diff --git a/src/conf.c b/src/conf.c
index 47d8962..13b30d1 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -601,7 +601,8 @@ static HANDLE_FUNC (handle_timeout)
 
 static HANDLE_FUNC (handle_connectport)
 {
-        add_connect_port_allowed (get_int_arg (line, &match[2]));
+        add_connect_port_allowed (get_int_arg (line, &match[2]),
+                                  &conf->connect_ports);
         return 0;
 }
 
diff --git a/src/connect-ports.c b/src/connect-ports.c
index 045adc9..b002690 100644
--- a/src/connect-ports.c
+++ b/src/connect-ports.c
@@ -19,24 +19,17 @@
  */
 
 #include "connect-ports.h"
-#include "vector.h"
 #include "log.h"
 
-/*
- * This is a global variable which stores which ports are allowed by
- * the CONNECT method. It's a security thing.
- */
-static vector_t ports_allowed_by_connect = NULL;
-
 /*
  * Now, this routine adds a "port" to the list. It also creates the list if
  * it hasn't already by done.
  */
-void add_connect_port_allowed (int port)
+void add_connect_port_allowed (int port, vector_t *connect_ports)
 {
-        if (!ports_allowed_by_connect) {
-                ports_allowed_by_connect = vector_create ();
-                if (!ports_allowed_by_connect) {
+        if (!*connect_ports) {
+                *connect_ports = vector_create ();
+                if (!*connect_ports) {
                         log_message (LOG_WARNING,
                                      "Could not create a list of allowed CONNECT ports");
                         return;
@@ -45,8 +38,7 @@ void add_connect_port_allowed (int port)
         log_message (LOG_INFO,
                      "Adding Port [%d] to the list allowed by CONNECT",
                      port);
-        vector_append (ports_allowed_by_connect, (void **) &port,
-                       sizeof (port));
+        vector_append (*connect_ports, (void **) &port, sizeof (port));
 }
 
 /*
@@ -55,7 +47,7 @@ void add_connect_port_allowed (int port)
  * Returns: 1 if allowed
  *          0 if denied
  */
-int check_allowed_connect_ports (int port)
+int check_allowed_connect_ports (int port, vector_t connect_ports)
 {
         size_t i;
         int *data;
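Review bot: The value returned by `get_int_arg` is handed straight to `add_connect_port_allowed` with no range check, so a ConnectPort of 0, a negative number or anything above 65535 is accepted and logged as added even though no request can ever match it, which hides a configuration typo. Because `add_connect_port_allowed` returns void (see the connect-ports.c hunk), the handler also returns 0 when the list could not even be created. I would capture the value first, `int port = get_int_arg (line, &match[2]);`, reject it with `if (port < 1 || port > 65535) return -1;` (or whatever non-zero value the neighbouring handlers use for a bad directive), and only then pass `port` and `&conf->connect_ports` on. handle_connectport is fully inside the hunk; the HANDLE_FUNC macro it expands from is not visible here.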
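Review bot: The comment above `add_connect_port_allowed` still describes the removed global and says nothing about the new `connect_ports` parameter, which is dereferenced as `*connect_ports` without a NULL check and is the slot where the lazily created list is stored. The failure path deserves a sentence too: when `vector_create` fails the port is dropped with only a warning and `*connect_ports` stays NULL, which by the check in `check_allowed_connect_ports` (later hunk) means every CONNECT is refused — fail-closed, but invisible to the caller because the function returns void. I would replace the comment with one stating that `connect_ports` must be non-NULL and point at the config's slot, that the vector is created on first use, and that allocation failure leaves the list NULL so all CONNECT requests are denied; returning an int so the config loader can abort on that failure would be the natural follow-up. The function body continues past the end of this hunk.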
@@ -64,12 +56,11 @@ int check_allowed_connect_ports (int port)
          * A port list is REQUIRED for a CONNECT request to function
          * properly. This closes a potential security hole.
          */
-        if (!ports_allowed_by_connect)
+        if (!connect_ports)
                 return 0;
 
-        for (i = 0; i != (size_t) vector_length (ports_allowed_by_connect); ++i) {
-                data =
-                    (int *) vector_getentry (ports_allowed_by_connect, i, NULL);
+        for (i = 0; i != (size_t) vector_length (connect_ports); ++i) {
+                data = (int *) vector_getentry (connect_ports, i, NULL);
                 if (data && *data == port)
                         return 1;
         }
diff --git a/src/connect-ports.h b/src/connect-ports.h
index 6ed6479..09aa350 100644
--- a/src/connect-ports.h
+++ b/src/connect-ports.h
@@ -22,8 +22,9 @@
 #define _TINYPROXY_CONNECT_PORTS_H_
 
 #include "common.h"
+#include "vector.h"
 
-extern void add_connect_port_allowed (int port);
-int check_allowed_connect_ports (int port);
+extern void add_connect_port_allowed (int port, vector_t *connect_ports);
+int check_allowed_connect_ports (int port, vector_t connect_ports);
 
 #endif /* _TINYPROXY_CONNECT_PORTS_ */
diff --git a/src/main.h b/src/main.h
index 1091893..55270bd 100644
--- a/src/main.h
+++ b/src/main.h
@@ -91,6 +91,11 @@ struct config_s {
         char *statpage;
 
         vector_t access_list;
+
+        /*
+         * Store the list of port allowed by CONNECT.
+         */
+        vector_t connect_ports;
 };
 
 /* Global Structures used in the program */
diff --git a/src/reqs.c b/src/reqs.c
index c92920f..83873df 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -419,7 +419,9 @@ BAD_REQUEST_ERROR:
         }
 
         /* Verify that the port in the CONNECT method is allowed */
-        if (!check_allowed_connect_ports (request->port)) {
+        if (!check_allowed_connect_ports (request->port,
+                                          config.connect_ports))
+        {
                 indicate_http_error (connptr, 403, "Access violation",
                                      "detail",
                                      "The CONNECT method not allowed "
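Review bot: The two rewritten prototypes keep the old inconsistency of `extern` on `add_connect_port_allowed` but not on `check_allowed_connect_ports`; `extern` is implicit on function declarations, so I would drop it from both, `void add_connect_port_allowed (int port, vector_t *connect_ports);`. A one-line comment on each saying that `connect_ports` is the caller-owned slot from `struct config_s` (a pointer to it for the adder, the value for the checker) would save readers a trip to connect-ports.c.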
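Review bot: The new `connect_ports` member is only safe as long as `struct config_s` starts out zeroed, because `add_connect_port_allowed` (connect-ports.c hunk) creates the vector when the slot is NULL and `check_allowed_connect_ports` denies everything while it is NULL; nothing in this diff initialises the field or frees the vector. If the config is re-read on reload without resetting this member, ports removed from the file would stay allowed, and if it is reset without deleting the old vector it leaks — neither path is visible here, so the reload and free code should be checked. I would make the comment carry the contract: `/* Ports allowed by CONNECT; NULL until the first ConnectPort directive, and a NULL list denies every CONNECT request. */`.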
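Review bot: The opening brace of the rewritten `if` is moved onto a line of its own, while the line it replaces and the rest of the visible code (`if (!*connect_ports) {` in connect-ports.c) keep `{` on the condition line; I would keep the file's style, `if (!check_allowed_connect_ports (request->port,` followed by `config.connect_ports)) {`. The enclosing function starts before this hunk and the `indicate_http_error` call runs past its end.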