# HG changeset patch
# User Matthias Förste
# Date 1403101998 -7200
# Node ID 2d91f287b9b6ec1080f2c30aea9cf09c2f42aff5
# Parent 5979296311cb4c8e4cab9350abb3030acb54b99e
reversed quilt patches from source
diff -r 5979296311cb -r 2d91f287b9b6 .pc/.quilt_patches
--- a/.pc/.quilt_patches Wed Jun 18 16:19:01 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-debian/patches
diff -r 5979296311cb -r 2d91f287b9b6 .pc/.quilt_series
--- a/.pc/.quilt_series Wed Jun 18 16:19:01 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-series
diff -r 5979296311cb -r 2d91f287b9b6 .pc/.version
--- a/.pc/.version Wed Jun 18 16:19:01 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-2
diff -r 5979296311cb -r 2d91f287b9b6 .pc/03_havp.config.patch/etc/havp/havp.config.in
--- a/.pc/03_havp.config.patch/etc/havp/havp.config.in Wed Jun 18 16:19:01 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,664 +0,0 @@
-#
-# This is the configuration file for HAVP
-#
-# All lines starting with a hash (#) or empty lines are ignored.
-# Uncomment parameters you want to change!
-#
-# All parameters configurable in this file are explained and their default
-# values are shown. If no default value is defined "NONE" is specified.
-#
-# General syntax: Parameter Value
-# Value can be: true/false, number, or path
-#
-# Extra spaces and tabs are ignored.
-#
-
-# You must remove this line for HAVP to start.
-# This makes sure you have (hopefully) reviewed the configuration. :)
-# Hint: You must enable some scanner! Find them in the end..
-REMOVETHISLINE deleteme
-
-#
-# For reasons of security it is recommended to run a proxy program
-# without root rights. It is recommended to create user that is not
-# used by any other program.
-#
-# Default:
-# USER havp
-# GROUP havp
-
-# If this is true HAVP is running as daemon in background.
-# For testing you may run HAVP at your text console.
-#
-# Default:
-# DAEMON true
-
-#
-# Process id (PID) of the main HAVP process is written to this file.
-# Be sure that it is writeable by the user under which HAVP is running.
-# /etc/init.d/havp script requires this to work.
-#
-# Default:
-# PIDFILE @localstatedir@/run/havp/havp.pid
-
-#
-# For performance reasons several instances of HAVP have to run.
-# Specify how many servers (child processes) are simultaneously
-# listening on port PORT for a connection. Minimum value should be
-# the peak requests-per-second expected + 5 for headroom. For best
-# performance, you should have atleast 1 CPU core per 16 processes.
-#
-# For single user home use, 8 should be minimum.
-# For 500+ users corporate use, start at 40.
-#
-# Value can and should be higher than recommended. Memory and
-# CPU usage is only affected by the number of concurrent requests.
-#
-# More childs are automatically created when needed, up to MAXSERVERS.
-#
-# Default:
-# SERVERNUMBER 8
-# MAXSERVERS 100
-
-#
-# Files where to log requests and info/errors.
-# Needs to have write permission for HAVP user.
-#
-# Default:
-# ACCESSLOG @localstatedir@/log/havp/access.log
-# ERRORLOG @localstatedir@/log/havp/havp.log
-# VIRUSLOG (same as ACCESSLOG)
-
-#
-# Format for timestamps in logfile messages.
-# See: man strftime
-#
-# Default:
-# TIMEFORMAT %d/%m/%Y %H:%M:%S
-
-#
-# Syslog can be used instead of logging to file.
-# For facilities and levels, see "man syslog".
-#
-# Default:
-# USESYSLOG false
-# SYSLOGNAME havp
-# SYSLOGFACILITY daemon
-# SYSLOGLEVEL info
-# SYSLOGVIRUSLEVEL warning
-
-#
-# true: Log every request to access log
-# false: Log only viruses to access log
-#
-# Default:
-# LOG_OKS true
-
-#
-# Level of HAVP logging
-# 0 = Only serious errors and information
-# 1 = Less interesting information is included
-#
-# Default:
-# LOGLEVEL 0
-
-#
-# Temporary scan file.
-# This file must reside on a partition for which mandatory
-# locking is enabled. For Linux, use "-o mand" in mount command.
-# See "man mount" for details. Solaris does not need any special
-# steps, it works directly.
-#
-# Specify absolute path to a file which name must contain "XXXXXX".
-# These characters are used by system to create unique named files.
-#
-# Default:
-# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
-
-#
-# Directory for ClamAV and other scanner created tempfiles.
-# Needs to be writable by HAVP user. Use ramdisk for best performance.
-#
-# Default:
-# TEMPDIR /var/tmp
-
-#
-# HAVP reloads scanners virus database by receiving a signal
-# (send SIGHUP to PID from PIDFILE, see "man kill") or after
-# a specified period of time. Specify here the number of
-# minutes to wait for reloading.
-#
-# This only affects library scanners (clamlib, trophie).
-# Other scanners must be updated manually.
-#
-# Default:
-# DBRELOAD 60
-
-#
-# Run HAVP as transparent Proxy?
-#
-# If you don't know what this means read the mini-howto
-# TransparentProxy written by Daniel Kiracofe.
-# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
-# Definitely you have more to do than setting this to true.
-# You are warned!
-#
-# Default:
-# TRANSPARENT false
-
-#
-# Specify a parent proxy (e.g. Squid) HAVP should use.
-# If needed, user and password authentication can be used,
-# but only Basic-authentication scheme is supported.
