Finalize proxy support for http_get()

... for curl, wget and sockets. Tested and worked.

Furthermore: fd_socket() now is a bit more injection safe as
an echo statement was exchange by printf. For possible future
changes fd_socket now also has and arg1 for the file descriptor.
This commit is contained in:
Dirk 2018-08-17 12:23:16 +02:00
parent 7cc584027c
commit ed17797b13

View File

@ -1399,33 +1399,38 @@ filter_input() {
# Dl's any URL (arg1) via HTTP 1.1 GET from port 80, arg2: file to store http body.
# Proxy is not honored yet (see cmd line switches) -- except when using curl or wget.
# There the environment variable is used automatically
#
# Currently it is being used by check_revocation_crl() only.
http_get() {
local proto z
local node="" query=""
local dl="$2"
local useragent="$UA_STD"
local proxy_arg=""
local jsonID="http_get"
"$SNEAKY" && useragent="$UA_SNEAKY"
set -x
if type -p curl &>/dev/null; then
if [[ -z "$PROXY" ]]; then
curl -s --noproxy '*' -A $''"$useragent"'' -o $dl "$1"
else
# If there's a proxy defined, we just use the env variable http_proxy
#http_proxy hier definieren!
curl -s -A $''"$useragent"'' -o $dl "$1"
# for the sake of simplicity assume the proxy is using http
curl -s -x $PROXYIP:$PROXYPORT -A $''"$useragent"'' -o $dl "$1"
fi
return $?
elif type -p wget &>/dev/null; then
if [[ -z "$PROXY" ]] ; then
proxy_arg='--no-proxy'
#http_proxy hier definieren!
# wget has no proxy command line. We need to use http_proxy instead. And for the sake of simplicity
# assume the GET protocol we query is using http -- http_proxy is the $ENV not for the connection TO
# the proxy, but for the protocol we query THROUGH the proxy
if [[ -z "$PROXY" ]]; then
wget --no-proxy -q -U $''"$useragent"'' -O $dl "$1"
else
if [[ -z "$http_proxy" ]]; then
http_proxy=http://$PROXYIP:$PROXYPORT wget -q -U $''"$useragent"'' -O $dl "$1"
else
wget -q -U $''"$useragent"'' -O $dl "$1"
fi
fi
# If there's a proxy defined, we just use the env variable http_proxy
wget "$proxy_arg" -q -U $''"$useragent"'' -O $dl "$1"
return $?
else
# Worst option: slower and hiccups with chunked transfers. Workround for the
@ -1435,31 +1440,34 @@ set -x
proto=${proto%:}
if [[ "$proto" != http ]]; then
pr_warning "protocol $proto not supported yet"
fileout "$jsonID" "DEBUG" "protocol $proto not supported yet"
return 6
fi
if [[ -n $PROXY ]]; then
#FIXME: finish proxy support here. fd_socket connects to NODE or NODEIP
# fd_socket || return 6
# printf -- "%b" "GET $proto://$node/$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&5
pr_warning "proxying not supported yet"
return 6
# PROXYNODE works better than PROXYIP on modern versions of squid. \
# We don't reuse the code in fd_socket() as there's initial CONNECT which makes problems
if ! exec 33<> /dev/tcp/${PROXYNODE}/${PROXYPORT}; then
outln
pr_warning "$PROG_NAME: unable to open a socket to proxy $PROXYNODE:$PROXYPORT"
fileout "$jsonID" "DEBUG" "$PROG_NAME: unable to open a socket to proxy $PROXYNODE:$PROXYPORT"
return 6
else
printf -- "%b" "GET $proto://$node/$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33
fi
else
IFS=/ read -r proto z node query <<< "$1"
exec 33<>/dev/tcp/$node/80
printf -- "%b" "GET /$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33
fi
# strip HTTP header
# Strip HTTP header. When in Debug Mode we leave the raw data in place
if [[ $DEBUG -ge 1 ]]; then
cat <&5 >${dl}.raw
cat <&33 >${dl}.raw
cat ${dl}.raw | sed '1,/^[[:space:]]*$/d' >${dl}
else
cat <&5 | sed '1,/^[[:space:]]*$/d' >${dl}
fi
if [[ -n $PROXY ]]; then
close_socket
else
exec 33<&-
cat <&33 | sed '1,/^[[:space:]]*$/d' >${dl}
fi
exec 33<&-
exec 33>&-
[[ -s "$dl" ]] && return 0 || return 1
fi
}
@ -1564,9 +1572,9 @@ check_revocation_ocsp() {
grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
if [[ -n "$stapled_response" ]]; then
> "$TEMPDIR/stabled_ocsp_response.dd"
asciihex_to_binary_file "$stapled_response" "$TEMPDIR/stabled_ocsp_response.dd"
$OPENSSL ocsp -no_nonce -respin "$TEMPDIR/stabled_ocsp_response.dd" \
> "$TEMPDIR/stapled_ocsp_response.dd"
asciihex_to_binary_file "$stapled_response" "$TEMPDIR/stapled_ocsp_response.dd"
$OPENSSL ocsp -no_nonce -respin "$TEMPDIR/stapled_ocsp_response.dd" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
else
@ -8948,7 +8956,8 @@ starttls_mysql_dialog() {
return $ret
}
# arg for a fd doesn't work here
# arg1: fd for socket -- which we don't use as it is a hassle and it is not clear whether it works under every bash version
#
fd_socket() {
local jabber=""
local proyxline=""
@ -8962,9 +8971,9 @@ fd_socket() {
return 6
fi
if "$DNS_VIA_PROXY"; then
printf -- "%b" "CONNECT $NODE:$PORT\r\n" >&5
printf -- "%b" "CONNECT $NODE:$PORT HTTP/1.0\n\n" >&5
else
printf -- "%b" "CONNECT $nodeip:$PORT\r\n\r\n" >&5
printf -- "%b" "CONNECT $nodeip:$PORT HTTP/1.0\n\n" >&5
fi
while true; do
read -t $PROXY_WAIT -r proyxline <&5
@ -16160,12 +16169,6 @@ check_proxy() {
PROXY="${https_proxy#*\/\/}"
[[ -z "$PROXY" ]] && PROXY="${http_proxy#*\/\/}"
[[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" $ERR_CMDLINE
else
# set ENV as we might need it for http_get(). Normalize it to remove protocol
http_proxy="${PROXY/http\:\/\//}"
https_proxy="${PROXY/http\:\/\//}"
export http_proxy=http://${PROXY}
export https_proxy=http://${PROXY}
fi
# strip off http/https part if supplied:
PROXY="${PROXY/http\:\/\//}"
@ -16319,7 +16322,7 @@ determine_service() {
local ua
local protocol
if ! fd_socket; then # check if we can connect to $NODEIP:$PORT
if ! fd_socket 5; then # check if we can connect to $NODEIP:$PORT
if [[ -n "$PROXY" ]]; then
fatal "You're sure $PROXYNODE:$PROXYPORT allows tunneling here? Can't connect to \"$NODEIP:$PORT\"" $ERR_CONNECT
else