/src/curl/lib/noproxy.c

Source (jump to first uncovered line)
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/

#include "curl_setup.h"

#ifndef CURL_DISABLE_PROXY

#include <curl/curl.h>  /* for curl_strnequal() */
#include "curlx/inet_pton.h"
#include "noproxy.h"
#include "curlx/strparse.h"

#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif

#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif

/*
 * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
 * specified CIDR address range.
 */
UNITTEST bool Curl_cidr4_match(const char *ipv4,    /* 1.2.3.4 address */
                               const char *network, /* 1.2.3.4 address */
                               unsigned int bits)
{
  unsigned int address = 0;
  unsigned int check = 0;

  if(bits > 32)
    /* strange input */
    return FALSE;

  if(curlx_inet_pton(AF_INET, ipv4, &address) != 1)
    return FALSE;
  if(curlx_inet_pton(AF_INET, network, &check) != 1)
    return FALSE;

  if(bits && (bits != 32)) {
    unsigned int mask = 0xffffffff << (32 - bits);
    unsigned int haddr = htonl(address);
    unsigned int hcheck = htonl(check);
#if 0
    fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n",
            ipv4, haddr, network, hcheck, bits, mask,
            (haddr ^ hcheck) & mask);
#endif
    if((haddr ^ hcheck) & mask)
      return FALSE;
    return TRUE;
  }
  return address == check;
}

UNITTEST bool Curl_cidr6_match(const char *ipv6,
                               const char *network,
                               unsigned int bits)
{
#ifdef USE_IPV6
  unsigned int bytes;
  unsigned int rest;
  unsigned char address[16];
  unsigned char check[16];

  if(!bits)
    bits = 128;

  bytes = bits / 8;
  rest = bits & 0x07;
  if((bytes > 16) || ((bytes == 16) && rest))
    return FALSE;
  if(curlx_inet_pton(AF_INET6, ipv6, address) != 1)
    return FALSE;
  if(curlx_inet_pton(AF_INET6, network, check) != 1)
    return FALSE;
  if(bytes && memcmp(address, check, bytes))
    return FALSE;
  if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
    return FALSE;

  return TRUE;
#else
  (void)ipv6;
  (void)network;
  (void)bits;
  return FALSE;
#endif
}

enum nametype {
  TYPE_HOST,
  TYPE_IPV4,
  TYPE_IPV6
};

/****************************************************************
* Checks if the host is in the noproxy list. returns TRUE if it matches and
* therefore the proxy should NOT be used.
****************************************************************/
bool Curl_check_noproxy(const char *name, const char *no_proxy)
{
  char hostip[128];

  /*
   * If we do not have a hostname at all, like for example with a FILE
   * transfer, we have nothing to interrogate the noproxy list with.
   */
  if(!name || name[0] == '\0')
    return FALSE;

  /* no_proxy=domain1.dom,host.domain2.dom
   *   (a comma-separated list of hosts which should
   *   not be proxied, or an asterisk to override
   *   all proxy variables)
   */
  if(no_proxy && no_proxy[0]) {
    const char *p = no_proxy;
    size_t namelen;
    enum nametype type = TYPE_HOST;
    if(!strcmp("*", no_proxy))
      return TRUE;

    /* NO_PROXY was specified and it was not just an asterisk */

    if(name[0] == '[') {
      char *endptr;
      /* IPv6 numerical address */
      endptr = strchr(name, ']');
      if(!endptr)
        return FALSE;
      name++;
      namelen = endptr - name;
      if(namelen >= sizeof(hostip))
        return FALSE;
      memcpy(hostip, name, namelen);
      hostip[namelen] = 0;
      name = hostip;
      type = TYPE_IPV6;
    }
    else {
      unsigned int address;
      namelen = strlen(name);
      if(curlx_inet_pton(AF_INET, name, &address) == 1)
        type = TYPE_IPV4;
      else {
        /* ignore trailing dots in the hostname */
        if(name[namelen - 1] == '.')
          namelen--;
      }
    }

    while(*p) {
      const char *token;
      size_t tokenlen = 0;
      bool match = FALSE;

      /* pass blanks */
      curlx_str_passblanks(&p);

      token = p;
      /* pass over the pattern */
      while(*p && !ISBLANK(*p) && (*p != ',')) {
        p++;
        tokenlen++;
      }

      if(tokenlen) {
        switch(type) {
        case TYPE_HOST:
          /* ignore trailing dots in the token to check */
          if(token[tokenlen - 1] == '.')
            tokenlen--;

          if(tokenlen && (*token == '.')) {
            /* ignore leading token dot as well */
            token++;
            tokenlen--;
          }
          /* A: example.com matches 'example.com'
             B: www.example.com matches 'example.com'
             C: nonexample.com DOES NOT match 'example.com'
          */
          if(tokenlen == namelen)
            /* case A, exact match */
            match = curl_strnequal(token, name, namelen);
          else if(tokenlen < namelen) {
            /* case B, tailmatch domain */
            match = (name[namelen - tokenlen - 1] == '.') &&
              curl_strnequal(token, name + (namelen - tokenlen),
                             tokenlen);
          }
          /* case C passes through, not a match */
          break;
        case TYPE_IPV4:
        case TYPE_IPV6: {
          const char *check = token;
          char *slash;
          unsigned int bits = 0;
          char checkip[128];
          if(tokenlen >= sizeof(checkip))
            /* this cannot match */
            break;
          /* copy the check name to a temp buffer */
          memcpy(checkip, check, tokenlen);
          checkip[tokenlen] = 0;
          check = checkip;