-#
-# Default: NONE
-# PARENTPROXY localhost
-# PARENTPORT 3128
-# PARENTUSER username
-# PARENTPASSWORD password
-
-#
-# Write X-Forwarded-For: to log instead of connecters IP?
-#
-# If HAVP is used as parent proxy by some other proxy, this allows
-# to write the real users IP to log, instead of proxy IP.
-#
-# Default:
-# FORWARDED_IP false
-
-#
-# Send X-Forwarded-For: header to servers?
-#
-# If client sent this header, FORWARDED_IP setting defines the value,
-# then it is passed on. You might want to keep this disabled for security
-# reasons. Enable this if you use your own parent proxy after HAVP, so it
-# will see the original client IP.
-#
-# Disabling this also disables Via: header generation.
-#
-# Default:
-# X_FORWARDED_FOR false
-
-#
-# Port HAVP is listening on.
-#
-# Default:
-# PORT 8080
-
-#
-# IP address that HAVP listens on.
-# Let it be undefined to bind all addresses.
-#
-# Default: NONE
-# BIND_ADDRESS 127.0.0.1
-
-#
-# IP address used for sending outbound packets.
-# Let it be undefined if you want OS to handle right address.
-#
-# Default: NONE
-# SOURCE_ADDRESS 1.2.3.4
-
-#
-# Path to template files.
-#
-# Default:
-# TEMPLATEPATH @sysconfdir@/havp/templates/en
-
-#
-# Set to true if you want to prefer Whitelist.
-# If URL is Whitelisted, then Blacklist is ignored.
-# Otherwise Blacklist is preferred.
-#
-# Default:
-# WHITELISTFIRST true
-
-#
-# List of URLs not to scan.
-#
-# Default:
-# WHITELIST @sysconfdir@/havp/whitelist
-
-#
-# List of URLs that are denied access.
-#
-# Default:
-# BLACKLIST @sysconfdir@/havp/blacklist
-
-#
-# Is scanner error fatal?
-#
-# For example, archive types that are not supported by scanner
-# may return error. Also if scanner has invalid pattern files etc.
-#
-# true: User gets error page
-# false: No error is reported (viruses might not be detected)
-#
-# Default:
-# FAILSCANERROR true
-
-#
-# When scanning takes longer than this, it will be aborted.
-# Timer is started after HAVP has fully received all data.
-# If set too low, complex files/archives might produce timeout.
-# Timeout is always a fatal error regardless of FAILSCANERROR.
-#
-# Time in minutes!
-#
-# Default:
-# SCANNERTIMEOUT 10
-
-#
-# Allow HTTP Range requests?
-#
-# false: Broken downloads can NOT be resumed
-# true: Broken downloads can be resumed
-#
-# Allowing Range is a security risk, because partial
-# HTTP requests may not be properly scanned.
-#
-# Whitelisted sites are allowed to use Range in any case.
-#
-# Default:
-# RANGE false
-
-#
-# Allow HTTP Range request to get the ZIP header first?
-#
-# This allows (partial) scanning of ZIP files that are bigger than
-# MAXSCANSIZE. Scanning is done up to that many bytes into the file.
-#
-# Default:
-# PRELOADZIPHEADER true
-
-#
-# If you really need more performance, you can disable scanning of
-# JPG, GIF and PNG files. These are probably the most common files
-# around, so it will save lots of CPU. But be warned, image exploits
-# exist and more could be found. Think twice if you want to disable!
-#
-# In addition of checking Content-Type: image/*, this setting uses
-# file magic to make sure the file is really image.
-#
-# Also see SCANMIME/SKIPMIME settings to control scanning based
-# on just the Content-Type header.
-#
-# Default:
-# SCANIMAGES true
-
-#
-# What MIME types NOT to scan. For performance reasons, you could
-# exclude all media types.
-#
-# Based on Content-Type: header as given by the HTTP server.
-# Note that it is easy to forge and should not be trusted.
-#
-# Basic wildcard match supported.
-#
-# Default: NONE
-# SKIPMIME image/* video/* audio/*
-
-#
-# If set, then ONLY these MIME types will be scanned.
-#
-# Based on Content-Type: header as given by the HTTP server.
-# Note that it is easy to forge and should not be trusted.
-#
-# Basic wildcard match supported.
-#
-# Default: NONE
-# SCANMIME application/*
-
-#
-# Temporary file will grow only up to this size. This means scanner
-# will scan data until this limit is reached.
-#
-# There are two sides to this setting. By limiting the size, you gain
-# performance, less waiting for big files and less needed temporary space.
-# But there is slightly higher chance of virus slipping through (though
-# scanning large archives should not be gateways function, HAVP is more
-# geared towards small exploit detection etc).
-#
-# VALUE IN BYTES NOT KB OR MB!!!!
-# 0 = No size limit
-#
-# Default:
-# MAXSCANSIZE 5000000
-
-#
-# Amount of data going to browser that is held back, until it
-# is scanned. When we know file is clean, this held back data
-# can be sent to browser. You can safely set bigger value, only
-# thing you will notice is some "delay" in beginning of download.
-# Virus found in files bigger than this might not produce HAVP
-# error page, but result in a "broken" download.
-#
-# VALUE IN BYTES NOT KB OR MB!!!!
-#
-# Default:
-# KEEPBACKBUFFER 200000
-
-#
-# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
-# initially receive data from server, before sending anything to client.
-# Even trickling is not done before this time elapses. This way files that
-# are received fast are more secure and user can get virus report page for
-# files bigger than KEEPBACKBUFFER.
-#
-# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
-#
-# Default:
-# KEEPBACKTIME 5
-
-#
-# After Trickling Time (seconds), some bytes are sent to browser
-# to keep the connection alive.
