Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | ***************************************************************************/ |
24 | | #include "curl_setup.h" |
25 | | |
26 | | #ifndef CURL_DISABLE_PROXY |
27 | | |
28 | | #include "curlx/inet_pton.h" |
29 | | #include "noproxy.h" |
30 | | #include "curlx/strparse.h" |
31 | | |
32 | | #ifdef HAVE_NETINET_IN_H |
33 | | #include <netinet/in.h> |
34 | | #endif |
35 | | |
36 | | #ifdef HAVE_ARPA_INET_H |
37 | | #include <arpa/inet.h> |
38 | | #endif |
39 | | |
40 | | /* |
41 | | * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the |
42 | | * specified CIDR address range. |
43 | | */ |
44 | | UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */ |
45 | | const char *network, /* 1.2.3.4 address */ |
46 | | unsigned int bits); |
47 | | UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */ |
48 | | const char *network, /* 1.2.3.4 address */ |
49 | | unsigned int bits) |
50 | 8.89k | { |
51 | 8.89k | unsigned int address = 0; |
52 | 8.89k | unsigned int check = 0; |
53 | | |
54 | 8.89k | if(bits > 32) |
55 | | /* strange input */ |
56 | 259 | return FALSE; |
57 | | |
58 | 8.63k | if(curlx_inet_pton(AF_INET, ipv4, &address) != 1) |
59 | 0 | return FALSE; |
60 | 8.63k | if(curlx_inet_pton(AF_INET, network, &check) != 1) |
61 | 8.02k | return FALSE; |
62 | | |
63 | 609 | if(bits && (bits != 32)) { |
64 | 188 | unsigned int mask = 0xffffffff << (32 - bits); |
65 | 188 | unsigned int haddr = htonl(address); |
66 | 188 | unsigned int hcheck = htonl(check); |
67 | | #if 0 |
68 | | curl_mfprintf(stderr, "Host %s (%x) network %s (%x) " |
69 | | "bits %u mask %x => %x\n", |
70 | | ipv4, haddr, network, hcheck, bits, mask, |
71 | | (haddr ^ hcheck) & mask); |
72 | | #endif |
73 | 188 | if((haddr ^ hcheck) & mask) |
74 | 168 | return FALSE; |
75 | 20 | return TRUE; |
76 | 188 | } |
77 | 421 | return address == check; |
78 | 609 | } |
79 | | |
80 | | UNITTEST bool Curl_cidr6_match(const char *ipv6, |
81 | | const char *network, |
82 | | unsigned int bits); |
83 | | UNITTEST bool Curl_cidr6_match(const char *ipv6, |
84 | | const char *network, |
85 | | unsigned int bits) |
86 | 1.20k | { |
87 | 1.20k | #ifdef USE_IPV6 |
88 | 1.20k | unsigned int bytes; |
89 | 1.20k | unsigned int rest; |
90 | 1.20k | unsigned char address[16]; |
91 | 1.20k | unsigned char check[16]; |
92 | | |
93 | 1.20k | if(!bits) |
94 | 1.02k | bits = 128; |
95 | | |
96 | 1.20k | bytes = bits / 8; |
97 | 1.20k | rest = bits & 0x07; |
98 | 1.20k | if((bytes > 16) || ((bytes == 16) && rest)) |
99 | 0 | return FALSE; |
100 | 1.20k | if(curlx_inet_pton(AF_INET6, ipv6, address) != 1) |
101 | 0 | return FALSE; |
102 | 1.20k | if(curlx_inet_pton(AF_INET6, network, check) != 1) |
103 | 919 | return FALSE; |
104 | 288 | if(bytes && memcmp(address, check, bytes)) |
105 | 205 | return FALSE; |
106 | 83 | if(rest && ((address[bytes] ^ check[bytes]) & (0xff << (8 - rest)))) |
107 | 51 | return FALSE; |
108 | | |
109 | 32 | return TRUE; |
110 | | #else |
111 | | (void)ipv6; |
112 | | (void)network; |
113 | | (void)bits; |
114 | | return FALSE; |
115 | | #endif |
116 | 83 | } |
117 | | |
118 | | enum nametype { |
119 | | TYPE_HOST, |
120 | | TYPE_IPV4, |
121 | | TYPE_IPV6 |
122 | | }; |
123 | | |
124 | | static bool match_host(const char *token, size_t tokenlen, |
125 | | const char *name, size_t namelen) |
126 | 25.0k | { |
127 | 25.0k | bool match = FALSE; |
128 | | |
129 | | /* ignore trailing dots in the token to check */ |
130 | 25.0k | if(token[tokenlen - 1] == '.') |
131 | 2.43k | tokenlen--; |
132 | | |
133 | 25.0k | if(tokenlen && (*token == '.')) { |
134 | | /* ignore leading token dot as well */ |
135 | 1.38k | token++; |
136 | 1.38k | tokenlen--; |
137 | 1.38k | } |
138 | | /* A: example.com matches 'example.com' |
139 | | B: www.example.com matches 'example.com' |
140 | | C: nonexample.com DOES NOT match 'example.com' |
141 | | */ |
142 | 25.0k | if(tokenlen == namelen) |
143 | | /* case A, exact match */ |
144 | 3.97k | match = curl_strnequal(token, name, namelen); |
145 | 21.0k | else if(tokenlen < namelen) { |
146 | | /* case B, tailmatch domain */ |
147 | 9.20k | match = (name[namelen - tokenlen - 1] == '.') && |
148 | 2.44k | curl_strnequal(token, name + (namelen - tokenlen), tokenlen); |
149 | 9.20k | } |
