Mercurial > hg > nginx
annotate src/http/modules/ngx_http_secure_link_module.c @ 7094:c7d4017c8876
Secure link: fixed stack buffer overflow.
When secure link checksum has length of 23 or 24 bytes, decoded base64 value
could occupy 17 or 18 bytes which is more than 16 bytes previously allocated
for it on stack. The buffer overflow does not have any security implications
since only one local variable was corrupted and this variable was not used in
this case.
The fix is to increase buffer size up to 18 bytes. Useless buffer size
initialization is removed as well.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Tue, 22 Aug 2017 21:22:59 +0300 |
| parents | d89442dab4d1 |
| children | bdd4d89370a7 |
| rev | line source |
|---|---|
| 2260 | 1 |
| 2 /* | |
| 3 * Copyright (C) Igor Sysoev | |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
| 2260 | 5 */ |
| 6 | |
| 7 | |
| 8 #include <ngx_config.h> | |
| 9 #include <ngx_core.h> | |
| 10 #include <ngx_http.h> | |
| 11 #include <ngx_md5.h> | |
| 12 | |
| 13 | |
| 14 typedef struct { | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
15 ngx_http_complex_value_t *variable; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
16 ngx_http_complex_value_t *md5; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
17 ngx_str_t secret; |
| 2260 | 18 } ngx_http_secure_link_conf_t; |
| 19 | |
| 20 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
21 typedef struct { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
22 ngx_str_t expires; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
23 } ngx_http_secure_link_ctx_t; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
24 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
25 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
26 static ngx_int_t ngx_http_secure_link_old_variable(ngx_http_request_t *r, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
27 ngx_http_secure_link_conf_t *conf, ngx_http_variable_value_t *v, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
28 uintptr_t data); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
29 static ngx_int_t ngx_http_secure_link_expires_variable(ngx_http_request_t *r, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
30 ngx_http_variable_value_t *v, uintptr_t data); |
| 2260 | 31 static void *ngx_http_secure_link_create_conf(ngx_conf_t *cf); |
| 32 static char *ngx_http_secure_link_merge_conf(ngx_conf_t *cf, void *parent, | |
| 33 void *child); | |
| 34 static ngx_int_t ngx_http_secure_link_add_variables(ngx_conf_t *cf); | |
| 35 | |
| 36 | |
| 37 static ngx_command_t ngx_http_secure_link_commands[] = { | |
| 38 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
39 { ngx_string("secure_link"), |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
40 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, |
| 3761 | 41 ngx_http_set_complex_value_slot, |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
42 NGX_HTTP_LOC_CONF_OFFSET, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
43 offsetof(ngx_http_secure_link_conf_t, variable), |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
44 NULL }, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
45 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
46 { ngx_string("secure_link_md5"), |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
47 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, |
| 3761 | 48 ngx_http_set_complex_value_slot, |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
49 NGX_HTTP_LOC_CONF_OFFSET, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
50 offsetof(ngx_http_secure_link_conf_t, md5), |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
51 NULL }, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
52 |
| 2260 | 53 { ngx_string("secure_link_secret"), |
| 54 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, | |
| 55 ngx_conf_set_str_slot, | |
| 56 NGX_HTTP_LOC_CONF_OFFSET, | |
| 57 offsetof(ngx_http_secure_link_conf_t, secret), | |
| 58 NULL }, | |
| 59 | |
| 60 ngx_null_command | |
| 61 }; | |
| 62 | |
| 63 | |
| 64 static ngx_http_module_t ngx_http_secure_link_module_ctx = { | |
| 65 ngx_http_secure_link_add_variables, /* preconfiguration */ | |
| 66 NULL, /* postconfiguration */ | |
| 67 | |
| 68 NULL, /* create main configuration */ | |
| 69 NULL, /* init main configuration */ | |
| 70 | |
| 71 NULL, /* create server configuration */ | |
| 72 NULL, /* merge server configuration */ | |
| 73 | |
| 74 ngx_http_secure_link_create_conf, /* create location configuration */ | |
| 75 ngx_http_secure_link_merge_conf /* merge location configuration */ | |
| 76 }; | |
| 77 | |
| 78 | |
| 79 ngx_module_t ngx_http_secure_link_module = { | |
| 80 NGX_MODULE_V1, | |
| 81 &ngx_http_secure_link_module_ctx, /* module context */ | |
| 82 ngx_http_secure_link_commands, /* module directives */ | |
| 83 NGX_HTTP_MODULE, /* module type */ | |
| 84 NULL, /* init master */ | |
| 85 NULL, /* init module */ | |
| 86 NULL, /* init process */ | |
| 87 NULL, /* init thread */ | |
| 88 NULL, /* exit thread */ | |
| 89 NULL, /* exit process */ | |
| 90 NULL, /* exit master */ | |
| 91 NGX_MODULE_V1_PADDING | |
| 92 }; | |
| 93 | |
| 94 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
95 static ngx_str_t ngx_http_secure_link_name = ngx_string("secure_link"); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
96 static ngx_str_t ngx_http_secure_link_expires_name = |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
97 ngx_string("secure_link_expires"); |
| 2260 | 98 |
| 99 | |
| 100 static ngx_int_t | |
| 101 ngx_http_secure_link_variable(ngx_http_request_t *r, | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
102 ngx_http_variable_value_t *v, uintptr_t data) |
| 2260 | 103 { |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
104 u_char *p, *last; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
105 ngx_str_t val, hash; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
106 time_t expires; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
107 ngx_md5_t md5; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
108 ngx_http_secure_link_ctx_t *ctx; |
| 2260 | 109 ngx_http_secure_link_conf_t *conf; |
|
7094
c7d4017c8876
Secure link: fixed stack buffer overflow.
