1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
|
/*
* http_range - HTTP Range (RFC 7233)
*
* Copyright(c) 2015,2021 Glenn Strauss gstrauss()gluelogic.com All rights reserved
* License: BSD 3-clause (same as lighttpd)
*/
#include "http_range.h"
#include <limits.h>
#include <stdlib.h> /* strtol(), strtoll() */
#include <string.h> /* memmove() */
#include "buffer.h"
#include "chunk.h"
#include "http_header.h"
#include "request.h"
/* arbitrary limit for max num ranges (additional ranges are ignored) */
#undef RMAX
#define RMAX 10
/* RFC 7233 Hypertext Transfer Protocol (HTTP/1.1): Range Requests
* https://tools.ietf.org/html/rfc7233
* Range requests are an OPTIONAL feature of HTTP, designed so that recipients
* not implementing this feature (or not supporting it for the target resource)
* can respond as if it is a normal GET request without impacting
* interoperability. */
/* default: ignore Range with HTTP/1.0 requests */
static int http_range_allow_http10;
void http_range_config_allow_http10 (int flag)
{
http_range_allow_http10 = flag;
}
__attribute_noinline__
static int
http_range_coalesce (off_t * const restrict ranges, int n)
{
/* coalesce/combine overlapping ranges and ranges separated by a
* gap which is smaller than the overhead of sending multiple parts
* (typically around 80 bytes) ([RFC7233] 4.1 206 Partial Content)
* (ranges are known to be positive, so subtract 80 instead of add 80
* to avoid any chance of integer overflow)
* (n is limited to RMAX ranges (RMAX pairs of off_t) since a malicious set
* of ranges has n^2 cost for this simplistic algorithm)
* (sorting the ranges and then combining would lower the cost, but the
* cost should not be an issue since client should not send many ranges
* and we restrict the max number of ranges to limit abuse)
* [RFC7233] 4.1 206 Partial Content recommends:
* When a multipart response payload is generated, the server SHOULD send
* the parts in the same order that the corresponding byte-range-spec
* appeared in the received Range header field, excluding those ranges
* that were deemed unsatisfiable or that were coalesced into other ranges
*/
for (int i = 0; i+2 < n; i += 2) {
const off_t b = ranges[i];
const off_t e = ranges[i+1];
for (int j = i+2; j < n; j += 2) {
/* common case: ranges do not overlap */
if (b <= ranges[j] ? e < ranges[j]-80 : ranges[j+1] < b-80)
continue;
/* else ranges do overlap, so combine into first range */
ranges[i] = b <= ranges[j] ? b : ranges[j];
ranges[i+1] = e >= ranges[j+1] ? e : ranges[j+1];
memmove(ranges+j, ranges+j+2, (n-j-2)*sizeof(off_t));
/* restart outer loop from beginning */
n -= 2;
i = -2;
break;
}
}
return n;
}
static const char *
http_range_parse_next (const char * restrict s, const off_t len,
off_t * const restrict ranges)
{
/*(caller must check returned ranges[1] != -1, or else range was invalid)*/
/*assert(len > 0);*//*(caller must ensure len > 0)*/
char *e;
off_t n = strtoll(s, &e, 10);
ranges[1] = -1; /* invalid */
if (n >= 0) {
if (n != LLONG_MAX && n < len && s != e) {
ranges[0] = n;
while (*e == ' ' || *e == '\t') ++e;
if (*e == '-') {
n = strtoll((s = e+1), &e, 10);
if (s == e || (n == 0 && e[-1] != '0'))
ranges[1] = len-1;
else if (ranges[0] <= n && n != LLONG_MAX)
ranges[1] = n < len ? n : len-1;
}
}
}
else if (n != LLONG_MIN) {
ranges[0] = len > -n ? len + n : 0;/*('n' is negative here)*/
ranges[1] = len-1;
}
while (*e == ' ' || *e == '\t') ++e;
return e; /* ',' or '\0' or else invalid char in range request */
}
static int
http_range_parse (const char * restrict s, const off_t content_length,
off_t ranges[RMAX*2])
{
/* [RFC7233] 2.1 Byte Ranges
* If a valid byte-range-set includes at least one byte-range-spec
* with a first-byte-pos that is less than the current length of
* the representation, or at least one suffix-byte-range-spec with
* a non-zero suffix-length, then the byte-range-set is satisfiable.
* Otherwise, the byte-range-set is unsatisfiable.
*
* [RFC7233] 3.1 Range
* A server that supports range requests MAY ignore or reject a Range
* header field that consists of more than two overlapping ranges, or a
* set of many small ranges that are not listed in ascending order,
* since both are indications of either a broken client or a deliberate
* denial-of-service attack (Section 6.1). A client SHOULD NOT request
* multiple ranges that are inherently less efficient to process and
* transfer than a single range that encompasses the same data.
