• src/sbbs3/websrvr.c

    From rswindell@VERT to CVS commit on Friday, April 06, 2018 02:23:00
    src/sbbs3 websrvr.c 1.665 1.666
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/home/rswindell/sbbs/src/sbbs3

    Modified Files:
    websrvr.c
    Log Message:
    Enabled GCC-assisted printf-style format/arg checking for lprintf() and
    fix the resulting warnings.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Tuesday, May 01, 2018 06:00:00
    src/sbbs3 websrvr.c 1.667 1.668
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv20001

    Modified Files:
    websrvr.c
    Log Message:
    Break the loop when failed is set to true.
    Also, use a stack pointer if the passed failed pointer is NULL.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Saturday, October 06, 2018 22:34:00
    src/sbbs3 websrvr.c 1.668 1.669
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv14230

    Modified Files:
    websrvr.c
    Log Message:
    zero-initialize the msg-scan (subscan) allocated array, so if an uninitialized entry is ever written to disk, it'll be zeroes not garbage.
    Also, NULL the subscan pointer after freeing (and don't free if it's NULL).



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Thursday, December 06, 2018 02:17:00
    src/sbbs3 websrvr.c 1.670 1.671
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv2663

    Modified Files:
    websrvr.c
    Log Message:
    Added TODO comment regarding apparent RFC 2145 violation in the Status-Line HTTP-Version value we send (no functional change). My interpretation is we should be sending either nothing or "HTTP/1.1" here, never "HTTP/1.0". This interpretation appears to match the behavior of other web servers (e.g. Apache httpd).



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Thursday, December 06, 2018 23:29:00
    src/sbbs3 websrvr.c 1.671 1.672
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23667

    Modified Files:
    websrvr.c
    Log Message:
    Added TODO comment regarding the lack of a Content-Length header field
    in GET responses when Connection: Keep-Alive is not enabled.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Tuesday, December 18, 2018 18:25:00
    src/sbbs3 websrvr.c 1.672 1.673
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv9577

    Modified Files:
    websrvr.c
    Log Message:
    1xx, 204, and 304 responses don't include an entity.

    If we get one of these statuses via a CGI, assume we have good headers.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Tuesday, December 18, 2018 20:53:00
    src/sbbs3 websrvr.c 1.673 1.674
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv1995

    Modified Files:
    websrvr.c
    Log Message:
    Header field values may (usually do) have leading linear white-space, so
    skip any spaces before parsing the value (for CGI supplied headers).



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Tuesday, January 01, 2019 04:38:00
    src/sbbs3 websrvr.c 1.674 1.675
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv25689

    Modified Files:
    websrvr.c
    Log Message:
    Fixed typo: deprecated, not depreciated.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Friday, January 04, 2019 23:18:00
    src/sbbs3 websrvr.c 1.675 1.676
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv29102

    Modified Files:
    websrvr.c
    Log Message:
    Fixed typo in error message.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Wednesday, May 22, 2019 22:39:00
    src/sbbs3 websrvr.c 1.680 1.681
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23025

    Modified Files:
    websrvr.c
    Log Message:
    open_post_file(): if post_data is NULL, just log an error and return NULL (don't pass a NULL pointer to fwrite() which can assert or crash).



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Thursday, May 23, 2019 00:40:00
    src/sbbs3 websrvr.c 1.681 1.682
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv8139

    Modified Files:
    websrvr.c
    Log Message:
    Increase MAX_POST_LEN from 1MB to 4MB (QWK REP packets can be > 1MB) -
    I think that > 1MB post data is supported, but the http_request.post_data
    property won't be created if the length > MAX_POST_LEN. Perhaps we could just
    store the post data in a file (uh, it already is?) and expose the filename to
    JS scripts? It'd be a lot cleaner than storing the data in a file and then
    reading (or mem-mapping) the file and then copying the contents into a JS
    property.

    Allow the JS http_request.post_data property to contain NULs.

    open_post_file() will now open the post file (and return the FILE*) even if
    session->req.post_data is NULL, it just won't try to write to the file if the
    post_data is NULL.

    mem-map the large post data files using XPMAP_WRITE (read/write) rather than
    XPMAP_READ (read-only) - without this change, this line in read_post_data()
    would cause an exception:
    session->req.post_data[session->req.post_len]=0;
    Now, we seem to have the potential of an off-by-one here (if the length
    mem-mapped is not post_len + 1), but that isn't happening. <shrug>

    Fixed a couple of FILE pointer/descriptor leaks if post_to_file() failed.

    Changed name of post data file to SBBS_POST.*.*.data (it's not necessarily html).

    So now, uploads > 1MB work, but questions remain:
    - wouldn't PUT be a more appropriate method (than POST) for file uploads?
    - how can we support post_data > MAX_POST_LEN (now 4MB) in JS?



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Friday, June 07, 2019 19:46:00
    src/sbbs3 websrvr.c 1.682 1.683
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/home/rswindell/sbbs/src/sbbs3

    Modified Files:
    websrvr.c
    Log Message:
    Fix observed segfault (NULL pointer dereference) in parse_headers
    (strtok can return NULL).



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, June 21, 2019 18:54:31
    src/sbbs3 websrvr.c 1.684 1.685
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv8336

    Modified Files:
    websrvr.c
    Log Message:
    Some RFC nits.

    1) Send Content-Length even if we will be closing the connection.
    2) Send the highest HTTP version in the status line that has the same major version.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Thursday, July 04, 2019 01:53:30
    src/sbbs3 websrvr.c 1.687 1.688
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv4323

    Modified Files:
    websrvr.c
    Log Message:
    As with CGI, if a script specifies a Content-Length or Transfer-Encoding header, don't calculate either one and let the script shoot itself in the foot.

    Also, if a Location header is set, try an internal redirect rather than
    forcing the client to handle it.

    Now scripts can avoid chunked mode by specifying a correct content-length;
    if the content-length is wrong though, Bad Things will happen.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Thursday, July 04, 2019 01:57:42
    src/sbbs3 websrvr.c 1.688 1.689
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv4962

    Modified Files:
    websrvr.c
    Log Message:
    Update to last commit... only allow fiddling with things if the initial
    headers haven't been sent yet.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Wednesday, July 24, 2019 08:52:19
    src/sbbs3 websrvr.c 1.690 1.691
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv15156

    Modified Files:
    websrvr.c
    Log Message:
    Store the configured temp directory for the web server in scfg.temp_dir so that JS scripts using system.temp_dir to store files get a sensible value (and not the hard-coded default of just "temp").
    This should fix the creation of ctrl/tempftelnet.url files.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, August 02, 2019 17:10:08
    src/sbbs3 websrvr.c 1.691 1.692
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv18463

    Modified Files:
    websrvr.c
    Log Message:
    Fix an error nobody has ever seen.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, August 02, 2019 17:26:09
    src/sbbs3 websrvr.c 1.692 1.693
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv20335

    Modified Files:
    websrvr.c
    Log Message:
    Add a terrible hack to see if the TLS POST issue is what I think it is.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, August 02, 2019 17:47:07
    src/sbbs3 websrvr.c 1.693 1.694
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23121

    Modified Files:
    websrvr.c
    Log Message:
    De-hack and maybe fix?



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, August 02, 2019 17:50:36
    src/sbbs3 websrvr.c 1.694 1.695
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23687

    Modified Files:
    websrvr.c
    Log Message:
    Don't crash if rd is NULL.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, August 02, 2019 17:52:02
    src/sbbs3 websrvr.c 1.695 1.696
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23917

    Modified Files:
    websrvr.c
    Log Message:
    Better anti-crash behaviour.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Nightfox@VERT/DIGDIST to deuce on Friday, August 02, 2019 19:56:33
    Re: src/sbbs3/websrvr.c
    By: deuce to CVS commit on Fri Aug 02 2019 10:10 am

    websrvr.c
    Log Message:
    Fix an error nobody has ever seen.

    Thanks for fixing that. I was waiting for that fix. ;)

    Nightfox

    ---
    Synchronet Digital Distortion: digitaldistortionbbs.com
  • From rswindell@VERT to CVS commit on Friday, August 02, 2019 22:20:38
    src/sbbs3 websrvr.c 1.696 1.697
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/home/rswindell/sbbs/src/sbbs3

    Modified Files:
    websrvr.c
    Log Message:
    Remove unused variable in session_check()



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Friday, August 23, 2019 21:08:22
    src/sbbs3 websrvr.c 1.697 1.698
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv13821

    Modified Files:
    websrvr.c
    Log Message:
    login() now calls badlogin() upon login failure.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Tuesday, September 03, 2019 02:19:01
    src/sbbs3 websrvr.c 1.698 1.699
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv18232

    Modified Files:
    websrvr.c
    Log Message:
    Alterego reported a scenario where the web server's cleanup() would wait forever for 1 child thread (presumably the http_logging_thread) to terminate:

    8/27 02:39:43p Waiting for HTTP logging thread to terminate...
    8/27 02:39:43p HTTP logging thread started
    8/27 02:39:43p HTTP logging thread received NULL linked list log entry
    8/27 02:40:44p !TIMEOUT waiting for HTTP logging thread to terminate
    8/27 02:40:44p Done waiting for HTTP logging thread to terminate
    8/27 02:40:44p 0000 Waiting for 1 child threads to terminate

    <infinite wait loop here>

    - Add an extra terminate_http_logging_thread check to the top of the loop in
    http_logging_thread().
    - Signal the log_list semaphore in the "Waiting for HTTP logging thread" and
    "Waiting for x child threads" loops.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From rswindell@VERT to CVS commit on Monday, October 21, 2019 06:32:30
    src/sbbs3 websrvr.c 1.699 1.700
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/home/rswindell/sbbs/src/sbbs3

    Modified Files:
    websrvr.c
    Log Message:
    Fix buffer (stack memory) overflow observed in parse_headers(). This is what brought down [cvs.]synchro.net this weekend. It's hard to believe we still
    have unchecked sprintf() calls around, but we do.



    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, January 03, 2020 20:35:42
    src/sbbs3 websrvr.c 1.700 1.701
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv23416

    Modified Files:
    websrvr.c
    Log Message:
    Allow redirects from non-existent URLs.
    This allows redirect targets from paths that don't exist. Required to implement hard-coded API endpoints via ssjs.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Thursday, January 23, 2020 17:27:47
    src/sbbs3 websrvr.c 1.701 1.702
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv16639

    Modified Files:
    websrvr.c
    Log Message:
    While we're making ssllabs happy, disable TLS 1.0 and 1.1 in the web server only (you can still use them from JS etc).




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From deuce@VERT to CVS commit on Friday, January 24, 2020 18:38:37
    src/sbbs3 websrvr.c 1.702 1.703
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv13539

    Modified Files:
    websrvr.c
    Log Message:
    Comment out TLS 1.2 minver. Too many existing things don't support 1.2.

    We don't need PCI DSS compliance I hope, we just want people doing things.




    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Tracker1@VERT/TRN to deuce on Sunday, January 26, 2020 16:10:02
    Re: src/sbbs3/websrvr.c
    By: deuce to CVS commit on Thu Jan 23 2020 09:27:47

    For what it's worth, we've been using the following list of ciphers where I work... seems to have decent security/compatibility currently.

    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-CHACHA20-POLY1305
    ECDHE-RSA-CHACHA20-POLY1305
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES256-GCM-SHA384

    --
    Michael J. Ryan
    +o roughneckbbs.com
    bbs@tracker1.dev

    ---
    Synchronet Roughneck BBS - coming back 2/2/20
  • From rswindell@VERT to CVS commit on Saturday, August 08, 2020 19:04:58
    src/sbbs3 websrvr.c 1.719 1.720
    Update of /cvsroot/sbbs/src/sbbs3
    In directory cvs:/tmp/cvs-serv17800

    Modified Files:
    websrvr.c
    Log Message:
    The problem: the sysop (me) is not notified of critical errors (e.g. synchro.net zone file problems) in a timely manner.
    Part of the solution: notify a configured user (e.g. user #1) via short-message/telegram and email/netmail logged-errors when messages of a configured severity (e.g. "Critical") are logged.
    The second part of the solution (coming next) will be allowing timed events to log a message of a configurable severity when the event fails (returns a non-zero error level to sbbs).

    I'm saving the error-notification-user-number and log-severity as part of the node.cnf file because:
    - that's where the validation user number is already set
    - I can conceive of a large system where certain node ranges (different instances of sbbs) might want different operators to be notified of logged-errors

    This also means I eliminated all the legacy com port/modem stuff from the end of the node.cnf file. None of that is used in sbbs v3.

    Also included in this commit are improvements around logging:
    - reduce the severity of UDP recvfrom failures in services
    - a more detailed log message when the mail server successfully delivers an email (via SMTP) - easier to answer the question: was that email you/they sent delivered successfully?


    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Rob Swindell@VERT to Git commit to sbbs/master on Monday, October 12, 2020 18:31:22
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/c9db48cec8efd56f8291443d
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Fix requests to the webserver using an IPv6 address, e.g. http://[1234:1234::]. The host portion contains ":" after split_port_part(), resulting in a 400 error.
    Renaming is_legal_hostname() to is_legal_host(), since requests to webservers are to
    "hosts" not "hostnames".

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
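An added example of the host/port split and host check the commit above talks about; this is constructed illustration, not Synchronet's split_port_part() or is_legal_host(), and the function names split_host_port() and host_is_legal() are mine. It shows why a bracketed IPv6 literal must keep its colons and why a check that rejects ':' outright turns such a request into a 400.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only, not Synchronet's split_port_part(): a Host value may
 * be "name", "name:port", "[v6]" or "[v6]:port". Only a colon outside the
 * brackets starts the port, so a bare IPv6 literal is rejected, not guessed. */
bool split_host_port(const char *in, char *host, size_t hostsz, unsigned *port)
{
    const char *end, *colon = NULL;        /* end of host; ':' before the port */
    *port = 0;
    if (in[0] == '[') {                    /* bracketed IPv6 literal */
        if ((end = strchr(in, ']')) == NULL) return false;
        end++;                             /* the ']' stays part of the host */
        if (*end == ':') colon = end;
        else if (*end != '\0') return false;
    } else {
        colon = strrchr(in, ':');
        end = colon != NULL ? colon : in + strlen(in);
    }
    size_t hl = (size_t)(end - in);
    if (hl == 0 || hl >= hostsz) return false;
    memcpy(host, in, hl);
    host[hl] = '\0';
    if (colon != NULL) {
        char *e;
        if (!isdigit((unsigned char)colon[1])) return false;   /* empty/non-numeric port */
        unsigned long p = strtoul(colon + 1, &e, 10);
        if (*e != '\0' || p > 65535) return false;
        *port = (unsigned)p;
    }
    return true;
}

/* Illustrative only, not Synchronet's is_legal_host(): accept a DNS-style
 * name (alphanumerics, '-', '.') or a bracketed IPv6 literal (hex digits,
 * ':' and '.' inside the brackets). A check that rejects ':' outright is
 * exactly what turned "[1234:1234::]" into a 400 Bad Request. */
bool host_is_legal(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 255) return false;
    if (host[0] == '[') {
        if (n < 4 || host[n - 1] != ']') return false;
        for (size_t i = 1; i < n - 1; i++)
            if (!isxdigit((unsigned char)host[i]) && host[i] != ':' && host[i] != '.')
                return false;
        return true;
    }
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)host[i]) && host[i] != '-' && host[i] != '.')
            return false;
    return true;
}
```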
  • From Rob Swindell@VERT to Git commit to sbbs/master on Monday, October 12, 2020 18:31:22
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/d17a5ce0ba8d80a29f136c9e
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Merge branch 'leenooks/sbbs-master'

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Rob Swindell@VERT to Git commit to sbbs/master on Saturday, October 17, 2020 03:53:45
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/37a23fea45bbdb3589e7d909
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Fix heap corruption that could occur when HSTS feature is enabled

    At least on Windows, when realloc() is used to allocate a new buffer,
    guess what's in that buffer initially? undefined values. So you can't
    strcat() onto the end of that! Ouch. This was a fun one to track down.

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
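An added example, not Synchronet's code, of the defect the commit above describes and the fix pattern for it: the buggy append uses strcat() on a buffer realloc() has just created from NULL, while the fixed append carries the written length and terminates explicitly. The HSTS header lines and all function names are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* The pattern the commit describes: when buf starts out NULL, realloc()
 * returns bytes with indeterminate contents, and strcat() scans them for a
 * NUL before writing, so the write lands wherever the first stray zero byte
 * is, possibly beyond the allocation. Shown for contrast only; never call it. */
char *append_header_buggy(char *buf, const char *line)
{
    char *nbuf = realloc(buf, (buf ? strlen(buf) : 0) + strlen(line) + 1);
    if (nbuf == NULL)
        return NULL;
    strcat(nbuf, line);               /* undefined behaviour on the first call */
    return nbuf;
}

/* Fixed pattern: carry the written length alongside the buffer so the copy
 * offset never depends on what freshly allocated memory contains, and
 * terminate explicitly. On failure the old buffer is left for the caller. */
char *append_header(char *buf, size_t *len, const char *line)
{
    size_t add = strlen(line);
    char *nbuf = realloc(buf, *len + add + 1);
    if (nbuf == NULL)
        return NULL;
    memcpy(nbuf + *len, line, add);   /* write at the tracked offset */
    *len += add;
    nbuf[*len] = '\0';                /* terminate what was actually written */
    return nbuf;
}

/* Assemble a header block from an initially NULL buffer, the situation in
 * which the bug bit. Returns NULL on allocation failure; caller frees. */
char *build_headers(const char *const *lines, size_t count, size_t *len)
{
    char *buf = NULL;
    *len = 0;
    for (size_t i = 0; i < count; i++) {
        char *nbuf = append_header(buf, len, lines[i]);
        if (nbuf == NULL) {
            free(buf);
            return NULL;
        }
        buf = nbuf;
    }
    return buf;
}

/* Constructed sample: a 200 response carrying an HSTS header. */
char *example_hsts_headers(size_t *len)
{
    static const char *const lines[] = {
        "HTTP/1.1 200 OK\r\n",
        "Strict-Transport-Security: max-age=31536000\r\n",
        "\r\n",
    };
    return build_headers(lines, sizeof lines / sizeof lines[0], len);
}
```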
  • From Rob Swindell@VERT to Git commit to sbbs/master on Thursday, November 05, 2020 07:28:33
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/987c1129e127fe9a7b67d430
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Fix 32-bit GCC warning on rPi about printf format

    format '%ld' expects argument of type 'long int', but argument 7 has type '__off64_t'

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Stephen Hurd@VERT to Git commit to sbbs/master on Tuesday, November 17, 2020 07:25:24
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/c399ca73f145f7e8dc625ec6
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Some CGI programs know they're not running from a console because
    QUERY_STRING is defined (even if blank).

    Always define it.

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From Rob Swindell@VERT to Git commit to sbbs/master on Tuesday, November 17, 2020 07:39:04
    https://gitlab.synchro.net/sbbs/sbbs/-/commit/2c66387d8a91bc26d226430a
    Modified Files:
    src/sbbs3/websrvr.c
    Log Message:
    Merge remote-tracking branch 'origin/master'

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net