1 /*
2  * Client routines for the CUPS scheduler.
3  *
4  * Copyright © 2007-2019 by Apple Inc.
5  * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
6  *
7  * This file contains Kerberos support code, copyright 2006 by
8  * Jelmer Vernooij.
9  *
10  * Licensed under Apache License v2.0.  See the file "LICENSE" for more
11  * information.
12  */
13 
14 /*
15  * Include necessary headers...
16  */
17 
18 #define _CUPS_NO_DEPRECATED
19 #define _HTTP_NO_PRIVATE
20 #include "cupsd.h"
21 
22 #ifdef __APPLE__
23 #  include <libproc.h>
24 #endif /* __APPLE__ */
25 #ifdef HAVE_TCPD_H
26 #  include <tcpd.h>
27 #endif /* HAVE_TCPD_H */
28 
29 
30 /*
31  * Local functions...
32  */
33 
34 static int		check_if_modified(cupsd_client_t *con,
35 			                  struct stat *filestats);
36 static int		compare_clients(cupsd_client_t *a, cupsd_client_t *b,
37 			                void *data);
38 #ifdef HAVE_SSL
39 static int		cupsd_start_tls(cupsd_client_t *con, http_encryption_t e);
40 #endif /* HAVE_SSL */
41 static char		*get_file(cupsd_client_t *con, struct stat *filestats,
42 			          char *filename, size_t len);
43 static http_status_t	install_cupsd_conf(cupsd_client_t *con);
44 static int		is_cgi(cupsd_client_t *con, const char *filename,
45 		               struct stat *filestats, mime_type_t *type);
46 static int		is_path_absolute(const char *path);
47 static int		pipe_command(cupsd_client_t *con, int infile, int *outfile,
48 			             char *command, char *options, int root);
49 static int		valid_host(cupsd_client_t *con);
50 static int		write_file(cupsd_client_t *con, http_status_t code,
51 		        	   char *filename, char *type,
52 				   struct stat *filestats);
53 static void		write_pipe(cupsd_client_t *con);
54 
55 
56 /*
57  * 'cupsdAcceptClient()' - Accept a new client.
58  */
59 
60 void
cupsdAcceptClient(cupsd_listener_t * lis)61 cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
62 {
63   const char		*hostname;	/* Hostname of client */
64   char			name[256];	/* Hostname of client */
65   int			count;		/* Count of connections on a host */
66   cupsd_client_t	*con,		/* New client pointer */
67 			*tempcon;	/* Temporary client pointer */
68   socklen_t		addrlen;	/* Length of address */
69   http_addr_t		temp;		/* Temporary address variable */
70   static time_t		last_dos = 0;	/* Time of last DoS attack */
71 #ifdef HAVE_TCPD_H
72   struct request_info	wrap_req;	/* TCP wrappers request information */
73 #endif /* HAVE_TCPD_H */
74 
75 
76   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAcceptClient(lis=%p(%d)) Clients=%d", lis, lis->fd, cupsArrayCount(Clients));
77 
78  /*
79   * Make sure we don't have a full set of clients already...
80   */
81 
82   if (cupsArrayCount(Clients) == MaxClients)
83     return;
84 
85   cupsdSetBusyState(1);
86 
87  /*
88   * Get a pointer to the next available client...
89   */
90 
91   if (!Clients)
92     Clients = cupsArrayNew(NULL, NULL);
93 
94   if (!Clients)
95   {
96     cupsdLogMessage(CUPSD_LOG_ERROR,
97                     "Unable to allocate memory for clients array!");
98     cupsdPauseListening();
99     return;
100   }
101 
102   if (!ActiveClients)
103     ActiveClients = cupsArrayNew((cups_array_func_t)compare_clients, NULL);
104 
105   if (!ActiveClients)
106   {
107     cupsdLogMessage(CUPSD_LOG_ERROR,
108                     "Unable to allocate memory for active clients array!");
109     cupsdPauseListening();
110     return;
111   }
112 
113   if ((con = calloc(1, sizeof(cupsd_client_t))) == NULL)
114   {
115     cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to allocate memory for client!");
116     cupsdPauseListening();
117     return;
118   }
119 
120  /*
121   * Accept the client and get the remote address...
122   */
123 
124   con->number = ++ LastClientNumber;
125   con->file   = -1;
126 
127   if ((con->http = httpAcceptConnection(lis->fd, 0)) == NULL)
128   {
129     if (errno == ENFILE || errno == EMFILE)
130       cupsdPauseListening();
131 
132     cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to accept client connection - %s.",
133                     strerror(errno));
134     free(con);
135 
136     return;
137   }
138 
139  /*
140   * Save the connected address and port number...
141   */
142 
143   addrlen = sizeof(con->clientaddr);
144 
145   if (getsockname(httpGetFd(con->http), (struct sockaddr *)&con->clientaddr, &addrlen) || addrlen == 0)
146     con->clientaddr = lis->address;
147 
148   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Server address is \"%s\".", httpAddrString(&con->clientaddr, name, sizeof(name)));
149 
150  /*
151   * Check the number of clients on the same address...
152   */
153 
154   for (count = 0, tempcon = (cupsd_client_t *)cupsArrayFirst(Clients);
155        tempcon;
156        tempcon = (cupsd_client_t *)cupsArrayNext(Clients))
157     if (httpAddrEqual(httpGetAddress(tempcon->http), httpGetAddress(con->http)))
158     {
159       count ++;
160       if (count >= MaxClientsPerHost)
161 	break;
162     }
163 
164   if (count >= MaxClientsPerHost)
165   {
166     if ((time(NULL) - last_dos) >= 60)
167     {
168       last_dos = time(NULL);
169       cupsdLogMessage(CUPSD_LOG_WARN,
170                       "Possible DoS attack - more than %d clients connecting "
171 		      "from %s.",
172 	              MaxClientsPerHost,
173 		      httpGetHostname(con->http, name, sizeof(name)));
174     }
175 
176     httpClose(con->http);
177     free(con);
178     return;
179   }
180 
181  /*
182   * Get the hostname or format the IP address as needed...
183   */
184 
185   if (HostNameLookups)
186     hostname = httpResolveHostname(con->http, NULL, 0);
187   else
188     hostname = httpGetHostname(con->http, NULL, 0);
189 
190   if (hostname == NULL && HostNameLookups == 2)
191   {
192    /*
193     * Can't have an unresolved IP address with double-lookups enabled...
194     */
195 
196     httpClose(con->http);
197 
198     cupsdLogClient(con, CUPSD_LOG_WARN,
199                     "Name lookup failed - connection from %s closed!",
200                     httpGetHostname(con->http, NULL, 0));
201 
202     free(con);
203     return;
204   }
205 
206   if (HostNameLookups == 2)
207   {
208    /*
209     * Do double lookups as needed...
210     */
211 
212     http_addrlist_t	*addrlist,	/* List of addresses */
213 			*addr;		/* Current address */
214 
215     if ((addrlist = httpAddrGetList(hostname, AF_UNSPEC, NULL)) != NULL)
216     {
217      /*
218       * See if the hostname maps to the same IP address...
219       */
220 
221       for (addr = addrlist; addr; addr = addr->next)
222         if (httpAddrEqual(httpGetAddress(con->http), &(addr->addr)))
223           break;
224     }
225     else
226       addr = NULL;
227 
228     httpAddrFreeList(addrlist);
229 
230     if (!addr)
231     {
232      /*
233       * Can't have a hostname that doesn't resolve to the same IP address
234       * with double-lookups enabled...
235       */
236 
237       httpClose(con->http);
238 
239       cupsdLogClient(con, CUPSD_LOG_WARN,
240                       "IP lookup failed - connection from %s closed!",
241                       httpGetHostname(con->http, NULL, 0));
242       free(con);
243       return;
244     }
245   }
246 
247 #ifdef HAVE_TCPD_H
248  /*
249   * See if the connection is denied by TCP wrappers...
250   */
251 
252   request_init(&wrap_req, RQ_DAEMON, "cupsd", RQ_FILE, httpGetFd(con->http),
253                NULL);
254   fromhost(&wrap_req);
255 
256   if (!hosts_access(&wrap_req))
257   {
258     httpClose(con->http);
259 
260     cupsdLogClient(con, CUPSD_LOG_WARN,
261                     "Connection from %s refused by /etc/hosts.allow and "
262 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
263     free(con);
264     return;
265   }
266 #endif /* HAVE_TCPD_H */
267 
268 #ifdef AF_LOCAL
269   if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
270   {
271 #  ifdef __APPLE__
272     socklen_t	peersize;		/* Size of peer credentials */
273     pid_t	peerpid;		/* Peer process ID */
274     char	peername[256];		/* Name of process */
275 
276     peersize = sizeof(peerpid);
277     if (!getsockopt(httpGetFd(con->http), SOL_LOCAL, LOCAL_PEERPID, &peerpid,
278                     &peersize))
279     {
280       if (!proc_name((int)peerpid, peername, sizeof(peername)))
281 	cupsdLogClient(con, CUPSD_LOG_DEBUG,
282 	               "Accepted from %s (Domain ???[%d])",
283                        httpGetHostname(con->http, NULL, 0), (int)peerpid);
284       else
285 	cupsdLogClient(con, CUPSD_LOG_DEBUG,
286                        "Accepted from %s (Domain %s[%d])",
287                        httpGetHostname(con->http, NULL, 0), peername, (int)peerpid);
288     }
289     else
290 #  endif /* __APPLE__ */
291 
292     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Accepted from %s (Domain)",
293                    httpGetHostname(con->http, NULL, 0));
294   }
295   else
296 #endif /* AF_LOCAL */
297   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Accepted from %s:%d (IPv%d)",
298                  httpGetHostname(con->http, NULL, 0),
299 		 httpAddrPort(httpGetAddress(con->http)),
300 		 httpAddrFamily(httpGetAddress(con->http)) == AF_INET ? 4 : 6);
301 
302  /*
303   * Get the local address the client connected to...
304   */
305 
306   addrlen = sizeof(temp);
307   if (getsockname(httpGetFd(con->http), (struct sockaddr *)&temp, &addrlen))
308   {
309     cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get local address - %s",
310                    strerror(errno));
311 
312     strlcpy(con->servername, "localhost", sizeof(con->servername));
313     con->serverport = LocalPort;
314   }
315 #ifdef AF_LOCAL
316   else if (httpAddrFamily(&temp) == AF_LOCAL)
317   {
318     strlcpy(con->servername, "localhost", sizeof(con->servername));
319     con->serverport = LocalPort;
320   }
321 #endif /* AF_LOCAL */
322   else
323   {
324     if (httpAddrLocalhost(&temp))
325       strlcpy(con->servername, "localhost", sizeof(con->servername));
326     else if (HostNameLookups)
327       httpAddrLookup(&temp, con->servername, sizeof(con->servername));
328     else
329       httpAddrString(&temp, con->servername, sizeof(con->servername));
330 
331     con->serverport = httpAddrPort(&(lis->address));
332   }
333 
334  /*
335   * Add the connection to the array of active clients...
336   */
337 
338   cupsArrayAdd(Clients, con);
339 
340  /*
341   * Add the socket to the server select.
342   */
343 
344   cupsdAddSelect(httpGetFd(con->http), (cupsd_selfunc_t)cupsdReadClient, NULL,
345                  con);
346 
347   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Waiting for request.");
348 
349  /*
350   * Temporarily suspend accept()'s until we lose a client...
351   */
352 
353   if (cupsArrayCount(Clients) == MaxClients)
354     cupsdPauseListening();
355 
356 #ifdef HAVE_SSL
357  /*
358   * See if we are connecting on a secure port...
359   */
360 
361   if (lis->encryption == HTTP_ENCRYPTION_ALWAYS)
362   {
363    /*
364     * https connection; go secure...
365     */
366 
367     if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
368       cupsdCloseClient(con);
369   }
370   else
371     con->auto_ssl = 1;
372 #endif /* HAVE_SSL */
373 }
374 
375 
376 /*
377  * 'cupsdCloseAllClients()' - Close all remote clients immediately.
378  */
379 
380 void
cupsdCloseAllClients(void)381 cupsdCloseAllClients(void)
382 {
383   cupsd_client_t	*con;		/* Current client */
384 
385 
386   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCloseAllClients() Clients=%d", cupsArrayCount(Clients));
387 
388   for (con = (cupsd_client_t *)cupsArrayFirst(Clients);
389        con;
390        con = (cupsd_client_t *)cupsArrayNext(Clients))
391     if (cupsdCloseClient(con))
392       cupsdCloseClient(con);
393 }
394 
395 
396 /*
397  * 'cupsdCloseClient()' - Close a remote client.
398  */
399 
400 int					/* O - 1 if partial close, 0 if fully closed */
cupsdCloseClient(cupsd_client_t * con)401 cupsdCloseClient(cupsd_client_t *con)	/* I - Client to close */
402 {
403   int		partial;		/* Do partial close for SSL? */
404 
405 
406   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing connection.");
407 
408  /*
409   * Flush pending writes before closing...
410   */
411 
412   httpFlushWrite(con->http);
413 
414   partial = 0;
415 
416   if (con->pipe_pid != 0)
417   {
418    /*
419     * Stop any CGI process...
420     */
421 
422     cupsdEndProcess(con->pipe_pid, 1);
423     con->pipe_pid = 0;
424   }
425 
426   if (con->file >= 0)
427   {
428     cupsdRemoveSelect(con->file);
429 
430     close(con->file);
431     con->file = -1;
432   }
433 
434  /*
435   * Close the socket and clear the file from the input set for select()...
436   */
437 
438   if (httpGetFd(con->http) >= 0)
439   {
440     cupsArrayRemove(ActiveClients, con);
441     cupsdSetBusyState(0);
442 
443 #ifdef HAVE_SSL
444    /*
445     * Shutdown encryption as needed...
446     */
447 
448     if (httpIsEncrypted(con->http))
449       partial = 1;
450 #endif /* HAVE_SSL */
451 
452     if (partial)
453     {
454      /*
455       * Only do a partial close so that the encrypted client gets everything.
456       */
457 
458       httpShutdown(con->http);
459       cupsdAddSelect(httpGetFd(con->http), (cupsd_selfunc_t)cupsdReadClient,
460                      NULL, con);
461 
462       cupsdLogClient(con, CUPSD_LOG_DEBUG, "Waiting for socket close.");
463     }
464     else
465     {
466      /*
467       * Shut the socket down fully...
468       */
469 
470       cupsdRemoveSelect(httpGetFd(con->http));
471       httpClose(con->http);
472       con->http = NULL;
473     }
474   }
475 
476   if (!partial)
477   {
478    /*
479     * Free memory...
480     */
481 
482     cupsdRemoveSelect(httpGetFd(con->http));
483 
484     httpClose(con->http);
485 
486     if (con->filename)
487     {
488       unlink(con->filename);
489       cupsdClearString(&con->filename);
490     }
491 
492     cupsdClearString(&con->command);
493     cupsdClearString(&con->options);
494     cupsdClearString(&con->query_string);
495 
496     if (con->request)
497     {
498       ippDelete(con->request);
499       con->request = NULL;
500     }
501 
502     if (con->response)
503     {
504       ippDelete(con->response);
505       con->response = NULL;
506     }
507 
508     if (con->language)
509     {
510       cupsLangFree(con->language);
511       con->language = NULL;
512     }
513 
514 #ifdef HAVE_AUTHORIZATION_H
515     if (con->authref)
516     {
517       AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
518       con->authref = NULL;
519     }
520 #endif /* HAVE_AUTHORIZATION_H */
521 
522    /*
523     * Re-enable new client connections if we are going back under the
524     * limit...
525     */
526 
527     if (cupsArrayCount(Clients) == MaxClients)
528       cupsdResumeListening();
529 
530    /*
531     * Compact the list of clients as necessary...
532     */
533 
534     cupsArrayRemove(Clients, con);
535 
536     free(con);
537   }
538 
539   return (partial);
540 }
541 
542 
543 /*
544  * 'cupsdReadClient()' - Read data from a client.
