IsAcceptablePath("\\x\\..\\", 6));
}
/*
 * Overlong UTF-8 encodings of '.' and '/' are rejected.
 *
 * The octal escapes \300\256 are the bytes 0xC0 0xAE, a two-byte
 * overlong form that decodes to '.' (0x2E); \300\257 is 0xC0 0xAF,
 * which decodes to '/' (0x2F). Neither is valid UTF-8. A byte-wise
 * comparison against '.' and '/' would not match them, while a lenient
 * decoder further down the stack could still turn them back into dots
 * and slashes, so the path check has to refuse them itself.
 */
TEST(IsAcceptablePath, testOverlongSlashDot_isDetected) {
  /* '/' followed by an overlong '.' */
  EXPECT_FALSE(IsAcceptablePath("/\300\256", 3));

  /* '/' followed by an overlong '/' */
  EXPECT_FALSE(IsAcceptablePath("/\300\257", 3));

  /* two overlong dots, i.e. an encoded ".." */
  EXPECT_FALSE(IsAcceptablePath("\300\256\300\256", 4));
}
/*
 * Micro-benchmark of IsAcceptablePath on two accepted inputs: the
 * one-byte "*" and the eleven-byte "/index.html".
 *
 * Both entries share the label "IsAcceptablePath" and pass `donothing`
 * as the second EZBENCH2 argument.
 * NOTE(review): that argument is presumably the per-iteration setup
 * step; confirm against libc/testlib/ezbench.h.
 */
BENCH(IsAcceptablePath, bench) {
  /* shortest accepted input */
  EZBENCH2("IsAcceptablePath", donothing, IsAcceptablePath("*", 1));

  /* typical absolute file path */
  EZBENCH2("IsAcceptablePath", donothing, IsAcceptablePath("/index.html", 11));
}