freebsd-ports/www/thttpd/files/extra-patch-htaccess

--- config.h.orig	Sun Nov 30 04:40:00 2003
+++ config.h	Sat Oct 16 20:57:30 2004
@@ -138,6 +138,17 @@
 */
 #define AUTH_FILE ".htpasswd"
 
+/* CONFIGURE: The file to use for restricting access on an ip basis. If
+** this is defined then thttpd checks for this file in the local
+** directory before every fetch. If the file exists then thttpd checks
+** whether the client's ip address is allowed to fetch this file, otherwise
+** the fetch is denied.
+**
+** If you undefine this then thttpd will not implement access checks
+** at all and will not check for access files, which saves a bit of CPU time.
+*/
+#define ACCESS_FILE ".htaccess"
+
 /* CONFIGURE: The default character set name to use with text MIME types.
 ** This gets substituted into the MIME types where they have a "%s".
 **
--- libhttpd.c.orig	Thu Dec 25 20:06:05 2003
+++ libhttpd.c	Sat Oct 16 21:14:04 2004
@@ -136,6 +136,10 @@
 static int auth_check( httpd_conn* hc, char* dirname  );
 static int auth_check2( httpd_conn* hc, char* dirname  );
 #endif /* AUTH_FILE */
+#ifdef ACCESS_FILE
+static int access_check (httpd_conn* hc, char* dirname);
+static int access_check2 (httpd_conn* hc, char* dirname);
+#endif /* ACCESS_FILE */
 static void send_dirredirect( httpd_conn* hc );
 static int hexit( char c );
 static void strdecode( char* to, char* from );
@@ -876,6 +880,139 @@
     }
 #endif /* ERR_DIR */
 