545  */
546 
547 void
cupsdReadClient(cupsd_client_t * con)548 cupsdReadClient(cupsd_client_t *con)	/* I - Client to read from */
549 {
550   char			line[32768],	/* Line from client... */
551 			locale[64],	/* Locale */
552 			*ptr;		/* Pointer into strings */
553   http_status_t		status;		/* Transfer status */
554   ipp_state_t		ipp_state;	/* State of IPP transfer */
555   int			bytes;		/* Number of bytes to POST */
556   char			*filename;	/* Name of file for GET/HEAD */
557   char			buf[1024];	/* Buffer for real filename */
558   struct stat		filestats;	/* File information */
559   mime_type_t		*type;		/* MIME type of file */
560   static unsigned	request_id = 0;	/* Request ID for temp files */
561 
562 
563   status = HTTP_STATUS_CONTINUE;
564 
565   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file);
566 
567   if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
568   {
569    /*
570     * Connection closed...
571     */
572 
573     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
574     cupsdCloseClient(con);
575     return;
576   }
577 
578   if (httpGetState(con->http) == HTTP_STATE_GET_SEND ||
579       httpGetState(con->http) == HTTP_STATE_POST_SEND ||
580       httpGetState(con->http) == HTTP_STATE_STATUS)
581   {
582    /*
583     * If we get called in the wrong state, then something went wrong with the
584     * connection and we need to shut it down...
585     */
586 
587     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http)));
588     cupsdCloseClient(con);
589     return;
590   }
591 
592 #ifdef HAVE_SSL
593   if (con->auto_ssl)
594   {
595    /*
596     * Automatically check for a SSL/TLS handshake...
597     */
598 
599     con->auto_ssl = 0;
600 
601     if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 &&
602         (!buf[0] || !strchr("DGHOPT", buf[0])))
603     {
604      /*
605       * Encrypt this connection...
606       */
607 
608       cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255);
609 
610       if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
611         cupsdCloseClient(con);
612 
613       return;
614     }
615   }
616 #endif /* HAVE_SSL */
617 
618   switch (httpGetState(con->http))
619   {
620     case HTTP_STATE_WAITING :
621        /*
622         * See if we've received a request line...
623 	*/
624 
625         con->operation = httpReadRequest(con->http, con->uri, sizeof(con->uri));
626         if (con->operation == HTTP_STATE_ERROR ||
627 	    con->operation == HTTP_STATE_UNKNOWN_METHOD ||
628 	    con->operation == HTTP_STATE_UNKNOWN_VERSION)
629 	{
630 	  if (httpError(con->http))
631 	    cupsdLogClient(con, CUPSD_LOG_DEBUG,
632 			   "HTTP_STATE_WAITING Closing for error %d (%s)",
633 			   httpError(con->http), strerror(httpError(con->http)));
634 	  else
635 	    cupsdLogClient(con, CUPSD_LOG_DEBUG,
636 	                   "HTTP_STATE_WAITING Closing on error: %s",
637 			   cupsLastErrorString());
638 
639 	  cupsdCloseClient(con);
640 	  return;
641 	}
642 
643        /*
644         * Ignore blank request lines...
645 	*/
646 
647         if (con->operation == HTTP_STATE_WAITING)
648 	  break;
649 
650        /*
651         * Clear other state variables...
652 	*/
653 
654 	con->bytes       = 0;
655 	con->file        = -1;
656 	con->file_ready  = 0;
657 	con->pipe_pid    = 0;
658 	con->username[0] = '\0';
659 	con->password[0] = '\0';
660 
661 	cupsdClearString(&con->command);
662 	cupsdClearString(&con->options);
663 	cupsdClearString(&con->query_string);
664 
665 	if (con->request)
666 	{
667 	  ippDelete(con->request);
668 	  con->request = NULL;
669 	}
670 
671 	if (con->response)
672 	{
673 	  ippDelete(con->response);
674 	  con->response = NULL;
675 	}
676 
677 	if (con->language)
678 	{
679 	  cupsLangFree(con->language);
680 	  con->language = NULL;
681 	}
682 
683 #ifdef HAVE_GSSAPI
684         con->have_gss = 0;
685 	con->gss_uid  = 0;
686 #endif /* HAVE_GSSAPI */
687 
688        /*
689         * Handle full URLs in the request line...
690 	*/
691 
692         if (strcmp(con->uri, "*"))
693 	{
694 	  char	scheme[HTTP_MAX_URI],	/* Method/scheme */
695 		userpass[HTTP_MAX_URI],	/* Username:password */
696 		hostname[HTTP_MAX_URI],	/* Hostname */
697 		resource[HTTP_MAX_URI];	/* Resource path */
698           int	port;			/* Port number */
699 
700          /*
701 	  * Separate the URI into its components...
702 	  */
703 
704           if (httpSeparateURI(HTTP_URI_CODING_MOST, con->uri,
705 	                      scheme, sizeof(scheme),
706 	                      userpass, sizeof(userpass),
707 			      hostname, sizeof(hostname), &port,
708 			      resource, sizeof(resource)) < HTTP_URI_STATUS_OK)
709           {
710 	    cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad URI \"%s\" in request.",
711                            con->uri);
712 	    cupsdSendError(con, HTTP_STATUS_METHOD_NOT_ALLOWED, CUPSD_AUTH_NONE);
713 	    cupsdCloseClient(con);
714 	    return;
715 	  }
716 
717 	 /*
718 	  * Only allow URIs with the servername, localhost, or an IP
719 	  * address...
720 	  */
721 
722 	  if (strcmp(scheme, "file") &&
723 	      _cups_strcasecmp(hostname, ServerName) &&
724 	      _cups_strcasecmp(hostname, "localhost") &&
725 	      !cupsArrayFind(ServerAlias, hostname) &&
726 	      !isdigit(hostname[0]) && hostname[0] != '[')
727 	  {
728 	   /*
729 	    * Nope, we don't do proxies...
730 	    */
731 
732 	    cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad URI \"%s\" in request.",
733                            con->uri);
734 	    cupsdSendError(con, HTTP_STATUS_METHOD_NOT_ALLOWED, CUPSD_AUTH_NONE);
735 	    cupsdCloseClient(con);
736 	    return;
737 	  }
738 
739          /*
740 	  * Copy the resource portion back into the URI; both resource and
741 	  * con->uri are HTTP_MAX_URI bytes in size...
742 	  */
743 
744           strlcpy(con->uri, resource, sizeof(con->uri));
745 	}
746 
747        /*
748         * Process the request...
749 	*/
750 
751         gettimeofday(&(con->start), NULL);
752 
753         cupsdLogClient(con, CUPSD_LOG_DEBUG, "%s %s HTTP/%d.%d",
754 	               httpStateString(con->operation) + 11, con->uri,
755 		       httpGetVersion(con->http) / 100,
756                        httpGetVersion(con->http) % 100);
757 
758         if (!cupsArrayFind(ActiveClients, con))
759 	{
760 	  cupsArrayAdd(ActiveClients, con);
761           cupsdSetBusyState(0);
762         }
763 
764     case HTTP_STATE_OPTIONS :
765     case HTTP_STATE_DELETE :
766     case HTTP_STATE_GET :
767     case HTTP_STATE_HEAD :
768     case HTTP_STATE_POST :
769     case HTTP_STATE_PUT :
770     case HTTP_STATE_TRACE :
771        /*
772         * Parse incoming parameters until the status changes...
773 	*/
774 
775         while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE)
776 	  if (!httpGetReady(con->http))
777 	    break;
778 
779 	if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE)
780 	{
781 	  if (httpError(con->http) && httpError(con->http) != EPIPE)
782 	    cupsdLogClient(con, CUPSD_LOG_DEBUG,
783                            "Closing for error %d (%s) while reading headers.",
784                            httpError(con->http), strerror(httpError(con->http)));
785 	  else
786 	    cupsdLogClient(con, CUPSD_LOG_DEBUG,
787 	                   "Closing on EOF while reading headers.");
788 
789 	  cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE);
790 	  cupsdCloseClient(con);
791 	  return;
792 	}
793 	break;
794 
795     default :
796         if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1)
797 	{
798 	 /*
799 	  * Connection closed...
800 	  */
801 
802 	  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF.");
803           cupsdCloseClient(con);
804 	  return;
805 	}
806         break; /* Anti-compiler-warning-code */
807   }
808 
809  /*
810   * Handle new transfers...
811   */
812 
813   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Read: status=%d, state=%d", status, httpGetState(con->http));
814 
815   if (status == HTTP_STATUS_OK)
816   {
817    /*
818     * Record whether the client is a web browser.  "Mozilla" was the original
819     * and it seems that every web browser in existence now uses that as the
820     * prefix with additional information identifying *which* browser.
821     *
822     * Chrome (at least) has problems with multiple WWW-Authenticate values in
823     * a single header, so we only report Basic or Negotiate to web browsers and
824     * leave the multiple choices to the native CUPS client...
825     */
826 
827     con->is_browser = !strncmp(httpGetField(con->http, HTTP_FIELD_USER_AGENT), "Mozilla/", 8);
828 
829     if (httpGetField(con->http, HTTP_FIELD_ACCEPT_LANGUAGE)[0])
830     {
831      /*
832       * Figure out the locale from the Accept-Language and Content-Type
833       * fields...
834       */
835 
836       if ((ptr = strchr(httpGetField(con->http, HTTP_FIELD_ACCEPT_LANGUAGE),
837                         ',')) != NULL)
838         *ptr = '\0';
839 
840       if ((ptr = strchr(httpGetField(con->http, HTTP_FIELD_ACCEPT_LANGUAGE),
841                         ';')) != NULL)
842         *ptr = '\0';
843 
844       if ((ptr = strstr(httpGetField(con->http, HTTP_FIELD_CONTENT_TYPE),
845                         "charset=")) != NULL)
846       {
847        /*
848         * Combine language and charset, and trim any extra params in the
849 	* content-type.
850 	*/
851 
852         snprintf(locale, sizeof(locale), "%s.%s",
853 	         httpGetField(con->http, HTTP_FIELD_ACCEPT_LANGUAGE), ptr + 8);
854 
855 	if ((ptr = strchr(locale, ',')) != NULL)
856 	  *ptr = '\0';
857       }
858       else
859         snprintf(locale, sizeof(locale), "%s.UTF-8",
860 	         httpGetField(con->http, HTTP_FIELD_ACCEPT_LANGUAGE));
861 
862       con->language = cupsLangGet(locale);
863     }
864     else
865       con->language = cupsLangGet(DefaultLocale);
866 
867     cupsdAuthorize(con);
868 
869     if (!_cups_strncasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
870                            "Keep-Alive", 10) && KeepAlive)
871       httpSetKeepAlive(con->http, HTTP_KEEPALIVE_ON);
872     else if (!_cups_strncasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
873                                 "close", 5))
874       httpSetKeepAlive(con->http, HTTP_KEEPALIVE_OFF);
875 
876     if (!httpGetField(con->http, HTTP_FIELD_HOST)[0] &&
877         httpGetVersion(con->http) >= HTTP_VERSION_1_1)
878     {
879      /*
880       * HTTP/1.1 and higher require the "Host:" field...
881       */
882 
883       if (!cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE))
884       {
885         cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Host: field in request.");
886 	cupsdCloseClient(con);
887 	return;
888       }
889     }
890     else if (!valid_host(con))
891     {
892      /*
893       * Access to localhost must use "localhost" or the corresponding IPv4
894       * or IPv6 values in the Host: field.
895       */
896 
897       cupsdLogClient(con, CUPSD_LOG_ERROR,
898                      "Request from \"%s\" using invalid Host: field \"%s\".",
899                      httpGetHostname(con->http, NULL, 0), httpGetField(con->http, HTTP_FIELD_HOST));
900 
901       if (!cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE))
902       {
903 	cupsdCloseClient(con);
904 	return;
905       }
906     }
907     else if (con->operation == HTTP_STATE_OPTIONS)
908     {
909      /*
910       * Do OPTIONS command...
911       */
912 
913       if (con->best && con->best->type != CUPSD_AUTH_NONE)
914       {
915         httpClearFields(con->http);
916 
917 	if (!cupsdSendHeader(con, HTTP_STATUS_UNAUTHORIZED, NULL, CUPSD_AUTH_NONE))
918 	{
919 	  cupsdCloseClient(con);
920 	  return;
921 	}
922       }
923 
924       if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION), "Upgrade") && strstr(httpGetField(con->http, HTTP_FIELD_UPGRADE), "TLS/") != NULL && !httpIsEncrypted(con->http))
925       {
926 #ifdef HAVE_SSL
927        /*
928         * Do encryption stuff...
929 	*/
930 
931         httpClearFields(con->http);
932 
933 	if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL, CUPSD_AUTH_NONE))
934 	{
935 	  cupsdCloseClient(con);
936 	  return;
937 	}
938 
939         if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
940         {
941 	  cupsdCloseClient(con);
942 	  return;
943 	}
944 #else
945 	if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
946 	{
947 	  cupsdCloseClient(con);
948 	  return;
949 	}
950 #endif /* HAVE_SSL */
951       }
952 
953       httpClearFields(con->http);
954       httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
955 
956       if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
957       {
958 	cupsdCloseClient(con);
959 	return;
960       }
961     }
962     else if (!is_path_absolute(con->uri))
963     {
964      /*
965       * Protect against malicious users!
966       */
967 
968       cupsdLogClient(con, CUPSD_LOG_ERROR,
969                      "Request for non-absolute resource \"%s\".", con->uri);
970 
971       if (!cupsdSendError(con, HTTP_STATUS_FORBIDDEN, CUPSD_AUTH_NONE))
972       {
973 	cupsdCloseClient(con);
974 	return;
975       }
976     }
977     else
978     {
979       if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
980                             "Upgrade") && !httpIsEncrypted(con->http))
981       {
982 #ifdef HAVE_SSL
983        /*
984         * Do encryption stuff...
985 	*/
986 
987         httpClearFields(con->http);
988 
989 	if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL,
990 	                     CUPSD_AUTH_NONE))
991 	{
992 	  cupsdCloseClient(con);
993 	  return;
994 	}
995 
996         if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
997         {
998 	  cupsdCloseClient(con);
999 	  return;
1000 	}
1001 #else
1002 	if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
1003 	{
1004 	  cupsdCloseClient(con);
1005 	  return;
1006 	}
1007 #endif /* HAVE_SSL */
1008       }
1009 
1010       if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK)
1011       {
1012 	cupsdSendError(con, status, CUPSD_AUTH_NONE);
1013 	cupsdCloseClient(con);
1014 	return;
1015       }
1016 
1017       if (httpGetExpect(con->http) &&
1018           (con->operation == HTTP_STATE_POST || con->operation == HTTP_STATE_PUT))
1019       {
1020         if (httpGetExpect(con->http) == HTTP_STATUS_CONTINUE)
1021 	{
1022 	 /*
1023 	  * Send 100-continue header...
1024 	  */
1025 
1026           if (httpWriteResponse(con->http, HTTP_STATUS_CONTINUE))
1027 	  {
1028 	    cupsdCloseClient(con);
1029 	    return;
1030 	  }
1031 	}
1032 	else
1033 	{
1034 	 /*
1035 	  * Send 417-expectation-failed header...
1036 	  */
1037 
1038           httpClearFields(con->http);
1039 	  httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
1040 
1041 	  cupsdSendError(con, HTTP_STATUS_EXPECTATION_FAILED, CUPSD_AUTH_NONE);
1042           cupsdCloseClient(con);
1043           return;
1044 	}
1045       }
1046 
1047       switch (httpGetState(con->http))
1048       {
1049 	case HTTP_STATE_GET_SEND :
1050             cupsdLogClient(con, CUPSD_LOG_DEBUG, "Processing GET %s", con->uri);
1051 
1052             if ((filename = get_file(con, &filestats, buf, sizeof(buf))) != NULL)
1053             {
1054 	      type = mimeFileType(MimeDatabase, filename, NULL, NULL);
1055 
1056               cupsdLogClient(con, CUPSD_LOG_DEBUG, "filename=\"%s\", type=%s/%s", filename, type ? type->super : "", type ? type->type : "");
1057 
1058               if (is_cgi(con, filename, &filestats, type))
1059 	      {
1060 	       /*
1061 	        * Note: con->command and con->options were set by is_cgi()...
