From 44ce233ab82694ae1c85d0969ec3dd89d04c4992 Mon Sep 17 00:00:00 2001
From: Jann Horn <jannhorn@googlemail.com>
Date: Mon, 12 Nov 2012 17:02:52 +0100
Subject: [PATCH] version one

---
 cgistuff.c        | 121 +++++++++++++++++++++++++++++++
 checkstatus.c     |  13 ++++
 compile           |   6 ++
 cwebfiles.h       |  39 ++++++++++
 hex.c             |  35 +++++++++
 listdir.c         |  60 ++++++++++++++++
 login.c           |  68 ++++++++++++++++++
 octalmodes        |  23 ++++++
 octalmodes_to_js  |   1 +
 static/index.html | 179 ++++++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 545 insertions(+)
 create mode 100644 cgistuff.c
 create mode 100644 checkstatus.c
 create mode 100755 compile
 create mode 100644 cwebfiles.h
 create mode 100644 hex.c
 create mode 100644 listdir.c
 create mode 100644 login.c
 create mode 100644 octalmodes
 create mode 100644 octalmodes_to_js
 create mode 100644 static/index.html

diff --git a/cgistuff.c b/cgistuff.c
new file mode 100644
index 0000000..ac816e2
--- /dev/null
+++ b/cgistuff.c
@@ -0,0 +1,121 @@
+#define _GNU_SOURCE
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <time.h>
+#include <stdio.h>
+#include "cwebfiles.h"
+#include <stdbool.h>
+#include <string.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <errno.h>
+
+extern char **environ;
+
+// don't use before you've authenticated successfully!
+struct cgi_serialized_session_status session;
+
+// when we call this function, we usually leak memory - not an issue
+static char *session_file_path(char *cookie) {
+  char *file = malloc(strlen(SESSION_FOLDER)+COOKIE_LENGTH+1);
+  memcpy(file, SESSION_FOLDER, strlen(SESSION_FOLDER));
+  memcpy(file+strlen(SESSION_FOLDER), cookie, COOKIE_LENGTH);
+  file[strlen(SESSION_FOLDER)+COOKIE_LENGTH] = '\0';
+  return file;
+}
+
+int authenticate_by_cookie(char *cookie) {
+  // check cookie string for conformity
+  if (strlen(cookie) != COOKIE_LENGTH) return 1;
+  if (!checkhex(cookie, COOKIE_LENGTH)) return 2;
+  
+  // read session data
+  int fd = open(session_file_path(cookie), O_RDONLY);
+  
+  // verify that the session exists
+  if (fd == -1) return 3;
+  int res = read(fd, &session, sizeof(session));
+  close(fd);
+  
+  // verify that the session file is valid
+  if (res != sizeof(session)) return 4;
+  session.user_name[32] = 0;
+  
+  // verify that the session is still active
+  time_t cur_time = time(NULL);
+  if (session.start_time + SESSION_LENGTH < cur_time) return 5;
+  if (session.start_time > cur_time) return 6;
+  
+  // verify that the username and the userid still match
+  struct passwd *user_data = getpwuid(session.uid);
+  if (user_data == NULL) return 7;
+  if (strcmp(user_data->pw_name, session.user_name) != 0) return 8;
+  
+  // everything seems fine! :)
+  return 0;
+}
+
+void persist_session(char *cookie) {
+  char *file = session_file_path(cookie);
+  int fd = open(file, O_RDWR|O_EXCL|O_CREAT, S_IRUSR|S_IWUSR);
+  if (fd == -1) senderr("can't create session file", MYFAULT);
+  
+  errno = 0;
+  int res = write(fd, &session, sizeof(session));
+  char errstr[128];
+  if (res != sizeof(session)) {
+    snprintf(errstr, 128, "can't write all session data (%i of %i): %s", (int)res, (int)sizeof(session), strerror(errno));
+  }
+  close(fd);
+  if (res != sizeof(session)) {
+    unlink(file);
+    senderr(errstr, MYFAULT);
+  }
+}
+
+void senderr(char *errmsg, bool myfault) {
+  if (myfault) {
+    puts("Status: 500 CGI error");
+  } else {
+    puts("Status: 400 CGI error");
+  }
+  puts("Content-Type: text/plain;charset=utf8");
+  puts("X-Frame-Options: DENY");
+  puts("");
+  puts("An error occured while processing your request:");
+  puts(errmsg);
+  exit(0);
+}
+
+// may send an error response and exit
+void grabrand(unsigned char *out, size_t len) {
+  int randfd = open(RANDDEV, O_RDONLY);
+  if (randfd == -1) senderr("can't open random device", MYFAULT);
+  if (read(randfd, out, len) != len) senderr("reading random data failed", MYFAULT);
+  close(randfd);
+}
+
+void login_and_setup() {
+  char *cookies = getenv("HTTP_COOKIE");
+  environ = NULL;
+  setuid(0);
+  
+  // Note that this doesn't validate whether this is actually a cookie name or
+  // part of a value - but that shouldn't be a problem.