+#ifdef ACCESS_FILE
+static int err_accessfile (httpd_conn* hc, char* accesspath, char* err, FILE* f)
+{
+  fclose(f);
+
+  syslog(LOG_ERR, "%.80s access file %.80s: invalid line: %s",
+    httpd_ntoa(&hc->client_addr), accesspath, err);
+
+  httpd_send_err(hc, 403, err403title, "", ERROR_FORM(err403form, 
+    "The requested URL '%.80s' is protected by an access file, but the "
+    "access file contains garbage.\n"), hc->encodedurl);
+
+  return -1;
+}
+
+/* Returns -1 == unauthorized, 0 == no access file, 1 = authorized. */
+static int
+access_check( httpd_conn* hc, char* dirname  )
+    {
+    if ( hc->hs->global_passwd )
+	{
+	char* topdir;
+	if ( hc->hs->vhost && hc->hostdir[0] != '\0' )
+	    topdir = hc->hostdir;
+	else
+	    topdir = ".";
+	switch ( access_check2( hc, topdir ) )
+	    {
+	    case -1:
+	    return -1;
+	    case 1:
+	    return 1;
+	    }
+	}
+    return access_check2( hc, dirname );
+    }
+
+/* Returns -1 == unauthorized, 0 == no access file, 1 = authorized. */
+static int access_check2 (httpd_conn* hc, char* dirname)
+{
+  static char* accesspath;
+  static size_t maxaccesspath = 0;
+  struct in_addr ipv4_addr, ipv4_mask = { 0xffffffff };
+  FILE* fp;
+  char line[500];
+  struct stat sb;
+  char *addr, *addr1, *addr2, *mask;
+  unsigned long l;
+
+  /* Construct access filename. */
+  httpd_realloc_str(&accesspath, &maxaccesspath, strlen(dirname) + 1 +
+    sizeof(ACCESS_FILE));
+
+  my_snprintf(accesspath, maxaccesspath, "%s/%s", dirname, ACCESS_FILE);
+
+  /* Does this directory have an access file? */
+  if (lstat(accesspath, &sb) < 0)
+    /* Nope, let the request go through. */
+    return 0;
+
+  /* Open the access file. */
+  fp = fopen(accesspath, "r");
+  if (!fp) {
+    /* The file exists but we can't open it? Disallow access. */
+    syslog(LOG_ERR, "%.80s access file %.80s could not be opened - %m",
+      httpd_ntoa(&hc->client_addr), accesspath);
+
+    httpd_send_err(hc, 403, err403title, "", ERROR_FORM(err403form, 
+      "The requested URL '%.80s' is protected by an access file, but "
+      "the access file cannot be opened.\n"), hc->encodedurl);
+
+    return -1;
+  }
+
+  /* Read it. */
+  while (fgets(line, sizeof(line), fp)) {
+    /* Nuke newline. */
+    l = strlen(line);
+    if (line[l - 1] == '\n') line[l - 1] = '\0';
+
+    addr1 = strrchr(line, ' ');
+    addr2 = strrchr(line, '\t');
+    if (addr1 > addr2) addr = addr1;
+    else addr = addr2;
+    if (!addr) return err_accessfile(hc, accesspath, line, fp);
+
+    mask = strchr(++addr, '/');
+    if (mask) {
+      *mask++ = '\0';
+      if (!*mask) return err_accessfile(hc, accesspath, line, fp);
+      if (!strchr(mask, '.')) {
+        l = atol(mask);
+        if ((l < 0) || (l > 32))
+          return err_accessfile(hc, accesspath, line, fp);
+        for (l = 32 - l; l > 0; --l) ipv4_mask.s_addr ^= 1 << (l - 1);
+        ipv4_mask.s_addr = htonl(ipv4_mask.s_addr);
+      }
+      else {
+        if (!inet_aton(mask, &ipv4_mask))
+          return err_accessfile(hc, accesspath, line, fp);
+      }
+    }
+
+    if (!inet_aton(addr, &ipv4_addr))
+      return err_accessfile(hc, accesspath, line, fp);
+
+    /* Does client addr match this rule? */
+    if ((hc->client_addr.sa_in.sin_addr.s_addr & ipv4_mask.s_addr) ==
+      (ipv4_addr.s_addr & ipv4_mask.s_addr)) {
+      /* Yes. */
+      switch (line[0]) {
+        case 'd':
+        case 'D':
+	  break;
+
+        case 'a':
+        case 'A':
+          fclose(fp);
+          return 1;
+
+        default:
+          return err_accessfile(hc, accesspath, line, fp);
+      }
+    }
+  }
+
+  httpd_send_err(hc, 403, err403title, "", ERROR_FORM(err403form, 
+    "The requested URL '%.80s' is protected by an address restriction."),
+    hc->encodedurl);
+  fclose(fp);
+  return -1;
+}
+#endif /* ACCESS_FILE */
 
 #ifdef AUTH_FILE
 
@@ -1030,7 +1167,7 @@
     (void) my_snprintf( authpath, maxauthpath, "%s/%s", dirname, AUTH_FILE );
 
     /* Does this directory have an auth file? */
-    if ( stat( authpath, &sb ) < 0 )
+    if ( lstat( authpath, &sb ) < 0 )
 	/* Nope, let the request go through. */
 	return 0;
 
