diff --git a/server/dial_server.c b/server/dial_server.c index 6f8bfab..ff11344 100644 --- a/server/dial_server.c +++ b/server/dial_server.c @@ -625,7 +625,7 @@ static int origin_matches(const char *origin, const char *candidate) { if (origin_len < candidate_len) return 0; - fprintf(stderr, "comparing %s to %s len %lld\n", origin, candidate, candidate_len); + fprintf(stderr, "comparing %s to %s len %zu\n", origin, candidate, candidate_len); return strncmp(origin, candidate, candidate_len - 1) == 0; } @@ -712,23 +712,19 @@ static int is_allowed_origin(DIALServer* ds, char * origin, const char * app_nam #define RUN_URI "/run" #define HIDE_URI "/hide" -static void *options_response(DIALServer *ds, struct mg_connection *conn, char *host_header, char *origin_header, const char* app_name, const char* methods) +static void *options_response(DIALServer *ds, struct mg_connection *conn, char *origin_header, const char* app_name, const char* methods) { - if (host_header && is_allowed_origin(ds, origin_header, app_name)) { - mg_printf( - conn, - "HTTP/1.1 204 No Content\r\n" - "Access-Control-Allow-Methods: %s\r\n" - "Access-Control-Max-Age: 86400\r\n" - "Access-Control-Allow-Origin: %s\r\n" - "Content-Length: 0" - "\r\n", - methods, - origin_header); - return "done"; - } - mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); - return "done"; + mg_printf( + conn, + "HTTP/1.1 204 No Content\r\n" + "Access-Control-Allow-Methods: %s\r\n" + "Access-Control-Max-Age: 86400\r\n" + "Access-Control-Allow-Origin: %s\r\n" + "Content-Length: 0" + "\r\n", + methods, + origin_header); + return "done"; } static void *request_handler(enum mg_event event, struct mg_connection *conn, @@ -761,20 +757,22 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn, } strncpy(app_name, request_info->uri + strlen(APPS_URI), appname_len); + // Check authorized origins. + if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) { + mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); + return "done"; + } + + // Return OPTIONS. if (!strcmp(request_info->request_method, "OPTIONS")) { - return options_response(ds, conn, host_header, origin_header, app_name, "DELETE, OPTIONS"); + return options_response(ds, conn, origin_header, app_name, "DELETE, OPTIONS"); } // DELETE non-empty app name if (app_name[0] != '\0' && !strcmp(request_info->request_method, "DELETE")) { - if (host_header && is_allowed_origin(ds, origin_header, app_name)) { - handle_app_stop(conn, request_info, app_name, origin_header); - } else { - mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); - return "done"; - } + handle_app_stop(conn, request_info, app_name, origin_header); } else { mg_send_http_error(conn, 501, "Not Implemented", "Not Implemented"); @@ -788,18 +786,20 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn, const char *app_name; app_name = request_info->uri + strlen(APPS_URI); + // Check authorized origins. + if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) { + mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); + return "done"; + } + + // Return OPTIONS. if (!strcmp(request_info->request_method, "OPTIONS")) { - return options_response(ds, conn, host_header, origin_header, app_name, "GET, POST, OPTIONS"); + return options_response(ds, conn, origin_header, app_name, "GET, POST, OPTIONS"); } // start app if (!strcmp(request_info->request_method, "POST")) { - if (host_header && is_allowed_origin(ds, origin_header, app_name)) { - handle_app_start(conn, request_info, app_name, origin_header); - } else { - mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); - return "done"; - } + handle_app_start(conn, request_info, app_name, origin_header); // get app status } else if (!strcmp(request_info->request_method, "GET")) { handle_app_status(conn, request_info, app_name, origin_header); @@ -819,10 +819,18 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn, } strncpy(app_name, request_info->uri + strlen(APPS_URI), appname_len); - if (!strcmp(request_info->request_method, "OPTIONS")) { - return options_response(ds, conn, host_header, origin_header, app_name, "POST, OPTIONS"); + // Check authorized origins. + if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) { + mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); + return "done"; } - + + // Return OPTIONS. + if (!strcmp(request_info->request_method, "OPTIONS")) { + return options_response(ds, conn, origin_header, app_name, "POST, OPTIONS"); + } + + // hide app if (app_name[0] != '\0' && !strcmp(request_info->request_method, "POST")) { handle_app_hide(conn, request_info, app_name, origin_header); } else { @@ -840,11 +848,20 @@ static void *request_handler(enum mg_event event, struct mg_connection *conn, if (app_name == NULL) { mg_send_http_error(conn, 500, "Internal Error", "Internal Error"); } else { + // Check authorized origins (still applicable via loopback). + if (origin_header && !is_allowed_origin(ds, origin_header, app_name)) { + mg_send_http_error(conn, 403, "Forbidden", "Forbidden"); + return "done"; + } + + // Return OPTIONS. if (!strcmp(request_info->request_method, "OPTIONS")) { - void *ret = options_response(ds, conn, host_header, origin_header, app_name, "POST, OPTIONS"); + void *ret = options_response(ds, conn, origin_header, app_name, "POST, OPTIONS"); free(app_name); return ret; } + + // deliver data payload int use_payload = strcmp(request_info->request_method, "POST") ? 