*/
int n = 0;
do {
s = http_range_parse_next(s, content_length, ranges+n);
if ((*s == '\0' || *s == ',') && ranges[n+1] != -1)
n += 2;
else
while (*s != '\0' && *s != ',') ++s; /*ignore invalid ranges*/
} while (*s++ != '\0' && n < RMAX*2);
/*(*s++ for multipart, increment to char after ',')*/
if (n <= 2)
return n;
/* error if n == 0 (no valid ranges)
* (if n == RMAX*2 (additional ranges > RMAX limit, if any, were ignored))*/
return http_range_coalesce(ranges, n);
}
static void
http_range_single (request_st * const r, const off_t ranges[2])
{
/* caller already checked: n == 2, content_length > 0, ranges valid */
chunkqueue * const restrict cq = &r->write_queue;
const off_t complete_length = chunkqueue_length(cq);
/* add Content-Range header */
/*(large enough for "bytes X-X/X" with 3 huge numbers)*/
uint32_t len = sizeof("bytes ")-1;
char cr[72] = "bytes ";
len += (uint32_t)li_itostrn(cr+len, sizeof(cr)-len, ranges[0]);
cr[len++] = '-';
len += (uint32_t)li_itostrn(cr+len, sizeof(cr)-len, ranges[1]);
cr[len++] = '/';
len += (uint32_t)li_itostrn(cr+len, sizeof(cr)-len, complete_length);
http_header_response_set(r, HTTP_HEADER_CONTENT_RANGE,
CONST_STR_LEN("Content-Range"), cr, len);
if (cq->first == cq->last) { /* single chunk in cq */
/* consume from cq to start of range, truncate after end of range */
if (ranges[0]) {
chunkqueue_mark_written(cq, ranges[0]);
cq->bytes_out -= ranges[0];
cq->bytes_in -= ranges[0];
}
cq->bytes_in -= complete_length - (ranges[1] + 1);
chunk * const c = cq->first;
if (c->type == FILE_CHUNK)
c->file.length = c->offset + ranges[1] - ranges[0] + 1;
else /*(c->type == MEM_CHUNK)*/
c->mem->used = c->offset + ranges[1] - ranges[0] + 1 + 1;
}
else {
/* transfer contents to temporary cq, then transfer range back */
chunkqueue tq;
memset(&tq, 0, sizeof(tq));
chunkqueue_steal(&tq, cq, complete_length);
cq->bytes_out -= complete_length;
cq->bytes_in -= complete_length;
chunkqueue_mark_written(&tq, ranges[0]);
chunkqueue_steal(cq, &tq, ranges[1] - ranges[0] + 1);
chunkqueue_reset(&tq);
}
}
__attribute_cold__
static void
http_range_multi (request_st * const r,
const off_t ranges[RMAX*2], const int n)
{
/* multiple ranges that are not ordered are not expected to be common,
* so those scenarios is not optimized here */
#define HTTP_MULTIPART_BOUNDARY "fkj49sn38dcn3"
static const char boundary_prefix[] =
"\r\n--" HTTP_MULTIPART_BOUNDARY;
static const char boundary_end[] =
"\r\n--" HTTP_MULTIPART_BOUNDARY "--\r\n";
static const char multipart_type[] =
"multipart/byteranges; boundary=" HTTP_MULTIPART_BOUNDARY;
buffer * const tb = r->tmp_buf;
buffer_copy_string_len(tb, CONST_STR_LEN(boundary_prefix));
const buffer * const content_type =
http_header_response_get(r, HTTP_HEADER_CONTENT_TYPE,
CONST_STR_LEN("Content-Type"));
if (content_type) {
buffer_append_str2(tb, CONST_STR_LEN("\r\nContent-Type: "),
BUF_PTR_LEN(content_type));
}
buffer_append_string_len(tb,CONST_STR_LEN("\r\nContent-Range: bytes "));
const uint32_t prefix_len = buffer_clen(tb);
http_header_response_set(r, HTTP_HEADER_CONTENT_TYPE,
CONST_STR_LEN("Content-Type"),
CONST_STR_LEN(multipart_type));
/* caller already checked: n > 2, content_length > 0, ranges valid */
chunkqueue * const restrict cq = &r->write_queue;
const off_t complete_length = chunkqueue_length(cq);
/* copy chunks for ranges to end of cq, then consume original chunks
*
* future: if ranges ordered, could use technique in http_range_single(),
* but [RFC7233] 4.1 206 Partial Content recommends:
* When a multipart response payload is generated, the server SHOULD send
* the parts in the same order that the corresponding byte-range-spec
* appeared in the received Range header field, excluding those ranges
* that were deemed unsatisfiable or that were coalesced into other ranges
* and this code path is not expected to be hot, and so not optimized.