Trickling is not needed if timeouts
-# are not expected for files smaller than KEEPBACKBUFFER, but it is
-# recommended to set anyway.
-#
-# 0 = No Trickling
-#
-# Default:
-# TRICKLING 30
-
-#
-# Send this many bytes to browser every TRICKLING seconds, see above
-#
-# Default:
-# TRICKLINGBYTES 1
-
-#
-# Downloads larger than MAXDOWNLOADSIZE will be blocked.
-# Only if not Whitelisted!
-#
-# VALUE IN BYTES NOT KB OR MB!!!!
-# 0 = Unlimited Downloads
-#
-# Default:
-# MAXDOWNLOADSIZE 0
-
-#
-# Space separated list of strings to partially match User-Agent: header.
-# These are used for streaming content, so scanning is generally not needed
-# and tempfiles grow unnecessary. Remember when enabled, that user could
-# fake header and pass some scanning. HTTP Range requests are allowed for
-# these, so players can seek content.
-#
-# You can uncomment here a list of most popular players.
-#
-# Default: NONE
-# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
-
-#
-# Bytes to scan from beginning of streams.
-# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
-# It is not recommended as there are some exploits for players.
-#
-# Default:
-# STREAMSCANSIZE 20000
-
-#
-# Disable mandatory locking (dynamic scanning) for certain file types.
-# This is intended for fixing cases where a scanner forces use of mmap()
-# call. Mandatory locking might not allow this, so you could get errors
-# regarding memory allocation or I/O. You can test the "None" option
-# anyway, as it might even work depending on your OS (some Linux seems
-# to allow mand+mmap).
-#
-# Allowed values:
-# None
-# ClamAV:BinHex (mmap forced in versions older than 0.96)
-# ClamAV:PDF (mmap forced in versions older than 0.96)
-# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94)
-# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED)
-#
-# Default:
-# DISABLELOCKINGFOR AVG:ALL
-
-#
-# Whitelist specific viruses by case-insensitive substring match.
-# For example, "Oversized." and "Encrypted." are good candidates,
-# if you can't disable those checks any other way.
-#
-# Default: NONE
-# IGNOREVIRUS Oversized. Encrypted. Phishing.
-
-
-#####
-##### ClamAV Library Scanner (libclamav)
-#####
-
-ENABLECLAMLIB false
-
-# HAVP uses libclamav hardcoded pattern directory, which usually is
-# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
-# using non-default DatabaseDirectory setting in clamd.conf.
-#
-# Default: NONE
-# CLAMDBDIR /path/to/directory
-
-# Should we block broken executables?
-#
-# Default:
-# CLAMBLOCKBROKEN false
-
-# Should we block encrypted archives?
-#
-# Default:
-# CLAMBLOCKENCRYPTED false
-
-# Should we block files that go over maximum archive limits?
-#
-# Default:
-# CLAMBLOCKMAX false
-
-# Scanning limits?
-# You can find some additional info from documentation or clamd.conf
-#
-# Stop when this many total bytes scanned (MB)
-# CLAMMAXSCANSIZE 20
-#
-# Stop when this many files have been scanned
-# CLAMMAXFILES 50
-#
-# Don't scan files over this size (MB)
-# CLAMMAXFILESIZE 100
-#
-# Maximum archive recursion
-# CLAMMAXRECURSION 8
-
-
-#####
-##### ClamAV Socket Scanner (clamd)
-#####
-##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
-#####
-
-ENABLECLAMD false
-
-# Path to clamd socket
-#
-# Default:
-# CLAMDSOCKET /tmp/clamd
-
-# ..OR if you use clamd TCP socket, uncomment to enable use
-#
-# Clamd daemon needs to run on the same server as HAVP
-#
-# Default: NONE
-# CLAMDSERVER 127.0.0.1
-# CLAMDPORT 3310
-
-
-#####
-##### F-Prot Socket Scanner
-#####
-
-ENABLEFPROT false
-
-# F-Prot daemon needs to run on same server as HAVP
-#
-# Default:
-# FPROTSERVER 127.0.0.1
-# FPROTPORT 10200
-
-# F-Prot options (only for version 6+ !)
-#
-# See "fpscand-client.sh --help" for possible options.
-#
-# At the moment:
-# --scanlevel= Which scanlevel to use, 0-4 (2).
-# --heurlevel= How aggressive heuristics should be used, 0-4 (2).
-# --archive= Scan inside supported archives n levels deep 1-99 (5).
-# --adware Instructs the daemon to flag adware.
-# --applications Instructs the daemon to flag potentially unwanted applications.
-#
-# Default: NONE
-# FPROTOPTIONS --scanlevel=2 --heurlevel=2
-
-
-#####
-##### AVG Socket Scanner
-#####
-
-ENABLEAVG false
-
-# AVG daemon needs to run on the same server as HAVP
-#
-# Default:
-# AVGSERVER 127.0.0.1
-# AVGPORT 55555
-
-
-#####
-##### Kaspersky Socket Scanner
-#####
-
-ENABLEAVESERVER false
-
-# Path to aveserver socket
-#
-# Default:
-# AVESOCKET /var/run/aveserver
-
-
-#####
-##### Sophos Scanner (Sophie)
-#####
-
-ENABLESOPHIE false
-
-# Path to sophie socket
-#
-# Default:
-# SOPHIESOCKET /var/run/sophie
-
-
-#####
-##### Trend Micro Library Scanner (Trophie)
-#####
-
-ENABLETROPHIE false
-
-# Scanning limits inside archives (filesize = MB):
-#
-# Default:
-# TROPHIEMAXFILES 50
-# TROPHIEMAXFILESIZE 10
-# TROPHIEMAXRATIO 250
-
-
-#####
-##### NOD32 Socket Scanner
-#####
-
-ENABLENOD32 false
-
-# Path to nod32d socket
-#
-# For 3.0+ version, try /tmp/esets.sock
-#
-# Default:
-# NOD32SOCKET /tmp/nod32d.sock
-
-# Used NOD32 Version
-#
-# 30 = 3.0+
-# 25 = 2.5+
-# 21 = 2.x (very old)
-#
-# Default:
-# NOD32VERSION 25
-
-
-#####
-##### Avast!
