2013-01-31 17:48:47 +00:00
|
|
|
#
|
|
|
|
# Monitorix - A lightweight system monitoring tool.
|
|
|
|
#
|
|
|
|
# Copyright (C) 2005-2013 by Jordi Sanfeliu <jordi@fibranet.cat>
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License along
|
|
|
|
# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
#
|
|
|
|
|
|
|
|
package HTTPServer;
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
use warnings;
|
2013-05-24 12:16:05 +01:00
|
|
|
use Monitorix qw(trim);
|
2013-02-06 13:26:00 +00:00
|
|
|
use POSIX qw(strftime);
|
2013-01-31 17:48:47 +00:00
|
|
|
use HTTP::Server::Simple::CGI;
|
|
|
|
use base qw(HTTP::Server::Simple::CGI);
|
2013-05-15 11:46:04 +01:00
|
|
|
use MIME::Base64 qw(decode_base64);
|
2013-05-24 12:16:05 +01:00
|
|
|
use Socket;
|
2013-01-31 17:48:47 +00:00
|
|
|
|
2013-02-06 13:26:00 +00:00
|
|
|
sub logger {
|
2013-02-07 14:57:42 +00:00
|
|
|
my ($url, $type) = @_;
|
2013-02-06 13:26:00 +00:00
|
|
|
|
2013-02-07 15:06:53 +00:00
|
|
|
if(open(OUT, ">> $main::config{httpd_builtin}->{log_file}")) {
|
2013-02-07 14:57:42 +00:00
|
|
|
if($type eq "OK") {
|
|
|
|
print OUT localtime() . " - $type - [$ENV{REMOTE_ADDR}] \"$ENV{REQUEST_METHOD} $url - $ENV{HTTP_USER_AGENT}\"\n";
|
2013-05-15 11:46:04 +01:00
|
|
|
} elsif($type eq "NOTEXIST") {
|
2013-02-07 14:57:42 +00:00
|
|
|
print OUT localtime() . " - $type - [$ENV{REMOTE_ADDR}] File does not exist: $url\n";
|
2013-05-28 09:02:25 +01:00
|
|
|
} elsif($type eq "AUTHERR") {
|
2013-05-15 11:46:04 +01:00
|
|
|
print OUT localtime() . " - $type - [$ENV{REMOTE_ADDR}] Authentication error: $url\n";
|
2013-05-24 12:16:05 +01:00
|
|
|
} elsif($type eq "NOTALLOWED") {
|
|
|
|
print OUT localtime() . " - $type - [$ENV{REMOTE_ADDR}] Access not allowed: $url\n";
|
2013-05-15 11:46:04 +01:00
|
|
|
} else {
|
|
|
|
print OUT localtime() . " - $type - [$ENV{REMOTE_ADDR}] $url\n";
|
2013-02-07 14:57:42 +00:00
|
|
|
}
|
|
|
|
close(OUT);
|
|
|
|
} else {
|
2013-02-07 15:06:53 +00:00
|
|
|
print STDERR localtime() . " - ERROR: unable to open logfile '$main::config{httpd_builtin}->{log_file}'.\n";
|
2013-02-07 14:57:42 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-05-15 11:46:04 +01:00
|
|
|
sub check_passwd {
|
|
|
|
my ($user, $pass) = @_;
|
|
|
|
|
|
|
|
if(open(IN, $main::config{httpd_builtin}->{auth}->{htpasswd})) {
|
|
|
|
while(<IN>) {
|
|
|
|
my %pair = split(':', $_);
|
|
|
|
if($pair{$user || ""}) {
|
|
|
|
chomp($pair{$user});
|
|
|
|
if(crypt($pass, $pair{$user}) ne $pair{$user}) {
|
|
|
|
next;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
close(IN);
|
|
|
|
} else {
|
|
|
|
print STDERR localtime() . " - ERROR: can't open file '$main::config{httpd_builtin}->{auth}->{htpasswd}'.\n";
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2013-05-24 12:16:05 +01:00
|
|
|
sub ip_validity {
|
|
|
|
my ($myip, $hosts) = @_;
|
|
|
|
my $valid = 0;
|
|
|
|
|
|
|
|
foreach my $address (split(',', $hosts)) {
