| 1 | /***************************************************************************
|
|---|
| 2 | * _ _ ____ _
|
|---|
| 3 | * Project ___| | | | _ \| |
|
|---|
| 4 | * / __| | | | |_) | |
|
|---|
| 5 | * | (__| |_| | _ <| |___
|
|---|
| 6 | * \___|\___/|_| \_\_____|
|
|---|
| 7 | *
|
|---|
| 8 | * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|---|
| 9 | *
|
|---|
| 10 | * This software is licensed as described in the file COPYING, which
|
|---|
| 11 | * you should have received as part of this distribution. The terms
|
|---|
| 12 | * are also available at https://curl.se/docs/copyright.html.
|
|---|
| 13 | *
|
|---|
| 14 | * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|---|
| 15 | * copies of the Software, and permit persons to whom the Software is
|
|---|
| 16 | * furnished to do so, under the terms of the COPYING file.
|
|---|
| 17 | *
|
|---|
| 18 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|---|
| 19 | * KIND, either express or implied.
|
|---|
| 20 | *
|
|---|
| 21 | * SPDX-License-Identifier: curl
|
|---|
| 22 | *
|
|---|
| 23 | ***************************************************************************/
|
|---|
| 24 |
|
|---|
| 25 | #include "curl_setup.h"
|
|---|
| 26 |
|
|---|
| 27 | #ifndef CURL_DISABLE_PROXY
|
|---|
| 28 |
|
|---|
| 29 | #include "inet_pton.h"
|
|---|
| 30 | #include "strcase.h"
|
|---|
| 31 | #include "noproxy.h"
|
|---|
| 32 |
|
|---|
| 33 | #ifdef HAVE_NETINET_IN_H
|
|---|
| 34 | #include <netinet/in.h>
|
|---|
| 35 | #endif
|
|---|
| 36 |
|
|---|
| 37 | #ifdef HAVE_ARPA_INET_H
|
|---|
| 38 | #include <arpa/inet.h>
|
|---|
| 39 | #endif
|
|---|
| 40 |
|
|---|
| 41 | /*
|
|---|
| 42 | * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
|
|---|
| 43 | * specified CIDR address range.
|
|---|
| 44 | */
|
|---|
| 45 | UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */
|
|---|
| 46 | const char *network, /* 1.2.3.4 address */
|
|---|
| 47 | unsigned int bits)
|
|---|
| 48 | {
|
|---|
| 49 | unsigned int address = 0;
|
|---|
| 50 | unsigned int check = 0;
|
|---|
| 51 |
|
|---|
| 52 | if(bits > 32)
|
|---|
| 53 | /* strange input */
|
|---|
| 54 | return FALSE;
|
|---|
| 55 |
|
|---|
| 56 | if(1 != Curl_inet_pton(AF_INET, ipv4, &address))
|
|---|
| 57 | return FALSE;
|
|---|
| 58 | if(1 != Curl_inet_pton(AF_INET, network, &check))
|
|---|
| 59 | return FALSE;
|
|---|
| 60 |
|
|---|
| 61 | if(bits && (bits != 32)) {
|
|---|
| 62 | unsigned int mask = 0xffffffff << (32 - bits);
|
|---|
| 63 | unsigned int haddr = htonl(address);
|
|---|
| 64 | unsigned int hcheck = htonl(check);
|
|---|
| 65 | #if 0
|
|---|
| 66 | fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n",
|
|---|
| 67 | ipv4, haddr, network, hcheck, bits, mask,
|
|---|
| 68 | (haddr ^ hcheck) & mask);
|
|---|
| 69 | #endif
|
|---|
| 70 | if((haddr ^ hcheck) & mask)
|
|---|
| 71 | return FALSE;
|
|---|
| 72 | return TRUE;
|
|---|
| 73 | }
|
|---|
| 74 | return (address == check);
|
|---|
| 75 | }
|
|---|
| 76 |
|
|---|
| 77 | UNITTEST bool Curl_cidr6_match(const char *ipv6,
|
|---|
| 78 | const char *network,
|
|---|
| 79 | unsigned int bits)
|
|---|
| 80 | {
|
|---|
| 81 | #ifdef ENABLE_IPV6
|
|---|
| 82 | int bytes;
|
|---|
| 83 | int rest;
|
|---|