Socket Scanner
-#####
-
-ENABLEAVAST false
-
-# Path to avastd socket
-#
-# Default:
-# AVASTSOCKET /var/run/avast4/local.sock
-
-# ..OR if you use avastd TCP socket, uncomment to enable use
-#
-# Avast daemon needs to run on the same server as HAVP
-#
-# Default: NONE
-# AVASTSERVER 127.0.0.1
-# AVASTPORT 5036
-
-
-#####
-##### Arcavir Socket Scanner
-#####
-
-ENABLEARCAVIR false
-
-# Path to arcavird socket
-#
-# For version 2008, default socket is /var/run/arcad.ctl
-#
-# Default:
-# ARCAVIRSOCKET /var/run/arcavird.socket
-
-# Used Arcavir version
-# 2007 = Version 2007 and earlier
-# 2008 = Version 2008 and later
-#
-# Default:
-# ARCAVIRVERSION 2007
-
-
-#####
-##### DrWeb Socket Scanner
-#####
-
-ENABLEDRWEB false
-
-# Enable heuristic scanning?
-#
-# Default:
-# DRWEBHEURISTIC true
-
-# Enable malware detection?
-# (Adware, Dialer, Joke, Riskware, Hacktool)
-#
-# Default:
-# DRWEBMALWARE true
-
-# Path to drwebd socket
-#
-# Default:
-# DRWEBSOCKET /var/drweb/run/.daemon
-
-# ..OR if you use drwebd TCP socket, uncomment to enable use
-#
-# DrWeb daemon needs to run on the same server as HAVP
-#
-# Default: NONE
-# DRWEBSERVER 127.0.0.1
-# DRWEBPORT 3000
-
diff -r 5979296311cb -r 2d91f287b9b6 .pc/04_params.cpp.patch/havp/params.cpp
--- a/.pc/04_params.cpp.patch/havp/params.cpp Wed Jun 18 16:19:01 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,443 +0,0 @@
-/***************************************************************************
- params.cpp - description
- -------------------
- begin : So Feb 20 2005
- copyright : (C) 2005 by Peter Sebald / Christian Hilgers
- email : christian@hilgers.ag
- ***************************************************************************/
-
-/***************************************************************************
- * *
- * This program is free software; you can redistribute it and/or modify *
- * it under the terms of the GNU General Public License as published by *
- * the Free Software Foundation; either version 2 of the License, or *
- * (at your option) any later version. *
- * *
- ***************************************************************************/
-
-#include "default.h"
-#include "params.h"
-#include "utils.h"
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifndef INADDR_NONE
-#define INADDR_NONE ((unsigned long) -1)
-#endif
-
-map Params::params;
-
-void Params::SetDefaults()
-{
- SetConfig("DISPLAYINITIALMESSAGES", "true");
- SetConfig("USER", "havp");
- SetConfig("GROUP", "havp");
- SetConfig("DAEMON", "true");
- SetConfig("SERVERNUMBER", "8");
- SetConfig("MAXSERVERS", "150");
- SetConfig("PORT", "8080");
- SetConfig("BIND_ADDRESS", "");
- SetConfig("SOURCE_ADDRESS", "");
- SetConfig("PARENTPROXY", "");
- SetConfig("PARENTPORT", "0");
- SetConfig("PARENTUSER", "");
- SetConfig("PARENTPASSWORD", "");
- SetConfig("ACCESSLOG", ACCESSLOG);
- SetConfig("VIRUSLOG", "");
- SetConfig("ERRORLOG", ERRORLOG);
- SetConfig("TIMEFORMAT", "%d/%m/%Y %H:%M:%S");
- SetConfig("LOG_OKS", "true");
- SetConfig("LOGLEVEL", "0");
- SetConfig("USESYSLOG", "false");
- SetConfig("SYSLOGNAME", "havp");
- SetConfig("SYSLOGFACILITY", "daemon");
- SetConfig("SYSLOGLEVEL", "info");
- SetConfig("SYSLOGVIRUSLEVEL","warning");
- SetConfig("SCANIMAGES", "true");
- SetConfig("SKIPMIME", "");
- SetConfig("SCANMIME", "");
- SetConfig("MAXSCANSIZE", "5000000");
-
SetConfig("KEEPBACKBUFFER", "200000");
- SetConfig("KEEPBACKTIME", "5");
- SetConfig("TRICKLING", "30");
