For -WWW, fix test for ".." directory references (and avoid warning for
[openssl.git] / apps / s_server.c
index 561e3a2358fbbc951c7a6fa55e9e6b4db93da1d4..f8e44ce43e095866da6cb4cb493596594b917372 100644 (file)
@@ -250,6 +250,8 @@ static void sv_usage(void)
        BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
        BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
        BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+       BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+        BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
        BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
        BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
        BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
@@ -559,6 +561,8 @@ int MAIN(int argc, char *argv[])
                        { www=1; }
                else if (strcmp(*argv,"-WWW") == 0)
                        { www=2; }
+               else if (strcmp(*argv,"-HTTP") == 0)
+                       { www=3; }
                else if (strcmp(*argv,"-no_ssl2") == 0)
                        { off|=SSL_OP_NO_SSLv2; }
                else if (strcmp(*argv,"-no_ssl3") == 0)
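Review bot: The `www=3` assigned for `-HTTP` is a bare mode number, like the `1` and `2` in the lines above it, and the later hunks in www_body() branch on `www == 2 || www == 3` and `www == 2` with nothing that names the modes. A reader has to come back to this option chain to learn what each value selects. I would document the values where `www` is declared (outside this hunk), for example `/* www: 1 = -www status page, 2 = -WWW file with generated header, 3 = -HTTP file sent as a complete response */`, or replace them with named enum constants. The option chain in MAIN() starts and ends outside the hunk.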
@@ -1414,7 +1418,8 @@ static int www_body(char *hostname, int s, unsigned char *context)
                        BIO_puts(io,"</BODY></HTML>\r\n\r\n");
                        break;
                        }
-               else if ((www == 2) && (strncmp("GET /",buf,5) == 0))
+               else if ((www == 2 || www == 3)
+                         && (strncmp("GET /",buf,5) == 0))
                        {
                        BIO *file;
                        char *p,*e;
@@ -1422,15 +1427,30 @@ static int www_body(char *hostname, int s, unsigned char *context)
 
                        /* skip the '/' */
                        p= &(buf[5]);
-                       dot=0;
+
+                       dot = 1;
                        for (e=p; *e != '\0'; e++)
                                {
-                               if (e[0] == ' ') break;
-                               if (    (e[0] == '.') &&
-                                       (strncmp(&(e[-1]),"/../",4) == 0))
-                                       dot=1;
+                               if (e[0] == ' ')
+                                       break;
+
+                               switch (dot)
+                                       {
+                               case 0:
+                                       dot = (e[0] == '/') ? 1 : 0;
+                                       break;
+                               case 1:
+                                       dot = (e[0] == '.') ? 2 : 0;
+                                       break;
+                               case 2:
+                                       dot = (e[0] == '.') ? 3 : 0;
+                                       break;
+                               case 3:
+                                       dot = (e[0] == '/') ? -1 : 0;
+                                       break;
+                                       }
                                }
-                       
+                       dot = (dot == 3) || (dot == -1); /* filename contains ".." component */
 
                        if (*e == '\0')
                                {
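Review bot: The new scanner only returns to the "start of component" state from state 0, so a '/' seen in state 1 or state 2 drops it to 0 instead of 1, and a `..` component that follows an empty component or a `.` component is not flagged. Because this test is the guard that keeps `-WWW` and `-HTTP` from opening files outside the working directory, every '/' should re-arm the check: drop `case 0:` and add `if (dot == 0) dot = (e[0] == '/') ? 1 : 0;` after the switch, which leaves the sticky `-1` state untouched. The loop also treats only '/' as a separator; whether '\\' needs the same handling on platforms that accept it in paths should be confirmed. www_body() begins and ends outside the hunk, so the later rejection of a flagged path is not visible here.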
@@ -1482,13 +1502,16 @@ static int www_body(char *hostname, int s, unsigned char *context)
                        if (!s_quiet)
                                BIO_printf(bio_err,"FILE:%s\n",p);
 
-                       i=strlen(p);
-                       if (    ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
-                               ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
-                               ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
-                               BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
-                       else
-                               BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
+                        if (www == 2)
+                                {
+                                i=strlen(p);
+                                if (   ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
+                                        ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
+                                        ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
+                                        BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
+                                else
+                                        BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
+                                }
                        /* send the file */
                        total_bytes=0;
                        for (;;)
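Review bot: The new `if (www == 2)` guard has no comment saying why mode 3 writes nothing before the send loop, although in that mode the file is sent verbatim and so supplies the status line and all headers of the response itself. I would add `/* -HTTP (www == 3): the file is a complete HTTP response, so no header is generated here */` above the guard. The added lines also appear to be indented with spaces where the surrounding context uses tabs. www_body() begins and ends outside the hunk.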
@@ -1605,7 +1628,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
                        (strlen(session_id_prefix) < *id_len) ?
                        strlen(session_id_prefix) : *id_len);
                }
-       while(SSL_CTX_has_matching_session_id(ssl->ctx, id, *id_len) &&
+       while(SSL_has_matching_session_id(ssl, id, *id_len) &&
                (++count < MAX_SESSION_ID_ATTEMPTS));
        if(count >= MAX_SESSION_ID_ATTEMPTS)
                return 0;