1062 		*/
1063 
1064         	if (!cupsdSendCommand(con, con->command, con->options, 0))
1065 		{
1066 		  if (!cupsdSendError(con, HTTP_STATUS_NOT_FOUND, CUPSD_AUTH_NONE))
1067 		  {
1068 		    cupsdCloseClient(con);
1069 		    return;
1070 		  }
1071         	}
1072 		else
1073         	  cupsdLogRequest(con, HTTP_STATUS_OK);
1074 
1075 		if (httpGetVersion(con->http) <= HTTP_VERSION_1_0)
1076 		  httpSetKeepAlive(con->http, HTTP_KEEPALIVE_OFF);
1077 	        break;
1078 	      }
1079 
1080 	      if (!check_if_modified(con, &filestats))
1081               {
1082         	if (!cupsdSendError(con, HTTP_STATUS_NOT_MODIFIED, CUPSD_AUTH_NONE))
1083 		{
1084 		  cupsdCloseClient(con);
1085 		  return;
1086 		}
1087 	      }
1088 	      else
1089               {
1090 		if (type == NULL)
1091 	          strlcpy(line, "text/plain", sizeof(line));
1092 		else
1093 	          snprintf(line, sizeof(line), "%s/%s", type->super, type->type);
1094 
1095         	if (!write_file(con, HTTP_STATUS_OK, filename, line, &filestats))
1096 		{
1097 		  cupsdCloseClient(con);
1098 		  return;
1099 		}
1100 	      }
1101             }
1102             else if (!buf[0] && (!strncmp(con->uri, "/admin", 6) || !strncmp(con->uri, "/classes", 8) || !strncmp(con->uri, "/help", 5) || !strncmp(con->uri, "/jobs", 5) || !strncmp(con->uri, "/printers", 9)))
1103 	    {
1104 	      if (!WebInterface)
1105 	      {
1106 	       /*
1107 		* Web interface is disabled. Show an appropriate message...
1108 		*/
1109 
1110 		if (!cupsdSendError(con, HTTP_STATUS_CUPS_WEBIF_DISABLED, CUPSD_AUTH_NONE))
1111 		{
1112 		  cupsdCloseClient(con);
1113 		  return;
1114 		}
1115 
1116 		break;
1117 	      }
1118 
1119 	     /*
1120 	      * Send CGI output...
1121 	      */
1122 
1123               if (!strncmp(con->uri, "/admin", 6))
1124 	      {
1125 		cupsdSetStringf(&con->command, "%s/cgi-bin/admin.cgi", ServerBin);
1126 		cupsdSetString(&con->options, strchr(con->uri + 6, '?'));
1127 	      }
1128 	      else if (!strncmp(con->uri, "/classes", 8))
1129 	      {
1130 		cupsdSetStringf(&con->command, "%s/cgi-bin/classes.cgi", ServerBin);
1131                 if (con->uri[8] && con->uri[9])
1132 		  cupsdSetString(&con->options, con->uri + 8);
1133 		else
1134 		  cupsdSetString(&con->options, NULL);
1135 	      }
1136 	      else if (!strncmp(con->uri, "/jobs", 5))
1137 	      {
1138 		cupsdSetStringf(&con->command, "%s/cgi-bin/jobs.cgi", ServerBin);
1139                 if (con->uri[5] && con->uri[6])
1140 		  cupsdSetString(&con->options, con->uri + 5);
1141 		else
1142 		  cupsdSetString(&con->options, NULL);
1143 	      }
1144               else if (!strncmp(con->uri, "/printers", 9))
1145 	      {
1146 		cupsdSetStringf(&con->command, "%s/cgi-bin/printers.cgi", ServerBin);
1147                 if (con->uri[9] && con->uri[10])
1148 		  cupsdSetString(&con->options, con->uri + 9);
1149 		else
1150 		  cupsdSetString(&con->options, NULL);
1151 	      }
1152 	      else
1153 	      {
1154 		cupsdSetStringf(&con->command, "%s/cgi-bin/help.cgi", ServerBin);
1155                 if (con->uri[5] && con->uri[6])
1156 		  cupsdSetString(&con->options, con->uri + 5);
1157 		else
1158 		  cupsdSetString(&con->options, NULL);
1159 	      }
1160 
1161               if (!cupsdSendCommand(con, con->command, con->options, 0))
1162 	      {
1163 		if (!cupsdSendError(con, HTTP_STATUS_NOT_FOUND, CUPSD_AUTH_NONE))
1164 		{
1165 		  cupsdCloseClient(con);
1166 		  return;
1167 		}
1168               }
1169 	      else
1170         	cupsdLogRequest(con, HTTP_STATUS_OK);
1171 
1172 	      if (httpGetVersion(con->http) <= HTTP_VERSION_1_0)
1173 		httpSetKeepAlive(con->http, HTTP_KEEPALIVE_OFF);
1174 	    }
1175 	    else
1176 	    {
1177 	      if (!cupsdSendError(con, HTTP_STATUS_NOT_FOUND, CUPSD_AUTH_NONE))
1178 	      {
1179 		cupsdCloseClient(con);
1180 		return;
1181 	      }
1182 	    }
1183             break;
1184 
1185 	case HTTP_STATE_POST_RECV :
1186            /*
1187 	    * See if the POST request includes a Content-Length field, and if
1188 	    * so check the length against any limits that are set...
1189 	    */
1190 
1191             if (httpGetField(con->http, HTTP_FIELD_CONTENT_LENGTH)[0] && MaxRequestSize > 0 && httpGetLength2(con->http) > MaxRequestSize)
1192 	    {
1193 	     /*
1194 	      * Request too large...
1195 	      */
1196 
1197               if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1198 	      {
1199 		cupsdCloseClient(con);
1200 		return;
1201 	      }
1202 
1203 	      break;
1204             }
1205 	    else if (httpGetLength2(con->http) < 0)
1206 	    {
1207 	     /*
1208 	      * Negative content lengths are invalid!
1209 	      */
1210 
1211               if (!cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE))
1212 	      {
1213 		cupsdCloseClient(con);
1214 		return;
1215 	      }
1216 
1217 	      break;
1218 	    }
1219 
1220            /*
1221 	    * See what kind of POST request this is; for IPP requests the
1222 	    * content-type field will be "application/ipp"...
1223 	    */
1224 
1225 	    if (!strcmp(httpGetField(con->http, HTTP_FIELD_CONTENT_TYPE), "application/ipp"))
1226 	    {
1227               con->request = ippNew();
1228               break;
1229             }
1230             else if (!WebInterface)
1231 	    {
1232 	     /*
1233 	      * Web interface is disabled. Show an appropriate message...
1234 	      */
1235 
1236 	      if (!cupsdSendError(con, HTTP_STATUS_CUPS_WEBIF_DISABLED, CUPSD_AUTH_NONE))
1237 	      {
1238 		cupsdCloseClient(con);
1239 		return;
1240 	      }
1241 
1242 	      break;
1243 	    }
1244 
1245 	    if ((filename = get_file(con, &filestats, buf, sizeof(buf))) != NULL)
1246             {
1247 	     /*
1248 	      * POST to a file...
1249 	      */
1250 
1251 	      type = mimeFileType(MimeDatabase, filename, NULL, NULL);
1252 
1253               if (!is_cgi(con, filename, &filestats, type))
1254 	      {
1255 	       /*
1256 	        * Only POST to CGI's...
1257 		*/
1258 
1259 		if (!cupsdSendError(con, HTTP_STATUS_UNAUTHORIZED, CUPSD_AUTH_NONE))
1260 		{
1261 		  cupsdCloseClient(con);
1262 		  return;
1263 		}
1264 	      }
1265             }
1266 	    else if (!strncmp(con->uri, "/admin", 6) || !strncmp(con->uri, "/printers", 9) ||  !strncmp(con->uri, "/classes", 8) || !strncmp(con->uri, "/help", 5) || !strncmp(con->uri, "/jobs", 5))
1267 	    {
1268 	     /*
1269 	      * CGI request...
1270 	      */
1271 
1272               if (!strncmp(con->uri, "/admin", 6))
1273 	      {
1274 		cupsdSetStringf(&con->command, "%s/cgi-bin/admin.cgi", ServerBin);
1275 		cupsdSetString(&con->options, strchr(con->uri + 6, '?'));
1276 	      }
1277               else if (!strncmp(con->uri, "/printers", 9))
1278 	      {
1279 		cupsdSetStringf(&con->command, "%s/cgi-bin/printers.cgi", ServerBin);
1280                 if (con->uri[9] && con->uri[10])
1281 		  cupsdSetString(&con->options, con->uri + 9);
1282 		else
1283 		  cupsdSetString(&con->options, NULL);
1284 	      }
1285 	      else if (!strncmp(con->uri, "/classes", 8))
1286 	      {
1287 		cupsdSetStringf(&con->command, "%s/cgi-bin/classes.cgi", ServerBin);
1288                 if (con->uri[8] && con->uri[9])
1289 		  cupsdSetString(&con->options, con->uri + 8);
1290 		else
1291 		  cupsdSetString(&con->options, NULL);
1292 	      }
1293 	      else if (!strncmp(con->uri, "/jobs", 5))
1294 	      {
1295 		cupsdSetStringf(&con->command, "%s/cgi-bin/jobs.cgi", ServerBin);
1296                 if (con->uri[5] && con->uri[6])
1297 		  cupsdSetString(&con->options, con->uri + 5);
1298 		else
1299 		  cupsdSetString(&con->options, NULL);
1300 	      }
1301 	      else
1302 	      {
1303 		cupsdSetStringf(&con->command, "%s/cgi-bin/help.cgi", ServerBin);
1304                 if (con->uri[5] && con->uri[6])
1305 		  cupsdSetString(&con->options, con->uri + 5);
1306 		else
1307 		  cupsdSetString(&con->options, NULL);
1308 	      }
1309 
1310 	      if (httpGetVersion(con->http) <= HTTP_VERSION_1_0)
1311 		httpSetKeepAlive(con->http, HTTP_KEEPALIVE_OFF);
1312 	    }
1313 	    else
1314 	    {
1315 	      if (!cupsdSendError(con, HTTP_STATUS_NOT_FOUND, CUPSD_AUTH_NONE))
1316 	      {
1317 		cupsdCloseClient(con);
1318 		return;
1319 	      }
1320 	    }
1321 	    break;
1322 
1323 	case HTTP_STATE_PUT_RECV :
1324 	   /*
1325 	    * Validate the resource name...
1326 	    */
1327 
1328             if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
1329 	    {
1330 	     /*
1331 	      * PUT can only be done to the cupsd.conf file...
1332 	      */
1333 
1334 	      cupsdLogClient(con, CUPSD_LOG_ERROR, "Disallowed PUT request for \"%s\".", con->uri);
1335 
1336 	      if (!cupsdSendError(con, HTTP_STATUS_FORBIDDEN, CUPSD_AUTH_NONE))
1337 	      {
1338 		cupsdCloseClient(con);
1339 		return;
1340 	      }
1341 
1342 	      break;
1343 	    }
1344 
1345            /*
1346 	    * See if the PUT request includes a Content-Length field, and if
1347 	    * so check the length against any limits that are set...
1348 	    */
1349 
1350             if (httpGetField(con->http, HTTP_FIELD_CONTENT_LENGTH)[0] && MaxRequestSize > 0 && httpGetLength2(con->http) > MaxRequestSize)
1351 	    {
1352 	     /*
1353 	      * Request too large...
1354 	      */
1355 
1356               if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1357 	      {
1358 		cupsdCloseClient(con);
1359 		return;
1360 	      }
1361 
1362 	      break;
1363             }
1364 	    else if (httpGetLength2(con->http) < 0)
1365 	    {
1366 	     /*
1367 	      * Negative content lengths are invalid!
1368 	      */
1369 
1370               if (!cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE))
1371 	      {
1372 		cupsdCloseClient(con);
1373 		return;
1374 	      }
1375 
1376 	      break;
1377 	    }
1378 
1379            /*
1380 	    * Open a temporary file to hold the request...
1381 	    */
1382 
1383             cupsdSetStringf(&con->filename, "%s/%08x", RequestRoot, request_id ++);
1384 	    con->file = open(con->filename, O_WRONLY | O_CREAT | O_TRUNC, 0640);
1385 
1386 	    if (con->file < 0)
1387 	    {
1388 	      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to create request file \"%s\": %s", con->filename, strerror(errno));
1389 
1390 	      if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1391 	      {
1392 		cupsdCloseClient(con);
1393 		return;
1394 	      }
1395 	    }
1396 
1397 	    fchmod(con->file, 0640);
1398 	    fchown(con->file, RunUser, Group);
1399 	    fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
1400 	    break;
1401 
1402 	case HTTP_STATE_DELETE :
1403 	case HTTP_STATE_TRACE :
1404             cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE);
1405 	    cupsdCloseClient(con);
1406 	    return;
1407 
1408 	case HTTP_STATE_HEAD :
1409             if ((filename = get_file(con, &filestats, buf, sizeof(buf))) != NULL)
1410             {
1411 	      if (!check_if_modified(con, &filestats))
1412 	      {
1413 		if (!cupsdSendError(con, HTTP_STATUS_NOT_MODIFIED, CUPSD_AUTH_NONE))
1414 		{
1415 		  cupsdCloseClient(con);
1416 		  return;
1417 		}
1418 
1419 		cupsdLogRequest(con, HTTP_STATUS_NOT_MODIFIED);
1420 	      }
1421 	      else
1422 	      {
1423 	       /*
1424 		* Serve a file...
1425 		*/
1426 
1427 		type = mimeFileType(MimeDatabase, filename, NULL, NULL);
1428 		if (type == NULL)
1429 		  strlcpy(line, "text/plain", sizeof(line));
1430 		else
1431 		  snprintf(line, sizeof(line), "%s/%s", type->super, type->type);
1432 
1433 		httpClearFields(con->http);
1434 
1435 		httpSetField(con->http, HTTP_FIELD_LAST_MODIFIED, httpGetDateString(filestats.st_mtime));
1436 		httpSetLength(con->http, (size_t)filestats.st_size);
1437 
1438 		if (!cupsdSendHeader(con, HTTP_STATUS_OK, line, CUPSD_AUTH_NONE))
1439 		{
1440 		  cupsdCloseClient(con);
1441 		  return;
1442 		}
1443 
1444 		cupsdLogRequest(con, HTTP_STATUS_OK);
1445 	      }
1446             }
1447 	    else if (!WebInterface)
1448 	    {
1449               httpClearFields(con->http);
1450 
1451               if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
1452 	      {
1453 		cupsdCloseClient(con);
1454 		return;
1455 	      }
1456 
1457               cupsdLogRequest(con, HTTP_STATUS_OK);
1458 	      break;
1459 	    }
1460 
1461 	    if (!buf[0] && (!strncmp(con->uri, "/admin", 6) || !strncmp(con->uri, "/classes", 8) || !strncmp(con->uri, "/help", 5) || !strncmp(con->uri, "/jobs", 5) || !strncmp(con->uri, "/printers", 9)))
1462 	    {
1463 	     /*
1464 	      * CGI output...
1465 	      */
1466 
1467               httpClearFields(con->http);
1468 
1469               if (!cupsdSendHeader(con, HTTP_STATUS_OK, "text/html", CUPSD_AUTH_NONE))
1470 	      {
1471 		cupsdCloseClient(con);
1472 		return;
1473 	      }
1474 
1475               cupsdLogRequest(con, HTTP_STATUS_OK);
1476 	    }
1477 	    else
1478 	    {
1479               httpClearFields(con->http);
1480 
1481 	      if (!cupsdSendHeader(con, HTTP_STATUS_NOT_FOUND, "text/html", CUPSD_AUTH_NONE))
1482 	      {
1483 		cupsdCloseClient(con);
1484 		return;
1485 	      }
1486 
1487               cupsdLogRequest(con, HTTP_STATUS_NOT_FOUND);
1488 	    }
1489             break;
1490 
1491 	default :
1492             break; /* Anti-compiler-warning-code */
1493       }
1494     }
1495   }
1496 
1497  /*
1498   * Handle any incoming data...