+  // Note: Redo if I feel like doing it.
+  if (cookies == NULL) senderr("no cookies sent", NOTMYFAULT);
+  char *session_cookie = strstr(cookies, COOKIE_NAME"=");
+  if (session_cookie == NULL) senderr("session cookie not present", NOTMYFAULT);
+  session_cookie += strlen(COOKIE_NAME"=");
+  if (strlen(session_cookie) < COOKIE_LENGTH) senderr("invalid session cookie (error code 1)", NOTMYFAULT);
+  session_cookie[COOKIE_LENGTH] = '\0';
+  int res = authenticate_by_cookie(session_cookie);
+  if (res != 0) {
+    char errstr[128];
+    snprintf(errstr, 128, "invalid session cookie (error code 2-%i)", res);
+    senderr(errstr, NOTMYFAULT);
+  }
+}
diff --git a/checkstatus.c b/checkstatus.c
new file mode 100644
index 0000000..c620e1f
--- /dev/null
+++ b/checkstatus.c
@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include "cwebfiles.h"
+
+int main() {
+  FASTOUTPUT
+  
+  login_and_setup();
+  puts("Status: 200 you're authenticated");
+  puts("X-Frame-Options: DENY");
+  puts("Content-Type: text/plain;charset=utf8");
+  puts("");
+  puts("OK");
+}
diff --git a/compile b/compile
new file mode 100755
index 0000000..68ca0e5
--- /dev/null
+++ b/compile
@@ -0,0 +1,6 @@
+#!/bin/bash
+for cgi in login checkstatus listdir; do
+  diet gcc -O3 -std=gnu99 -Wall -Werror -g -o $cgi $cgi.c cgistuff.c hex.c -lcrypt
+  sudo chown root:root $cgi
+  sudo chmod u+s $cgi
+done
diff --git a/cwebfiles.h b/cwebfiles.h
new file mode 100644
index 0000000..cada2eb
--- /dev/null
+++ b/cwebfiles.h
@@ -0,0 +1,39 @@
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+#define SESSION_FOLDER "/var/run/cwebfiles/sessions/"
+#define SESSION_LENGTH 60 * 60 * 3 /* unit is seconds; we allow three-hour-sessions */
+
+#define COOKIE_NAME "WEBFILESESS"
+#define COOKIE_LENGTH 64
+
+#define RANDDEV "/dev/urandom"
+
+#define MYFAULT true
+#define NOTMYFAULT false
+
+struct cgi_serialized_session_status {
+  // "man useradd" says 32 chars is the length limit
+  char user_name[33];
+  uid_t uid;
+  time_t start_time;
+};
+
+extern struct cgi_serialized_session_status session;
+
+void unhex(unsigned char *out, char *in, size_t in_len);
+void hex(char *out, unsigned char *in, size_t in_len);
+bool checkhex(char *p, size_t l);
+
+int authenticate_by_cookie(char *cookie);
+void persist_session(char *cookie);
+void senderr(char *errmsg, bool myfault);
+void grabrand(unsigned char *out, size_t len);
+void login_and_setup();
+
+#define OUTBUFSIZE 64*1024
+#define FASTOUTPUT                             \
+  char outbuf[OUTBUFSIZE];                     \
+  setvbuf(stdout, outbuf, _IOFBF, OUTBUFSIZE); \
+
diff --git a/hex.c b/hex.c
new file mode 100644
index 0000000..150d4de
--- /dev/null
+++ b/hex.c
@@ -0,0 +1,35 @@
+#include "cwebfiles.h"
+
+// these routines don't respect nullbytes!