|
|
|
|
my $myip_bin = inet_aton($myip);
|
|
|
|
|
|
|
|
$address = "0.0.0.0/0" if $address eq "all";
|
|
|
|
my ($ip, $netmask) = split('/', trim($address) . "/");
|
|
|
|
my $ip_bin = inet_aton($ip);
|
|
|
|
|
|
|
|
$netmask = "255.255.255.255" if $netmask eq "";
|
|
|
|
$netmask = unpack("%32b*", inet_aton($netmask)) if length($netmask) > 2;
|
|
|
|
my $netmask_bin = ~pack("N", (2**(32-$netmask))-1);
|
|
|
|
|
|
|
|
my $first_valid = unpack("N", $ip_bin & $netmask_bin) + ($netmask eq "32" ? 0 : 1);
|
|
|
|
my $last_valid = unpack("N", $ip_bin | ~$netmask_bin) - ($netmask eq "32" ? 0 : 1);
|
|
|
|
|
|
|
|
$myip_bin = unpack("N", $myip_bin);
|
|
|
|
if($myip_bin >= $first_valid && $myip_bin <= $last_valid) {
|
|
|
|
$valid++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return $valid;
|
|
|
|
}
|
2013-05-15 11:46:04 +01:00
|
|
|
|
2013-02-07 14:57:42 +00:00
|
|
|
sub http_header {
|
|
|
|
my ($code, $mimetype) = @_;
|
2013-05-15 11:46:04 +01:00
|
|
|
my $msg = $main::config{httpd_builtin}->{auth}->{msg} || "";
|
2013-02-07 14:57:42 +00:00
|
|
|
|
|
|
|
if($code eq "200") {
|
|
|
|
print "HTTP/1.0 200 OK\r\n";
|
2013-05-15 11:46:04 +01:00
|
|
|
} elsif($code eq "401") {
|
|
|
|
my (undef, $encoded_str) = split(' ', $ENV{HTTP_AUTHORIZATION} || "");
|
|
|
|
my ($user, $pass) = split(':', decode_base64($encoded_str || ":"));
|
|
|
|
|
|
|
|
if(check_passwd($user, $pass)) {
|
|
|
|
print "HTTP/1.0 401 Access Denied\r\n";
|
|
|
|
print "WWW-Authenticate: Basic realm=\"$msg\"\r\n";
|
|
|
|
print "Content-Length: 0\r\n";
|
|
|
|
print "\r\n";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
} elsif($code eq "404") {
|
2013-02-07 14:57:42 +00:00
|
|
|
print "HTTP/1.0 404 Not found\r\n";
|
2013-05-15 11:46:04 +01:00
|
|
|
} else {
|
|
|
|
print "HTTP/1.0 403 Forbidden\r\n";
|
2013-02-07 14:57:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
print "Date: " . strftime("%a, %d %b %Y %H:%M:%S %z", localtime) . "\r\n";
|
|
|
|
print "Server: Monitorix HTTP Server\r\n";
|
|
|
|
print "Connection: close\r\n";
|
|
|
|
|
|
|
|
if($mimetype =~ m/(html|cgi)/) {
|
2013-04-24 14:51:06 +01:00
|
|
|
print "Content-Type: text/html; charset=UTF-8\r\n";
|
2013-02-07 14:57:42 +00:00
|
|
|
} else {
|
|
|
|
print "Content-Type: image/$mimetype;\r\n";
|
|
|
|
}
|
|
|
|
|
|
|
|
print "\r\n";
|
2013-05-15 11:46:04 +01:00
|
|
|
return 0;
|
2013-02-06 13:26:00 +00:00
|
|
|
}
|
2013-01-31 17:48:47 +00:00
|
|
|
|
|
|
|
sub handle_request {
|
|
|
|
my ($self, $cgi) = @_;
|
2013-02-07 14:57:42 +00:00
|
|
|
my $base_url = $main::config{base_url};
|
|
|
|
my $base_cgi = $main::config{base_cgi};
|
2013-05-24 12:16:05 +01:00
|
|
|
my $host = $main::config{httpd_builtin}->{host} || "localhost";
|
|
|
|
my $port = $main::config{httpd_builtin}->{port} || "8080";
|
|
|
|
my $hosts_deny = $main::config{httpd_builtin}->{hosts_deny} || "";
|
|
|
|