1499   */
1500 
1501   switch (httpGetState(con->http))
1502   {
1503     case HTTP_STATE_PUT_RECV :
1504         do
1505 	{
1506           if ((bytes = httpRead2(con->http, line, sizeof(line))) < 0)
1507 	  {
1508 	    if (httpError(con->http) && httpError(con->http) != EPIPE)
1509 	      cupsdLogClient(con, CUPSD_LOG_DEBUG,
1510                              "HTTP_STATE_PUT_RECV Closing for error %d (%s)",
1511                              httpError(con->http), strerror(httpError(con->http)));
1512 	    else
1513 	      cupsdLogClient(con, CUPSD_LOG_DEBUG,
1514 			     "HTTP_STATE_PUT_RECV Closing on EOF.");
1515 
1516 	    cupsdCloseClient(con);
1517 	    return;
1518 	  }
1519 	  else if (bytes > 0)
1520 	  {
1521 	    con->bytes += bytes;
1522 
1523             if (MaxRequestSize > 0 && con->bytes > MaxRequestSize)
1524             {
1525 	      close(con->file);
1526 	      con->file = -1;
1527 	      unlink(con->filename);
1528 	      cupsdClearString(&con->filename);
1529 
1530               if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1531 	      {
1532 		cupsdCloseClient(con);
1533 		return;
1534 	      }
1535             }
1536 
1537             if (write(con->file, line, (size_t)bytes) < bytes)
1538 	    {
1539               cupsdLogClient(con, CUPSD_LOG_ERROR,
1540 	                     "Unable to write %d bytes to \"%s\": %s", bytes,
1541                              con->filename, strerror(errno));
1542 
1543 	      close(con->file);
1544 	      con->file = -1;
1545 	      unlink(con->filename);
1546 	      cupsdClearString(&con->filename);
1547 
1548               if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1549 	      {
1550 		cupsdCloseClient(con);
1551 		return;
1552 	      }
1553 	    }
1554 	  }
1555           else if (httpGetState(con->http) == HTTP_STATE_PUT_RECV)
1556           {
1557             cupsdCloseClient(con);
1558             return;
1559           }
1560         }
1561 	while (httpGetState(con->http) == HTTP_STATE_PUT_RECV && httpGetReady(con->http));
1562 
1563         if (httpGetState(con->http) == HTTP_STATE_STATUS)
1564 	{
1565 	 /*
1566 	  * End of file, see how big it is...
1567 	  */
1568 
1569 	  fstat(con->file, &filestats);
1570 
1571 	  close(con->file);
1572 	  con->file = -1;
1573 
1574           if (filestats.st_size > MaxRequestSize &&
1575 	      MaxRequestSize > 0)
1576 	  {
1577 	   /*
1578 	    * Request is too big; remove it and send an error...
1579 	    */
1580 
1581 	    unlink(con->filename);
1582 	    cupsdClearString(&con->filename);
1583 
1584             if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1585 	    {
1586 	      cupsdCloseClient(con);
1587 	      return;
1588 	    }
1589 	  }
1590 
1591          /*
1592 	  * Install the configuration file...
1593 	  */
1594 
1595           status = install_cupsd_conf(con);
1596 
1597          /*
1598 	  * Return the status to the client...
1599 	  */
1600 
1601           if (!cupsdSendError(con, status, CUPSD_AUTH_NONE))
1602 	  {
1603 	    cupsdCloseClient(con);
1604 	    return;
1605 	  }
1606 	}
1607         break;
1608 
1609     case HTTP_STATE_POST_RECV :
1610         do
1611 	{
1612           if (con->request && con->file < 0)
1613 	  {
1614 	   /*
1615 	    * Grab any request data from the connection...
1616 	    */
1617 
1618 	    if (!httpWait(con->http, 0))
1619 	      return;
1620 
1621 	    if ((ipp_state = ippRead(con->http, con->request)) == IPP_STATE_ERROR)
1622 	    {
1623               cupsdLogClient(con, CUPSD_LOG_ERROR, "IPP read error: %s",
1624                              cupsLastErrorString());
1625 
1626 	      cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE);
1627 	      cupsdCloseClient(con);
1628 	      return;
1629 	    }
1630 	    else if (ipp_state != IPP_STATE_DATA)
1631 	    {
1632               if (httpGetState(con->http) == HTTP_STATE_POST_SEND)
1633 	      {
1634 		cupsdSendError(con, HTTP_STATUS_BAD_REQUEST, CUPSD_AUTH_NONE);
1635 		cupsdCloseClient(con);
1636 		return;
1637 	      }
1638 
1639 	      if (httpGetReady(con->http))
1640 	        continue;
1641 	      break;
1642             }
1643 	    else
1644 	    {
1645 	      cupsdLogClient(con, CUPSD_LOG_DEBUG, "%d.%d %s %d",
1646 			      con->request->request.op.version[0],
1647 			      con->request->request.op.version[1],
1648 			      ippOpString(con->request->request.op.operation_id),
1649 			      con->request->request.op.request_id);
1650 	      con->bytes += (off_t)ippLength(con->request);
1651 	    }
1652 	  }
1653 
1654           if (con->file < 0 && httpGetState(con->http) != HTTP_STATE_POST_SEND)
1655 	  {
1656            /*
1657 	    * Create a file as needed for the request data...
1658 	    */
1659 
1660             cupsdSetStringf(&con->filename, "%s/%08x", RequestRoot,
1661 	                    request_id ++);
1662 	    con->file = open(con->filename, O_WRONLY | O_CREAT | O_TRUNC, 0640);
1663 
1664 	    if (con->file < 0)
1665 	    {
1666 	      cupsdLogClient(con, CUPSD_LOG_ERROR,
1667 	                     "Unable to create request file \"%s\": %s",
1668                              con->filename, strerror(errno));
1669 
1670 	      if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1671 	      {
1672 		cupsdCloseClient(con);
1673 		return;
1674 	      }
1675 	    }
1676 
1677 	    fchmod(con->file, 0640);
1678 	    fchown(con->file, RunUser, Group);
1679             fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
1680 	  }
1681 
1682 	  if (httpGetState(con->http) != HTTP_STATE_POST_SEND)
1683 	  {
1684 	    if (!httpWait(con->http, 0))
1685 	      return;
1686             else if ((bytes = httpRead2(con->http, line, sizeof(line))) < 0)
1687 	    {
1688 	      if (httpError(con->http) && httpError(con->http) != EPIPE)
1689 		cupsdLogClient(con, CUPSD_LOG_DEBUG,
1690 			       "HTTP_STATE_POST_SEND Closing for error %d (%s)",
1691                                httpError(con->http), strerror(httpError(con->http)));
1692 	      else
1693 		cupsdLogClient(con, CUPSD_LOG_DEBUG,
1694 			       "HTTP_STATE_POST_SEND Closing on EOF.");
1695 
1696 	      cupsdCloseClient(con);
1697 	      return;
1698 	    }
1699 	    else if (bytes > 0)
1700 	    {
1701 	      con->bytes += bytes;
1702 
1703               if (MaxRequestSize > 0 && con->bytes > MaxRequestSize)
1704               {
1705                 close(con->file);
1706                 con->file = -1;
1707                 unlink(con->filename);
1708                 cupsdClearString(&con->filename);
1709 
1710                 if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1711                 {
1712                   cupsdCloseClient(con);
1713                   return;
1714                 }
1715               }
1716 
1717               if (write(con->file, line, (size_t)bytes) < bytes)
1718 	      {
1719         	cupsdLogClient(con, CUPSD_LOG_ERROR,
1720 	                       "Unable to write %d bytes to \"%s\": %s",
1721                                bytes, con->filename, strerror(errno));
1722 
1723 		close(con->file);
1724 		con->file = -1;
1725 		unlink(con->filename);
1726 		cupsdClearString(&con->filename);
1727 
1728         	if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE,
1729 		                    CUPSD_AUTH_NONE))
1730 		{
1731 		  cupsdCloseClient(con);
1732 		  return;
1733 		}
1734 	      }
1735 	    }
1736 	    else if (httpGetState(con->http) == HTTP_STATE_POST_RECV)
1737               return;
1738 	    else if (httpGetState(con->http) != HTTP_STATE_POST_SEND)
1739 	    {
1740 	      cupsdLogClient(con, CUPSD_LOG_DEBUG,
1741 	                     "Closing on unexpected state %s.",
1742 			     httpStateString(httpGetState(con->http)));
1743 	      cupsdCloseClient(con);
1744 	      return;
1745 	    }
1746 	  }
1747         }
1748 	while (httpGetState(con->http) == HTTP_STATE_POST_RECV && httpGetReady(con->http));
1749 
1750 	if (httpGetState(con->http) == HTTP_STATE_POST_SEND)
1751 	{
1752 	  if (con->file >= 0)
1753 	  {
1754 	    fstat(con->file, &filestats);
1755 
1756 	    close(con->file);
1757 	    con->file = -1;
1758 
1759             if (filestats.st_size > MaxRequestSize &&
1760 	        MaxRequestSize > 0)
1761 	    {
1762 	     /*
1763 	      * Request is too big; remove it and send an error...
1764 	      */
1765 
1766 	      unlink(con->filename);
1767 	      cupsdClearString(&con->filename);
1768 
1769 	      if (con->request)
1770 	      {
1771 	       /*
1772 	        * Delete any IPP request data...
1773 		*/
1774 
1775 	        ippDelete(con->request);
1776 		con->request = NULL;
1777               }
1778 
1779               if (!cupsdSendError(con, HTTP_STATUS_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
1780 	      {
1781 		cupsdCloseClient(con);
1782 		return;
1783 	      }
1784 	    }
1785 	    else if (filestats.st_size == 0)
1786 	    {
1787 	     /*
1788 	      * Don't allow empty file...
1789 	      */
1790 
1791 	      unlink(con->filename);
1792 	      cupsdClearString(&con->filename);
1793 	    }
1794 
1795 	    if (con->command)
1796 	    {
1797 	      if (!cupsdSendCommand(con, con->command, con->options, 0))
1798 	      {
1799 		if (!cupsdSendError(con, HTTP_STATUS_NOT_FOUND, CUPSD_AUTH_NONE))
1800 		{
1801 		  cupsdCloseClient(con);
1802 		  return;
1803 		}
1804               }
1805 	      else
1806         	cupsdLogRequest(con, HTTP_STATUS_OK);
1807             }
1808 	  }
1809 
1810           if (con->request)
1811 	  {
1812 	    cupsdProcessIPPRequest(con);
1813 
1814 	    if (con->filename)
1815 	    {
1816 	      unlink(con->filename);
1817 	      cupsdClearString(&con->filename);
1818 	    }
1819 
1820 	    return;
1821 	  }
1822 	}
1823         break;
1824 
1825     default :
1826         break; /* Anti-compiler-warning-code */
1827   }
1828 
1829   if (httpGetState(con->http) == HTTP_STATE_WAITING)
1830   {
1831     if (!httpGetKeepAlive(con->http))
1832     {
1833       cupsdLogClient(con, CUPSD_LOG_DEBUG,
1834                      "Closing because Keep-Alive is disabled.");
1835       cupsdCloseClient(con);
1836     }
1837     else
1838     {
1839       cupsArrayRemove(ActiveClients, con);
1840       cupsdSetBusyState(0);
1841     }
1842   }
1843 }
1844 
1845 
1846 /*
1847  * 'cupsdSendCommand()' - Send output from a command via HTTP.
1848  */
1849 
1850 int					/* O - 1 on success, 0 on failure */
cupsdSendCommand(cupsd_client_t * con,char * command,char * options,int root)1851 cupsdSendCommand(
1852     cupsd_client_t *con,		/* I - Client connection */
1853     char           *command,		/* I - Command to run */
1854     char           *options,		/* I - Command-line options */
1855     int            root)		/* I - Run as root? */
1856 {
1857   int	fd;				/* Standard input file descriptor */
1858 
1859 
1860   if (con->filename)
1861   {
1862     fd = open(con->filename, O_RDONLY);
1863 
1864     if (fd < 0)
1865     {
1866       cupsdLogClient(con, CUPSD_LOG_ERROR,
1867                      "Unable to open \"%s\" for reading: %s",
1868                      con->filename ? con->filename : "/dev/null",
1869 	             strerror(errno));
1870       return (0);
1871     }
1872 
1873     fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1874   }
1875   else
1876     fd = -1;
1877 
1878   con->pipe_pid    = pipe_command(con, fd, &(con->file), command, options, root);
1879   con->pipe_status = HTTP_STATUS_OK;
1880 
1881   httpClearFields(con->http);
1882 
1883   if (fd >= 0)
1884     close(fd);
1885 
1886   cupsdLogClient(con, CUPSD_LOG_INFO, "Started \"%s\" (pid=%d, file=%d)",
1887                  command, con->pipe_pid, con->file);
1888 
1889   if (con->pipe_pid == 0)
1890     return (0);
1891 
1892   fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
1893 
1894   cupsdAddSelect(con->file, (cupsd_selfunc_t)write_pipe, NULL, con);
1895 
1896   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Waiting for CGI data.");
1897 
1898   con->sent_header = 0;
1899   con->file_ready  = 0;
1900   con->got_fields  = 0;
1901   con->header_used = 0;
1902 
1903   return (1);
1904 }
1905 
1906 
1907 /*
1908  * 'cupsdSendError()' - Send an error message via HTTP.
1909  */
1910 
1911 int					/* O - 1 if successful, 0 otherwise */
cupsdSendError(cupsd_client_t * con,http_status_t code,int auth_type)1912 cupsdSendError(cupsd_client_t *con,	/* I - Connection */
1913                http_status_t  code,	/* I - Error code */
1914 	       int            auth_type)/* I - Authentication type */
1915 {
1916   char	location[HTTP_MAX_VALUE];	/* Location field */
1917 
1918 
1919   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdSendError code=%d, auth_type=%d", code, auth_type);
1920 
1921 #ifdef HAVE_SSL
1922  /*
1923   * Force client to upgrade for authentication if that is how the
1924   * server is configured...
1925   */
1926 
1927   if (code == HTTP_STATUS_UNAUTHORIZED &&
1928       DefaultEncryption == HTTP_ENCRYPTION_REQUIRED &&
1929       _cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost") &&
1930       !httpIsEncrypted(con->http))
1931   {
1932     code = HTTP_STATUS_UPGRADE_REQUIRED;
1933   }
1934 #endif /* HAVE_SSL */
1935 
1936  /*
1937   * Put the request in the access_log file...
1938   */
1939 
1940   cupsdLogRequest(con, code);
1941 
1942  /*
1943   * To work around bugs in some proxies, don't use Keep-Alive for some
1944   * error messages...
1945   *
1946   * Kerberos authentication doesn't work without Keep-Alive, so
1947   * never disable it in that case.
1948   */
1949 
1950   strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location));
1951 
1952   httpClearFields(con->http);
1953   httpClearCookie(con->http);
1954 
1955   httpSetField(con->http, HTTP_FIELD_LOCATION, location);
1956 
1957   if (code >= HTTP_STATUS_BAD_REQUEST && con->type != CUPSD_AUTH_NEGOTIATE)
1958     httpSetKeepAlive(con->http, HTTP_KEEPALIVE_OFF);
1959 
1960   if (httpGetVersion(con->http) >= HTTP_VERSION_1_1 &&
1961       httpGetKeepAlive(con->http) == HTTP_KEEPALIVE_OFF)
1962     httpSetField(con->http, HTTP_FIELD_CONNECTION, "close");
1963 
1964   if (code >= HTTP_STATUS_BAD_REQUEST)
1965   {
1966    /*
1967     * Send a human-readable error message.