- SetConfig("TRICKLINGBYTES", "1");
- SetConfig("WHITELISTFIRST", "true");
- SetConfig("WHITELIST", WHITELISTFILE);
- SetConfig("BLACKLIST", BLACKLISTFILE);
- SetConfig("TEMPLATEPATH", TEMPLATEPATH);
- SetConfig("TEMPDIR", "/var/tmp");
- SetConfig("SCANTEMPFILE", "/var/tmp/havp/havp-XXXXXX");
- SetConfig("PIDFILE", PIDFILE);
- SetConfig("TRANSPARENT", "false");
- SetConfig("RANGE", "false");
- SetConfig("PRELOADZIPHEADER","true");
- SetConfig("FORWARDED_IP", "false");
- SetConfig("X_FORWARDED_FOR","false");
- SetConfig("STREAMUSERAGENT","");
- SetConfig("STREAMSCANSIZE", "20000");
- SetConfig("DBRELOAD", "60");
- SetConfig("FAILSCANERROR", "true");
- SetConfig("MAXDOWNLOADSIZE","0");
- SetConfig("SCANNERTIMEOUT", "10");
- SetConfig("IGNOREVIRUS", "");
- SetConfig("DISABLELOCKINGFOR","AVG:ALL");
-//SCANNERS
- SetConfig("ENABLECLAMLIB","false");
- SetConfig("CLAMDBDIR","");
- SetConfig("CLAMBLOCKBROKEN","false");
- SetConfig("CLAMBLOCKMAX","false");
- SetConfig("CLAMBLOCKENCRYPTED","false");
- SetConfig("CLAMMAXSCANSIZE","20");
- SetConfig("CLAMMAXFILES","50");
- SetConfig("CLAMMAXFILESIZE","100");
- SetConfig("CLAMMAXRECURSION","8");
- SetConfig("ENABLECLAMD","false");
- SetConfig("CLAMDSOCKET","/tmp/clamd");
- SetConfig("CLAMDSERVER","");
- SetConfig("CLAMDPORT","3310");
- SetConfig("ENABLEAVG","false");
- SetConfig("AVGSERVER","127.0.0.1");
- SetConfig("AVGPORT","55555");
- SetConfig("ENABLEAVESERVER","false");
- SetConfig("AVESOCKET","/var/run/aveserver");
- SetConfig("ENABLEFPROT","false");
- SetConfig("FPROTPORT","10200");
- SetConfig("FPROTSERVER","127.0.0.1");
- SetConfig("FPROTOPTIONS","");
- SetConfig("ENABLENOD32","false");
- SetConfig("NOD32SOCKET","/tmp/nod32d.sock");
- SetConfig("NOD32VERSION","25");
- SetConfig("ENABLETROPHIE","false");
- SetConfig("TROPHIEMAXFILES","50");
- SetConfig("TROPHIEMAXFILESIZE","10");
- SetConfig("TROPHIEMAXRATIO","250");
- SetConfig("ENABLESOPHIE","false");
- SetConfig("SOPHIESOCKET","/var/run/sophie");
- SetConfig("ENABLEAVAST","false");
- SetConfig("AVASTSOCKET","/var/run/avast4/local.sock");
- SetConfig("AVASTSERVER","");
- SetConfig("AVASTPORT","5036");
- SetConfig("ENABLEARCAVIR","false");
- SetConfig("ARCAVIRSOCKET","/var/run/arcavird.socket");
- SetConfig("ARCAVIRVERSION","2007");
- SetConfig("ENABLEDRWEB","false");
- SetConfig("DRWEBSOCKET","/var/drweb/run/.daemon");
- SetConfig("DRWEBSERVER","");
- SetConfig("DRWEBPORT","3000");
- SetConfig("DRWEBHEURISTIC","true");
- SetConfig("DRWEBMALWARE","true");
-}
-
-bool Params::ReadConfig( string file )
-{
- ifstream input( file.c_str() );
-
- if ( !input )
- {
- cerr << "Could not open config file: " << file << endl;
- return false;
- }
-
- string::size_type Position;
- string line, key, val;
-
- while ( input )
- {
- getline( input, line );
-
- //Strip whitespace from beginning and end
- if ( (Position = line.find_first_not_of(" \t")) != string::npos )
- {
- line = line.substr(Position, (line.find_last_not_of(" \t", string::npos) - Position) + 1);
- }
-
- //Read next if nothing found
- if ( (Position == string::npos) || (line.size() == 0) ) continue;
-
- //Read next if commented
- if ( line.substr(0, 1) == "#" ) continue;
-
- //Find key and value
- if ( (Position = line.find_first_of(" \t")) != string::npos )
- {
- key = line.substr(0, Position);
-
- if ( key == "REMOVETHISLINE" )
- {
- cout << "Configuration is not edited!" << endl;
- cout << "You must delete REMOVETHISLINE option." << endl;
- cout << "Review the configuration carefully.