my $hosts_allow = $main::config{httpd_builtin}->{hosts_allow} || "";
|
2013-05-15 11:46:04 +01:00
|
|
|
my $auth = lc($main::config{httpd_builtin}->{auth}->{enabled});
|
2013-02-07 14:57:42 +00:00
|
|
|
my $mimetype;
|
2013-02-06 13:26:00 +00:00
|
|
|
my $target;
|
2013-02-11 14:28:20 +00:00
|
|
|
my $target_cgi;
|
2013-02-06 13:26:00 +00:00
|
|
|
my @data;
|
2013-11-21 09:08:19 +00:00
|
|
|
my $OK_CHARS='-a-zA-Z0-9_./'; # a restrictive list of valid chars
|
2013-01-31 17:48:47 +00:00
|
|
|
|
|
|
|
return if fork(); # parent returns
|
|
|
|
|
|
|
|
my $url = $cgi->path_info();
|
2013-11-25 17:00:28 +00:00
|
|
|
my $url_disarmed = $url;
|
|
|
|
|
|
|
|
# this should disarm all XSS and Cookie Injection attempts
|
|
|
|
$url_disarmed =~ s/\&/&/g;
|
|
|
|
$url_disarmed =~ s/\</</g;
|
|
|
|
$url_disarmed =~ s/\>/>/g;
|
|
|
|
$url_disarmed =~ s/\"/"/g;
|
|
|
|
$url_disarmed =~ s/\'/'/g;
|
|
|
|
$url_disarmed =~ s/\(/(/g;
|
|
|
|
$url_disarmed =~ s/\)/)/g;
|
|
|
|
$url_disarmed =~ s/\////g;
|
|
|
|
|
2013-02-15 09:10:10 +00:00
|
|
|
$0 = "monitorix-httpd"; # change process' name
|
2013-01-31 17:48:47 +00:00
|
|
|
|
2013-05-24 12:16:05 +01:00
|
|
|
# check if the IP address is allowed to connect
|
|
|
|
my $denied;
|
|
|
|
my $allowed = ip_validity($ENV{REMOTE_ADDR}, $hosts_allow);
|
|
|
|
$denied = ip_validity($ENV{REMOTE_ADDR}, $hosts_deny) if !$allowed;
|
|
|
|
if(!$allowed && $denied) {
|
|
|
|
http_header("403", "html");
|
|
|
|
print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n";
|
|
|
|
print "<html><head>\r\n";
|
|
|
|
print "<title>403 Forbidden</title>\r\n";
|
|
|
|
print "</head><body>\r\n";
|
|
|
|
print "<h1>Forbidden</h1>\r\n";
|
2013-11-25 17:00:28 +00:00
|
|
|
print "<p>You don't have permission to access $url_disarmed\r\n";
|
2013-05-24 12:16:05 +01:00
|
|
|
print "on this server.</p>\r\n";
|
|
|
|
print "<hr>\r\n";
|
|
|
|
print "<address>Monitorix HTTP Server listening at $host Port $port</address>\r\n";
|
|
|
|
print "</body></html>\r\n";
|
|
|
|
logger($url, "NOTALLOWED");
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
2013-02-06 13:26:00 +00:00
|
|
|
# sanitizes the $target
|
|
|
|
$target = $url;
|
2013-01-31 17:48:47 +00:00
|
|
|
while() {
|
2013-02-06 13:26:00 +00:00
|
|
|
my $cur = length($target);
|
|
|
|
$target =~ s/\.\.\///;
|
|
|
|
$target =~ s/^\///;
|
2013-02-07 17:37:09 +00:00
|
|
|
$target =~ s/\/$//;
|
2013-02-19 11:57:27 +00:00
|
|
|
last unless $cur ne length($target);
|
2013-01-31 17:48:47 +00:00
|
|
|
}
|
2013-02-11 14:28:20 +00:00
|
|
|
$target = $target_cgi = "/$target";
|
2013-01-31 17:48:47 +00:00
|
|
|
|
2013-02-07 14:57:42 +00:00
|
|
|
$target =~ s/^$base_url//; # removes the 'base_url' part
|
2013-02-11 14:28:20 +00:00
|
|
|
$target_cgi =~ s/^$base_cgi//; # removes the 'base_cgi' part
|
|
|
|
if(!$target || $target eq $base_url) {
|
|
|
|
$target = "index.html" unless $target;
|
|
|
|
}
|
2013-02-07 14:57:42 +00:00
|
|
|