1968     */
1969 
1970     char	message[4096],		/* Message for user */
1971 		urltext[1024],		/* URL redirection text */
1972 		redirect[1024];		/* Redirection link */
1973     const char	*text;			/* Status-specific text */
1974 
1975 
1976     redirect[0] = '\0';
1977 
1978     if (code == HTTP_STATUS_UNAUTHORIZED)
1979     {
1980       text = _cupsLangString(con->language,
1981                              _("Enter your username and password or the "
1982 			       "root username and password to access this "
1983 			       "page. If you are using Kerberos authentication, "
1984 			       "make sure you have a valid Kerberos ticket."));
1985     }
1986     else if (code == HTTP_STATUS_FORBIDDEN)
1987     {
1988       if (con->username[0])
1989         text = _cupsLangString(con->language, _("Your account does not have the necessary privileges."));
1990       else
1991         text = _cupsLangString(con->language, _("You cannot access this page."));
1992     }
1993     else if (code == HTTP_STATUS_UPGRADE_REQUIRED)
1994     {
1995       text = urltext;
1996 
1997       snprintf(urltext, sizeof(urltext), _cupsLangString(con->language, _("You must access this page using the URL https://%s:%d%s.")), con->servername, con->serverport, con->uri);
1998 
1999       snprintf(redirect, sizeof(redirect), "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"3;URL=https://%s:%d%s\">\n", con->servername, con->serverport, con->uri);
2000     }
2001     else if (code == HTTP_STATUS_CUPS_WEBIF_DISABLED)
2002       text = _cupsLangString(con->language,
2003                              _("The web interface is currently disabled. Run "
2004 			       "\"cupsctl WebInterface=yes\" to enable it."));
2005     else
2006       text = "";
2007 
2008     snprintf(message, sizeof(message),
2009              "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" "
2010 	     "\"http://www.w3.org/TR/html4/loose.dtd\">\n"
2011 	     "<HTML>\n"
2012 	     "<HEAD>\n"
2013              "\t<META HTTP-EQUIV=\"Content-Type\" "
2014 	     "CONTENT=\"text/html; charset=utf-8\">\n"
2015 	     "\t<TITLE>%s - " CUPS_SVERSION "</TITLE>\n"
2016 	     "\t<LINK REL=\"STYLESHEET\" TYPE=\"text/css\" "
2017 	     "HREF=\"/cups.css\">\n"
2018 	     "%s"
2019 	     "</HEAD>\n"
2020              "<BODY>\n"
2021 	     "<H1>%s</H1>\n"
2022 	     "<P>%s</P>\n"
2023 	     "</BODY>\n"
2024 	     "</HTML>\n",
2025 	     _httpStatus(con->language, code), redirect,
2026 	     _httpStatus(con->language, code), text);
2027 
2028    /*
2029     * Send an error message back to the client.  If the error code is a
2030     * 400 or 500 series, make sure the message contains some text, too!
2031     */
2032 
2033     size_t length = strlen(message);	/* Length of message */
2034 
2035     httpSetLength(con->http, length);
2036 
2037     if (!cupsdSendHeader(con, code, "text/html", auth_type))
2038       return (0);
2039 
2040     if (httpWrite2(con->http, message, length) < 0)
2041       return (0);
2042 
2043     if (httpFlushWrite(con->http) < 0)
2044       return (0);
2045   }
2046   else
2047   {
2048     httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
2049 
2050     if (!cupsdSendHeader(con, code, NULL, auth_type))
2051       return (0);
2052   }
2053 
2054   return (1);
2055 }
2056 
2057 
2058 /*
2059  * 'cupsdSendHeader()' - Send an HTTP request.
2060  */
2061 
2062 int					/* O - 1 on success, 0 on failure */
cupsdSendHeader(cupsd_client_t * con,http_status_t code,char * type,int auth_type)2063 cupsdSendHeader(
2064     cupsd_client_t *con,		/* I - Client to send to */
2065     http_status_t  code,		/* I - HTTP status code */
2066     char           *type,		/* I - MIME type of document */
2067     int            auth_type)		/* I - Type of authentication */
2068 {
2069   char		auth_str[1024];		/* Authorization string */
2070 
2071 
2072   cupsdLogClient(con, CUPSD_LOG_DEBUG, "cupsdSendHeader: code=%d, type=\"%s\", auth_type=%d", code, type, auth_type);
2073 
2074  /*
2075   * Send the HTTP status header...
2076   */
2077 
2078   if (code == HTTP_STATUS_CUPS_WEBIF_DISABLED)
2079   {
2080    /*
2081     * Treat our special "web interface is disabled" status as "200 OK" for web
2082     * browsers.
2083     */
2084 
2085     code = HTTP_STATUS_OK;
2086   }
2087 
2088   if (ServerHeader)
2089     httpSetField(con->http, HTTP_FIELD_SERVER, ServerHeader);
2090 
2091   if (code == HTTP_STATUS_METHOD_NOT_ALLOWED)
2092     httpSetField(con->http, HTTP_FIELD_ALLOW, "GET, HEAD, OPTIONS, POST, PUT");
2093 
2094   if (code == HTTP_STATUS_UNAUTHORIZED)
2095   {
2096     if (auth_type == CUPSD_AUTH_NONE)
2097     {
2098       if (!con->best || con->best->type <= CUPSD_AUTH_NONE)
2099 	auth_type = cupsdDefaultAuthType();
2100       else
2101 	auth_type = con->best->type;
2102     }
2103 
2104     auth_str[0] = '\0';
2105 
2106     if (auth_type == CUPSD_AUTH_BASIC)
2107     {
2108       strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
2109     }
2110     else if (auth_type == CUPSD_AUTH_NEGOTIATE)
2111     {
2112 #if defined(SO_PEERCRED) && defined(AF_LOCAL)
2113       if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
2114 	strlcpy(auth_str, "PeerCred", sizeof(auth_str));
2115       else
2116 #endif /* SO_PEERCRED && AF_LOCAL */
2117       strlcpy(auth_str, "Negotiate", sizeof(auth_str));
2118     }
2119 
2120     if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
2121     {
2122      /*
2123       * Add a "trc" (try root certification) parameter for local non-Kerberos
2124       * requests when the request requires system group membership - then the
2125       * client knows the root certificate can/should be used.
2126       *
2127       * Also, for macOS we also look for @AUTHKEY and add an "AuthRef key=foo"
2128       * method as needed...
2129       */
2130 
2131       char	*name,			/* Current user name */
2132 		*auth_key;		/* Auth key buffer */
2133       size_t	auth_size;		/* Size of remaining buffer */
2134       int	need_local = 1;		/* Do we need to list "Local" method? */
2135 
2136       auth_key  = auth_str + strlen(auth_str);
2137       auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str);
2138 
2139 #if defined(SO_PEERCRED) && defined(AF_LOCAL)
2140       if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
2141       {
2142         strlcpy(auth_key, ", PeerCred", auth_size);
2143         auth_key += 10;
2144         auth_size -= 10;
2145       }
2146 #endif /* SO_PEERCRED && AF_LOCAL */
2147 
2148       for (name = (char *)cupsArrayFirst(con->best->names);
2149            name;
2150 	   name = (char *)cupsArrayNext(con->best->names))
2151       {
2152         cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdSendHeader: require \"%s\"", name);
2153 
2154 #ifdef HAVE_AUTHORIZATION_H
2155 	if (!_cups_strncasecmp(name, "@AUTHKEY(", 9))
2156 	{
2157 	  snprintf(auth_key, auth_size, ", AuthRef key=\"%s\", Local trc=\"y\"", name + 9);
2158 	  need_local = 0;
2159 	  /* end parenthesis is stripped in conf.c */
2160 	  break;
2161         }
2162 	else
2163 #endif /* HAVE_AUTHORIZATION_H */
2164 	if (!_cups_strcasecmp(name, "@SYSTEM"))
2165 	{
2166 #ifdef HAVE_AUTHORIZATION_H
2167 	  if (SystemGroupAuthKey)
2168 	    snprintf(auth_key, auth_size, ", AuthRef key=\"%s\", Local trc=\"y\"", SystemGroupAuthKey);
2169           else
2170 #endif /* HAVE_AUTHORIZATION_H */
2171 	  strlcpy(auth_key, ", Local trc=\"y\"", auth_size);
2172 	  need_local = 0;
2173 	  break;
2174 	}
2175       }
2176 
2177       if (need_local)
2178 	strlcat(auth_key, ", Local", auth_size);
2179     }
2180 
2181     if (auth_str[0])
2182     {
2183       cupsdLogClient(con, CUPSD_LOG_DEBUG, "WWW-Authenticate: %s", auth_str);
2184 
2185       httpSetField(con->http, HTTP_FIELD_WWW_AUTHENTICATE, auth_str);
2186     }
2187   }
2188 
2189   if (con->language && strcmp(con->language->language, "C"))
2190     httpSetField(con->http, HTTP_FIELD_CONTENT_LANGUAGE, con->language->language);
2191 
2192   if (type)
2193   {
2194     if (!strcmp(type, "text/html"))
2195       httpSetField(con->http, HTTP_FIELD_CONTENT_TYPE, "text/html; charset=utf-8");
2196     else
2197       httpSetField(con->http, HTTP_FIELD_CONTENT_TYPE, type);
2198   }
2199 
2200   return (!httpWriteResponse(con->http, code));
2201 }
2202 
2203 
2204 /*
2205  * 'cupsdUpdateCGI()' - Read status messages from CGI scripts and programs.
2206  */
2207 
2208 void
cupsdUpdateCGI(void)2209 cupsdUpdateCGI(void)
2210 {
2211   char		*ptr,			/* Pointer to end of line in buffer */
2212 		message[1024];		/* Pointer to message text */
2213   int		loglevel;		/* Log level for message */
2214 
2215 
2216   while ((ptr = cupsdStatBufUpdate(CGIStatusBuffer, &loglevel,
2217                                    message, sizeof(message))) != NULL)
2218   {
2219     if (loglevel == CUPSD_LOG_INFO)
2220       cupsdLogMessage(CUPSD_LOG_INFO, "%s", message);
2221 
2222     if (!strchr(CGIStatusBuffer->buffer, '\n'))
2223       break;
2224   }
2225 
2226   if (ptr == NULL && !CGIStatusBuffer->bufused)
2227   {
2228    /*
2229     * Fatal error on pipe - should never happen!
2230     */
2231 
2232     cupsdLogMessage(CUPSD_LOG_CRIT,
2233                     "cupsdUpdateCGI: error reading from CGI error pipe - %s",
2234                     strerror(errno));
2235   }
2236 }
2237 
2238 
2239 /*
2240  * 'cupsdWriteClient()' - Write data to a client as needed.
2241  */
2242 
2243 void
cupsdWriteClient(cupsd_client_t * con)2244 cupsdWriteClient(cupsd_client_t *con)	/* I - Client connection */
2245 {
2246   int		bytes,			/* Number of bytes written */
2247 		field_col;		/* Current column */
2248   char		*bufptr,		/* Pointer into buffer */
2249 		*bufend;		/* Pointer to end of buffer */
2250   ipp_state_t	ipp_state;		/* IPP state value */
2251 
2252 
2253   cupsdLogClient(con, CUPSD_LOG_DEBUG, "con->http=%p", con->http);
2254   cupsdLogClient(con, CUPSD_LOG_DEBUG,
2255 		 "cupsdWriteClient "
2256 		 "error=%d, "
2257 		 "used=%d, "
2258 		 "state=%s, "
2259 		 "data_encoding=HTTP_ENCODING_%s, "
2260 		 "data_remaining=" CUPS_LLFMT ", "
2261 		 "response=%p(%s), "
2262 		 "pipe_pid=%d, "
2263 		 "file=%d",
2264 		 httpError(con->http), (int)httpGetReady(con->http),
2265 		 httpStateString(httpGetState(con->http)),
2266 		 httpIsChunked(con->http) ? "CHUNKED" : "LENGTH",
2267 		 CUPS_LLCAST httpGetLength2(con->http),
2268 		 con->response,
2269 		 con->response ? ippStateString(ippGetState(con->request)) : "",
2270 		 con->pipe_pid, con->file);
2271 
2272   if (httpGetState(con->http) != HTTP_STATE_GET_SEND &&
2273       httpGetState(con->http) != HTTP_STATE_POST_SEND)
2274   {
2275    /*
2276     * If we get called in the wrong state, then something went wrong with the
2277     * connection and we need to shut it down...
2278     */
2279 
2280     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP write state %s.",
2281 		   httpStateString(httpGetState(con->http)));
2282     cupsdCloseClient(con);
2283     return;
2284   }
2285 
2286   if (con->pipe_pid)
2287   {
2288    /*
2289     * Make sure we select on the CGI output...
2290     */
2291 
2292     cupsdAddSelect(con->file, (cupsd_selfunc_t)write_pipe, NULL, con);
2293 
2294     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Waiting for CGI data.");
2295 
2296     if (!con->file_ready)
2297     {
2298      /*
2299       * Try again later when there is CGI output available...
2300       */
2301 
2302       cupsdRemoveSelect(httpGetFd(con->http));
2303       return;
2304     }
2305 
2306     con->file_ready = 0;
2307   }
2308 
2309   bytes = (ssize_t)(sizeof(con->header) - (size_t)con->header_used);
2310 
2311   if (!con->pipe_pid && bytes > (ssize_t)httpGetRemaining(con->http))
2312   {
2313    /*
2314     * Limit GET bytes to original size of file (STR #3265)...
2315     */
2316 
2317     bytes = (ssize_t)httpGetRemaining(con->http);
2318   }
2319 
2320   if (con->response && con->response->state != IPP_STATE_DATA)
2321   {
2322     size_t wused = httpGetPending(con->http);	/* Previous write buffer use */
2323 
2324     do
2325     {
2326      /*
2327       * Write a single attribute or the IPP message header...
2328       */
2329 
2330       ipp_state = ippWrite(con->http, con->response);
2331 
2332      /*
2333       * If the write buffer has been flushed, stop buffering up attributes...
2334       */
2335 
2336       if (httpGetPending(con->http) <= wused)
2337         break;
2338     }
2339     while (ipp_state != IPP_STATE_DATA && ipp_state != IPP_STATE_ERROR);
2340 
2341     cupsdLogClient(con, CUPSD_LOG_DEBUG,
2342                    "Writing IPP response, ipp_state=%s, old "
2343                    "wused=" CUPS_LLFMT ", new wused=" CUPS_LLFMT,
2344                    ippStateString(ipp_state),
2345 		   CUPS_LLCAST wused, CUPS_LLCAST httpGetPending(con->http));
2346 
2347     if (httpGetPending(con->http) > 0)
2348       httpFlushWrite(con->http);
2349 
2350     bytes = ipp_state != IPP_STATE_ERROR &&
2351 	    (con->file >= 0 || ipp_state != IPP_STATE_DATA);
2352 
2353     cupsdLogClient(con, CUPSD_LOG_DEBUG,
2354                    "bytes=%d, http_state=%d, data_remaining=" CUPS_LLFMT,
2355                    (int)bytes, httpGetState(con->http),
2356                    CUPS_LLCAST httpGetLength2(con->http));
2357   }
2358   else if ((bytes = read(con->file, con->header + con->header_used, (size_t)bytes)) > 0)
2359   {
2360     con->header_used += bytes;
2361 
2362     if (con->pipe_pid && !con->got_fields)
2363     {
2364      /*
2365       * Inspect the data for Content-Type and other fields.
2366       */
2367 
2368       for (bufptr = con->header, bufend = con->header + con->header_used,
2369                field_col = 0;
2370            !con->got_fields && bufptr < bufend;
2371 	   bufptr ++)
2372       {
2373         if (*bufptr == '\n')
2374 	{
2375 	 /*
2376 	  * Send line to client...
2377 	  */
2378 
2379 	  if (bufptr > con->header && bufptr[-1] == '\r')
2380 	    bufptr[-1] = '\0';
2381 	  *bufptr++ = '\0';
2382 
2383           cupsdLogClient(con, CUPSD_LOG_DEBUG, "Script header: %s", con->header);
2384 
2385           if (!con->sent_header)
2386 	  {
2387 	   /*
2388 	    * Handle redirection and CGI status codes...