@@ -3683,6 +3820,11 @@
 		hc->encodedurl );
 	    return -1;
 	    }
+#ifdef ACCESS_FILE
+	/* Check access file for this directory. */
+	if ( access_check( hc, hc->expnfilename ) == -1 )
+	    return -1;
+#endif /* ACCESS_FILE */
 #ifdef AUTH_FILE
 	/* Check authorization for this directory. */
 	if ( auth_check( hc, hc->expnfilename ) == -1 )
@@ -3732,6 +3874,50 @@
 	    return -1;
 	    }
 	}
+
+#ifdef ACCESS_FILE
+    /* Check access for this directory. */
+    httpd_realloc_str( &dirname, &maxdirname, expnlen );
+    (void) strcpy( dirname, hc->expnfilename );
+    cp = strrchr( dirname, '/' );
+    if ( cp == (char*) 0 )
+	(void) strcpy( dirname, "." );
+    else
+	*cp = '\0';
+    if ( access_check( hc, dirname ) == -1 )
+	return -1;
+
+    /* Check if the filename is the ACCESS_FILE itself - that's verboten. */
+    if ( expnlen == sizeof(ACCESS_FILE) - 1 )
+	{
+	if ( strcmp( hc->expnfilename, ACCESS_FILE ) == 0 )
+	    {
+	    syslog(
+		LOG_NOTICE,
+		"%.80s URL \"%.80s\" tried to retrieve an access file",
+		httpd_ntoa( &hc->client_addr ), hc->encodedurl );
+	    httpd_send_err(
+		hc, 403, err403title, "",
+		ERROR_FORM( err403form, "The requested URL '%.80s' is an access file, retrieving it is not permitted.\n" ),
+		hc->encodedurl );
+	    return -1;
+	    }
+	}
+    else if ( expnlen >= sizeof(ACCESS_FILE) &&
+	      strcmp( &(hc->expnfilename[expnlen - sizeof(ACCESS_FILE) + 1]), ACCESS_FILE ) == 0 &&
+	      hc->expnfilename[expnlen - sizeof(ACCESS_FILE)] == '/' )
+	{
+	syslog(
+	    LOG_NOTICE,
+	    "%.80s URL \"%.80s\" tried to retrieve an access file",
+	    httpd_ntoa( &hc->client_addr ), hc->encodedurl );
+	httpd_send_err(
+	    hc, 403, err403title, "",
+	    ERROR_FORM( err403form, "The requested URL '%.80s' is an access file, retrieving it is not permitted.\n" ),
+	    hc->encodedurl );
+	return -1;
+	}
+#endif /* ACCESS_FILE */
 
 #ifdef AUTH_FILE
     /* Check authorization for this directory. */
--- thttpd.8.orig	Sat Nov 15 00:43:51 2003
+++ thttpd.8	Sat Oct 16 21:19:13 2004
@@ -100,14 +100,15 @@
 and the config.h option is ALWAYS_VHOST.
 .TP
 .B -g
-Use a global passwd file.
+Use global passwd/access files.
 This means that every file in the entire document tree is protected by
-the single .htpasswd file at the top of the tree.
-Otherwise the semantics of the .htpasswd file are the same.
-If this option is set but there is no .htpasswd file in
+a single .htpasswd or .htaccess file at the top of the tree.
+Otherwise the semantics of the .htpasswd and .htaccess files are the same.
+If this option is set but there are no .htpasswd and no .htaccess files in
 the top-level directory, then thttpd proceeds as if the option was
-not set - first looking for a local .htpasswd file, and if that doesn't
-exist either then serving the file without any password.
+not set - first looking for local .htpasswd and .htaccess files, and if that doesn't
+exist either then serving the file without any password and without any access
+restriction.
 If -g is the compiled-in default, then -nog disables it.
 The config-file option names for this flag are "globalpasswd" and
 "noglobalpasswd",
@@ -274,6 +275,42 @@
 modify .htpasswd files.
 .PP
 Relevant config.h option: AUTH_FILE
+.SH "ACCESS RESTRICTION"
+.PP
+Access restriction is available as an option at compile time.
+If enabled, it uses an access file in the directory to be protected,
+called .htaccess by default.
+This file consists of a rule and a host address or a network range per
+line.
+Valid rules are:
+.TP
+.B allow from
+The following host address or network range is allowed to access the requested
+directory and its files.
+.TP
+.B deny from
+The following host address or network range is not allowed to access the
+requested directory and its files.
+.PP
+The protection does not carry over to subdirectories.
+There are three ways to specify a valid host address or network range:
+.TP
+.B IPv4 host address
+eg. 10.2.3.4
+.TP
+.B IPv4 network with subnet mask
+eg. 10.0.0.0/255.255.0.0
+.TP
+.B IPv4 network using CIDR notation
+eg. 10.0.0.0/16
+.PP
+Note that rules are processed in the same order as they are listed in the
+access file and that the first rule which matches the client's address is
+applied (there is no order clause).
+So if there is no allow from 0.0.0.0/0 at the end of the file the default
+action is to deny access.
+.PP
+Relevant config.h option: ACCESS_FILE
 .SH "THROTTLING"
 .PP
 The throttle file lets you set maximum byte rates on URLs or URL groups.