/src/curl/lib/noproxy.c

Source
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
#include "curl_setup.h"

#ifndef CURL_DISABLE_PROXY

#include "curlx/inet_pton.h"
#include "noproxy.h"
#include "curlx/strparse.h"

#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif

#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif

/*
 * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
 * specified CIDR address range.
 */
UNITTEST bool Curl_cidr4_match(const char *ipv4,    /* 1.2.3.4 address */
                               const char *network, /* 1.2.3.4 address */
                               unsigned int bits)
{
  unsigned int address = 0;
  unsigned int check = 0;

  if(bits > 32)
    /* strange input */
    return FALSE;

  if(curlx_inet_pton(AF_INET, ipv4, &address) != 1)
    return FALSE;
  if(curlx_inet_pton(AF_INET, network, &check) != 1)
    return FALSE;

  if(bits && (bits != 32)) {
    unsigned int mask = 0xffffffff << (32 - bits);
    unsigned int haddr = htonl(address);
    unsigned int hcheck = htonl(check);
#if 0
    curl_mfprintf(stderr, "Host %s (%x) network %s (%x) "
                  "bits %u mask %x => %x\n",
                  ipv4, haddr, network, hcheck, bits, mask,
                  (haddr ^ hcheck) & mask);
#endif
    if((haddr ^ hcheck) & mask)
      return FALSE;
    return TRUE;
  }
  return address == check;
}

UNITTEST bool Curl_cidr6_match(const char *ipv6,
                               const char *network,
                               unsigned int bits)
{
#ifdef USE_IPV6
  unsigned int bytes;
  unsigned int rest;
  unsigned char address[16];
  unsigned char check[16];

  if(!bits)
    bits = 128;

  bytes = bits / 8;
  rest = bits & 0x07;
  if((bytes > 16) || ((bytes == 16) && rest))
    return FALSE;
  if(curlx_inet_pton(AF_INET6, ipv6, address) != 1)
    return FALSE;
  if(curlx_inet_pton(AF_INET6, network, check) != 1)
    return FALSE;
  if(bytes && memcmp(address, check, bytes))
    return FALSE;
  if(rest && ((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
    return FALSE;

  return TRUE;
#else
  (void)ipv6;
  (void)network;
  (void)bits;
  return FALSE;
#endif
}

enum nametype {
  TYPE_HOST,
  TYPE_IPV4,
  TYPE_IPV6
};

static bool match_host(const char *token, size_t tokenlen,
                       const char *name, size_t namelen)
{
  bool match = FALSE;

  /* ignore trailing dots in the token to check */
  if(token[tokenlen - 1] == '.')
    tokenlen--;

  if(tokenlen && (*token == '.')) {
    /* ignore leading token dot as well */
    token++;
    tokenlen--;
  }
  /* A: example.com matches 'example.com'
     B: www.example.com matches 'example.com'
     C: nonexample.com DOES NOT match 'example.com'
  */
  if(tokenlen == namelen)
    /* case A, exact match */
    match = curl_strnequal(token, name, namelen);
  else if(tokenlen < namelen) {
    /* case B, tailmatch domain */
    match = (name[namelen - tokenlen - 1] == '.') &&
            curl_strnequal(token, name + (namelen - tokenlen), tokenlen);
  }
  /* case C passes through, not a match */
  return match;
}

static bool match_ip(int type, const char *token, size_t tokenlen,
                     const char *name)
{
  const char *check = token;
  char *slash;
  unsigned int bits = 0;
  char checkip[128];
  if(tokenlen >= sizeof(checkip))
    /* this cannot match */
    return FALSE;
  /* copy the check name to a temp buffer */
  memcpy(checkip, check, tokenlen);
  checkip[tokenlen] = 0;
  check = checkip;

  slash = strchr(check, '/');
  /* if the slash is part of this token, use it */
  if(slash) {
    curl_off_t value;
    const char *p = &slash[1];
    if(curlx_str_number(&p, &value, 128) || *p)
      return FALSE;
    /* a too large value is rejected in the cidr function below */
    bits = (unsigned int)value;
    *slash = 0; /* null-terminate there */
  }
  if(type == TYPE_IPV6)
    return Curl_cidr6_match(name, check, bits);
  else
    return Curl_cidr4_match(name, check, bits);
}

/****************************************************************
 * Checks if the host is in the noproxy list. returns TRUE if it matches and
 * therefore the proxy should NOT be used.
 ****************************************************************/
bool Curl_check_noproxy(const char *name, const char *no_proxy)
{
  /*
   * If we do not have a hostname at all, like for example with a FILE
   * transfer, we have nothing to interrogate the noproxy list with.
   */
  if(!name || name[0] == '\0')
    return FALSE;

  /* no_proxy=domain1.dom,host.domain2.dom
   *   (a comma-separated list of hosts which should
   *   not be proxied, or an asterisk to override
   *   all proxy variables)
   */
  if(no_proxy && no_proxy[0]) {
    const char *p = no_proxy;
    size_t namelen;
    char address[16];
    enum nametype type = TYPE_HOST;
    if(!strcmp("*", no_proxy))
      return TRUE;

