From: Andy Green <andy.green@linaro.org>
Date: Wed, 16 Jan 2013 02:06:28 +0000 (+0800)
Subject: update test server html serving callback to use aepd whitelist approach
X-Git-Tag: accepted/2.0/20130307.220733~255
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F06%2F2906%2F1;p=profile%2Fivi%2Flibwebsockets.git

update test server html serving callback to use aepd whitelist approach

Signed-off-by: Andy Green <andy.green@linaro.org>
---

diff --git a/test-server/test-server.c b/test-server/test-server.c
index ed316ac..5936beb 100644
--- a/test-server/test-server.c
+++ b/test-server/test-server.c
@@ -109,6 +109,23 @@ enum demo_protocols {
 
 #define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server"
 
+/*
+ * We take a strict whitelist approach to stop ../ attacks
+ */
+
+struct serveable {
+	const char *urlpath;
+	const char *mimetype;
+}; 
+
+static const struct serveable whitelist[] = {
+	{ "/favicon.ico", "image/x-icon" },
+	{ "/libwebsockets.org-logo.png", "image/png" },
+
+	/* last one is the default served if no match */
+	{ "/test.html", "text/html" },
+};
+
 /* this protocol server (always the first one) just knows how to do HTTP */
 
 static int callback_http(struct libwebsocket_context *context,
@@ -118,27 +135,24 @@ static int callback_http(struct libwebsocket_context *context,
 {
 	char client_name[128];
 	char client_ip[128];
+	char buf[256];
+	int n;
 #ifdef EXTERNAL_POLL
-	int n, m, m1;
+	int m, m1;
 	int hash, hash1;
 	int fd = (int)(long)user;
 #endif
 
 	switch (reason) {
 	case LWS_CALLBACK_HTTP:
-//		fprintf(stderr, "serving HTTP URI %s\n", (char *)in);
 
-		if (in && strcmp(in, "/favicon.ico") == 0) {
-			if (libwebsockets_serve_http_file(context, wsi,
-			     LOCAL_RESOURCE_PATH"/favicon.ico", "image/x-icon"))
-				fprintf(stderr, "Failed to send favicon\n");
-			break;
-		}
+		for (n = 0; n < (sizeof(whitelist) / sizeof(whitelist[0]) - 1); n++)
+			if (in && strcmp(in, whitelist[n].urlpath) == 0)
+				break;
 
-		/* send the script... when it runs it'll start websockets */
+		sprintf(buf, LOCAL_RESOURCE_PATH"%s", whitelist[n].urlpath);
 
-		if (libwebsockets_serve_http_file(context, wsi,
-				  LOCAL_RESOURCE_PATH"/test.html", "text/html"))
+		if (libwebsockets_serve_http_file(context, wsi, buf, whitelist[n].mimetype))
 			fprintf(stderr, "Failed to send HTTP file\n");
 
 		/*
@@ -147,7 +161,7 @@ static int callback_http(struct libwebsocket_context *context,
 		 * it's done
 		 */
 
-		return 0;
+		break;
 
 	case LWS_CALLBACK_HTTP_FILE_COMPLETION:
 //		fprintf(stderr, "LWS_CALLBACK_HTTP_FILE_COMPLETION seen\n");