:)" << endl;
- return false;
- }
-
- if ( (Position = line.find_first_not_of(" \t", Position + 1)) == string::npos )
- {
- cout << "Invalid Config Line: " << line << endl;
- return false;
- }
-
- val = line.substr( Position );
-
- Params::SetConfig( key, val );
- }
- else
- {
- cout << "Invalid Config Line: " << line << endl;
- return false;
- }
- }
-
- input.close();
-
- return true;
-}
-
-void Params::SetConfig( string param, string value )
-{
- string TempParams[] = {CONFIGPARAMS};
- bool ParamFound = false;
-
- param = UpperCase(param);
-
- for ( unsigned int i = 0; i < sizeof(TempParams)/sizeof(string); i++ )
- {
- if ( param == TempParams[i] )
- {
- ParamFound = true;
- }
- }
-
- if ( ParamFound )
- {
- if ( UpperCase(value) == "TRUE" || UpperCase(value) == "FALSE" )
- {
- value = UpperCase(value);
- }
-
- params[param] = value;
- }
- else
- {
- cout << "Unknown Config Parameter: " << param << endl;
- cout << "Exiting.." << endl;
- exit(1);
- }
-}
-
-int Params::GetConfigInt( string param )
-{
- return atoi( params[param].c_str() );
-}
-
-bool Params::GetConfigBool( string param )
-{
- if ( params[param] == "TRUE" )
- {
- return true;
- }
- else
- {
- return false;
- }
-}
-
-string Params::GetConfigString( string param )
-{
- return params[param];
-}
-
-void Params::ShowConfig( string cfgfile )
-{
- cout << endl << "# Using HAVP config: " << cfgfile << endl << endl;
- typedef map::const_iterator CI;
- for(CI p = params.begin(); p != params.end(); ++p)
- {
- cout << p->first << "=" << p->second << '\n';
- }
- cout << endl;
-}
-
-void Params::Usage()
-{
- cout << endl << "Usage: havp [Options]" << endl << endl;
- cout << "HAVP Version " << VERSION << endl << endl;
- cout << "Possible options are:" << endl;
- cout << "--help | -h This pamphlet" << endl;
- cout << "--conf-file=FileName | -c Filename Use this Config-File" << endl;
- cout << "--show-config | -s Show configuration HAVP is using" << endl << endl;
-}
-
-bool Params::SetParams( int argvT, char* argcT[]
)
-{
- string option, value;
- string::size_type i1, i2;
-
- string cfgfile = CONFIGFILE;
- bool showconf = false;
-
- SetDefaults();
-
- while ( --argvT )
- {
- value = *++argcT;
- i1 = value.find_first_not_of("-");
-
- //No GNU options
- if ( i1 == 1 )
- {
- option = value.substr(i1, 1);
-
- if ( option == "c" )
- {
- --argvT;
-
- if ( argvT == 0 )
- {
- Usage();
- return false;
- }
- value = *++argcT;
- }
- else if ( option == "s" )
- {
- showconf = true;
- }
- else
- {
- Usage();
- return false;
- }
- }
- //GNU options
- else if ( i1 == 2 )
- {
- if ( (i2 = value.find("=")) != string::npos )
- {
- option = value.substr(i1, i2 - i1);
-
- if ( value.size() > i2 + 1 )
- {
- value = value.substr(i2 + 1);
- }
- else
- {
- Usage();
- return false;
- }
- }
- else
- {
- option = value.substr(i1);
- value = "";
- }
- }
- else
- {
- Usage();
- return false;
- }
-
- if ( option == "help" )
- {
- Usage();
- return false;
- }
- else if ( option == "show-config" )
- {
- showconf = true;
- }
- else if ( option == "conf-file" || option == "c" )
- {
- if (value == "")
- {
- Usage();
- return false;
- }
-
- cfgfile = value;
- }
- else if ( showconf == true )
- {
- //Nothing: prevent Usage
- }
- else
- {
- Usage();
- return false;
- }
- }
-
- if ( ReadConfig( cfgfile ) == false )
- {
- return false;
- }
-
- if ( showconf == true )
- {
- ShowConfig( cfgfile );
- return false;
- }
-
- return TestConfig();
-}
-
-//Test that some options are sane
-bool Params::TestConfig()
-{
- if ( Params::GetConfigInt("SERVERNUMBER") < 1 )
- {
- cout << "Invalid Config: SERVERNUMBER needs to be greater than 0" << endl;
- return false;
- }
- if ( Params::GetConfigString("ACCESSLOG").substr(0,1) != "/"
- || (Params::GetConfigString("VIRUSLOG") != "" && Params::GetConfigString("VIRUSLOG").substr(0,1) != "/")
- || Params::GetConfigString("ERRORLOG").substr(0,1) != "/" )
- {
- cout << "Invalid Config: Log paths need to be abolute" << endl;
- return false;
- }
- if (
Params::GetConfigString("SCANTEMPFILE").find("XXXXXX") == string::npos )
- {
- cout << "Invalid Config: SCANTEMPFILE must contain string \"XXXXXX\"" << endl;
- return false;
- }
- if ( Params::GetConfigInt("MAXSERVERS") > 500 )
- {
- cout << "Note: MAXSERVERS is unusually high! You are sure you want this?" << endl;
- }
- if ( Params::GetConfigString("BIND_ADDRESS") == "NULL" ) Params::SetConfig("BIND_ADDRESS","");
- if ( Params::GetConfigString("BIND_ADDRESS") != "" )
- {
- if ( inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) == INADDR_NONE )
- {
- cout << "Invalid Config: Invalid BIND_ADDRESS" << endl;
- return false;
- }
- }
- if ( Params::GetConfigString("SOURCE_ADDRESS") == "NULL" ) Params::SetConfig("SOURCE_ADDRESS","");
- if ( Params::GetConfigString("SOURCE_ADDRESS") != "" )
- {
- if ( inet_addr( Params::GetConfigString("SOURCE_ADDRESS").c_str() ) == INADDR_NONE )
- {
- cout << "Invalid Config: Invalid SOURCE_ADDRESS" << endl;
- return false;
- }
- }
- if ( Params::GetConfigString("PARENTPROXY") != "" && Params::GetConfigInt("PARENTPORT") < 1 )
- {
- cout << "Invalid Config: Invalid PARENTPROXY/PARENTPORT" << endl;
- return false;
- }
- if ( Params::GetConfigInt("TRICKLING") > 0 && Params::GetConfigInt("TRICKLINGBYTES") < 1 )
- {
- cout << "Invalid Config: TRICKLINGBYTES needs to be greater than 0" << endl;
- return false;
- }
-
- return true;
-}
diff -r 5979296311cb -r 2d91f287b9b6 .pc/05_add_ssltimeout_option.patch/etc/havp/havp.config.in
