diff options
Diffstat (limited to 'web/server')
| -rw-r--r-- | web/server/README.md | 4 | ||||
| -rw-r--r-- | web/server/static/README.md | 2 | ||||
| -rw-r--r-- | web/server/static/static-threaded.c | 2 | ||||
| -rw-r--r-- | web/server/web_client.c | 83 | ||||
| -rw-r--r-- | web/server/web_client.h | 3 |
5 files changed, 9 insertions, 85 deletions
diff --git a/web/server/README.md b/web/server/README.md index dc447118e..6485b84bc 100644 --- a/web/server/README.md +++ b/web/server/README.md @@ -221,8 +221,6 @@ present that may match DNS FQDNs. |ses max window|`15`|See [single exponential smoothing](/web/api/queries/des/README.md)| |des max window|`15`|See [double exponential smoothing](/web/api/queries/des/README.md)| |listen backlog|`4096`|The port backlog. Check `man 2 listen`.| -|web files owner|`netdata`|The user that owns the web static files. Netdata will refuse to serve a file that is not owned by this user, even if it has read access to that file. If the user given is not found, Netdata will only serve files owned by user given in `run as user`.| -|web files group|`netdata`|If this is set, Netdata will check if the file is owned by this group and refuse to serve the file if it's not.| |disconnect idle clients after seconds|`60`|The time in seconds to disconnect web clients after being totally idle.| |timeout for first request|`60`|How long to wait for a client to send a request before closing the socket. Prevents slow request attacks.| |accept a streaming request every seconds|`0`|Can be used to set a limit on how often a parent node will accept streaming requests from child nodes in a [streaming and replication setup](/streaming/README.md)| @@ -242,4 +240,4 @@ If you publish your Netdata to the internet, you may want to apply some protecti 4. Run the `netdata` process with a low process scheduling priority (the default is the lowest) 5. If possible, proxy Netdata via a full featured web server (nginx, apache, etc) -[](<>) + diff --git a/web/server/static/README.md b/web/server/static/README.md index e095f2ef3..6a83b70db 100644 --- a/web/server/static/README.md +++ b/web/server/static/README.md @@ -14,4 +14,4 @@ Each thread uses non-blocking I/O so it can serve any number of web requests in This web server respects the `keep-alive` HTTP header to serve multiple HTTP requests via the same connection. -[](<>) + diff --git a/web/server/static/static-threaded.c b/web/server/static/static-threaded.c index 07aa3fa3d..ff10cb881 100644 --- a/web/server/static/static-threaded.c +++ b/web/server/static/static-threaded.c @@ -331,7 +331,7 @@ static void web_server_tmr_callback(void *timer_data) { char title[100 + 1]; snprintfz(id, 100, "web_thread%d_cpu", worker_private->id + 1); - snprintfz(title, 100, "Netdata web server thread No %d CPU usage", worker_private->id + 1); + snprintfz(title, 100, "Netdata web server thread CPU usage"); st = rrdset_create_localhost( "netdata" diff --git a/web/server/web_client.c b/web/server/web_client.c index e4c6a0c89..e61dc0a54 100644 --- a/web/server/web_client.c +++ b/web/server/web_client.c @@ -204,68 +204,6 @@ void web_client_request_done(struct web_client *w) { #endif // NETDATA_WITH_ZLIB } -uid_t web_files_uid(void) { - static char *web_owner = NULL; - static uid_t owner_uid = 0; - - if(unlikely(!web_owner)) { - // getpwuid() is not thread safe, - // but we have called this function once - // while single threaded - struct passwd *pw = getpwuid(geteuid()); - web_owner = config_get(CONFIG_SECTION_WEB, "web files owner", (pw)?(pw->pw_name?pw->pw_name:""):""); - if(!web_owner || !