*/
chunk * const c = (cq->first == cq->last && cq->first->type == MEM_CHUNK)
? cq->first
: NULL;
for (int i = 0; i < n; i += 2) {
/* generate boundary-header including Content-Type and Content-Range */
buffer_truncate(tb, prefix_len);
buffer_append_int(tb, ranges[i]);
buffer_append_char(tb, '-');
buffer_append_int(tb, ranges[i+1]);
buffer_append_char(tb, '/');
buffer_append_int(tb, complete_length);
buffer_append_string_len(tb, CONST_STR_LEN("\r\n\r\n"));
if (c) /* single MEM_CHUNK in original cq; not using mem_min */
chunkqueue_append_mem(cq, BUF_PTR_LEN(tb));
else
chunkqueue_append_mem_min(cq, BUF_PTR_LEN(tb));
chunkqueue_append_cq_range(cq, cq, ranges[i],
ranges[i+1] - ranges[i] + 1);
}
/* add boundary end */
chunkqueue_append_mem_min(cq, CONST_STR_LEN(boundary_end));
/* remove initial chunk(s), since duplicated into multipart ranges */
/* remove initial "\r\n" in front of first boundary string */
chunkqueue_mark_written(cq, complete_length+2);
cq->bytes_out -= complete_length+2;
cq->bytes_in -= complete_length+2;
}
__attribute_cold__
static int
http_range_not_satisfiable (request_st * const r, const off_t content_length)
{
/*(large enough for "bytes '*'/X" with 1 huge number)*/
uint32_t len = sizeof("bytes */")-1;
char cr[32] = "bytes */";
len += (uint32_t)li_itostrn(cr+len, sizeof(cr)-len, content_length);
http_header_response_set(r, HTTP_HEADER_CONTENT_RANGE,
CONST_STR_LEN("Content-Range"), cr, len);
r->handler_module = NULL;
return (r->http_status = 416); /* Range Not Satisfiable */
}
__attribute_noinline__
static int
http_range_process (request_st * const r, const buffer * const http_range)
{
const off_t content_length = chunkqueue_length(&r->write_queue);
if (0 == content_length) /*(implementation detail; see comment at top)*/
return r->http_status; /* skip Range handling if empty payload */
/* future: might skip Range if content_length is below threshold, e.g. 1k */
/* An origin server MUST ignore a Range header field that contains a
* range unit it does not understand. */
if (buffer_clen(http_range) < sizeof("bytes=")-1
|| !buffer_eq_icase_ssn(http_range->ptr, "bytes=", sizeof("bytes=")-1))
return r->http_status; /* 200 OK */
/* arbitrary limit: support up to RMAX ranges in request Range field
* (validating and coalescing overlapping ranges is not a linear algorithm)
* (use RMAX pairs of off_t to indicate too many ranges ( >= RMAX*2)) */
off_t ranges[RMAX*2];
const int n = http_range_parse(http_range->ptr+sizeof("bytes=")-1,
content_length, ranges);
/* checked above: content_length > 0, ranges valid */
if (2 == n) /* single range */
http_range_single(r, ranges);
else if (0 == n) /* 416 Range Not Satisfiable */
return http_range_not_satisfiable(r, content_length);
else /* multipart ranges */
http_range_multi(r, ranges, n);
/*(must either set Content-Length or unset prior value, if any)*/
buffer_append_int(
http_header_response_set_ptr(r, HTTP_HEADER_CONTENT_LENGTH,
CONST_STR_LEN("Content-Length")),
chunkqueue_length(&r->write_queue));
return (r->http_status = 206); /* 206 Partial Content */
}
int
http_range_rfc7233 (request_st * const r)
{
const int http_status = r->http_status;
/* implementation limitation:
* limit range handling to when we have complete response
* (future: might extend this to streamed files if Content-Length known)
* (otherwise, might be unable to validate Range before send response header
* e.g. unable to handle suffix-byte-range-spec without entity length)*/
if (!r->resp_body_finished)
return http_status;
/* limit range handling to 200 responses
* [RFC7233] 3.1 Range
* The Range header field is evaluated after evaluating the precondition
* header fields defined in [RFC7232], and only if the result in absence
* of the Range header field would be a 200 (OK) response. */
if (200 != http_status)
return http_status;
/* limit range handling to GET and HEAD (further limited below to GET)
* [RFC7233] 3.1 Range
* A server MUST ignore a Range header field received with a request
* method other than GET.
*/
if (!http_method_get_or_head(r->http_method))
return http_status;
/* no "Range" in HTTP/1.0 */
if (r->http_version < HTTP_VERSION_1_1)
if (!http_range_allow_http10)
return http_status;
/* do not attempt to handle range if Transfer-Encoding already applied.