| 84 | unsigned char address[16];
|
|---|
| 85 | unsigned char check[16];
|
|---|
| 86 |
|
|---|
| 87 | if(!bits)
|
|---|
| 88 | bits = 128;
|
|---|
| 89 |
|
|---|
| 90 | bytes = bits/8;
|
|---|
| 91 | rest = bits & 0x07;
|
|---|
| 92 | if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
|
|---|
| 93 | return FALSE;
|
|---|
| 94 | if(1 != Curl_inet_pton(AF_INET6, network, check))
|
|---|
| 95 | return FALSE;
|
|---|
| 96 | if((bytes > 16) || ((bytes == 16) && rest))
|
|---|
| 97 | return FALSE;
|
|---|
| 98 | if(bytes && memcmp(address, check, bytes))
|
|---|
| 99 | return FALSE;
|
|---|
| 100 | if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
|
|---|
| 101 | return FALSE;
|
|---|
| 102 |
|
|---|
| 103 | return TRUE;
|
|---|
| 104 | #else
|
|---|
| 105 | (void)ipv6;
|
|---|
| 106 | (void)network;
|
|---|
| 107 | (void)bits;
|
|---|
| 108 | return FALSE;
|
|---|
| 109 | #endif
|
|---|
| 110 | }
|
|---|
| 111 |
|
|---|
| 112 | enum nametype {
|
|---|
| 113 | TYPE_HOST,
|
|---|
| 114 | TYPE_IPV4,
|
|---|
| 115 | TYPE_IPV6
|
|---|
| 116 | };
|
|---|
| 117 |
|
|---|
| 118 | /****************************************************************
|
|---|
| 119 | * Checks if the host is in the noproxy list. returns TRUE if it matches and
|
|---|
| 120 | * therefore the proxy should NOT be used.
|
|---|
| 121 | ****************************************************************/
|
|---|
| 122 | bool Curl_check_noproxy(const char *name, const char *no_proxy)
|
|---|
| 123 | {
|
|---|
| 124 | /*
|
|---|
| 125 | * If we don't have a hostname at all, like for example with a FILE
|
|---|
| 126 | * transfer, we have nothing to interrogate the noproxy list with.
|
|---|
| 127 | */
|
|---|
| 128 | if(!name || name[0] == '\0')
|
|---|
| 129 | return FALSE;
|
|---|
| 130 |
|
|---|
| 131 | /* no_proxy=domain1.dom,host.domain2.dom
|
|---|
| 132 | * (a comma-separated list of hosts which should
|
|---|
| 133 | * not be proxied, or an asterisk to override
|
|---|
| 134 | * all proxy variables)
|
|---|
| 135 | */
|
|---|
| 136 | if(no_proxy && no_proxy[0]) {
|
|---|
| 137 | const char *p = no_proxy;
|
|---|
| 138 | size_t namelen;
|
|---|
| 139 | enum nametype type = TYPE_HOST;
|
|---|
| 140 | char hostip[128];
|
|---|
| 141 | if(!strcmp("*", no_proxy))
|
|---|
| 142 | return TRUE;
|
|---|
| 143 |
|
|---|
| 144 | /* NO_PROXY was specified and it wasn't just an asterisk */
|
|---|
| 145 |
|
|---|
| 146 | if(name[0] == '[') {
|
|---|
| 147 | char *endptr;
|
|---|
| 148 | /* IPv6 numerical address */
|
|---|
| 149 | endptr = strchr(name, ']');
|
|---|
| 150 | if(!endptr)
|
|---|
| 151 | return FALSE;
|
|---|
| 152 | name++;
|
|---|
| 153 | namelen = endptr - name;
|
|---|
| 154 | if(namelen >= sizeof(hostip))
|
|---|
| 155 | return FALSE;
|
|---|
| 156 | memcpy(hostip, name, namelen);
|
|---|
| 157 | hostip[namelen] = 0;
|
|---|
| 158 | name = hostip;
|
|---|
| 159 | type = TYPE_IPV6;
|
|---|
| 160 | }
|
|---|
| 161 | else {
|
|---|
| 162 | unsigned int address;
|
|---|
| 163 | namelen = strlen(name);
|
|---|
| 164 | if(1 == Curl_inet_pton(AF_INET, name, &address))
|
|---|
| 165 | type = TYPE_IPV4;
|
|---|
| 166 | else {
|
|---|
| 167 | /* ignore trailing dots in the host name */
|
|---|
| 168 | if(name[namelen - 1] == '.')