2389 	    */
2390 
2391 	    http_field_t field;		/* HTTP field */
2392 	    char	*value = strchr(con->header, ':');
2393 					/* Value of field */
2394 
2395 	    if (value)
2396 	    {
2397 	      *value++ = '\0';
2398 	      while (isspace(*value & 255))
2399 		value ++;
2400 	    }
2401 
2402 	    field = httpFieldValue(con->header);
2403 
2404 	    if (field != HTTP_FIELD_UNKNOWN && value)
2405 	    {
2406 	      httpSetField(con->http, field, value);
2407 
2408 	      if (field == HTTP_FIELD_LOCATION)
2409 	      {
2410 		con->pipe_status = HTTP_STATUS_SEE_OTHER;
2411 		con->sent_header = 2;
2412 	      }
2413 	      else
2414 	        con->sent_header = 1;
2415 	    }
2416 	    else if (!_cups_strcasecmp(con->header, "Status") && value)
2417 	    {
2418   	      con->pipe_status = (http_status_t)atoi(value);
2419 	      con->sent_header = 2;
2420 	    }
2421 	    else if (!_cups_strcasecmp(con->header, "Set-Cookie") && value)
2422 	    {
2423 	      httpSetCookie(con->http, value);
2424 	      con->sent_header = 1;
2425 	    }
2426 	  }
2427 
2428          /*
2429 	  * Update buffer...
2430 	  */
2431 
2432 	  con->header_used -= bufptr - con->header;
2433 
2434 	  if (con->header_used > 0)
2435 	    memmove(con->header, bufptr, (size_t)con->header_used);
2436 
2437 	  bufptr = con->header - 1;
2438 
2439          /*
2440 	  * See if the line was empty...
2441 	  */
2442 
2443 	  if (field_col == 0)
2444 	  {
2445 	    con->got_fields = 1;
2446 
2447 	    if (httpGetVersion(con->http) == HTTP_VERSION_1_1 &&
2448 		!httpGetField(con->http, HTTP_FIELD_CONTENT_LENGTH)[0])
2449 	      httpSetLength(con->http, 0);
2450 
2451             cupsdLogClient(con, CUPSD_LOG_DEBUG, "Sending status %d for CGI.", con->pipe_status);
2452 
2453             if (con->pipe_status == HTTP_STATUS_OK)
2454 	    {
2455 	      if (!cupsdSendHeader(con, con->pipe_status, NULL, CUPSD_AUTH_NONE))
2456 	      {
2457 		cupsdCloseClient(con);
2458 		return;
2459 	      }
2460 	    }
2461 	    else
2462 	    {
2463 	      if (!cupsdSendError(con, con->pipe_status, CUPSD_AUTH_NONE))
2464 	      {
2465 		cupsdCloseClient(con);
2466 		return;
2467 	      }
2468 	    }
2469           }
2470 	  else
2471 	    field_col = 0;
2472 	}
2473 	else if (*bufptr != '\r')
2474 	  field_col ++;
2475       }
2476 
2477       if (!con->got_fields)
2478         return;
2479     }
2480 
2481     if (con->header_used > 0)
2482     {
2483       if (httpWrite2(con->http, con->header, (size_t)con->header_used) < 0)
2484       {
2485 	cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing for error %d (%s)",
2486 		       httpError(con->http), strerror(httpError(con->http)));
2487 	cupsdCloseClient(con);
2488 	return;
2489       }
2490 
2491       if (httpIsChunked(con->http))
2492         httpFlushWrite(con->http);
2493 
2494       con->bytes += con->header_used;
2495 
2496       if (httpGetState(con->http) == HTTP_STATE_WAITING)
2497 	bytes = 0;
2498       else
2499         bytes = con->header_used;
2500 
2501       con->header_used = 0;
2502     }
2503   }
2504 
2505   if (bytes <= 0 ||
2506       (httpGetState(con->http) != HTTP_STATE_GET_SEND &&
2507        httpGetState(con->http) != HTTP_STATE_POST_SEND))
2508   {
2509     if (!con->sent_header && con->pipe_pid)
2510       cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE);
2511     else
2512     {
2513       cupsdLogRequest(con, HTTP_STATUS_OK);
2514 
2515       if (httpIsChunked(con->http) && (!con->pipe_pid || con->sent_header > 0))
2516       {
2517         cupsdLogClient(con, CUPSD_LOG_DEBUG, "Sending 0-length chunk.");
2518 
2519 	if (httpWrite2(con->http, "", 0) < 0)
2520 	{
2521 	  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing for error %d (%s)",
2522 			 httpError(con->http), strerror(httpError(con->http)));
2523 	  cupsdCloseClient(con);
2524 	  return;
2525 	}
2526       }
2527 
2528       cupsdLogClient(con, CUPSD_LOG_DEBUG, "Flushing write buffer.");
2529       httpFlushWrite(con->http);
2530       cupsdLogClient(con, CUPSD_LOG_DEBUG, "New state is %s", httpStateString(httpGetState(con->http)));
2531     }
2532 
2533     cupsdAddSelect(httpGetFd(con->http), (cupsd_selfunc_t)cupsdReadClient, NULL, con);
2534 
2535     cupsdLogClient(con, CUPSD_LOG_DEBUG, "Waiting for request.");
2536 
2537     if (con->file >= 0)
2538     {
2539       cupsdRemoveSelect(con->file);
2540 
2541       if (con->pipe_pid)
2542 	cupsdEndProcess(con->pipe_pid, 0);
2543 
2544       close(con->file);
2545       con->file     = -1;
2546       con->pipe_pid = 0;
2547     }
2548 
2549     if (con->filename)
2550     {
2551       unlink(con->filename);
2552       cupsdClearString(&con->filename);
2553     }
2554 
2555     if (con->request)
2556     {
2557       ippDelete(con->request);
2558       con->request = NULL;
2559     }
2560 
2561     if (con->response)
2562     {
2563       ippDelete(con->response);
2564       con->response = NULL;
2565     }
2566 
2567     cupsdClearString(&con->command);
2568     cupsdClearString(&con->options);
2569     cupsdClearString(&con->query_string);
2570 
2571     if (!httpGetKeepAlive(con->http))
2572     {
2573       cupsdLogClient(con, CUPSD_LOG_DEBUG,
2574 		     "Closing because Keep-Alive is disabled.");
2575       cupsdCloseClient(con);
2576       return;
2577     }
2578     else
2579     {
2580       cupsArrayRemove(ActiveClients, con);
2581       cupsdSetBusyState(0);
2582     }
2583   }
2584 }
2585 
2586 
2587 /*
2588  * 'check_if_modified()' - Decode an "If-Modified-Since" line.
2589  */
2590 
2591 static int				/* O - 1 if modified since */
check_if_modified(cupsd_client_t * con,struct stat * filestats)2592 check_if_modified(
2593     cupsd_client_t *con,		/* I - Client connection */
2594     struct stat    *filestats)		/* I - File information */
2595 {
2596   const char	*ptr;			/* Pointer into field */
2597   time_t	date;			/* Time/date value */
2598   off_t		size;			/* Size/length value */
2599 
2600 
2601   size = 0;
2602   date = 0;
2603   ptr  = httpGetField(con->http, HTTP_FIELD_IF_MODIFIED_SINCE);
2604 
2605   if (*ptr == '\0')
2606     return (1);
2607 
2608   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "check_if_modified: filestats=%p(" CUPS_LLFMT ", %d)) If-Modified-Since=\"%s\"", filestats, CUPS_LLCAST filestats->st_size, (int)filestats->st_mtime, ptr);
2609 
2610   while (*ptr != '\0')
2611   {
2612     while (isspace(*ptr) || *ptr == ';')
2613       ptr ++;
2614 
2615     if (_cups_strncasecmp(ptr, "length=", 7) == 0)
2616     {
2617       ptr += 7;
2618       size = strtoll(ptr, NULL, 10);
2619 
2620       while (isdigit(*ptr))
2621         ptr ++;
2622     }
2623     else if (isalpha(*ptr))
2624     {
2625       date = httpGetDateTime(ptr);
2626       while (*ptr != '\0' && *ptr != ';')
2627         ptr ++;
2628     }
2629     else
2630       ptr ++;
2631   }
2632 
2633   return ((size != filestats->st_size && size != 0) ||
2634           (date < filestats->st_mtime && date != 0) ||
2635 	  (size == 0 && date == 0));
2636 }
2637 
2638 
2639 /*
2640  * 'compare_clients()' - Compare two client connections.
2641  */
2642 
2643 static int				/* O - Result of comparison */
compare_clients(cupsd_client_t * a,cupsd_client_t * b,void * data)2644 compare_clients(cupsd_client_t *a,	/* I - First client */
2645                 cupsd_client_t *b,	/* I - Second client */
2646                 void           *data)	/* I - User data (not used) */
2647 {
2648   (void)data;
2649 
2650   if (a == b)
2651     return (0);
2652   else if (a < b)
2653     return (-1);
2654   else
2655     return (1);
2656 }
2657 
2658 
2659 #ifdef HAVE_SSL
2660 /*
2661  * 'cupsd_start_tls()' - Start encryption on a connection.
2662  */
2663 
2664 static int				/* O - 0 on success, -1 on error */
cupsd_start_tls(cupsd_client_t * con,http_encryption_t e)2665 cupsd_start_tls(cupsd_client_t    *con,	/* I - Client connection */
2666                 http_encryption_t e)	/* I - Encryption mode */
2667 {
2668   if (httpEncryption(con->http, e))
2669   {
2670     cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s",
2671                    cupsLastErrorString());
2672     return (-1);
2673   }
2674 
2675   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
2676   return (0);
2677 }
2678 #endif /* HAVE_SSL */
2679 
2680 
2681 /*
2682  * 'get_file()' - Get a filename and state info.
2683  */
2684 
2685 static char *				/* O  - Real filename */
get_file(cupsd_client_t * con,struct stat * filestats,char * filename,size_t len)2686 get_file(cupsd_client_t *con,		/* I  - Client connection */
2687          struct stat    *filestats,	/* O  - File information */
2688          char           *filename,	/* IO - Filename buffer */
2689          size_t         len)		/* I  - Buffer length */
2690 {
2691   int		status;			/* Status of filesystem calls */
2692   char		*ptr;			/* Pointer info filename */
2693   size_t	plen;			/* Remaining length after pointer */
2694   char		language[7],		/* Language subdirectory, if any */
2695 		dest[1024];		/* Destination name */
2696   int		perm_check = 1;		/* Do permissions check? */
2697   cupsd_printer_t *p;			/* Printer */
2698 
2699 
2700  /*
2701   * Figure out the real filename...
2702   */
2703 
2704   filename[0] = '\0';
2705   language[0] = '\0';
2706 
2707   if (!strncmp(con->uri, "/help", 5) && (con->uri[5] == '/' || !con->uri[5]))
2708   {
2709    /*
2710     * All help files are served by the help.cgi program...
2711     */
2712 
2713     return (NULL);
2714   }
2715   else if ((!strncmp(con->uri, "/ppd/", 5) || !strncmp(con->uri, "/printers/", 10) || !strncmp(con->uri, "/classes/", 9)) && !strcmp(con->uri + strlen(con->uri) - 4, ".ppd"))
2716   {
2717     strlcpy(dest, strchr(con->uri + 1, '/') + 1, sizeof(dest));
2718     dest[strlen(dest) - 4] = '\0'; /* Strip .ppd */
2719 
2720     if ((p = cupsdFindDest(dest)) == NULL)
2721     {
2722       strlcpy(filename, "/", len);
2723       cupsdLogClient(con, CUPSD_LOG_INFO, "No destination \"%s\" found.", dest);
2724       return (NULL);
2725     }
2726 
2727     if (p->type & CUPS_PRINTER_CLASS)
2728     {
2729       int i;				/* Looping var */
2730 
2731       for (i = 0; i < p->num_printers; i ++)
2732       {
2733 	if (!(p->printers[i]->type & CUPS_PRINTER_CLASS))
2734 	{
2735 	  snprintf(filename, len, "%s/ppd/%s.ppd", ServerRoot, p->printers[i]->name);
2736 	  if (!access(filename, 0))
2737 	  {
2738 	    p = p->printers[i];
2739 	    break;
2740 	  }
2741 	}
2742       }
2743 
2744       if (i >= p->num_printers)
2745 	p = NULL;
2746     }
2747     else
2748       snprintf(filename, len, "%s/ppd/%s.ppd", ServerRoot, p->name);
2749 
2750     perm_check = 0;
2751   }
2752   else if ((!strncmp(con->uri, "/icons/", 7) || !strncmp(con->uri, "/printers/", 10) || !strncmp(con->uri, "/classes/", 9)) && !strcmp(con->uri + strlen(con->uri) - 4, ".png"))
2753   {
2754     strlcpy(dest, strchr(con->uri + 1, '/') + 1, sizeof(dest));
2755     dest[strlen(dest) - 4] = '\0'; /* Strip .png */
2756 
2757     if ((p = cupsdFindDest(dest)) == NULL)
2758     {
2759       strlcpy(filename, "/", len);
2760       cupsdLogClient(con, CUPSD_LOG_INFO, "No destination \"%s\" found.", dest);
2761       return (NULL);
2762     }
2763 
2764     if (p->type & CUPS_PRINTER_CLASS)
2765     {
2766       int i;				/* Looping var */
2767 
2768       for (i = 0; i < p->num_printers; i ++)
2769       {
2770 	if (!(p->printers[i]->type & CUPS_PRINTER_CLASS))
2771 	{
2772 	  snprintf(filename, len, "%s/images/%s.png", CacheDir, p->printers[i]->name);
2773 	  if (!access(filename, 0))
2774 	  {
2775 	    p = p->printers[i];
2776 	    break;
2777 	  }
2778 	}
2779       }
2780 
2781       if (i >= p->num_printers)
2782 	p = NULL;
2783     }
2784     else
2785       snprintf(filename, len, "%s/images/%s.png", CacheDir, p->name);
2786 
2787     if (access(filename, F_OK) < 0)
2788       snprintf(filename, len, "%s/images/generic.png", DocumentRoot);
2789 
2790     perm_check = 0;
2791   }
2792   else if (!strncmp(con->uri, "/admin", 6) || !strncmp(con->uri, "/classes", 8) || !strncmp(con->uri, "/jobs", 5) || !strncmp(con->uri, "/printers", 9))
2793   {
2794    /*
2795     * Admin/class/job/printer pages are served by CGI...
2796     */
2797 
2798     return (NULL);
2799   }
2800   else if (!strncmp(con->uri, "/rss/", 5) && !strchr(con->uri + 5, '/'))
2801     snprintf(filename, len, "%s/rss/%s", CacheDir, con->uri + 5);
2802   else if (!strncmp(con->uri, "/strings/", 9) && !strcmp(con->uri + strlen(con->uri) - 8, ".strings"))
2803   {
2804     strlcpy(dest, con->uri + 9, sizeof(dest));
2805     dest[strlen(dest) - 8] = '\0';
2806 
2807     if ((p = cupsdFindDest(dest)) == NULL)
2808     {
2809       strlcpy(filename, "/", len);
2810       cupsdLogClient(con, CUPSD_LOG_INFO, "No destination \"%s\" found.", dest);
2811       return (NULL);
2812     }
2813 
2814     if (!p->strings)
2815     {
2816       strlcpy(filename, "/", len);
2817       cupsdLogClient(con, CUPSD_LOG_INFO, "No strings files for \"%s\".", dest);
2818       return (NULL);
2819     }
2820 
2821     strlcpy(filename, p->strings, len);
2822 
2823     perm_check = 0;
2824   }
2825   else if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
2826   {
2827     strlcpy(filename, ConfigurationFile, len);
2828 
2829     perm_check = 0;
2830   }
2831   else if (!strncmp(con->uri, "/admin/log/", 11))
2832   {
2833     if (!strncmp(con->uri + 11, "access_log", 10) && AccessLog[0] == '/')
2834       strlcpy(filename, AccessLog, len);
2835     else if (!strncmp(con->uri + 11, "error_log", 9) && ErrorLog[0] == '/')
2836       strlcpy(filename, ErrorLog, len);
2837     else if (!strncmp(con->uri + 11, "page_log", 8) && PageLog[0] == '/')
2838       strlcpy(filename, PageLog, len);
2839     else
2840       return (NULL);
2841 
2842     perm_check = 0;
2843   }
2844   else if (con->language)
2845   {
2846     snprintf(language, sizeof(language), "/%s", con->language->language);
2847     snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
2848   }
2849   else
2850     snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
2851 
2852   if ((ptr = strchr(filename, '?')) != NULL)
2853     *ptr = '\0';
2854 
2855  /*
2856   * Grab the status for this language; if there isn't a language-specific file
2857   * then fallback to the default one...
