Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | ***************************************************************************/ |
24 | | #include "curl_setup.h" |
25 | | |
26 | | #ifndef CURL_DISABLE_PROXY |
27 | | |
28 | | #include "curlx/inet_pton.h" |
29 | | #include "noproxy.h" |
30 | | #include "curlx/strparse.h" |
31 | | |
32 | | #ifdef HAVE_NETINET_IN_H |
33 | | #include <netinet/in.h> |
34 | | #endif |
35 | | |
36 | | #ifdef HAVE_ARPA_INET_H |
37 | | #include <arpa/inet.h> |
38 | | #endif |
39 | | |
40 | | /* |
41 | | * cidr4_match() returns TRUE if the given IPv4 address is within the |
42 | | * specified CIDR address range. |
43 | | * |
44 | | * @unittest 1614 |
45 | | */ |
46 | | UNITTEST bool cidr4_match(const char *ipv4, /* 1.2.3.4 address */ |
47 | | const char *network, /* 1.2.3.4 address */ |
48 | | unsigned int bits); |
49 | | UNITTEST bool cidr4_match(const char *ipv4, /* 1.2.3.4 address */ |
50 | | const char *network, /* 1.2.3.4 address */ |
51 | | unsigned int bits) |
52 | 8.51k | { |
53 | 8.51k | unsigned int address = 0; |
54 | 8.51k | unsigned int check = 0; |
55 | | |
56 | 8.51k | if(bits > 32) |
57 | | /* strange input */ |
58 | 241 | return FALSE; |
59 | | |
60 | 8.27k | if(curlx_inet_pton(AF_INET, ipv4, &address) != 1) |
61 | 0 | return FALSE; |
62 | 8.27k | if(curlx_inet_pton(AF_INET, network, &check) != 1) |
63 | 7.72k | return FALSE; |
64 | | |
65 | 549 | if(bits && (bits != 32)) { |
66 | 137 | unsigned int mask = 0xffffffff << (32 - bits); |
67 | 137 | unsigned int haddr = htonl(address); |
68 | 137 | unsigned int hcheck = htonl(check); |
69 | | #if 0 |
70 | | curl_mfprintf(stderr, "Host %s (%x) network %s (%x) " |
71 | | "bits %u mask %x => %x\n", |
72 | | ipv4, haddr, network, hcheck, bits, mask, |
73 | | (haddr ^ hcheck) & mask); |
74 | | #endif |
75 | 137 | if((haddr ^ hcheck) & mask) |
76 | 110 | return FALSE; |
77 | 27 | return TRUE; |
78 | 137 | } |
79 | 412 | return address == check; |
80 | 549 | } |
81 | | |
82 | | /* @unittest 1614 */ |
83 | | UNITTEST bool cidr6_match(const char *ipv6, const char *network, |
84 | | unsigned int bits); |
85 | | UNITTEST bool cidr6_match(const char *ipv6, const char *network, |
86 | | unsigned int bits) |
87 | 1.23k | { |
88 | 1.23k | #ifdef USE_IPV6 |
89 | 1.23k | unsigned int bytes; |
90 | 1.23k | unsigned int rest; |
91 | 1.23k | unsigned char address[16]; |
92 | 1.23k | unsigned char check[16]; |
93 | | |
94 | 1.23k | if(!bits) |
95 | 1.05k | bits = 128; |
96 | | |
97 | 1.23k | bytes = bits / 8; |
98 | 1.23k | rest = bits & 0x07; |
99 | 1.23k | if((bytes > 16) || ((bytes == 16) && rest)) |
100 | 0 | return FALSE; |
101 | 1.23k | if(curlx_inet_pton(AF_INET6, ipv6, address) != 1) |
102 | 0 | return FALSE; |
103 | 1.23k | if(curlx_inet_pton(AF_INET6, network, check) != 1) |
104 | 916 | return FALSE; |
105 | 322 | if(bytes && memcmp(address, check, bytes)) |
106 | 235 | return FALSE; |
107 | 87 | if(rest && ((address[bytes] ^ check[bytes]) & (0xff << (8 - rest)))) |
108 | 54 | return FALSE; |
109 | | |
110 | 33 | return TRUE; |
111 | | #else |
112 | | (void)ipv6; |
113 | | (void)network; |
114 | | (void)bits; |
115 | | return FALSE; |
116 | | #endif |
117 | 87 | } |
118 | | |
119 | | enum nametype { |
120 | | TYPE_HOST, |
121 | | TYPE_IPV4, |
122 | | TYPE_IPV6 |
123 | | }; |
124 | | |
125 | | static bool match_host(const char *token, size_t tokenlen, |
126 | | const char *name, size_t namelen) |
127 | 23.0k | { |
128 | 23.0k | bool match = FALSE; |
129 | | |
130 | | /* ignore trailing dots in the token to check */ |
131 | 23.0k | if(token[tokenlen - 1] == '.') |
132 | 2.43k | tokenlen--; |
133 | | |
134 | 23.0k | if(tokenlen && (*token == '.')) { |
135 | | /* ignore leading token dot as well */ |
136 | 1.49k | token++; |
137 | 1.49k | tokenlen--; |
138 | 1.49k | } |
139 | | /* A: example.com matches 'example.com' |
140 | | B: www.example.com matches 'example.com' |
141 | | C: nonexample.com DOES NOT match 'example.com' |
142 | | */ |
143 | 23.0k | if(tokenlen == namelen) |
144 | | /* case A, exact match */ |
145 | 4.30k | match = curl_strnequal(token, name, namelen); |
146 | 18.7k | else if(tokenlen < namelen) { |
147 | | /* case B, tailmatch domain */ |
148 | 8.59k | match = (name[namelen - tokenlen - 1] == '.') && |
149 | 2.19k | curl_strnequal(token, name + (namelen - tokenlen), tokenlen); |