+
+// we use fast hex. start from 'a'. no checks performed (apart from length validity).
+// out must be half the size of in
+void unhex(unsigned char *out, char *in, size_t in_len) {
+  in_len = in_len & ~1; // input length mod 2 must be 0 - mask out the last bit
+  char *in_end = in + in_len;
+  while (in != in_end) {
+    unsigned char in1 = *(in++), in2 = *(in++);
+    *(out++) = (in1 - 'a') << 4 | (in2 - 'a');
+  }
+}
+
+// out must be twice the size of in
+void hex(char *out, unsigned char *in, size_t in_len) {
+  unsigned char *in_end = in+in_len;
+  while (in != in_end) {
+    *(out++) = (*in >> 4) + 'a';
+    *(out++) = (*in & 0xf) + 'a';
+    in++;
+  }
+}
+
+bool checkhex(char *p, size_t l) {
+  if ((l&1) == 1) return false;
+  char *e = p+l;
+  while (p<e) {
+    if (*p < 'a') return false;
+    if (*p >= 'a'+16) return false;
+    p++;
+  }
+  return true;
+}
diff --git a/listdir.c b/listdir.c
new file mode 100644
index 0000000..bfbd47c
--- /dev/null
+++ b/listdir.c
@@ -0,0 +1,60 @@
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include "cwebfiles.h"
+#include <sys/types.h>
+#include <dirent.h>
+#include <unistd.h>
+#include <sys/fsuid.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/stat.h>
+
+int main() {
+  FASTOUTPUT
+  
+  char *encpath = getenv("QUERY_STRING");
+  login_and_setup(); // will clear the environment
+  if (encpath == NULL) senderr("no query string received", NOTMYFAULT);
+  
+  // OK, we're authenticated. Drop our fsuid to the user's.
+  // Yes, there's no error indication apart from this kludge. Sucks.
+  setfsuid(session.uid);
+  if (setfsuid(session.uid) != session.uid) senderr("setfsuid failed", MYFAULT);
+  
+  // Do what the user wants us to do.
+  char path[strlen(encpath)/2+1];
+  unhex((unsigned char *)path, encpath, strlen(encpath));
+  path[strlen(encpath)/2] = 0;
+  if (chdir(path)) {
+    char errstr[128];
+    snprintf(errstr, 128, "can't access that path: %s", strerror(errno));
+    senderr(errstr, NOTMYFAULT);
+  }
+  DIR *dir = opendir(".");
+  if (dir == NULL) {
+    char errstr[128];
+    snprintf(errstr, 128, "can't open that path for reading: %s", strerror(errno));
+    senderr(errstr, NOTMYFAULT);
+  }
+  
+  // The directory was opened successfully - send our success header.