0 : 1; handle_dial_data(conn, request_info, app_name, origin_header, use_payload); diff --git a/server/tests/test_cors.sh b/server/tests/test_cors.sh index 38e83da..7b60b1c 100755 --- a/server/tests/test_cors.sh +++ b/server/tests/test_cors.sh @@ -11,61 +11,91 @@ port=$2 #Testing all the positive cases origins="https://www.netflix.com https://netflix.com https://port.netflix.com:123 https://www.netflix.com:80 https://www.netflix.com:123 proto://netflix.com proto://netflix proto://netflix.com:123" for origin in $origins; do -curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/Netflix || echo "failed: $origin should be accepted" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix || echo "failed: $origin should be accepted" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/run || echo "failed: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" && echo "failed[p0]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/Netflix || echo "failed[p1]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix | grep -q "403" && echo "failed[p2]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" && echo "failed[p3]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run | grep -q "403" && echo "failed[p4]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/Netflix/run | grep -q "403" && echo "failed[p5]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/run/hide | grep -q "403" && echo "failed[p6]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run/hide | grep -q "403" && echo "failed[p7]: $origin should be accepted" if [ $ip_address == "localhost" ]; then echo "testing dial_data OPTIONS on $ip_address from origin $origin" - curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data || echo "failed: $origin should be accepted" + curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" && echo "failed[p8]: $origin should be accepted" + curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" && echo "failed[p9]: $origin should be accepted" fi done origins="https://www.youtube.com https://music.youtube.com https://youtube.com https://port.youtube.com:123 https://www.youtube.com:80 https://www.youtube.com:123 package:com.google.android.youtube package:com.google.ios.youtube proto:g proto:com.google" for origin in $origins; do -curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/YouTube || echo "failed: $origin should be accepted" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube || echo "failed: $origin should be accepted" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/run || echo "failed: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[p10]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/YouTube || echo "failed[p11]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[p12]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[p13]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[p14]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[p15]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[p16]: $origin should be accepted" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[p17]: $origin should be accepted" if [ $ip_address == "localhost" ]; then echo "testing dial_data OPTIONS on $ip_address from origin $origin" - curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data || echo "failed: $origin should be accepted" + curl --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[p18]: $origin should be accepted" + curl --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[p19]: $origin should be accepted" fi done #Testing all the negative cases origins="http://www.netflix-a.com http://www.netflix.com4 http://a-netflix.com http://www4.netflix.com https://port.netflix.com:1234 http://1.netflix.com https://www4.netflix.com https://ww.netflix-a.com https://www.netflix.com4 https://a-netflix.com http://netflix.com http://www.attack.com https://www.attack.com file://www.attack.com ftp://this.is.not.fine package: package:com.netflix.null proto:// proto:n proto:/n proto" for origin in $origins; do -curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/Netflix && echo "failed: $origin should be rejected" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix && echo "failed: $origin should be rejected" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/run && echo "failed: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" || echo "failed[n0]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/Netflix && echo "failed[n1]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix | grep -q "403" || echo "failed[n2]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix | grep -q "403" || echo "failed[n3]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run | grep -q "403" || echo "failed[n4]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/Netflix/run | grep -q "403" || echo "failed[n5]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/run | grep -q "403" || echo "failed[n6]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/run/hide | grep -q "403" || echo "failed[n7]: $origin should be rejected" if [ $ip_address == "localhost" ]; then echo "testing dial_data OPTIONS on $ip_address from origin $origin" - curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data && echo "failed: $origin should be rejected" + curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" || echo "failed[n8]: $origin should be rejected" + curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/Netflix/dial_data | grep -q "403" || echo "failed[n9]: $origin should be rejected" fi done origins="http://www.youtube-a.com http://www.youtube.com4 https://.youtube.com http://a-youtube.com https://ww.youtube-a.com http://www4.youtube.com https://port.youtube.com:1234 http://1.youtube.com https://www.youtube.com4 https://a-youtube.com http://youtube.com http://www.attack.com https://www.attack.com file://www.attack.com ftp://this.is.not.fine packagecom.google.android.youtube package:com.google.android.utube packagea package: pack:com.google.android protoa proto:" for origin in $origins; do -curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/YouTube && echo "failed: $origin should be rejected" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube && echo "failed: $origin should be rejected" -curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/run && echo "failed: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" || echo "failed[n10]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/YouTube && echo "failed[n11]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube | grep -q "403" || echo "failed[n12]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" || echo "failed[n13]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run | grep -q "403" || echo "failed[n14]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/YouTube/run | grep -q "403" || echo "failed[n15]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/run | grep -q "403" || echo "failed[n16]: $origin should be rejected" +curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" || echo "failed[n17]: $origin should be rejected" if [ $ip_address == "localhost" ]; then echo "testing dial_data OPTIONS on $ip_address from origin $origin" - curl --fail --silent --header "Origin:$origin" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data && echo "failed: $origin should be rejected" + curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" || echo "failed[n18]: $origin should be rejected" + curl --output /dev/null --fail --silent --header "Origin:$origin" -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" || echo "failed[n19]: $origin should be rejected" fi done #Finally test with no header -curl --fail --silent --data "v=QH2-TGUlwu4" http://$ip_address:$port/apps/YouTube || echo "failed: request without an Origin should be accepted" -curl --fail --silent -X OPTIONS http://$ip_address:$port/apps/YouTube || echo "failed: request without an Origin should be accepted" -curl --fail --silent -X OPTIONS http://$ip_address:$port/apps/YouTube/run || echo "failed: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[o0]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent --data "v=QH2-TGUlwu4" -X POST http://$ip_address:$port/apps/YouTube || echo "failed[o1]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[o2]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube | grep -q "403" && echo "failed[o3]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[o4]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X DELETE http://$ip_address:$port/apps/YouTube/run | grep -q "403" && echo "failed[o5]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[o6]: request without an Origin should be accepted" +curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/run/hide | grep -q "403" && echo "failed[o7]: request without an Origin should be accepted" if [ $ip_address == "localhost" ]; then echo "testing dial_data OPTIONS on $ip_address with no origin" - curl --fail --silent -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data || echo "failed: request without an Origin should be accepted" + curl --output /dev/null --fail --silent -I -w "%{http_code}" -X OPTIONS http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[o8]: request without an Origin should be accepted" + curl --output /dev/null --fail --silent -I -w "%{http_code}" -X GET http://$ip_address:$port/apps/YouTube/dial_data | grep -q "403" && echo "failed[o9]: request without an Origin should be accepted" fi echo "Done."