--- a/.pc/05_add_ssltimeout_option.patch/etc/havp/havp.config.in Wed Jun 18 16:19:01 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,670 +0,0 @@ -# -# This is the configuration file for HAVP -# -# All lines starting with a hash (#) or empty lines are ignored. -# Uncomment parameters you want to change! -# -# All parameters configurable in this file are explained and their default -# values are shown. If no default value is defined "NONE" is specified. -# -# General syntax: Parameter Value -# Value can be: true/false, number, or path -# -# Extra spaces and tabs are ignored. -# - -# You must remove this line for HAVP to start. -# This makes sure you have (hopefully) reviewed the configuration. :) -# Hint: You must enable some scanner! Find them in the end.. -# REMOVETHISLINE deleteme - -# -# For reasons of security it is recommended to run a proxy program -# without root rights. It is recommended to create user that is not -# used by any other program. -# -# Default: -# USER havp -# GROUP havp - -# If this is true HAVP is running as daemon in background. -# For testing you may run HAVP at your text console. -# -# Default: -# DAEMON true - -# -# Process id (PID) of the main HAVP process is written to this file. -# Be sure that it is writeable by the user under which HAVP is running. -# /etc/init.d/havp script requires this to work. -# -# Default: -# PIDFILE @localstatedir@/run/havp/havp.pid - -# -# For performance reasons several instances of HAVP have to run. -# Specify how many servers (child processes) are simultaneously -# listening on port PORT for a connection. Minimum value should be -# the peak requests-per-second expected + 5 for headroom. For best -# performance, you should have atleast 1 CPU core per 16 processes. -# -# For single user home use, 8 should be minimum. -# For 500+ users corporate use, start at 40. -# -# Value can and should be higher than recommended. Memory and -# CPU usage is only affected by the number of concurrent requests. -# -# More childs are automatically created when needed, up to MAXSERVERS. 
-# -# Default: -# SERVERNUMBER 8 -# MAXSERVERS 100 - -# -# Files where to log requests and info/errors. -# Needs to have write permission for HAVP user. -# -# Default: -# ACCESSLOG @localstatedir@/log/havp/access.log -# ERRORLOG @localstatedir@/log/havp/havp.log -# VIRUSLOG (same as ACCESSLOG) - -# -# Format for timestamps in logfile messages. -# See: man strftime -# -# Default: -# TIMEFORMAT %d/%m/%Y %H:%M:%S - -# -# Syslog can be used instead of logging to file. -# For facilities and levels, see "man syslog". -# -# Default: -# USESYSLOG false -# SYSLOGNAME havp -# SYSLOGFACILITY daemon -# SYSLOGLEVEL info -# SYSLOGVIRUSLEVEL warning - -# -# true: Log every request to access log -# false: Log only viruses to access log -# -# Default: -# LOG_OKS true - -# -# Level of HAVP logging -# 0 = Only serious errors and information -# 1 = Less interesting information is included -# -# Default: -# LOGLEVEL 0 - -# -# Temporary scan file. -# This file must reside on a partition for which mandatory -# locking is enabled. For Linux, use "-o mand" in mount command. -# See "man mount" for details. Solaris does not need any special -# steps, it works directly. -# -# Specify absolute path to a file which name must contain "XXXXXX". -# These characters are used by system to create unique named files. -# -# Default: -# SCANTEMPFILE /var/spool/havp/havp-XXXXXX - -# -# Directory for ClamAV and other scanner created tempfiles. -# Needs to be writable by HAVP user. Use ramdisk for best performance. -# -# Default: -# TEMPDIR /var/tmp - -# -# HAVP reloads scanners virus database by receiving a signal -# (send SIGHUP to PID from PIDFILE, see "man kill") or after -# a specified period of time. Specify here the number of -# minutes to wait for reloading. -# -# This only affects library scanners (clamlib, trophie). -# Other scanners must be updated manually. -# -# Default: -# DBRELOAD 60 - -# -# Run HAVP as transparent Proxy? 
-# -# If you don't know what this means read the mini-howto -# TransparentProxy written by Daniel Kiracofe. -# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html) -# Definitely you have more to do than setting this to true. -# You are warned! -# -# Default: -# TRANSPARENT false - -# -# Specify a parent proxy (e.g. Squid) HAVP should use. -# If needed, user and password authentication can be used, -# but only Basic-authentication scheme is supported. -# -# Default: NONE -# PARENTPROXY localhost -# PARENTPORT 3128 -# PARENTUSER username -# PARENTPASSWORD password - -# -# Write X-Forwarded-For: to log instead of connecters IP? -# -# If HAVP is used as parent proxy by some other proxy, this allows -# to write the real users IP to log, instead of proxy IP. -# -# Default: -# FORWARDED_IP false - -# -# Send X-Forwarded-For: header to servers? -# -# If client sent this header, FORWARDED_IP setting defines the value, -# then it is passed on. You might want to keep this disabled for security -# reasons. Enable this if you use your own parent proxy after HAVP, so it -# will see the original client IP. -# -# Disabling this also disables Via: header generation. -# -# Default: -# X_FORWARDED_FOR false - -# -# Port HAVP is listening on. -# -# Default: -# PORT 8080 - -# -# IP address that HAVP listens on. -# Let it be undefined to bind all addresses. -# -# Default: NONE -# BIND_ADDRESS 127.0.0.1 - -# -# IP address used for sending outbound packets. -# Let it be undefined if you want OS to handle right address. -# -# Default: NONE -# SOURCE_ADDRESS 1.2.3.4 - -# -# Path to template files. -# -# Default: -# TEMPLATEPATH @sysconfdir@/havp/templates/en - -# -# Set to true if you want to prefer Whitelist. -# If URL is Whitelisted, then Blacklist is ignored. -# Otherwise Blacklist is preferred. -# -# Default: -# WHITELISTFIRST true - -# -# List of URLs not to scan. -# -# Default: -# WHITELIST @sysconfdir@/havp/whitelist - -# -# List of URLs that are denied access. 