($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);
|
|
|
|
|
2013-11-21 09:08:19 +00:00
|
|
|
$target =~ s/^\/*//; # removes leading slashes
|
|
|
|
$target_cgi =~ s/^\/*//; # removes leading slashes
|
|
|
|
|
|
|
|
$target =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
|
|
|
|
$target_cgi =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
|
|
|
|
|
2013-02-11 14:28:20 +00:00
|
|
|
if($target_cgi eq "monitorix.cgi") {
|
2013-02-14 17:52:29 +00:00
|
|
|
chdir("cgi");
|
2013-02-11 14:28:20 +00:00
|
|
|
open(EXEC, "./$target_cgi |");
|
2013-02-07 14:57:42 +00:00
|
|
|
@data = <EXEC>;
|
|
|
|
close(EXEC);
|
2013-02-11 14:28:20 +00:00
|
|
|
} elsif($target) {
|
2013-02-06 13:26:00 +00:00
|
|
|
if(open(IN, $target)) {
|
|
|
|
@data = <IN>;
|
|
|
|
close(IN);
|
|
|
|
}
|
2013-01-31 17:48:47 +00:00
|
|
|
}
|
|
|
|
|
2013-02-06 13:26:00 +00:00
|
|
|
if(scalar(@data)) {
|
2013-05-15 11:46:04 +01:00
|
|
|
if($auth eq "y") {
|
|
|
|
if(http_header("401", $mimetype)) {
|
|
|
|
print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n";
|
|
|
|
print "<html><head>\r\n";
|
|
|
|
print "<title>401 Authorization Required</title>\r\n";
|
|
|
|
print "</head><body>\r\n";
|
|
|
|
print "<h1>Authorization Required</h1>\r\n";
|
|
|
|
print "<p>This server could not verify that you\r\n";
|
|
|
|
print "are authorized to access the document\r\n";
|
|
|
|
print "requested. Either you supplied the wrong\r\n";
|
|
|
|
print "credentials (e.g., bad password), or your\r\n";
|
|
|
|
print "browser doesn't understand how to supply\r\n";
|
|
|
|
print "the credentials required.</p>\r\n";
|
|
|
|
print "</body></html>\r\n";
|
2013-05-28 09:02:25 +01:00
|
|
|
logger($url, "AUTHERR");
|
2013-05-15 11:46:04 +01:00
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
}
|
2013-02-07 14:57:42 +00:00
|
|
|
http_header("200", $mimetype);
|
2013-02-06 13:26:00 +00:00
|
|
|
foreach(@data) {
|
|
|
|
print $_;
|
|
|
|
}
|
2013-02-07 14:57:42 +00:00
|
|
|
logger($url, "OK");
|
2013-01-31 17:48:47 +00:00
|
|
|
} else {
|
2013-02-07 14:57:42 +00:00
|
|
|
http_header("404", "html");
|
2013-02-06 13:26:00 +00:00
|
|
|
print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n";
|
|
|
|
print "<html><head>\r\n";
|
|
|
|
print "<title>404 Not Found</title>\r\n";
|
|
|
|
print "</head><body>\r\n";
|
|
|
|
print "<h1>Not Found</h1>\r\n";
|
2013-11-25 17:00:28 +00:00
|
|
|
print "The requested URL $url_disarmed was not found on this server.<p>\r\n";
|
2013-02-06 13:26:00 +00:00
|
|
|
print "<hr>\r\n";
|
2013-05-24 12:16:05 +01:00
|
|
|
print "<address>Monitorix HTTP Server listening at $host Port $port</address>\r\n";
|
2013-02-06 13:26:00 +00:00
|
|
|
print "</body></html>\r\n";
|
2013-05-15 11:46:04 +01:00
|
|
|
logger($url, "NOTEXIST");
|
2013-01-31 17:48:47 +00:00
|
|
|
}
|
|
|
|
|
2013-02-06 13:26:00 +00:00
|
|
|
exit(0);
|
2013-01-31 17:48:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
1;
|