* skip Range processing if Content-Encoding has already been applied,
* since Range is on the unencoded content length and Content-Encoding
* might change content. This includes if mod_deflate has applied
* Content-Encoding. If Transfer-Encoding: gzip, chunked were used
* instead (not done), then Range processing could safely take place, too,
* (but mod_deflate would need to run from new hook to handle TE: gzip).
* Alternatively, lighttpd.conf could be configured to disable mod_deflate
* for Range requests:
* $REQUEST_HEADER["Range"] != "" { deflate.mimetypes = () }
*/
if ((r->resp_htags
& (light_bshift(HTTP_HEADER_TRANSFER_ENCODING)
|light_bshift(HTTP_HEADER_CONTENT_ENCODING))))
return http_status;
#if 0 /*(if Range already handled, HTTP status expected to be 206, not 200)*/
/* check if Range request already handled (single range or multipart)*/
if (light_btst(r->resp_htags, HTTP_HEADER_CONTENT_RANGE))
return http_status;
const buffer * const content_type =
http_header_response_get(r, HTTP_HEADER_CONTENT_TYPE,
CONST_STR_LEN("Content-Type"));
if (content_type
&& buffer_clen(content_type) >= sizeof("multipart/byteranges")-1
&& buffer_eq_icase_ssn(content_type->ptr, "multipart/byteranges",
sizeof("multipart/byteranges")-1))
return http_status;
#endif
/* optional: advertise Accept-Ranges: bytes
* Even if "Accept-Ranges: bytes" is not given,
* [RFC7233] 2.3 Accept-Ranges
* A client MAY generate range requests without having received this
* header for the resource involved.
*/
if (!light_btst(r->resp_htags, HTTP_HEADER_ACCEPT_RANGES))
http_header_response_set(r, HTTP_HEADER_ACCEPT_RANGES,
CONST_STR_LEN("Accept-Ranges"),
CONST_STR_LEN("bytes"));
else {
const buffer * const accept_ranges =
http_header_response_get(r, HTTP_HEADER_ACCEPT_RANGES,
CONST_STR_LEN("Accept-Ranges"));
#ifdef __COVERITY__
force_assert(accept_ranges); /*(r->resp_htags checked above)*/
#endif
if (buffer_eq_slen(accept_ranges, CONST_STR_LEN("none")))
return http_status;
}
/* limit range handling to GET
* [RFC7233] 3.1 Range
* A server MUST ignore a Range header field received with a request
* method other than GET.
*/
if (r->http_method != HTTP_METHOD_GET)
return http_status;
/* check for Range request */
const buffer * const http_range =
http_header_request_get(r, HTTP_HEADER_RANGE, CONST_STR_LEN("Range"));
if (!http_range)
return http_status;
/* [RFC7233] 3.2 If-Range
* If-Range = entity-tag / HTTP-date
* A client MUST NOT generate an If-Range header field containing an
* entity-tag that is marked as weak.
* [...]
* Note that this comparison by exact match, including when the validator
* is an HTTP-date, differs from the "earlier than or equal to" comparison
* used when evaluating an If-Unmodified-Since conditional. */
if (light_btst(r->rqst_htags, HTTP_HEADER_IF_RANGE)) {
const buffer * const if_range =
http_header_request_get(r, HTTP_HEADER_IF_RANGE,
CONST_STR_LEN("If-Range"));
#ifdef __COVERITY__
force_assert(if_range); /*(r->rqst_htags checked above)*/
#endif
/* (weak ETag W/"<etag>" will not match Last-Modified) */
const buffer * const cmp = (if_range->ptr[0] == '"')
? http_header_response_get(r, HTTP_HEADER_ETAG,
CONST_STR_LEN("ETag"))
: http_header_response_get(r, HTTP_HEADER_LAST_MODIFIED,
CONST_STR_LEN("Last-Modified"));
if (!cmp || !buffer_is_equal(if_range, cmp))
return http_status;
#if 0 /*(questionable utility; not deemed worthwhile)*/
/* (In a modular server, the following RFC recommendation might be
* expensive and invasive to implement perfectly, so only making an
* effort here to comply with known headers added within this routine
* and within the purview of Range requests)
* [RFC7233] 4.1 206 Partial Content
* If a 206 is generated in response to a request with an If-Range
* header field, the sender SHOULD NOT generate other representation
* header fields beyond those required above, because the client is
* understood to already have a prior response containing those header
* fields.
*/
http_header_response_unset(r, HTTP_HEADER_ACCEPT_RANGES,
CONST_STR_LEN("Accept-Ranges"));
#endif
}
return http_range_process(r, http_range);
}
|