2858   */
2859 
2860   if ((status = lstat(filename, filestats)) != 0 && language[0] &&
2861       strncmp(con->uri, "/icons/", 7) &&
2862       strncmp(con->uri, "/ppd/", 5) &&
2863       strncmp(con->uri, "/rss/", 5) &&
2864       strncmp(con->uri, "/strings/", 9) &&
2865       strncmp(con->uri, "/admin/conf/", 12) &&
2866       strncmp(con->uri, "/admin/log/", 11))
2867   {
2868    /*
2869     * Drop the country code...
2870     */
2871 
2872     language[3] = '\0';
2873     snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
2874 
2875     if ((ptr = strchr(filename, '?')) != NULL)
2876       *ptr = '\0';
2877 
2878     if ((status = lstat(filename, filestats)) != 0)
2879     {
2880      /*
2881       * Drop the language prefix and try the root directory...
2882       */
2883 
2884       language[0] = '\0';
2885       snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
2886 
2887       if ((ptr = strchr(filename, '?')) != NULL)
2888 	*ptr = '\0';
2889 
2890       status = lstat(filename, filestats);
2891     }
2892   }
2893 
2894  /*
2895   * If we've found a symlink, 404 the sucker to avoid disclosing information.
2896   */
2897 
2898   if (!status && S_ISLNK(filestats->st_mode))
2899   {
2900     cupsdLogClient(con, CUPSD_LOG_INFO, "Symlinks such as \"%s\" are not allowed.", filename);
2901     return (NULL);
2902   }
2903 
2904  /*
2905   * Similarly, if the file/directory does not have world read permissions, do
2906   * not allow access...
2907   */
2908 
2909   if (!status && perm_check && !(filestats->st_mode & S_IROTH))
2910   {
2911     cupsdLogClient(con, CUPSD_LOG_INFO, "Files/directories such as \"%s\" must be world-readable.", filename);
2912     return (NULL);
2913   }
2914 
2915  /*
2916   * If we've found a directory, get the index.html file instead...
2917   */
2918 
2919   if (!status && S_ISDIR(filestats->st_mode))
2920   {
2921    /*
2922     * Make sure the URI ends with a slash...
2923     */
2924 
2925     if (con->uri[strlen(con->uri) - 1] != '/')
2926       strlcat(con->uri, "/", sizeof(con->uri));
2927 
2928    /*
2929     * Find the directory index file, trying every language...
2930     */
2931 
2932     do
2933     {
2934       if (status && language[0])
2935       {
2936        /*
2937         * Try a different language subset...
2938 	*/
2939 
2940 	if (language[3])
2941 	  language[0] = '\0';		/* Strip country code */
2942 	else
2943 	  language[0] = '\0';		/* Strip language */
2944       }
2945 
2946      /*
2947       * Look for the index file...
2948       */
2949 
2950       snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
2951 
2952       if ((ptr = strchr(filename, '?')) != NULL)
2953 	*ptr = '\0';
2954 
2955       ptr  = filename + strlen(filename);
2956       plen = len - (size_t)(ptr - filename);
2957 
2958       strlcpy(ptr, "index.html", plen);
2959       status = lstat(filename, filestats);
2960     }
2961     while (status && language[0]);
2962 
2963    /*
2964     * If we've found a symlink, 404 the sucker to avoid disclosing information.
2965     */
2966 
2967     if (!status && S_ISLNK(filestats->st_mode))
2968     {
2969       cupsdLogClient(con, CUPSD_LOG_INFO, "Symlinks such as \"%s\" are not allowed.", filename);
2970       return (NULL);
2971     }
2972 
2973    /*
2974     * Similarly, if the file/directory does not have world read permissions, do
2975     * not allow access...
2976     */
2977 
2978     if (!status && perm_check && !(filestats->st_mode & S_IROTH))
2979     {
2980       cupsdLogClient(con, CUPSD_LOG_INFO, "Files/directories such as \"%s\" must be world-readable.", filename);
2981       return (NULL);
2982     }
2983   }
2984 
2985   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "get_file: filestats=%p, filename=%p, len=" CUPS_LLFMT ", returning \"%s\".", filestats, filename, CUPS_LLCAST len, status ? "(null)" : filename);
2986 
2987   if (status)
2988     return (NULL);
2989   else
2990     return (filename);
2991 }
2992 
2993 
2994 /*
2995  * 'install_cupsd_conf()' - Install a configuration file.
2996  */
2997 
2998 static http_status_t			/* O - Status */
install_cupsd_conf(cupsd_client_t * con)2999 install_cupsd_conf(cupsd_client_t *con)	/* I - Connection */
3000 {
3001   char		filename[1024];		/* Configuration filename */
3002   cups_file_t	*in,			/* Input file */
3003 		*out;			/* Output file */
3004   char		buffer[16384];		/* Copy buffer */
3005   ssize_t	bytes;			/* Number of bytes */
3006 
3007 
3008  /*
3009   * Open the request file...
3010   */
3011 
3012   if ((in = cupsFileOpen(con->filename, "rb")) == NULL)
3013   {
3014     cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to open request file \"%s\": %s",
3015                     con->filename, strerror(errno));
3016     goto server_error;
3017   }
3018 
3019  /*
3020   * Open the new config file...
3021   */
3022 
3023   if ((out = cupsdCreateConfFile(ConfigurationFile, ConfigFilePerm)) == NULL)
3024   {
3025     cupsFileClose(in);
3026     goto server_error;
3027   }
3028 
3029   cupsdLogClient(con, CUPSD_LOG_INFO, "Installing config file \"%s\"...",
3030                   ConfigurationFile);
3031 
3032  /*
3033   * Copy from the request to the new config file...
3034   */
3035 
3036   while ((bytes = cupsFileRead(in, buffer, sizeof(buffer))) > 0)
3037     if (cupsFileWrite(out, buffer, (size_t)bytes) < bytes)
3038     {
3039       cupsdLogClient(con, CUPSD_LOG_ERROR,
3040                       "Unable to copy to config file \"%s\": %s",
3041         	      ConfigurationFile, strerror(errno));
3042 
3043       cupsFileClose(in);
3044       cupsFileClose(out);
3045 
3046       snprintf(filename, sizeof(filename), "%s.N", ConfigurationFile);
3047       cupsdUnlinkOrRemoveFile(filename);
3048 
3049       goto server_error;
3050     }
3051 
3052  /*
3053   * Close the files...
3054   */
3055 
3056   cupsFileClose(in);
3057 
3058   if (cupsdCloseCreatedConfFile(out, ConfigurationFile))
3059     goto server_error;
3060 
3061  /*
3062   * Remove the request file...
3063   */
3064 
3065   cupsdUnlinkOrRemoveFile(con->filename);
3066   cupsdClearString(&con->filename);
3067 
3068  /*
3069   * Set the NeedReload flag...
3070   */
3071 
3072   NeedReload = RELOAD_CUPSD;
3073   ReloadTime = time(NULL);
3074 
3075  /*
3076   * Return that the file was created successfully...
3077   */
3078 
3079   return (HTTP_STATUS_CREATED);
3080 
3081  /*
3082   * Common exit for errors...
3083   */
3084 
3085   server_error:
3086 
3087   cupsdUnlinkOrRemoveFile(con->filename);
3088   cupsdClearString(&con->filename);
3089 
3090   return (HTTP_STATUS_SERVER_ERROR);
3091 }
3092 
3093 
3094 /*
3095  * 'is_cgi()' - Is the resource a CGI script/program?
3096  */
3097 
3098 static int				/* O - 1 = CGI, 0 = file */
is_cgi(cupsd_client_t * con,const char * filename,struct stat * filestats,mime_type_t * type)3099 is_cgi(cupsd_client_t *con,		/* I - Client connection */
3100        const char     *filename,	/* I - Real filename */
3101        struct stat    *filestats,	/* I - File information */
3102        mime_type_t    *type)		/* I - MIME type */
3103 {
3104   const char	*options;		/* Options on URL */
3105 
3106 
3107  /*
3108   * Get the options, if any...
3109   */
3110 
3111   if ((options = strchr(con->uri, '?')) != NULL)
3112   {
3113     options ++;
3114     cupsdSetStringf(&(con->query_string), "QUERY_STRING=%s", options);
3115   }
3116 
3117  /*
3118   * Check for known types...
3119   */
3120 
3121   if (!type || _cups_strcasecmp(type->super, "application"))
3122   {
3123     cupsdLogClient(con, CUPSD_LOG_DEBUG2, "is_cgi: filename=\"%s\", filestats=%p, type=%s/%s, returning 0.", filename, filestats, type ? type->super : "unknown", type ? type->type : "unknown");
3124     return (0);
3125   }
3126 
3127   if (!_cups_strcasecmp(type->type, "x-httpd-cgi") &&
3128       (filestats->st_mode & 0111))
3129   {
3130    /*
3131     * "application/x-httpd-cgi" is a CGI script.
3132     */
3133 
3134     cupsdSetString(&con->command, filename);
3135 
3136     if (options)
3137       cupsdSetStringf(&con->options, " %s", options);
3138 
3139     cupsdLogClient(con, CUPSD_LOG_DEBUG2, "is_cgi: filename=\"%s\", filestats=%p, type=%s/%s, returning 1.", filename, filestats, type->super, type->type);
3140     return (1);
3141   }
3142 
3143   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "is_cgi: filename=\"%s\", filestats=%p, type=%s/%s, returning 0.", filename, filestats, type->super, type->type);
3144   return (0);
3145 }
3146 
3147 
3148 /*
3149  * 'is_path_absolute()' - Is a path absolute and free of relative elements (i.e. "..").
3150  */
3151 
3152 static int				/* O - 0 if relative, 1 if absolute */
is_path_absolute(const char * path)3153 is_path_absolute(const char *path)	/* I - Input path */
3154 {
3155  /*
3156   * Check for a leading slash...
3157   */
3158 
3159   if (path[0] != '/')
3160     return (0);
3161 
3162  /*
3163   * Check for "<" or quotes in the path and reject since this is probably
3164   * someone trying to inject HTML...
3165   */
3166 
3167   if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
3168     return (0);
3169 
3170  /*
3171   * Check for "/.." in the path...
3172   */
3173 
3174   while ((path = strstr(path, "/..")) != NULL)
3175   {
3176     if (!path[3] || path[3] == '/')
3177       return (0);
3178 
3179     path ++;
3180   }
3181 
3182  /*
3183   * If we haven't found any relative paths, return 1 indicating an
3184   * absolute path...
3185   */
3186 
3187   return (1);
3188 }
3189 
3190 
3191 /*
3192  * 'pipe_command()' - Pipe the output of a command to the remote client.
3193  */
3194 
3195 static int				/* O - Process ID */
pipe_command(cupsd_client_t * con,int infile,int * outfile,char * command,char * options,int root)3196 pipe_command(cupsd_client_t *con,	/* I - Client connection */
3197              int            infile,	/* I - Standard input for command */
3198              int            *outfile,	/* O - Standard output for command */
3199 	     char           *command,	/* I - Command to run */
3200 	     char           *options,	/* I - Options for command */
3201 	     int            root)	/* I - Run as root? */
3202 {
3203   int		i;			/* Looping var */
3204   int		pid;			/* Process ID */
3205   char		*commptr,		/* Command string pointer */
3206 		commch;			/* Command string character */
3207   char		*uriptr;		/* URI string pointer */
3208   int		fds[2];			/* Pipe FDs */
3209   int		argc;			/* Number of arguments */
3210   int		envc;			/* Number of environment variables */
3211   char		argbuf[10240],		/* Argument buffer */
3212 		*argv[100],		/* Argument strings */
3213 		*envp[MAX_ENV + 20];	/* Environment variables */
3214   char		auth_type[256],		/* AUTH_TYPE environment variable */
3215 		content_length[1024],	/* CONTENT_LENGTH environment variable */
3216 		content_type[1024],	/* CONTENT_TYPE environment variable */
3217 		http_cookie[32768],	/* HTTP_COOKIE environment variable */
3218 		http_referer[1024],	/* HTTP_REFERER environment variable */
3219 		http_user_agent[1024],	/* HTTP_USER_AGENT environment variable */
3220 		lang[1024],		/* LANG environment variable */
3221 		path_info[1024],	/* PATH_INFO environment variable */
3222 		remote_addr[1024],	/* REMOTE_ADDR environment variable */
3223 		remote_host[1024],	/* REMOTE_HOST environment variable */
3224 		remote_user[1024],	/* REMOTE_USER environment variable */
3225 		script_filename[1024],	/* SCRIPT_FILENAME environment variable */
3226 		script_name[1024],	/* SCRIPT_NAME environment variable */
3227 		server_name[1024],	/* SERVER_NAME environment variable */
3228 		server_port[1024];	/* SERVER_PORT environment variable */
3229   ipp_attribute_t *attr;		/* attributes-natural-language attribute */
3230 
3231 
3232  /*
3233   * Parse a copy of the options string, which is of the form:
3234   *
3235   *     argument+argument+argument
3236   *     ?argument+argument+argument
3237   *     param=value&param=value
3238   *     ?param=value&param=value
3239   *     /name?argument+argument+argument
3240   *     /name?param=value&param=value
3241   *
3242   * If the string contains an "=" character after the initial name,
3243   * then we treat it as a HTTP GET form request and make a copy of
3244   * the remaining string for the environment variable.
3245   *
3246   * The string is always parsed out as command-line arguments, to
3247   * be consistent with Apache...
3248   */
3249 
3250   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "pipe_command: infile=%d, outfile=%p, command=\"%s\", options=\"%s\", root=%d", infile, outfile, command, options ? options : "(null)", root);
3251 
3252   argv[0] = command;
3253 
3254   if (options)
3255     strlcpy(argbuf, options, sizeof(argbuf));
3256   else
3257     argbuf[0] = '\0';
3258 
3259   if (argbuf[0] == '/')
3260   {
3261    /*
3262     * Found some trailing path information, set PATH_INFO...
3263     */
3264 
3265     if ((commptr = strchr(argbuf, '?')) == NULL)
3266       commptr = argbuf + strlen(argbuf);
3267 
3268     commch   = *commptr;
3269     *commptr = '\0';
3270     snprintf(path_info, sizeof(path_info), "PATH_INFO=%s", argbuf);
3271     *commptr = commch;
3272   }
3273   else
3274   {
3275     commptr      = argbuf;
3276     path_info[0] = '\0';
3277 
3278     if (*commptr == ' ')
3279       commptr ++;
3280   }
3281 
3282   if (*commptr == '?' && con->operation == HTTP_STATE_GET && !con->query_string)
3283   {
3284     commptr ++;
3285     cupsdSetStringf(&(con->query_string), "QUERY_STRING=%s", commptr);
3286   }
3287 
3288   argc = 1;
3289 
3290   if (*commptr)
3291   {
3292     argv[argc ++] = commptr;
3293 
3294     for (; *commptr && argc < 99; commptr ++)
3295     {
3296      /*
3297       * Break arguments whenever we see a + or space...
3298       */
3299 
3300       if (*commptr == ' ' || *commptr == '+')
3301       {
3302 	while (*commptr == ' ' || *commptr == '+')
3303 	  *commptr++ = '\0';
3304 
3305        /*
3306 	* If we don't have a blank string, save it as another argument...
3307 	*/
3308 
3309 	if (*commptr)
3310 	{
3311 	  argv[argc] = commptr;
3312 	  argc ++;
3313 	}
3314 	else
3315 	  break;
3316       }
3317       else if (*commptr == '%' && isxdigit(commptr[1] & 255) &&
3318                isxdigit(commptr[2] & 255))
3319       {
3320        /*
3321 	* Convert the %xx notation to the individual character.
3322 	*/
3323 
3324 	if (commptr[1] >= '0' && commptr[1] <= '9')
3325           *commptr = (char)((commptr[1] - '0') << 4);
3326 	else
3327           *commptr = (char)((tolower(commptr[1]) - 'a' + 10) << 4);
3328 
3329 	if (commptr[2] >= '0' && commptr[2] <= '9')
3330           *commptr |= commptr[2] - '0';
3331 	else
3332           *commptr |= tolower(commptr[2]) - 'a' + 10;
3333 
3334 	_cups_strcpy(commptr + 1, commptr + 3);
3335 
3336        /*
3337 	* Check for a %00 and break if that is the case...