Roman Arutyunyan <arut@nginx.com>
parents:
5017
diff
changeset
|
110 u_char hash_buf[18], md5_buf[16]; |
| 2260 | 111 |
| 112 conf = ngx_http_get_module_loc_conf(r, ngx_http_secure_link_module); | |
| 113 | |
|
5017
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
114 if (conf->secret.data) { |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
115 return ngx_http_secure_link_old_variable(r, conf, v, data); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
116 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
117 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
118 if (conf->variable == NULL || conf->md5 == NULL) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
119 goto not_found; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
120 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
121 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
122 if (ngx_http_complex_value(r, conf->variable, &val) != NGX_OK) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
123 return NGX_ERROR; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
124 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
125 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
126 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
127 "secure link: \"%V\"", &val); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
128 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
129 last = val.data + val.len; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
130 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
131 p = ngx_strlchr(val.data, last, ','); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
132 expires = 0; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
133 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
134 if (p) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
135 val.len = p++ - val.data; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
136 |
|
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
137 expires = ngx_atotm(p, last - p); |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
138 if (expires <= 0) { |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
139 goto not_found; |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
140 } |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
141 |
|
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
142 ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_secure_link_ctx_t)); |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
143 if (ctx == NULL) { |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
144 return NGX_ERROR; |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
145 } |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
146 |
|
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
147 ngx_http_set_ctx(r, ctx, ngx_http_secure_link_module); |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
148 |
|
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
149 ctx->expires.len = last - p; |
|
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
150 ctx->expires.data = p; |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
151 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
152 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
153 if (val.len > 24) { |
| 2260 | 154 goto not_found; |
| 155 } | |
| 156 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
157 hash.data = hash_buf; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
158 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
159 if (ngx_decode_base64url(&hash, &val) != NGX_OK) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
160 goto not_found; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
161 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
162 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
163 if (hash.len != 16) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
164 goto not_found; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
165 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
166 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
167 if (ngx_http_complex_value(r, conf->md5, &val) != NGX_OK) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
168 return NGX_ERROR; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
169 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
170 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
171 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
172 "secure link md5: \"%V\"", &val); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
173 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
174 ngx_md5_init(&md5); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
175 ngx_md5_update(&md5, val.data, val.len); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
176 ngx_md5_final(md5_buf, &md5); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
177 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
178 if (ngx_memcmp(hash_buf, md5_buf, 16) != 0) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
179 goto not_found; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
180 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
181 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
182 v->data = (u_char *) ((expires && expires < ngx_time()) ? "0" : "1"); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
183 v->len = 1; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
184 v->valid = 1; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
185 v->no_cacheable = 0; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
186 v->not_found = 0; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
187 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
188 return NGX_OK; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
189 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
190 not_found: |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
191 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
192 v->not_found = 1; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
193 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
194 return NGX_OK; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
195 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
196 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
197 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
198 static ngx_int_t |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
199 ngx_http_secure_link_old_variable(ngx_http_request_t *r, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
200 ngx_http_secure_link_conf_t *conf, ngx_http_variable_value_t *v, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
201 uintptr_t data) |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
202 { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
203 u_char *p, *start, *end, *last; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
204 size_t len; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
205 ngx_int_t n; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
206 ngx_uint_t i; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
