diff --git a/NEWS b/NEWS index 0bc2471eb..319e506f4 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,6 @@ ver 0.21.10 (not yet released) +* output + - httpd: reject some well-known URIs * fix crash bug (0.21.9 regression) ver 0.21.9 (2019/05/20) diff --git a/src/output/plugins/httpd/HttpdClient.cxx b/src/output/plugins/httpd/HttpdClient.cxx index 3de895092..40435fae1 100644 --- a/src/output/plugins/httpd/HttpdClient.cxx +++ b/src/output/plugins/httpd/HttpdClient.cxx @@ -83,6 +83,17 @@ HttpdClient::HandleLine(const char *line) noexcept return false; } + /* blacklist some well-known request paths */ + if ((strncmp(line, "favicon.ico", 11) == 0 && + (line[11] == '\0' || line[11] == ' ')) || + (strncmp(line, "robots.txt", 10) == 0 && + (line[10] == '\0' || line[10] == ' ')) || + (strncmp(line, "sitemap.xml", 11) == 0 && + (line[11] == '\0' || line[11] == ' ')) || + (strncmp(line, ".well-known/", 12) == 0)) { + should_reject = true; + } + line = strchr(line, ' '); if (line == nullptr || strncmp(line + 1, "HTTP/", 5) != 0) { /* HTTP/0.9 without request headers */ @@ -129,7 +140,14 @@ HttpdClient::SendResponse() noexcept assert(state == State::RESPONSE); - if (metadata_requested) { + if (should_reject) { + response = + "HTTP/1.1 404 not found\r\n" + "Content-Type: text/plain\r\n" + "Connection: close\r\n" + "\r\n" + "404 not found"; + } else if (metadata_requested) { allocated = icy_server_metadata_header(httpd.name, httpd.genre, httpd.website, @@ -415,7 +433,7 @@ HttpdClient::OnSocketInput(void *data, size_t length) noexcept if (!SendResponse()) return InputResult::CLOSED; - if (head_method) { + if (head_method || should_reject) { LockClose(); return InputResult::CLOSED; } diff --git a/src/output/plugins/httpd/HttpdClient.hxx b/src/output/plugins/httpd/HttpdClient.hxx index 751d3f2c3..7977cf419 100644 --- a/src/output/plugins/httpd/HttpdClient.hxx +++ b/src/output/plugins/httpd/HttpdClient.hxx 
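Review bot: In the `HandleLine` hunk, every denylist entry pairs a string literal with a hand-counted length (`"favicon.ico", 11`, `"robots.txt", 10`, …) and then indexes `line[11]` / `line[10]` with the same number, so a miscounted length in a later addition would silently change what gets rejected. A file-local helper that derives the length from the literal removes that duplication, e.g. `static bool MatchPath(const char *s, const char *name) noexcept { const size_t n = strlen(name); return strncmp(s, name, n) == 0 && (s[n] == '\0' || s[n] == ' '); }`. Only `'\0'` and `' '` terminate a match, so a constructed request such as `favicon.ico?v=2` is not rejected and presumably still receives the stream; accepting `'?'` as a terminator would close that gap. The enclosing function starts and ends outside the hunk, so how the HTTP/0.9 path below treats `should_reject` is not visible here.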
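Review bot: In the `SendResponse` hunk, the new `should_reject` branch is tested before `head_method` is taken into account, so a rejected HEAD request would be answered with the literal body `404 not found` after the headers, which a HEAD response must not carry. This assumes HEAD requests reach the denylist check in `HandleLine`, which the `head_method || should_reject` condition in `OnSocketInput` suggests. Selecting a header-only literal when `head_method` is set would keep the reply well-formed. The response also omits `Content-Length`; that is legal with `Connection: close`, but adding `"Content-Length: 13\r\n"` would let clients and intermediaries detect a truncated reply. The rest of `SendResponse` lies outside the hunk.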
@@ -83,6 +83,11 @@ class HttpdClient final */ bool head_method = false; + /** + * Should we reject this request? + */ + bool should_reject = false; + /* ICY */ /**