+  puts("Status: 200 here's your listing");
+  puts("X-Frame-Options: DENY");
+  puts("Content-Type: text/plain;charset=utf8");
+  puts("");
+  
+  // send one line per file
+  struct dirent *dent;
+  char encfilename[NAME_MAX*2+1];
+  while ((dent = readdir(dir)) != NULL) {
+    size_t name_len = strlen(dent->d_name);
+    hex(encfilename, (unsigned char *)dent->d_name, name_len);
+    encfilename[name_len*2] = 0;
+    struct stat st;
+    // if we can't really see the file anyway, skip it
+    if (lstat(dent->d_name, &st)) continue;
+    printf("%s %lu %u\n", encfilename, (unsigned long)st.st_size, (unsigned int)st.st_mode);
+  }
+}
diff --git a/login.c b/login.c
new file mode 100644
index 0000000..96b95bc
--- /dev/null
+++ b/login.c
@@ -0,0 +1,68 @@
+#define _GNU_SOURCE
+
+#include <stdlib.h>
+#include <string.h>
+#include "cwebfiles.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <time.h>
+#include <unistd.h>
+#include <shadow.h>
+#include <pwd.h>
+#include <stdio.h>
+
+extern char **environ;
+
+#define BADAUTH "invalid user/pass"
+
+int main() {
+  FASTOUTPUT
+  environ = NULL;
+  setuid(0);
+  
+  char buf[1024];
+  int res = read(0, buf, 1023);
+  if (res == -1) senderr("couldn't read POST data", NOTMYFAULT);
+  buf[res] = 0;
+  char *nl = strchr(buf, '\r');
+  if (nl != NULL) *nl = 0;
+  char *user = buf;
+  char *pass = strchr(buf, ':');
+  if (pass == NULL) senderr("can't find user-pass-seperator", NOTMYFAULT);
+  *pass = 0;
+  pass++;
+  
+  // verify password
+  struct spwd *shadow_entry = getspnam(user);
+  struct passwd *passwd_entry = getpwnam(user);
+  if (passwd_entry == NULL || shadow_entry == NULL) senderr(BADAUTH, NOTMYFAULT);
+  char *enc_pass = crypt(pass, shadow_entry->sp_pwdp);
+  if (enc_pass == NULL) senderr(BADAUTH, NOTMYFAULT);
+  if (strcmp(enc_pass, shadow_entry->sp_pwdp) != 0) senderr(BADAUTH, NOTMYFAULT);
+  
+  // now create a new session
+  // create a cookie
+  unsigned char bincookie[COOKIE_LENGTH/2];
+  grabrand(bincookie, COOKIE_LENGTH/2);
+  char cookie[COOKIE_LENGTH+1];
+  hex(cookie, bincookie, COOKIE_LENGTH/2);
+  cookie[COOKIE_LENGTH] = 0;
+  
+  // set session data
+  strncpy(session.user_name, user, 33);
+  session.start_time = time(NULL);
+  session.uid = passwd_entry->pw_uid;
+  
+  // write out session data to the fs
+  persist_session(cookie);
+  
+  // phew, all done! tell the user everything is fine
+  puts("Status: 200 login successful");
+  puts("X-Frame-Options: DENY");
+  puts("Content-Type: text/plain;charset=utf8");
+  // TODO XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX SET SECURE FLAG!
+  printf("Set-Cookie: " COOKIE_NAME "=%s; HttpOnly\n", cookie);
+  puts("");
+  puts("OK");
+}
diff --git a/octalmodes b/octalmodes
new file mode 100644
index 0000000..e4e5627
--- /dev/null
+++ b/octalmodes
@@ -0,0 +1,23 @@
+           S_IFMT     0170000   bit mask for the file type bit fields
+           S_IFSOCK   0140000   socket
+           S_IFLNK    0120000   symbolic link
+           S_IFREG    0100000   regular file
+           S_IFBLK    0060000   block device
+           S_IFDIR    0040000   directory
+           S_IFCHR    0020000   character device
+           S_IFIFO    0010000   FIFO
+           S_ISUID    0004000   set UID bit
+           S_ISGID    0002000   set-group-ID bit (see below)
+           S_ISVTX    0001000   sticky bit (see below)
+           S_IRWXU    00700     mask for file owner permissions
+           S_IRUSR    00400     owner has read permission