|
|---|
| 169 | namelen--;
|
|---|
| 170 | }
|
|---|
| 171 | }
|
|---|
| 172 |
|
|---|
| 173 | while(*p) {
|
|---|
| 174 | const char *token;
|
|---|
| 175 | size_t tokenlen = 0;
|
|---|
| 176 | bool match = FALSE;
|
|---|
| 177 |
|
|---|
| 178 | /* pass blanks */
|
|---|
| 179 | while(*p && ISBLANK(*p))
|
|---|
| 180 | p++;
|
|---|
| 181 |
|
|---|
| 182 | token = p;
|
|---|
| 183 | /* pass over the pattern */
|
|---|
| 184 | while(*p && !ISBLANK(*p) && (*p != ',')) {
|
|---|
| 185 | p++;
|
|---|
| 186 | tokenlen++;
|
|---|
| 187 | }
|
|---|
| 188 |
|
|---|
| 189 | if(tokenlen) {
|
|---|
| 190 | switch(type) {
|
|---|
| 191 | case TYPE_HOST:
|
|---|
| 192 | /* ignore trailing dots in the token to check */
|
|---|
| 193 | if(token[tokenlen - 1] == '.')
|
|---|
| 194 | tokenlen--;
|
|---|
| 195 |
|
|---|
| 196 | if(tokenlen && (*token == '.')) {
|
|---|
| 197 | /* ignore leading token dot as well */
|
|---|
| 198 | token++;
|
|---|
| 199 | tokenlen--;
|
|---|
| 200 | }
|
|---|
| 201 | /* A: example.com matches 'example.com'
|
|---|
| 202 | B: www.example.com matches 'example.com'
|
|---|
| 203 | C: nonexample.com DOES NOT match 'example.com'
|
|---|
| 204 | */
|
|---|
| 205 | if(tokenlen == namelen)
|
|---|
| 206 | /* case A, exact match */
|
|---|
| 207 | match = strncasecompare(token, name, namelen);
|
|---|
| 208 | else if(tokenlen < namelen) {
|
|---|
| 209 | /* case B, tailmatch domain */
|
|---|
| 210 | match = (name[namelen - tokenlen - 1] == '.') &&
|
|---|
| 211 | strncasecompare(token, name + (namelen - tokenlen),
|
|---|
| 212 | tokenlen);
|
|---|
| 213 | }
|
|---|
| 214 | /* case C passes through, not a match */
|
|---|
| 215 | break;
|
|---|
| 216 | case TYPE_IPV4:
|
|---|
| 217 | /* FALLTHROUGH */
|
|---|
| 218 | case TYPE_IPV6: {
|
|---|
| 219 | const char *check = token;
|
|---|
| 220 | char *slash;
|
|---|
| 221 | unsigned int bits = 0;
|
|---|
| 222 | char checkip[128];
|
|---|
| 223 | if(tokenlen >= sizeof(checkip))
|
|---|
| 224 | /* this cannot match */
|
|---|
| 225 | break;
|
|---|
| 226 | /* copy the check name to a temp buffer */
|
|---|
| 227 | memcpy(checkip, check, tokenlen);
|
|---|
| 228 | checkip[tokenlen] = 0;
|
|---|
| 229 | check = checkip;
|
|---|
| 230 |
|
|---|
| 231 | slash = strchr(check, '/');
|
|---|
| 232 | /* if the slash is part of this token, use it */
|
|---|
| 233 | if(slash) {
|
|---|
| 234 | bits = atoi(slash + 1);
|
|---|
| 235 | *slash = 0; /* null terminate there */
|
|---|
| 236 | }
|
|---|
| 237 | if(type == TYPE_IPV6)
|
|---|
| 238 | match = Curl_cidr6_match(name, check, bits);
|
|---|
| 239 | else
|
|---|
| 240 | match = Curl_cidr4_match(name, check, bits);
|
|---|
| 241 | break;
|
|---|
| 242 | }
|
|---|
| 243 | }
|
|---|
| 244 | if(match)
|
|---|
| 245 | return TRUE;
|
|---|
| 246 | } /* if(tokenlen) */
|
|---|
| 247 | while(*p == ',')
|
|---|
| 248 | p++;
|
|---|
| 249 | } /* while(*p) */
|
|---|
| 250 | } /* NO_PROXY was specified and it wasn't just an asterisk */
|
|---|
| 251 |
|
|---|
| 252 | return FALSE;
|
|---|
| 253 | }
|
|---|
| 254 |
|
|---|
| 255 | #endif /* CURL_DISABLE_PROXY */
|
|---|