207 ngx_md5_t md5; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
208 u_char hash[16]; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
209 |
| 2260 | 210 p = &r->unparsed_uri.data[1]; |
| 211 last = r->unparsed_uri.data + r->unparsed_uri.len; | |
| 212 | |
| 213 while (p < last) { | |
| 214 if (*p++ == '/') { | |
| 215 start = p; | |
| 216 goto md5_start; | |
| 217 } | |
| 218 } | |
| 219 | |
| 220 goto not_found; | |
| 221 | |
| 222 md5_start: | |
| 223 | |
| 224 while (p < last) { | |
| 225 if (*p++ == '/') { | |
| 226 end = p - 1; | |
| 227 goto url_start; | |
| 228 } | |
| 229 } | |
| 230 | |
| 231 goto not_found; | |
| 232 | |
| 233 url_start: | |
| 234 | |
| 235 len = last - p; | |
| 236 | |
| 2279 | 237 if (end - start != 32 || len == 0) { |
| 2260 | 238 goto not_found; |
| 239 } | |
| 240 | |
| 241 ngx_md5_init(&md5); | |
| 242 ngx_md5_update(&md5, p, len); | |
| 243 ngx_md5_update(&md5, conf->secret.data, conf->secret.len); | |
| 244 ngx_md5_final(hash, &md5); | |
| 245 | |
| 246 for (i = 0; i < 16; i++) { | |
| 247 n = ngx_hextoi(&start[2 * i], 2); | |
| 248 if (n == NGX_ERROR || n != hash[i]) { | |
| 249 goto not_found; | |
| 250 } | |
| 251 } | |
| 252 | |
| 253 v->len = len; | |
| 254 v->valid = 1; | |
| 255 v->no_cacheable = 0; | |
| 256 v->not_found = 0; | |
| 257 v->data = p; | |
| 258 | |
| 259 return NGX_OK; | |
| 260 | |
| 261 not_found: | |
| 262 | |
| 263 v->not_found = 1; | |
| 264 | |
| 265 return NGX_OK; | |
| 266 } | |
| 267 | |
| 268 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
269 static ngx_int_t |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
270 ngx_http_secure_link_expires_variable(ngx_http_request_t *r, |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
271 ngx_http_variable_value_t *v, uintptr_t data) |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
272 { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
273 ngx_http_secure_link_ctx_t *ctx; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
274 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
275 ctx = ngx_http_get_module_ctx(r, ngx_http_secure_link_module); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
276 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
277 if (ctx) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
278 v->len = ctx->expires.len; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
279 v->valid = 1; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
280 v->no_cacheable = 0; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
281 v->not_found = 0; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
282 v->data = ctx->expires.data; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
283 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
284 } else { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
285 v->not_found = 1; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
286 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
287 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
288 return NGX_OK; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
289 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
290 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
291 |
| 2260 | 292 static void * |
| 293 ngx_http_secure_link_create_conf(ngx_conf_t *cf) | |
| 294 { | |
| 295 ngx_http_secure_link_conf_t *conf; | |
| 296 | |
| 297 conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_secure_link_conf_t)); | |
| 298 if (conf == NULL) { | |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2279
diff
changeset
|
299 return NULL; |
| 2260 | 300 } |
| 301 | |
| 302 /* | |
| 303 * set by ngx_pcalloc(): | |
| 304 * | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
305 * conf->variable = NULL; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
306 * conf->md5 = NULL; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
307 * conf->secret = { 0, NULL }; |
| 2260 | 308 */ |
| 309 | |
| 310 return conf; | |
| 311 } | |
| 312 | |
| 313 | |
| 314 static char * | |
| 315 ngx_http_secure_link_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
| 316 { | |
| 317 ngx_http_secure_link_conf_t *prev = parent; | |
| 318 ngx_http_secure_link_conf_t *conf = child; | |
| 319 | |
|
5017
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
320 if (conf->secret.data) { |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
321 if (conf->variable || conf->md5) { |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
322 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
323 "\"secure_link_secret\" cannot be mixed with " |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
324 "\"secure_link\" and \"secure_link_md5\""); |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
325 return NGX_CONF_ERROR; |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
326 } |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
327 |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
328 return NGX_CONF_OK; |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
329 } |
| 2260 | 330 |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
331 if (conf->variable == NULL) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
332 conf->variable = prev->variable; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
333 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
334 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
335 if (conf->md5 == NULL) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
336 conf->md5 = prev->md5; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
337 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
338 |
|
5017
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
339 if (conf->variable == NULL && conf->md5 == NULL) { |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
340 conf->secret = prev->secret; |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
341 } |
|
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
342 |
| 2260 | 343 return NGX_CONF_OK; |
| 344 } | |
| 345 | |
| 346 | |
| 347 static ngx_int_t | |
| 348 ngx_http_secure_link_add_variables(ngx_conf_t *cf) | |
| 349 { | |
| 350 ngx_http_variable_t *var; | |
| 351 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
352 var = ngx_http_add_variable(cf, &ngx_http_secure_link_name, 0); |
| 2260 | 353 if (var == NULL) { |
| 354 return NGX_ERROR; | |
| 355 } | |
| 356 | |
| 357 var->get_handler = ngx_http_secure_link_variable; | |
| 358 | |
|
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
359 var = ngx_http_add_variable(cf, &ngx_http_secure_link_expires_name, 0); |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
360 if (var == NULL) { |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
361 return NGX_ERROR; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
362 } |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
363 |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
364 var->get_handler = ngx_http_secure_link_expires_variable; |
|
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
365 |
| 2260 | 366 return NGX_OK; |
| 367 } |