          slash = strchr(check, '/');
          /* if the slash is part of this token, use it */
          if(slash) {
            /* if the bits variable gets a crazy value here, that is fine as
               the value will then be rejected in the cidr function */
            bits = (unsigned int)atoi(slash + 1);
            *slash = 0; /* null-terminate there */
          }
          if(type == TYPE_IPV6)
            match = Curl_cidr6_match(name, check, bits);
          else
            match = Curl_cidr4_match(name, check, bits);
          break;
        }
        }
        if(match)
          return TRUE;
      } /* if(tokenlen) */
      /* pass blanks after pattern */
      curlx_str_passblanks(&p);
      /* if not a comma, this ends the loop */
      if(*p != ',')
        break;
      /* pass any number of commas */
      while(*p == ',')
        p++;
    } /* while(*p) */
  } /* NO_PROXY was specified and it was not just an asterisk */

  return FALSE;
}

#endif /* CURL_DISABLE_PROXY */

Coverage Report

Created: 2025-08-24 06:12

Line	Count	Source (jump to first uncovered line)
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		* SPDX-License-Identifier: curl
22		*
23		***************************************************************************/
24
25		#include "curl_setup.h"
26
27		#ifndef CURL_DISABLE_PROXY
28
29		#include <curl/curl.h> /* for curl_strnequal() */
30		#include "curlx/inet_pton.h"
31		#include "noproxy.h"
32		#include "curlx/strparse.h"
33
34		#ifdef HAVE_NETINET_IN_H
35		#include <netinet/in.h>
36		#endif
37
38		#ifdef HAVE_ARPA_INET_H
39		#include <arpa/inet.h>
40		#endif
41
42		/*
43		* Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
44		* specified CIDR address range.
45		*/
46		UNITTEST bool Curl_cidr4_match(const char ipv4, / 1.2.3.4 address */
47		const char network, / 1.2.3.4 address */
48		unsigned int bits)
49	7.95k	{
50	7.95k	unsigned int address = 0;
51	7.95k	unsigned int check = 0;
52
53	7.95k	if(bits > 32)
54		/* strange input */
55	692	return FALSE;
56
57	7.26k	if(curlx_inet_pton(AF_INET, ipv4, &address) != 1)
58	0	return FALSE;
59	7.26k	if(curlx_inet_pton(AF_INET, network, &check) != 1)
60	6.60k	return FALSE;
61
62	653	if(bits && (bits != 32)) {
63	132	unsigned int mask = 0xffffffff << (32 - bits);
64	132	unsigned int haddr = htonl(address);
65	132	unsigned int hcheck = htonl(check);
66		#if 0
67		fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n",
68		ipv4, haddr, network, hcheck, bits, mask,
69		(haddr ^ hcheck) & mask);
70		#endif
71	132	if((haddr ^ hcheck) & mask)
72	115	return FALSE;
73	17	return TRUE;
74	132	}
75	521	return address == check;
76	653	}
77
78		UNITTEST bool Curl_cidr6_match(const char *ipv6,
79		const char *network,
80		unsigned int bits)
81	0	{
82	0	#ifdef USE_IPV6
83	0	unsigned int bytes;
84	0	unsigned int rest;
85	0	unsigned char address[16];
86	0	unsigned char check[16];
87
88	0	if(!bits)
89	0	bits = 128;
90
91	0	bytes = bits / 8;
92	0	rest = bits & 0x07;
93	0	if((bytes > 16) \|\| ((bytes == 16) && rest))
94	0	return FALSE;
95	0	if(curlx_inet_pton(AF_INET6, ipv6, address) != 1)
96	0	return FALSE;
97	0	if(curlx_inet_pton(AF_INET6, network, check) != 1)
98	0	return FALSE;
99	0	if(bytes && memcmp(address, check, bytes))
100	0	return FALSE;
101	0	if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
102	0	return FALSE;
103
104	0	return TRUE;
105		#else
106		(void)ipv6;
107		(void)network;
108		(void)bits;
109		return FALSE;
110		#endif
111	0	}
112
113		enum nametype {
114		TYPE_HOST,
115		TYPE_IPV4,
116		TYPE_IPV6
117		};
118
119		/****************************************************************
120		* Checks if the host is in the noproxy list. returns TRUE if it matches and
121		* therefore the proxy should NOT be used.
122		****************************************************************/
123		bool Curl_check_noproxy(const char name, const char no_proxy)
124	134k	{
125	134k	char hostip[128];
126
127		/*
128		* If we do not have a hostname at all, like for example with a FILE