3338 	*/
3339 
3340 	if (!*commptr)
3341           break;
3342       }
3343     }
3344   }
3345 
3346   argv[argc] = NULL;
3347 
3348  /*
3349   * Setup the environment variables as needed...
3350   */
3351 
3352   if (con->username[0])
3353   {
3354     snprintf(auth_type, sizeof(auth_type), "AUTH_TYPE=%s",
3355              httpGetField(con->http, HTTP_FIELD_AUTHORIZATION));
3356 
3357     if ((uriptr = strchr(auth_type + 10, ' ')) != NULL)
3358       *uriptr = '\0';
3359   }
3360   else
3361     auth_type[0] = '\0';
3362 
3363   if (con->request && (attr = ippFindAttribute(con->request, "attributes-natural-language", IPP_TAG_LANGUAGE)) != NULL)
3364   {
3365     cups_lang_t *language = cupsLangGet(ippGetString(attr, 0, NULL));
3366 
3367     snprintf(lang, sizeof(lang), "LANG=%s.UTF8", language->language);
3368     cupsLangFree(language);
3369   }
3370   else if (con->language)
3371     snprintf(lang, sizeof(lang), "LANG=%s.UTF8", con->language->language);
3372   else
3373     strlcpy(lang, "LANG=C", sizeof(lang));
3374 
3375   strlcpy(remote_addr, "REMOTE_ADDR=", sizeof(remote_addr));
3376   httpAddrString(httpGetAddress(con->http), remote_addr + 12,
3377                  sizeof(remote_addr) - 12);
3378 
3379   snprintf(remote_host, sizeof(remote_host), "REMOTE_HOST=%s",
3380            httpGetHostname(con->http, NULL, 0));
3381 
3382   snprintf(script_name, sizeof(script_name), "SCRIPT_NAME=%s", con->uri);
3383   if ((uriptr = strchr(script_name, '?')) != NULL)
3384     *uriptr = '\0';
3385 
3386   snprintf(script_filename, sizeof(script_filename), "SCRIPT_FILENAME=%s%s",
3387            DocumentRoot, script_name + 12);
3388 
3389   snprintf(server_port, sizeof(server_port), "SERVER_PORT=%d", con->serverport);
3390 
3391   if (httpGetField(con->http, HTTP_FIELD_HOST)[0])
3392   {
3393     char *nameptr;			/* Pointer to ":port" */
3394 
3395     snprintf(server_name, sizeof(server_name), "SERVER_NAME=%s",
3396 	     httpGetField(con->http, HTTP_FIELD_HOST));
3397     if ((nameptr = strrchr(server_name, ':')) != NULL && !strchr(nameptr, ']'))
3398       *nameptr = '\0';			/* Strip trailing ":port" */
3399   }
3400   else
3401     snprintf(server_name, sizeof(server_name), "SERVER_NAME=%s",
3402 	     con->servername);
3403 
3404   envc = cupsdLoadEnv(envp, (int)(sizeof(envp) / sizeof(envp[0])));
3405 
3406   if (auth_type[0])
3407     envp[envc ++] = auth_type;
3408 
3409   envp[envc ++] = lang;
3410   envp[envc ++] = "REDIRECT_STATUS=1";
3411   envp[envc ++] = "GATEWAY_INTERFACE=CGI/1.1";
3412   envp[envc ++] = server_name;
3413   envp[envc ++] = server_port;
3414   envp[envc ++] = remote_addr;
3415   envp[envc ++] = remote_host;
3416   envp[envc ++] = script_name;
3417   envp[envc ++] = script_filename;
3418 
3419   if (path_info[0])
3420     envp[envc ++] = path_info;
3421 
3422   if (con->username[0])
3423   {
3424     snprintf(remote_user, sizeof(remote_user), "REMOTE_USER=%s", con->username);
3425 
3426     envp[envc ++] = remote_user;
3427   }
3428 
3429   if (httpGetVersion(con->http) == HTTP_VERSION_1_1)
3430     envp[envc ++] = "SERVER_PROTOCOL=HTTP/1.1";
3431   else if (httpGetVersion(con->http) == HTTP_VERSION_1_0)
3432     envp[envc ++] = "SERVER_PROTOCOL=HTTP/1.0";
3433   else
3434     envp[envc ++] = "SERVER_PROTOCOL=HTTP/0.9";
3435 
3436   if (httpGetCookie(con->http))
3437   {
3438     snprintf(http_cookie, sizeof(http_cookie), "HTTP_COOKIE=%s",
3439              httpGetCookie(con->http));
3440     envp[envc ++] = http_cookie;
3441   }
3442 
3443   if (httpGetField(con->http, HTTP_FIELD_USER_AGENT)[0])
3444   {
3445     snprintf(http_user_agent, sizeof(http_user_agent), "HTTP_USER_AGENT=%s",
3446              httpGetField(con->http, HTTP_FIELD_USER_AGENT));
3447     envp[envc ++] = http_user_agent;
3448   }
3449 
3450   if (httpGetField(con->http, HTTP_FIELD_REFERER)[0])
3451   {
3452     snprintf(http_referer, sizeof(http_referer), "HTTP_REFERER=%s",
3453              httpGetField(con->http, HTTP_FIELD_REFERER));
3454     envp[envc ++] = http_referer;
3455   }
3456 
3457   if (con->operation == HTTP_STATE_GET)
3458   {
3459     envp[envc ++] = "REQUEST_METHOD=GET";
3460 
3461     if (con->query_string)
3462     {
3463      /*
3464       * Add GET form variables after ?...
3465       */
3466 
3467       envp[envc ++] = con->query_string;
3468     }
3469     else
3470       envp[envc ++] = "QUERY_STRING=";
3471   }
3472   else
3473   {
3474     sprintf(content_length, "CONTENT_LENGTH=" CUPS_LLFMT,
3475             CUPS_LLCAST con->bytes);
3476     snprintf(content_type, sizeof(content_type), "CONTENT_TYPE=%s",
3477              httpGetField(con->http, HTTP_FIELD_CONTENT_TYPE));
3478 
3479     envp[envc ++] = "REQUEST_METHOD=POST";
3480     envp[envc ++] = content_length;
3481     envp[envc ++] = content_type;
3482   }
3483 
3484  /*
3485   * Tell the CGI if we are using encryption...
3486   */
3487 
3488   if (httpIsEncrypted(con->http))
3489     envp[envc ++] = "HTTPS=ON";
3490 
3491  /*
3492   * Terminate the environment array...
3493   */
3494 
3495   envp[envc] = NULL;
3496 
3497   if (LogLevel >= CUPSD_LOG_DEBUG)
3498   {
3499     for (i = 0; i < argc; i ++)
3500       cupsdLogMessage(CUPSD_LOG_DEBUG,
3501                       "[CGI] argv[%d] = \"%s\"", i, argv[i]);
3502     for (i = 0; i < envc; i ++)
3503       cupsdLogMessage(CUPSD_LOG_DEBUG,
3504                       "[CGI] envp[%d] = \"%s\"", i, envp[i]);
3505   }
3506 
3507  /*
3508   * Create a pipe for the output...
3509   */
3510 
3511   if (cupsdOpenPipe(fds))
3512   {
3513     cupsdLogMessage(CUPSD_LOG_ERROR, "[CGI] Unable to create pipe for %s - %s",
3514                     argv[0], strerror(errno));
3515     return (0);
3516   }
3517 
3518  /*
3519   * Then execute the command...
3520   */
3521 
3522   if (cupsdStartProcess(command, argv, envp, infile, fds[1], CGIPipes[1],
3523 			-1, -1, root, DefaultProfile, NULL, &pid) < 0)
3524   {
3525    /*
3526     * Error - can't fork!
3527     */
3528 
3529     cupsdLogMessage(CUPSD_LOG_ERROR, "[CGI] Unable to start %s - %s", argv[0],
3530                     strerror(errno));
3531 
3532     cupsdClosePipe(fds);
3533     pid = 0;
3534   }
3535   else
3536   {
3537    /*
3538     * Fork successful - return the PID...
3539     */
3540 
3541     if (con->username[0])
3542       cupsdAddCert(pid, con->username, con->type);
3543 
3544     cupsdLogMessage(CUPSD_LOG_DEBUG, "[CGI] Started %s (PID %d)", command, pid);
3545 
3546     *outfile = fds[0];
3547     close(fds[1]);
3548   }
3549 
3550   return (pid);
3551 }
3552 
3553 
3554 /*
3555  * 'valid_host()' - Is the Host: field valid?
3556  */
3557 
3558 static int				/* O - 1 if valid, 0 if not */
valid_host(cupsd_client_t * con)3559 valid_host(cupsd_client_t *con)		/* I - Client connection */
3560 {
3561   cupsd_alias_t	*a;			/* Current alias */
3562   cupsd_netif_t	*netif;			/* Current network interface */
3563   const char	*end;			/* End character */
3564   char		*ptr;			/* Pointer into host value */
3565 
3566 
3567  /*
3568   * Copy the Host: header for later use...
3569   */
3570 
3571   strlcpy(con->clientname, httpGetField(con->http, HTTP_FIELD_HOST),
3572           sizeof(con->clientname));
3573   if ((ptr = strrchr(con->clientname, ':')) != NULL && !strchr(ptr, ']'))
3574   {
3575     *ptr++ = '\0';
3576     con->clientport = atoi(ptr);
3577   }
3578   else
3579     con->clientport = con->serverport;
3580 
3581  /*
3582   * Then validate...
3583   */
3584 
3585   if (httpAddrLocalhost(httpGetAddress(con->http)))
3586   {
3587    /*
3588     * Only allow "localhost" or the equivalent IPv4 or IPv6 numerical
3589     * addresses when accessing CUPS via the loopback interface...
3590     */
3591 
3592     return (!_cups_strcasecmp(con->clientname, "localhost") ||
3593 	    !_cups_strcasecmp(con->clientname, "localhost.") ||
3594             !strcmp(con->clientname, "127.0.0.1") ||
3595 	    !strcmp(con->clientname, "[::1]"));
3596   }
3597 
3598 #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
3599  /*
3600   * Check if the hostname is something.local (Bonjour); if so, allow it.
3601   */
3602 
3603   if ((end = strrchr(con->clientname, '.')) != NULL && end > con->clientname &&
3604       !end[1])
3605   {
3606    /*
3607     * "." on end, work back to second-to-last "."...
3608     */
3609 
3610     for (end --; end > con->clientname && *end != '.'; end --);
3611   }
3612 
3613   if (end && (!_cups_strcasecmp(end, ".local") ||
3614 	      !_cups_strcasecmp(end, ".local.")))
3615     return (1);
3616 #endif /* HAVE_DNSSD || HAVE_AVAHI */
3617 
3618  /*
3619   * Check if the hostname is an IP address...
3620   */
3621 
3622   if (isdigit(con->clientname[0] & 255) || con->clientname[0] == '[')
3623   {
3624    /*
3625     * Possible IPv4/IPv6 address...
3626     */
3627 
3628     http_addrlist_t *addrlist;		/* List of addresses */
3629 
3630 
3631     if ((addrlist = httpAddrGetList(con->clientname, AF_UNSPEC, NULL)) != NULL)
3632     {
3633      /*
3634       * Good IPv4/IPv6 address...
3635       */
3636 
3637       httpAddrFreeList(addrlist);
3638       return (1);
3639     }
3640   }
3641 
3642  /*
3643   * Check for (alias) name matches...
3644   */
3645 
3646   for (a = (cupsd_alias_t *)cupsArrayFirst(ServerAlias);
3647        a;
3648        a = (cupsd_alias_t *)cupsArrayNext(ServerAlias))
3649   {
3650    /*
3651     * "ServerAlias *" allows all host values through...
3652     */
3653 
3654     if (!strcmp(a->name, "*"))
3655       return (1);
3656 
3657     if (!_cups_strncasecmp(con->clientname, a->name, a->namelen))
3658     {
3659      /*
3660       * Prefix matches; check the character at the end - it must be "." or nul.
3661       */
3662 
3663       end = con->clientname + a->namelen;
3664 
3665       if (!*end || (*end == '.' && !end[1]))
3666         return (1);
3667     }
3668   }
3669 
3670 #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
3671   for (a = (cupsd_alias_t *)cupsArrayFirst(DNSSDAlias);
3672        a;
3673        a = (cupsd_alias_t *)cupsArrayNext(DNSSDAlias))
3674   {
3675    /*
3676     * "ServerAlias *" allows all host values through...
3677     */
3678 
3679     if (!strcmp(a->name, "*"))
3680       return (1);
3681 
3682     if (!_cups_strncasecmp(con->clientname, a->name, a->namelen))
3683     {
3684      /*
3685       * Prefix matches; check the character at the end - it must be "." or nul.
3686       */
3687 
3688       end = con->clientname + a->namelen;
3689 
3690       if (!*end || (*end == '.' && !end[1]))
3691         return (1);
3692     }
3693   }
3694 #endif /* HAVE_DNSSD || HAVE_AVAHI */
3695 
3696  /*
3697   * Check for interface hostname matches...
3698   */
3699 
3700   for (netif = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
3701        netif;
3702        netif = (cupsd_netif_t *)cupsArrayNext(NetIFList))
3703   {
3704     if (!_cups_strncasecmp(con->clientname, netif->hostname, netif->hostlen))
3705     {
3706      /*
3707       * Prefix matches; check the character at the end - it must be "." or nul.
3708       */
3709 
3710       end = con->clientname + netif->hostlen;
3711 
3712       if (!*end || (*end == '.' && !end[1]))
3713         return (1);
3714     }
3715   }
3716 
3717   return (0);
3718 }
3719 
3720 
3721 /*
3722  * 'write_file()' - Send a file via HTTP.
3723  */
3724 
3725 static int				/* O - 0 on failure, 1 on success */
write_file(cupsd_client_t * con,http_status_t code,char * filename,char * type,struct stat * filestats)3726 write_file(cupsd_client_t *con,		/* I - Client connection */
3727            http_status_t  code,		/* I - HTTP status */
3728 	   char           *filename,	/* I - Filename */
3729 	   char           *type,	/* I - File type */
3730 	   struct stat    *filestats)	/* O - File information */
3731 {
3732   con->file = open(filename, O_RDONLY);
3733 
3734   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "write_file: code=%d, filename=\"%s\" (%d), type=\"%s\", filestats=%p.", code, filename, con->file, type ? type : "(null)", filestats);
3735 
3736   if (con->file < 0)
3737     return (0);
3738 
3739   fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
3740 
3741   con->pipe_pid    = 0;
3742   con->sent_header = 1;
3743 
3744   httpClearFields(con->http);
3745 
3746   httpSetLength(con->http, (size_t)filestats->st_size);
3747 
3748   httpSetField(con->http, HTTP_FIELD_LAST_MODIFIED,
3749 	       httpGetDateString(filestats->st_mtime));
3750 
3751   if (!cupsdSendHeader(con, code, type, CUPSD_AUTH_NONE))
3752     return (0);
3753 
3754   cupsdAddSelect(httpGetFd(con->http), NULL, (cupsd_selfunc_t)cupsdWriteClient, con);
3755 
3756   cupsdLogClient(con, CUPSD_LOG_DEBUG, "Sending file.");
3757 
3758   return (1);
3759 }
3760 
3761 
3762 /*
3763  * 'write_pipe()' - Flag that data is available on the CGI pipe.
3764  */
3765 
3766 static void
write_pipe(cupsd_client_t * con)3767 write_pipe(cupsd_client_t *con)		/* I - Client connection */
3768 {
3769   cupsdLogClient(con, CUPSD_LOG_DEBUG2, "write_pipe: CGI output on fd %d.", con->file);
3770 
3771   con->file_ready = 1;
3772 
3773   cupsdRemoveSelect(con->file);
3774   cupsdAddSelect(httpGetFd(con->http), NULL, (cupsd_selfunc_t)cupsdWriteClient, con);
3775 
3776   cupsdLogClient(con, CUPSD_LOG_DEBUG, "CGI data ready to be sent.");
3777 }
3778