*web_owner) - owner_uid = geteuid(); - else { - // getpwnam() is not thread safe, - // but we have called this function once - // while single threaded - pw = getpwnam(web_owner); - if(!pw) { - error("User '%s' is not present. Ignoring option.", web_owner); - owner_uid = geteuid(); - } - else { - debug(D_WEB_CLIENT, "Web files owner set to %s.", web_owner); - owner_uid = pw->pw_uid; - } - } - } - - return(owner_uid); -} - -gid_t web_files_gid(void) { - static char *web_group = NULL; - static gid_t owner_gid = 0; - - if(unlikely(!web_group)) { - // getgrgid() is not thread safe, - // but we have called this function once - // while single threaded - struct group *gr = getgrgid(getegid()); - web_group = config_get(CONFIG_SECTION_WEB, "web files group", (gr)?(gr->gr_name?gr->gr_name:""):""); - if(!web_group || !*web_group) - owner_gid = getegid(); - else { - // getgrnam() is not thread safe, - // but we have called this function once - // while single threaded - gr = getgrnam(web_group); - if(!gr) { - error("Group '%s' is not present. Ignoring option.", web_group); - owner_gid = getegid(); - } - else { - debug(D_WEB_CLIENT, "Web files group set to %s.", web_group); - owner_gid = gr->gr_gid; - } - } - } - - return(owner_gid); -} - static struct { const char *extension; uint32_t hash; @@ -399,18 +337,6 @@ int mysendfile(struct web_client *w, char *filename) { return access_to_file_is_not_permitted(w, webfilename); } - // check if the file is owned by expected user - if (statbuf.st_uid != web_files_uid()) { - error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, statbuf.st_uid, web_files_uid()); - return access_to_file_is_not_permitted(w, webfilename); - } - - // check if the file is owned by expected group - if (statbuf.st_gid != web_files_gid()) { - error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, statbuf.st_gid, web_files_gid()); - return access_to_file_is_not_permitted(w, webfilename); - } - done = 1; } @@ -439,7 +365,7 @@ int mysendfile(struct web_client *w, char *filename) { sock_setnonblock(w->ifd); w->response.data->contenttype = contenttype_for_filename(webfilename); - debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, statbuf.st_size, w->ifd, w->ofd); + debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%"PRId64" bytes, ifd %d, ofd %d).", w->id, webfilename, (int64_t)statbuf.st_size, w->ifd, w->ofd); w->mode = WEB_CLIENT_MODE_FILECOPY; web_client_enable_wait_receive(w); @@ -582,14 +508,14 @@ static inline int check_host_and_call(RRDHOST *host, struct web_client *w, char return func(host, w, url); } -static inline int check_host_and_dashboard_acl_and_call(RRDHOST *host, struct web_client *w, char *url, int (*func)(RRDHOST *, struct web_client *, char *)) { +static inline int UNUSED_FUNCTION(check_host_and_dashboard_acl_and_call)(RRDHOST *host, struct web_client *w, char *url, int (*func)(RRDHOST *, struct web_client *, char *)) { if(!web_client_can_access_dashboard(w)) return web_client_permission_denied(w); return check_host_and_call(host, w, url, func); } -static inline int check_host_and_mgmt_acl_and_call(RRDHOST *host, struct web_client *w, char *url, int (*func)(RRDHOST *, struct web_client *, char *)) { +static inline int UNUSED_FUNCTION(check_host_and_mgmt_acl_and_call)(RRDHOST *host, struct web_client *w, char *url, int (*func)(RRDHOST *, struct web_client *, char *)) { if(!web_client_can_access_mgmt(w)) return web_client_permission_denied(w); @@ -1076,6 +1002,9 @@ static inline HTTP_VALIDATION http_request_validate(struct web_client *w) { if (url_parse_query_string(w->decoded_query_string, NETDATA_WEB_REQUEST_URL_SIZE + 1, ptr_variables, total_variables)) { return HTTP_VALIDATION_MALFORMED_URL; } + } else { + //make sure there's no leftovers from previous request on the same web client + w->decoded_query_string[1]='\0'; } } *ue = ' '; diff --git a/web/server/web_client.h b/web/server/web_client.h index 4580b9749..e859e1136 100644 --- a/web/server/web_client.h +++ b/web/server/web_client.h @@ -194,9 +194,6 @@ struct web_client { #endif }; -extern uid_t web_files_uid(void); -extern uid_t web_files_gid(void); - extern int web_client_permission_denied(struct web_client *w); extern ssize_t web_client_send(struct web_client *w); |