    /* NO_PROXY was specified and it was not just an asterisk */

    /* Check if name is an IP address; if not, assume it being a hostname. */
    namelen = strlen(name);
    if(curlx_inet_pton(AF_INET, name, &address) == 1)
      type = TYPE_IPV4;
#ifdef USE_IPV6
    else if(curlx_inet_pton(AF_INET6, name, &address) == 1)
      type = TYPE_IPV6;
#endif
    else {
      /* ignore trailing dots in the hostname */
      if(name[namelen - 1] == '.')
        namelen--;
    }

    while(*p) {
      const char *token;
      size_t tokenlen = 0;

      /* pass blanks */
      curlx_str_passblanks(&p);

      token = p;
      /* pass over the pattern */
      while(*p && !ISBLANK(*p) && (*p != ',')) {
        p++;
        tokenlen++;
      }

      if(tokenlen) {
        bool match = FALSE;
        if(type == TYPE_HOST)
          match = match_host(token, tokenlen, name, namelen);
        else
          match = match_ip(type, token, tokenlen, name);

        if(match)
          return TRUE;
      }

      /* pass blanks after pattern */
      curlx_str_passblanks(&p);
      /* if not a comma, this ends the loop */
      if(*p != ',')
        break;
      /* pass any number of commas */
      while(*p == ',')
        p++;
    } /* while(*p) */
  } /* NO_PROXY was specified and it was not just an asterisk */

