authorbbryant <bbryant@f38db490-d61c-443f-a65b-d21fe96a405b>2008-05-23 21:19:42 +0000
committerbbryant <bbryant@f38db490-d61c-443f-a65b-d21fe96a405b>2008-05-23 21:19:42 +0000
commit3342d99a3004b5d743c3dc210c5c676321db036e (patch)
tree7977243582180faf65bdbd4dbf9a5f57655dbb94 /main/http.c
parentefb66dbfff81a527644c89e13690fb67a6fa7acb (diff)
Add new functionality to http server that requires manager authentication for any path that includes a directory named 'private'. This patch also
requires manager authentication for any POSTs sent to the server, to help secure uploads. git-svn-id: http://svn.digium.com/svn/asterisk/trunk@118161 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'main/http.c')
-rw-r--r--main/http.c24
1 files changed, 22 insertions, 2 deletions
diff --git a/main/http.c b/main/http.c
index 5ab4d27ca..405f65d9d 100644
--- a/main/http.c
+++ b/main/http.c
@@ -131,6 +131,18 @@ static const char *ftype2mtype(const char *ftype, char *wkspace, int wkspacelen)
return wkspace;
}
+static uint32_t manid_from_vars(struct ast_variable *sid) {
+ uint32_t mngid;
+
+ while (sid && strcmp(sid->name, "mansession_id"))
+ sid = sid->next;
+
+ if (!sid || sscanf(sid->value, "%x", &mngid) != 1)
+ return 0;
+
+ return mngid;
+}
+
static struct ast_str *static_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *vars, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
char *path;
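Review bot: `sscanf(sid->value, "%x", &mngid)` in the new manid_from_vars passes a `uint32_t *` where `%x` is specified for `unsigned int *`; use `"%" SCNx32` from `<inttypes.h>` so the conversion width matches the variable on every platform. `sid->value` is also dereferenced without a check — if an `ast_variable` can carry a NULL value (cannot tell from here) sscanf would read through it, and `if (!sid || !sid->value || sscanf(sid->value, "%" SCNx32, &mngid) != 1)` covers both cases. A session id that parses to 0 is indistinguishable from "no session", which is only safe as long as astman_is_authed(0) is always false; a one-line comment stating that contract would help the reader, e.g. `/* 0 is never a valid manager session id, so it doubles as "not found" */`. Style: the opening brace sits on the signature line, while the file's other definitions (static_callback just below) put it on its own line.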
@@ -178,12 +190,16 @@ static struct ast_str *static_callback(struct ast_tcptls_session_instance *ser,
if (S_ISDIR(st.st_mode)) {
goto out404;
- }
+ }
if ((fd = open(path, O_RDONLY)) < 0) {
goto out403;
}
+ if (strstr(path, "/private/") && !astman_is_authed(manid_from_vars(vars))) {
+ goto out403;
+ }
+
ast_strftime(buf, sizeof(buf), "%a, %d %b %Y %H:%M:%S %Z", ast_localtime(&tv, &tm, "GMT"));
fprintf(ser->f, "HTTP/1.1 200 OK\r\n"
"Server: Asterisk/%s\r\n"
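Review bot: The new `/private/` check runs after `open(path, O_RDONLY)` has already succeeded, so on the denied path `fd` is leaked unless the `out403` label (outside the hunk) closes it — and since the existing `goto out403` is taken before the open, that label presumably does not. Moving the three new lines above the `if ((fd = open(path, O_RDONLY)) < 0)` test avoids opening a file the requester is not allowed to read at all and leaves the existing cleanup untouched. Note also that `strstr(path, "/private/")` is a plain substring test over the filesystem path: any component named `private` at any depth under the document root triggers it, and the match is case-sensitive regardless of the filesystem; if that is the intent, say so with `/* any path component named "private" requires an authenticated manager session */`. static_callback continues outside the hunk.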
@@ -514,7 +530,11 @@ static struct ast_str *handle_uri(struct ast_tcptls_session_instance *ser, char
}
}
- if (urih) {
+ if (method == AST_HTTP_POST && !astman_is_authed(manid_from_vars(vars))) {
+ out = ast_http_error((*status = 403),
+ (*title = ast_strdup("Access Denied")),
+ NULL, "Sorry, I cannot let you do that, Dave.");
+ } else if (urih) {
*static_content = urih->static_content;
out = urih->callback(ser, urih, uri, method, vars, headers, status, title, contentlength);
AST_RWLIST_UNLOCK(&uris);
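Review bot: The new 403 branch returns `out` without releasing the `uris` list lock, whereas the `urih` branch it now precedes ends with `AST_RWLIST_UNLOCK(&uris)`; if the read lock is taken before the lookup (above the hunk, cannot confirm here), every unauthenticated POST leaves it held and later URI registration or unregistration will block. Either add `AST_RWLIST_UNLOCK(&uris);` to the new branch, or perform the POST check before the list is locked so no lookup is done for a request that will be refused anyway. Because the check precedes dispatch for every handler, a POST can never establish a manager session — the login request that would create `mansession_id` is itself rejected; if POST login is meant to keep working, that handler needs an explicit exemption, and a comment should record the decision either way. handle_uri continues outside the hunk.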