+           S_IWUSR    00200     owner has write permission
+           S_IXUSR    00100     owner has execute permission
+           S_IRWXG    00070     mask for group permissions
+           S_IRGRP    00040     group has read permission
+           S_IWGRP    00020     group has write permission
+           S_IXGRP    00010     group has execute permission
+           S_IRWXO    00007     mask for permissions for others (not in group)
+           S_IROTH    00004     others have read permission
+           S_IWOTH    00002     others have write permission
+           S_IXOTH    00001     others have execute permission
diff --git a/octalmodes_to_js b/octalmodes_to_js
new file mode 100644
index 0000000..107470b
--- /dev/null
+++ b/octalmodes_to_js
@@ -0,0 +1 @@
+cat octalmodes | sed 's|^ *|var |g' | sed 's|   *| = parseInt("|' | sed 's|   *|",8) // |'
diff --git a/static/index.html b/static/index.html
new file mode 100644
index 0000000..1e6adcc
--- /dev/null
+++ b/static/index.html
@@ -0,0 +1,179 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <script>
+function hex(str) {
+  var res = "";
+  var achar = 'a'.charCodeAt(0)
+  for (var i=0; i<str.length; i++) {
+    var c = str.charCodeAt(i)
+    res += String.fromCharCode((c>>4)+achar) + String.fromCharCode((c&0xf)+achar)
+  }
+  return res
+}
+
+function dehex(str) {
+  var res = ""
+  var achar = 'a'.charCodeAt(0)
+  for (var i=0; i<str.length; i+=2) {
+    var c1 = str.charCodeAt(i)-achar, c2 = str.charCodeAt(i+1)-achar
+    res += String.fromCharCode((c1<<4)+c2)
+  }
+  return res
+}
+
+function cgireq(script, qs, body, cb) {
+  var req = new XMLHttpRequest()
+  req.open((body!=null)?'POST':'GET', '/cgi-bin/cwebfiles/'+script+(qs?'?'+qs:''), !!cb)
+  if (cb) {
+    req.onloadend = function() {
+      cb(req.status, req.responseText)
+    }
+  }
+  req.send(body)
+  if (!cb) {
+    return {status: req.status, data: req.responseText}
+  }
+}
+
+function login(user, pass, cb) {
+  return cgireq('login', null, user+':'+pass, cb)
+}
+
+function listdir(path, cb) {
+  cgireq('listdir', hex(path), null, function(status, data) {
+    if (status != 200) return cb(status, data, null)
+    var listing = data.split('\n').filter(function(line) {
+      return line.trim().length > 0
+    }).map(function(line) {
+      var parts = line.split(' ')
+      return {name: dehex(parts[0]), size: parseInt(parts[1]), mode: parseInt(parts[2])}
+    })
+    cb(status, data, listing)
+  })
+}
+
+var S_IFMT = parseInt("0170000",8) // bit mask for the file type bit fields
+var S_IFSOCK = parseInt("0140000",8) // socket
+var S_IFLNK = parseInt("0120000",8) // symbolic link
+var S_IFREG = parseInt("0100000",8) // regular file
+var S_IFBLK = parseInt("0060000",8) // block device
+var S_IFDIR = parseInt("0040000",8) // directory
+var S_IFCHR = parseInt("0020000",8) // character device
+var S_IFIFO = parseInt("0010000",8) // FIFO
+
+var S_ISUID = parseInt("0004000",8) // set UID bit
+var S_ISGID = parseInt("0002000",8) // set-group-ID bit (see below)
+var S_ISVTX = parseInt("0001000",8) // sticky bit (see below)
+
+var S_IRWXU = parseInt("00700",8) // mask for file owner permissions
+var S_IRUSR = parseInt("00400",8) // owner has read permission
+var S_IWUSR = parseInt("00200",8) // owner has write permission
+var S_IXUSR = parseInt("00100",8) // owner has execute permission
+var S_IRWXG = parseInt("00070",8) // mask for group permissions
+var S_IRGRP = parseInt("00040",8) // group has read permission
+var S_IWGRP = parseInt("00020",8) // group has write permission