129		* transfer, we have nothing to interrogate the noproxy list with.
130		*/
131	134k	if(!name \|\| name[0] == '\0')
132	2.04k	return FALSE;
133
134		/* no_proxy=domain1.dom,host.domain2.dom
135		* (a comma-separated list of hosts which should
136		* not be proxied, or an asterisk to override
137		* all proxy variables)
138		*/
139	132k	if(no_proxy && no_proxy[0]) {
140	3.32k	const char *p = no_proxy;
141	3.32k	size_t namelen;
142	3.32k	enum nametype type = TYPE_HOST;
143	3.32k	if(!strcmp("*", no_proxy))
144	76	return TRUE;
145
146		/* NO_PROXY was specified and it was not just an asterisk */
147
148	3.25k	if(name[0] == '[') {
149	0	char *endptr;
150		/* IPv6 numerical address */
151	0	endptr = strchr(name, ']');
152	0	if(!endptr)
153	0	return FALSE;
154	0	name++;
155	0	namelen = endptr - name;
156	0	if(namelen >= sizeof(hostip))
157	0	return FALSE;
158	0	memcpy(hostip, name, namelen);
159	0	hostip[namelen] = 0;
160	0	name = hostip;
161	0	type = TYPE_IPV6;
162	0	}
163	3.25k	else {
164	3.25k	unsigned int address;
165	3.25k	namelen = strlen(name);
166	3.25k	if(curlx_inet_pton(AF_INET, name, &address) == 1)
167	1.45k	type = TYPE_IPV4;
168	1.79k	else {
169		/* ignore trailing dots in the hostname */
170	1.79k	if(name[namelen - 1] == '.')
171	867	namelen--;
172	1.79k	}
173	3.25k	}
174
175	28.3k	while(*p) {
176	27.9k	const char *token;
177	27.9k	size_t tokenlen = 0;
178	27.9k	bool match = FALSE;
179
180		/* pass blanks */
181	27.9k	curlx_str_passblanks(&p);
182
183	27.9k	token = p;
184		/* pass over the pattern */
185	768k	while(p && !ISBLANK(p) && (*p != ',')) {
186	740k	p++;
187	740k	tokenlen++;
188	740k	}
189
190	27.9k	if(tokenlen) {
191	26.4k	switch(type) {
192	18.1k	case TYPE_HOST:
193		/* ignore trailing dots in the token to check */
194	18.1k	if(token[tokenlen - 1] == '.')
195	2.23k	tokenlen--;
196
197	18.1k	if(tokenlen && (*token == '.')) {
198		/* ignore leading token dot as well */
199	1.12k	token++;
200	1.12k	tokenlen--;
201	1.12k	}
202		/* A: example.com matches 'example.com'
203		B: www.example.com matches 'example.com'
204		C: nonexample.com DOES NOT match 'example.com'
205		*/
206	18.1k	if(tokenlen == namelen)
207		/* case A, exact match */
208	3.78k	match = curl_strnequal(token, name, namelen);
209	14.3k	else if(tokenlen < namelen) {
210		/* case B, tailmatch domain */
211	7.11k	match = (name[namelen - tokenlen - 1] == '.') &&
212	7.11k	curl_strnequal(token, name + (namelen - tokenlen),
213	1.62k	tokenlen);
214	7.11k	}
215		/* case C passes through, not a match */
216	18.1k	break;
217	8.37k	case TYPE_IPV4:
218	8.37k	case TYPE_IPV6: {
219	8.37k	const char *check = token;
220	8.37k	char *slash;
221	8.37k	unsigned int bits = 0;
222	8.37k	char checkip[128];
223	8.37k	if(tokenlen >= sizeof(checkip))
224		/* this cannot match */
225	423	break;
226		/* copy the check name to a temp buffer */
227	7.95k	memcpy(checkip, check, tokenlen);
228	7.95k	checkip[tokenlen] = 0;
229	7.95k	check = checkip;
230
231	7.95k	slash = strchr(check, '/');
232		/* if the slash is part of this token, use it */
233	7.95k	if(slash) {
234		/* if the bits variable gets a crazy value here, that is fine as
235		the value will then be rejected in the cidr function */
236	2.20k	bits = (unsigned int)atoi(slash + 1);
237	2.20k	slash = 0; / null-terminate there */
238	2.20k	}
239	7.95k	if(type == TYPE_IPV6)
240	0	match = Curl_cidr6_match(name, check, bits);
241	7.95k	else
242	7.95k	match = Curl_cidr4_match(name, check, bits);
243	7.95k	break;
244	8.37k	}
245	26.4k	}
246	26.4k	if(match)
247	106	return TRUE;
248	26.4k	} /* if(tokenlen) */
249		/* pass blanks after pattern */
250	27.8k	curlx_str_passblanks(&p);
251		/* if not a comma, this ends the loop */
252	27.8k	if(*p != ',')
253	2.77k	break;
254		/* pass any number of commas */
255	67.7k	while(*p == ',')
256	42.7k	p++;
257	25.0k	} /* while(p) /
258	3.25k	} /* NO_PROXY was specified and it was not just an asterisk */
259
260	132k	return FALSE;
261	132k	}
262
263		#endif /* CURL_DISABLE_PROXY */