  return FALSE;
}

#endif /* CURL_DISABLE_PROXY */

Coverage Report

Created: 2026-01-25 06:10

Line	Count	Source
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		* SPDX-License-Identifier: curl
22		*
23		***************************************************************************/
24		#include "curl_setup.h"
25
26		#ifndef CURL_DISABLE_PROXY
27
28		#include "curlx/inet_pton.h"
29		#include "noproxy.h"
30		#include "curlx/strparse.h"
31
32		#ifdef HAVE_NETINET_IN_H
33		#include <netinet/in.h>
34		#endif
35
36		#ifdef HAVE_ARPA_INET_H
37		#include <arpa/inet.h>
38		#endif
39
40		/*
41		* Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
42		* specified CIDR address range.
43		*/
44		UNITTEST bool Curl_cidr4_match(const char ipv4, / 1.2.3.4 address */
45		const char network, / 1.2.3.4 address */
46		unsigned int bits)
47	0	{
48	0	unsigned int address = 0;
49	0	unsigned int check = 0;
50
51	0	if(bits > 32)
52		/* strange input */
53	0	return FALSE;
54
55	0	if(curlx_inet_pton(AF_INET, ipv4, &address) != 1)
56	0	return FALSE;
57	0	if(curlx_inet_pton(AF_INET, network, &check) != 1)
58	0	return FALSE;
59
60	0	if(bits && (bits != 32)) {
61	0	unsigned int mask = 0xffffffff << (32 - bits);
62	0	unsigned int haddr = htonl(address);
63	0	unsigned int hcheck = htonl(check);
64		#if 0
65		curl_mfprintf(stderr, "Host %s (%x) network %s (%x) "
66		"bits %u mask %x => %x\n",
67		ipv4, haddr, network, hcheck, bits, mask,
68		(haddr ^ hcheck) & mask);
69		#endif
70	0	if((haddr ^ hcheck) & mask)
71	0	return FALSE;
72	0	return TRUE;
73	0	}
74	0	return address == check;
75	0	}
76
77		UNITTEST bool Curl_cidr6_match(const char *ipv6,
78		const char *network,
79		unsigned int bits)
80	0	{
81	0	#ifdef USE_IPV6
82	0	unsigned int bytes;
83	0	unsigned int rest;
84	0	unsigned char address[16];
85	0	unsigned char check[16];
86
87	0	if(!bits)
88	0	bits = 128;
89
90	0	bytes = bits / 8;
91	0	rest = bits & 0x07;
92	0	if((bytes > 16) \|\| ((bytes == 16) && rest))
93	0	return FALSE;
94	0	if(curlx_inet_pton(AF_INET6, ipv6, address) != 1)
95	0	return FALSE;
96	0	if(curlx_inet_pton(AF_INET6, network, check) != 1)
97	0	return FALSE;
98	0	if(bytes && memcmp(address, check, bytes))
99	0	return FALSE;
100	0	if(rest && ((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
101	0	return FALSE;
102
103	0	return TRUE;
104		#else
105		(void)ipv6;
106		(void)network;
107		(void)bits;
108		return FALSE;
109		#endif
110	0	}
111
112		enum nametype {
113		TYPE_HOST,
114		TYPE_IPV4,
115		TYPE_IPV6
116		};
117
118		static bool match_host(const char *token, size_t tokenlen,
119		const char *name, size_t namelen)
120	0	{
121	0	bool match = FALSE;
122
123		/* ignore trailing dots in the token to check */
124	0	if(token[tokenlen - 1] == '.')
125	0	tokenlen--;
126
127	0	if(tokenlen && (*token == '.')) {
128		/* ignore leading token dot as well */
129	0	token++;
130	0	tokenlen--;
131	0	}
132		/* A: example.com matches 'example.com'
133		B: www.example.com matches 'example.com'
134		C: nonexample.com DOES NOT match 'example.com'
135		*/
136	0	if(tokenlen == namelen)
137		/* case A, exact match */
138	0	match = curl_strnequal(token, name, namelen);
139	0	else if(tokenlen < namelen) {
140		/* case B, tailmatch domain */
141	0	match = (name[namelen - tokenlen - 1] == '.') &&
142	0	curl_strnequal(token, name + (namelen - tokenlen), tokenlen);
143	0	}
144		/* case C passes through, not a match */
145	0	return match;
146	0	}
147
148		static bool match_ip(int type, const char *token, size_t tokenlen,
149		const char *name)
150	0	{
151	0	const char *check = token;
152	0	char *slash;
153	0	unsigned int bits = 0;
154	0	char checkip[128];
155	0	if(tokenlen >= sizeof(checkip))
156		/* this cannot match */
157	0	return FALSE;
158		/* copy the check name to a temp buffer */
159	0	memcpy(checkip, check, tokenlen);
160	0	checkip[tokenlen] = 0;
161	0	check = checkip;
162
163	0	slash = strchr(check, '/');
164		/* if the slash is part of this token, use it */
165	0	if(slash) {
166	0	curl_off_t value;
167	0	const char *p = &slash[1];
168	0	if(curlx_str_number(&p, &value, 128) \|\| *p)
169	0	return FALSE;
170		/* a too large value is rejected in the cidr function below */
171	0	bits = (unsigned int)value;
172	0	slash = 0; / null-terminate there */
173	0	}
174	0	if(type == TYPE_IPV6)
175	0	return Curl_cidr6_match(name, check, bits);
176	0	else
177	0	return Curl_cidr4_match(name, check, bits);
178	0	}
179
180		/****************************************************************
181		* Checks if the host is in the noproxy list. returns TRUE if it matches and
182		* therefore the proxy should NOT be used.
183		****************************************************************/
184		bool Curl_check_noproxy(const char name, const char no_proxy)
185	0	{
186		/*
187		* If we do not have a hostname at all, like for example with a FILE
188		* transfer, we have nothing to interrogate the noproxy list with.
189		*/
190	0	if(!name \|\| name[0] == '\0')
191	0	return FALSE;
192
193		/* no_proxy=domain1.dom,host.domain2.dom
194		* (a comma-separated list of hosts which should
195		* not be proxied, or an asterisk to override
196		* all proxy variables)
197		*/
198	0	if(no_proxy && no_proxy[0]) {
199	0	const char *p = no_proxy;
200	0	size_t namelen;
201	0	char address[16];
202	0	enum nametype type = TYPE_HOST;
203	0	if(!strcmp("*", no_proxy))
204	0	return TRUE;
205
206		/* NO_PROXY was specified and it was not just an asterisk */
207
208		/* Check if name is an IP address; if not, assume it being a hostname. */
209	0	namelen = strlen(name);
210	0	if(curlx_inet_pton(AF_INET, name, &address) == 1)
211	0	type = TYPE_IPV4;
212	0	#ifdef USE_IPV6
213	0	else if(curlx_inet_pton(AF_INET6, name, &address) == 1)
214	0	type = TYPE_IPV6;
215	0	#endif
216	0	else {
217		/* ignore trailing dots in the hostname */
218	0	if(name[namelen - 1] == '.')
219	0	namelen--;
220	0	}
221
222	0	while(*p) {
223	0	const char *token;
224	0	size_t tokenlen = 0;
225
226		/* pass blanks */
227	0	curlx_str_passblanks(&p);
228
229	0	token = p;
230		/* pass over the pattern */
231	0	while(p && !ISBLANK(p) && (*p != ',')) {
232	0	p++;
233	0	tokenlen++;
234	0	}
235
236	0	if(tokenlen) {
237	0	bool match = FALSE;
238	0	if(type == TYPE_HOST)
239	0	match = match_host(token, tokenlen, name, namelen);
240	0	else
241	0	match = match_ip(type, token, tokenlen, name);
242
243	0	if(match)
244	0	return TRUE;
245	0	}
246
247		/* pass blanks after pattern */
248	0	curlx_str_passblanks(&p);
249		/* if not a comma, this ends the loop */
250	0	if(*p != ',')
251	0	break;
252		/* pass any number of commas */
253	0	while(*p == ',')
254	0	p++;
255	0	} /* while(p) /
256	0	} /* NO_PROXY was specified and it was not just an asterisk */
257
258	0	return FALSE;
259	0	}
260
261		#endif /* CURL_DISABLE_PROXY */