+var S_IXGRP = parseInt("00010",8) // group has execute permission
+var S_IRWXO = parseInt("00007",8) // mask for permissions for others (not in group)
+var S_IROTH = parseInt("00004",8) // others have read permission
+var S_IWOTH = parseInt("00002",8) // others have write permission
+var S_IXOTH = parseInt("00001",8) // others have execute permission
+
+
+var typechars = {}
+typechars[S_IFSOCK] = 's'
+typechars[S_IFLNK] = 'l'
+typechars[S_IFREG] = '-'
+typechars[S_IFBLK] = 'b'
+typechars[S_IFDIR] = 'd'
+typechars[S_IFCHR] = 'c'
+typechars[S_IFIFO] = 'p'
+
+function escapehtml(text) {
+  return text.replace(/&/g, '&amp;')
+              .replace(/</g, '&lt;')
+              .replace(/>/g, '&gt;')
+              .replace(/"/g, '&quot;')
+}
+
+var loc = '/'
+
+function dive(hexedname) { __listdir(loc + dehex(hexedname) + '/'); }
+
+function format_entry(entry) {
+  var modeline = ""
+  modeline += typechars[entry.mode&S_IFMT]
+  modeline += (entry.mode&S_IRUSR) ? 'r' : '-'
+  modeline += (entry.mode&S_IWUSR) ? 'w' : '-'
+  modeline += (entry.mode&S_ISUID) ? ((entry.mode&S_IXUSR) ? 's' : 'S') : ((entry.mode&S_IXUSR) ? 'x' : '-')
+  modeline += (entry.mode&S_IRGRP) ? 'r' : '-'
+  modeline += (entry.mode&S_IWGRP) ? 'w' : '-'
+  modeline += (entry.mode&S_ISGID) ? ((entry.mode&S_IXGRP) ? 's' : 'S') : ((entry.mode&S_IXGRP) ? 'x' : '-')
+  modeline += (entry.mode&S_IROTH) ? 'r' : '-'
+  modeline += (entry.mode&S_IWOTH) ? 'w' : '-'
+  modeline += (entry.mode&S_ISVTX) ? ((entry.mode&S_IXOTH) ? 's' : 'S') : ((entry.mode&S_IXOTH) ? 'x' : '-')
+  
+  var markred = (entry.mode&(S_ISUID|S_ISGID))
+  if (markred) {
+    modeline = '<span style="color: red">'+modeline+'</span>'
+  }
+  
+  var showsize = (entry.mode&S_IFMT) == S_IFREG
+  
+  var escaped_name = escapehtml(entry.name)
+  
+  var clickcode = ''
+  if ((entry.mode&S_IFMT) == S_IFDIR) clickcode = "dive('"+hex(entry.name)+"')"
+  
+  return '<tr><td>'+modeline+'</td><td '+(clickcode?'class="clickme" ':'')+'onclick="'+clickcode+'">'+escaped_name+'</td><td>'+(showsize?entry.size:'')+'</td></tr>'
+}
+
+function renderloc(path) {
+  var parts = path.split('/')
+  var curpath = '/';
+  var linkparts = parts.map(function(dir, i) {
+    var esc = (i==0) ? 'main directory' : escapehtml(dir)
+    if (i != 0) curpath += dir + '/'
+    var hexpath = hex(curpath)
+    var clickcode = "__listdir(dehex('"+hexpath+"'))"
+    return '<span class="clickme" onclick="'+clickcode+'">'+esc+'</span>'
+  })
+  return '<div id="loc">'+linkparts.join(' / ')+'</div>'
+}
+
+function __listdir(path) {
+  listdir(path, function(status, err, listing) {
+    if (status != 200) {
+      alert(err)
+      return
+    }
+    loc = path
+    var body = document.getElementsByTagName('body')[0]
+    body.innerHTML = renderloc(path)
+                   + '<table><thead><tr><th>mode</th><th>name</th><th>size</th></tr></thead><tbody>'+listing.filter(function(e) {
+      return e.name != '.' && e.name != '..'
+    }).map(function(e) {
+      return format_entry(e)
+    }).join('')+'</tbody></table>'
+    /*listing.forEach(function(e) {
+      //e.mode = e.mode.toString(8)
+      console.log(Object.keys(e).map(function(k) {
+        return k+':'+e[k]
+      }).join(', '))
+    })*/
+  })
+}
+
+
+    </script>
+    <style>
+      .clickme {
+        text-decoration: underline;
+        color: blue;
+        cursor: pointer;
+      }
+    </style>
+  </head>
+  <body onload="__listdir('/')">
+  </body>
+</html>
-- 
2.20.1