150 | 8.59k | } |
151 | | /* case C passes through, not a match */ |
152 | 23.0k | return match; |
153 | 23.0k | } |
154 | | |
155 | | static bool match_ip(int type, const char *token, size_t tokenlen, |
156 | | const char *name) |
157 | 12.9k | { |
158 | 12.9k | char *slash; |
159 | 12.9k | unsigned int bits = 0; |
160 | 12.9k | char checkip[128]; |
161 | 12.9k | if(tokenlen >= sizeof(checkip)) |
162 | | /* this cannot match */ |
163 | 528 | return FALSE; |
164 | | /* copy the check name to a temp buffer */ |
165 | 12.4k | memcpy(checkip, token, tokenlen); |
166 | 12.4k | checkip[tokenlen] = 0; |
167 | | |
168 | 12.4k | slash = strchr(checkip, '/'); |
169 | | /* if the slash is part of this token, use it */ |
170 | 12.4k | if(slash) { |
171 | 3.67k | curl_off_t value; |
172 | 3.67k | const char *p = &slash[1]; |
173 | 3.67k | if(curlx_str_number(&p, &value, 128) || *p) |
174 | 2.68k | return FALSE; |
175 | | /* a too large value is rejected in the cidr function below */ |
176 | 995 | bits = (unsigned int)value; |
177 | 995 | *slash = 0; /* null-terminate there */ |
178 | 995 | } |
179 | 9.75k | if(type == TYPE_IPV6) |
180 | 1.23k | return cidr6_match(name, checkip, bits); |
181 | 8.51k | else |
182 | 8.51k | return cidr4_match(name, checkip, bits); |
183 | 9.75k | } |
184 | | |
185 | | /**************************************************************** |
186 | | * Checks if the host is in the noproxy list. returns TRUE if it matches and |
187 | | * therefore the proxy should NOT be used. |
188 | | ****************************************************************/ |
189 | | bool Curl_check_noproxy(const char *name, const char *no_proxy) |
190 | 132k | { |
191 | | /* |
192 | | * If we do not have a hostname at all, like for example with a FILE |
193 | | * transfer, we have nothing to interrogate the noproxy list with. |
194 | | */ |
195 | 132k | if(!name || name[0] == '\0') |
196 | 0 | return FALSE; |
197 | | |
198 | | /* no_proxy=domain1.dom,host.domain2.dom |
199 | | * (a comma-separated list of hosts which should |
200 | | * not be proxied, or an asterisk to override |
201 | | * all proxy variables) |
202 | | */ |
203 | 132k | if(no_proxy && no_proxy[0]) { |
204 | 2.83k | const char *p = no_proxy; |
205 | 2.83k | size_t namelen; |
206 | 2.83k | char address[16]; |
207 | 2.83k | enum nametype type = TYPE_HOST; |
208 | 2.83k | if(!strcmp("*", no_proxy)) |
209 | 38 | return TRUE; |
210 | | |
211 | | /* NO_PROXY was specified and it was not only an asterisk */ |
212 | | |
213 | | /* Check if name is an IP address; if not, assume it being a hostname. */ |
214 | 2.79k | namelen = strlen(name); |
215 | 2.79k | if(curlx_inet_pton(AF_INET, name, &address) == 1) |
216 | 1.06k | type = TYPE_IPV4; |
217 | 1.72k | #ifdef USE_IPV6 |
218 | 1.72k | else if(curlx_inet_pton(AF_INET6, name, &address) == 1) |
219 | 296 | type = TYPE_IPV6; |
220 | 1.43k | #endif |
221 | 1.43k | else { |
222 | | /* ignore trailing dots in the hostname */ |
223 | 1.43k | if(name[namelen - 1] == '.') |
224 | 418 | namelen--; |
225 | 1.43k | } |
226 | | |
227 | 37.5k | while(*p) { |
228 | 37.1k | const char *token; |
229 | 37.1k | size_t tokenlen = 0; |
230 | | |
231 | | /* pass blanks */ |
232 | 37.1k | curlx_str_passblanks(&p); |
233 | | |
234 | 37.1k | token = p; |
235 | | /* pass over the pattern */ |
236 | 1.38M | while(*p && !ISBLANK(*p) && (*p != ',')) { |
237 | 1.34M | p++; |
238 | 1.34M | tokenlen++; |
239 | 1.34M | } |
240 | | |
241 | 37.1k | if(tokenlen) { |
242 | 35.9k | bool match = FALSE; |
243 | 35.9k | if(type == TYPE_HOST) |
244 | 23.0k | match = match_host(token, tokenlen, name, namelen); |
245 | 12.9k | else |
246 | 12.9k | match = match_ip(type, token, tokenlen, name); |
247 | | |
248 | 35.9k | if(match) |
249 | 98 | return TRUE; |
250 | 35.9k | } |
251 | | |
252 | | /* pass blanks after pattern */ |
253 | 37.0k | curlx_str_passblanks(&p); |
254 | | /* if not a comma, this ends the loop */ |
255 | 37.0k | if(*p != ',') |
256 | 2.33k | break; |
257 | | /* pass any number of commas */ |
258 | 82.1k | while(*p == ',') |
259 | 47.4k | p++; |
260 | 34.7k | } /* while(*p) */ |
261 | 2.79k | } /* NO_PROXY was specified and it was not only an asterisk */ |
262 | | |
263 | 132k | return FALSE; |
264 | 132k | } |
265 | | |
266 | | #endif /* CURL_DISABLE_PROXY */ |