-rw-r--r-- | src/mod_access.c | 18 | ||||
-rw-r--r-- | tests/lowercase.conf | 80 | ||||
-rwxr-xr-x | tests/lowercase.t | 94 |
3 files changed, 188 insertions, 4 deletions
diff --git a/src/mod_access.c b/src/mod_access.c
index aa8d16f5..f3f70718 100644
--- a/src/mod_access.c
+++ b/src/mod_access.c
@@ -129,11 +129,21 @@ URIHANDLER_FUNC(mod_access_uri_handler) {
 if (ct_len > s_len) continue;
 if (ds->value->used == 0) continue;
-
- if (0 == strncmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
- con->http_status = 403;
+
+ /* if we have a case-insensitive FS we have to lower-case the URI here too */
+
+ if (con->conf.force_lowercase_filenames) {
+ if (0 == strncasecmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
+ con->http_status = 403;
- return HANDLER_FINISHED;
+ return HANDLER_FINISHED;
+ }
+ } else {
+ if (0 == strncmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
+ con->http_status = 403;
+
+ return HANDLER_FINISHED;
+ }
 }
 }
diff --git a/tests/lowercase.conf b/tests/lowercase.conf
new file mode 100644
index 00000000..bedf1456
--- /dev/null
+++ b/tests/lowercase.conf
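Review bot: The case-insensitive deny match in the new `if (con->conf.force_lowercase_filenames)` branch is keyed to a configuration flag rather than to the filesystem, so a document root on a case-insensitive filesystem with that option left off would presumably still serve `/image.JPG` past a `url.access-deny` of `.jpg`; the comment should say so, e.g. `/* url.access-deny is matched case-insensitively only when server.force-lowercase-filenames is enabled; enable it on case-insensitive filesystems */`. `strncasecmp()` also folds case per the C locale (ASCII in practice), which may not agree with how the filesystem folds non-ASCII names. The two branches differ only in the comparison, so choosing it once with `int (*cmp)(const char *, const char *, size_t) = con->conf.force_lowercase_filenames ? strncasecmp : strncmp;` and keeping a single `if (0 == cmp(...))` would remove the duplicated 403 return. The enclosing loop and the rest of `mod_access_uri_handler` lie outside the hunk.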
@@ -0,0 +1,80 @@
+server.document-root = "@SRCDIR@/tmp/lighttpd/servers/www.example.org/pages/"
+server.pid-file = "@SRCDIR@/tmp/lighttpd/lighttpd.pid"
+
+## bind to port (default: 80)
+server.port = 2048
+
+## bind to localhost (default: all interfaces)
+server.bind = "localhost"
+server.errorlog = "@SRCDIR@/tmp/lighttpd/logs/lighttpd.error.log"
+
+server.force-lowercase-filenames = "enable"
+
+server.dir-listing = "enable"
+
+server.modules = (
+ "mod_rewrite",
+ "mod_setenv",
+ "mod_secdownload",
+ "mod_access",
+ "mod_auth",
+ "mod_status",
+ "mod_expire",
+ "mod_redirect",
+ "mod_fastcgi",
+ "mod_cgi" )
+
+server.indexfiles = ( "index.php", "index.html",
+ "index.htm", "default.htm" )
+
+
+######################## MODULE CONFIG ############################
+
+mimetype.assign = ( ".png" => "image/png",
+ ".jpg" => "image/jpeg",
+ ".jpeg" => "image/jpeg",
+ ".gif" => "image/gif",
+ ".html" => "text/html",
+ ".htm" => "text/html",
+ ".pdf" => "application/pdf",
+ ".swf" => "application/x-shockwave-flash",
+ ".spl" => "application/futuresplash",
+ ".txt" => "text/plain",
+ ".tar.gz" => "application/x-tgz",
+ ".tgz" => "application/x-tgz",
+ ".gz" => "application/x-gzip",
+ ".c" => "text/plain",
+ ".conf" => "text/plain" )
+
+fastcgi.debug = 0
+fastcgi.server = ( ".php" => ( ( "host" => "127.0.0.1", "port" => 1026, "broken-scriptfilename" => "enable" ) ),
+ "/prefix.fcgi" => ( ( "host" => "127.0.0.1", "port" => 1026, "check-local" => "disable", "broken-scriptfilename" => "enable" ) )
+ )
+
+
+cgi.assign = ( ".pl" => "/usr/bin/perl",
+ ".cgi" => "/usr/bin/perl",
+ ".py" => "/usr/bin/python" )
+
+auth.backend = "plain"
+auth.backend.plain.userfile = "@SRCDIR@/tmp/lighttpd/lighttpd.user"
+
+auth.backend.htpasswd.userfile = "@SRCDIR@/tmp/lighttpd/lighttpd.htpasswd"
+
+$HTTP["host"] == "lowercase-auth" {
+ auth.require = ( "/image.jpg" =>
+ (
+ "method" => "digest",
+ "realm" => "download archiv",
+ "require" => "valid-user"
+ )
+ )
+}
+
+$HTTP["host"] == "lowercase-deny" {
+ url.access-deny = ( ".jpg")
+}
+
+$HTTP["host"] == "lowercase-exclude" {
+ static-file.exclude-extensions = ( ".jpg" )
+}
diff --git a/tests/lowercase.t b/tests/lowercase.t
new file mode 100755
index 00000000..e127cddc
--- /dev/null
+++ b/tests/lowercase.t
@@ -0,0 +1,94 @@
+#!/usr/bin/env perl
+BEGIN {
+ # add current source dir to the include-path
+ # we need this for make distcheck
+ (my $srcdir = $0) =~ s#/[^/]+$#/#;
+ unshift @INC, $srcdir;
+}
+
+use strict;
+use IO::Socket;
+use Test::More tests => 10;
+use LightyTest;
+
+my $tf = LightyTest->new();
+my $t;
+
+$tf->{CONFIGFILE} = 'lowercase.conf';
+
+ok($tf->start_proc == 0, "Starting lighttpd") or die();
+
+## check if lower-casing works
+
+$t->{REQUEST} = ( <<EOF
+GET /image.JPG HTTP/1.0
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+ok($tf->handle_http($t) == 0, 'uppercase access');
+
+$t->{REQUEST} = ( <<EOF
+GET /image.jpg HTTP/1.0
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+ok($tf->handle_http($t) == 0, 'lowercase access');
+
+## check that mod-auth works
+
+$t->{REQUEST} = ( <<EOF
+GET /image.JPG HTTP/1.0
+Host: lowercase-auth
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'uppercase access');
+
+$t->{REQUEST} = ( <<EOF
+GET /image.jpg HTTP/1.0
+Host: lowercase-auth
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'lowercase access');
+
+
+## check that mod-staticfile exclude works
+$t->{REQUEST} = ( <<EOF
+GET /image.JPG HTTP/1.0
+Host: lowercase-exclude
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
+ok($tf->handle_http($t) == 0, 'upper case access to staticfile.exclude-extension');
+
+$t->{REQUEST} = ( <<EOF
+GET /image.jpg HTTP/1.0
+Host: lowercase-exclude
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
+ok($tf->handle_http($t) == 0, 'lowercase access');
+
+
+## check that mod-access exclude works
+$t->{REQUEST} = ( <<EOF
+GET /image.JPG HTTP/1.0
+Host: lowercase-deny
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
+ok($tf->handle_http($t) == 0, 'uppercase access to url.access-deny protected location');
+
+$t->{REQUEST} = ( <<EOF
+GET /image.jpg HTTP/1.0
+Host: lowercase-deny
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
+ok($tf->handle_http($t) == 0, 'lowercase access');
+
+
+
+ok($tf->stop_proc == 0, "Stopping lighttpd");
+
|
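Review bot: Four of the request checks are described only as 'lowercase access' and two only as 'uppercase access', so a failing line in the test output does not say whether the plain, auth, exclude or deny host regressed; name the host in each, e.g. `'lowercase access to url.access-deny protected location'`. The script enables `use strict;` but not `use warnings;`, which is worth adding on the next line. Every pattern in lowercase.conf is lowercase and every request is all-upper or all-lower, so a mixed-case request such as `GET /image.Jpg` and a 200 control for a non-matching extension on the `lowercase-deny` host would pin the new case-insensitive branch in mod_access more tightly.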