150 | | /* case C passes through, not a match */ |
151 | 25.0k | return match; |
152 | 25.0k | } |
153 | | |
154 | | static bool match_ip(int type, const char *token, size_t tokenlen, |
155 | | const char *name) |
156 | 13.3k | { |
157 | 13.3k | char *slash; |
158 | 13.3k | unsigned int bits = 0; |
159 | 13.3k | char checkip[128]; |
160 | 13.3k | if(tokenlen >= sizeof(checkip)) |
161 | | /* this cannot match */ |
162 | 491 | return FALSE; |
163 | | /* copy the check name to a temp buffer */ |
164 | 12.8k | memcpy(checkip, token, tokenlen); |
165 | 12.8k | checkip[tokenlen] = 0; |
166 | | |
167 | 12.8k | slash = strchr(checkip, '/'); |
168 | | /* if the slash is part of this token, use it */ |
169 | 12.8k | if(slash) { |
170 | 3.87k | curl_off_t value; |
171 | 3.87k | const char *p = &slash[1]; |
172 | 3.87k | if(curlx_str_number(&p, &value, 128) || *p) |
173 | 2.77k | return FALSE; |
174 | | /* a too large value is rejected in the cidr function below */ |
175 | 1.10k | bits = (unsigned int)value; |
176 | 1.10k | *slash = 0; /* null-terminate there */ |
177 | 1.10k | } |
178 | 10.1k | if(type == TYPE_IPV6) |
179 | 1.20k | return Curl_cidr6_match(name, checkip, bits); |
180 | 8.89k | else |
181 | 8.89k | return Curl_cidr4_match(name, checkip, bits); |
182 | 10.1k | } |
183 | | |
184 | | /**************************************************************** |
185 | | * Checks if the host is in the noproxy list. returns TRUE if it matches and |
186 | | * therefore the proxy should NOT be used. |
187 | | ****************************************************************/ |
188 | | bool Curl_check_noproxy(const char *name, const char *no_proxy) |
189 | 126k | { |
190 | | /* |
191 | | * If we do not have a hostname at all, like for example with a FILE |
192 | | * transfer, we have nothing to interrogate the noproxy list with. |
193 | | */ |
194 | 126k | if(!name || name[0] == '\0') |
195 | 1.47k | return FALSE; |
196 | | |
197 | | /* no_proxy=domain1.dom,host.domain2.dom |
198 | | * (a comma-separated list of hosts which should |
199 | | * not be proxied, or an asterisk to override |
200 | | * all proxy variables) |
201 | | */ |
202 | 124k | if(no_proxy && no_proxy[0]) { |
203 | 2.83k | const char *p = no_proxy; |
204 | 2.83k | size_t namelen; |
205 | 2.83k | char address[16]; |
206 | 2.83k | enum nametype type = TYPE_HOST; |
207 | 2.83k | if(!strcmp("*", no_proxy)) |
208 | 40 | return TRUE; |
209 | | |
210 | | /* NO_PROXY was specified and it was not only an asterisk */ |
211 | | |
212 | | /* Check if name is an IP address; if not, assume it being a hostname. */ |
213 | 2.79k | namelen = strlen(name); |
214 | 2.79k | if(curlx_inet_pton(AF_INET, name, &address) == 1) |
215 | 1.13k | type = TYPE_IPV4; |
216 | 1.66k | #ifdef USE_IPV6 |
217 | 1.66k | else if(curlx_inet_pton(AF_INET6, name, &address) == 1) |
218 | 273 | type = TYPE_IPV6; |
219 | 1.39k | #endif |
220 | 1.39k | else { |
221 | | /* ignore trailing dots in the hostname */ |
222 | 1.39k | if(name[namelen - 1] == '.') |
223 | 551 | namelen--; |
224 | 1.39k | } |
225 | | |
226 | 39.9k | while(*p) { |
227 | 39.6k | const char *token; |
228 | 39.6k | size_t tokenlen = 0; |
229 | | |
230 | | /* pass blanks */ |
231 | 39.6k | curlx_str_passblanks(&p); |
232 | | |
233 | 39.6k | token = p; |
234 | | /* pass over the pattern */ |
235 | 1.47M | while(*p && !ISBLANK(*p) && (*p != ',')) { |
236 | 1.43M | p++; |
237 | 1.43M | tokenlen++; |
238 | 1.43M | } |
239 | | |
240 | 39.6k | if(tokenlen) { |
241 | 38.4k | bool match = FALSE; |
242 | 38.4k | if(type == TYPE_HOST) |
243 | 25.0k | match = match_host(token, tokenlen, name, namelen); |
244 | 13.3k | else |
245 | 13.3k | match = match_ip(type, token, tokenlen, name); |
246 | | |
247 | 38.4k | if(match) |
248 | 104 | return TRUE; |
249 | 38.4k | } |
250 | | |
251 | | /* pass blanks after pattern */ |
252 | 39.5k | curlx_str_passblanks(&p); |
253 | | /* if not a comma, this ends the loop */ |
254 | 39.5k | if(*p != ',') |
255 | 2.37k | break; |
256 | | /* pass any number of commas */ |
257 | 86.3k | while(*p == ',') |
258 | 49.1k | p++; |
259 | 37.1k | } /* while(*p) */ |
260 | 2.79k | } /* NO_PROXY was specified and it was not only an asterisk */ |
261 | | |
262 | 124k | return FALSE; |
263 | 124k | } |
264 | | |
265 | | #endif /* CURL_DISABLE_PROXY */ |