-# -# Default: -# BLACKLIST @sysconfdir@/havp/blacklist - -# -# Is scanner error fatal? -# -# For example, archive types that are not supported by scanner -# may return error. Also if scanner has invalid pattern files etc. -# -# true: User gets error page -# false: No error is reported (viruses might not be detected) -# -# Default: -# FAILSCANERROR true - -# SSL connections may be silent for a while (mostly when "abused" -# for other communication than HTTP). HAVP disconnects these connections -# after several seconds. -# -# Default: -# SSLTIMEOUT 20 - -# -# When scanning takes longer than this, it will be aborted. -# Timer is started after HAVP has fully received all data. -# If set too low, complex files/archives might produce timeout. -# Timeout is always a fatal error regardless of FAILSCANERROR. -# -# Time in minutes! -# -# Default: -# SCANNERTIMEOUT 10 - -# -# Allow HTTP Range requests? -# -# false: Broken downloads can NOT be resumed -# true: Broken downloads can be resumed -# -# Allowing Range is a security risk, because partial -# HTTP requests may not be properly scanned. -# -# Whitelisted sites are allowed to use Range in any case. -# -# Default: -# RANGE false - -# -# Allow HTTP Range request to get the ZIP header first? -# -# This allows (partial) scanning of ZIP files that are bigger than -# MAXSCANSIZE. Scanning is done up to that many bytes into the file. -# -# Default: -# PRELOADZIPHEADER true - -# -# If you really need more performance, you can disable scanning of -# JPG, GIF and PNG files. These are probably the most common files -# around, so it will save lots of CPU. But be warned, image exploits -# exist and more could be found. Think twice if you want to disable! -# -# In addition of checking Content-Type: image/*, this setting uses -# file magic to make sure the file is really image. -# -# Also see SCANMIME/SKIPMIME settings to control scanning based -# on just the Content-Type header. 
-# -# Default: -# SCANIMAGES true - -# -# What MIME types NOT to scan. For performance reasons, you could -# exclude all media types. -# -# Based on Content-Type: header as given by the HTTP server. -# Note that it is easy to forge and should not be trusted. -# -# Basic wildcard match supported. -# -# Default: NONE -# SKIPMIME image/* video/* audio/* - -# -# If set, then ONLY these MIME types will be scanned. -# -# Based on Content-Type: header as given by the HTTP server. -# Note that it is easy to forge and should not be trusted. -# -# Basic wildcard match supported. -# -# Default: NONE -# SCANMIME application/* - -# -# Temporary file will grow only up to this size. This means scanner -# will scan data until this limit is reached. -# -# There are two sides to this setting. By limiting the size, you gain -# performance, less waiting for big files and less needed temporary space. -# But there is slightly higher chance of virus slipping through (though -# scanning large archives should not be gateways function, HAVP is more -# geared towards small exploit detection etc). -# -# VALUE IN BYTES NOT KB OR MB!!!! -# 0 = No size limit -# -# Default: -# MAXSCANSIZE 5000000 - -# -# Amount of data going to browser that is held back, until it -# is scanned. When we know file is clean, this held back data -# can be sent to browser. You can safely set bigger value, only -# thing you will notice is some "delay" in beginning of download. -# Virus found in files bigger than this might not produce HAVP -# error page, but result in a "broken" download. -# -# VALUE IN BYTES NOT KB OR MB!!!! -# -# Default: -# KEEPBACKBUFFER 200000 - -# -# This setting complements KEEPBACKBUFFER. It tells how many Seconds to -# initially receive data from server, before sending anything to client. -# Even trickling is not done before this time elapses. This way files that -# are received fast are more secure and user can get virus report page for -# files bigger than KEEPBACKBUFFER. 
-# -# Setting to 0 will disable this, and only KEEPBACKBUFFER is used. -# -# Default: -# KEEPBACKTIME 5 - -# -# After Trickling Time (seconds), some bytes are sent to browser -# to keep the connection alive. Trickling is not needed if timeouts -# are not expected for files smaller than KEEPBACKBUFFER, but it is -# recommended to set anyway. -# -# 0 = No Trickling -# -# Default: -# TRICKLING 30 - -# -# Send this many bytes to browser every TRICKLING seconds, see above -# -# Default: -# TRICKLINGBYTES 1 - -# -# Downloads larger than MAXDOWNLOADSIZE will be blocked. -# Only if not Whitelisted! -# -# VALUE IN BYTES NOT KB OR MB!!!! -# 0 = Unlimited Downloads -# -# Default: -# MAXDOWNLOADSIZE 0 - -# -# Space separated list of strings to partially match User-Agent: header. -# These are used for streaming content, so scanning is generally not needed -# and tempfiles grow unnecessary. Remember when enabled, that user could -# fake header and pass some scanning. HTTP Range requests are allowed for -# these, so players can seek content. -# -# You can uncomment here a list of most popular players. -# -# Default: NONE -# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS - -# -# Bytes to scan from beginning of streams. -# When set to 0, STREAMUSERAGENT scanning will be completely disabled. -# It is not recommended as there are some exploits for players. -# -# Default: -# STREAMSCANSIZE 20000 - -# -# Disable mandatory locking (dynamic scanning) for certain file types. -# This is intended for fixing cases where a scanner forces use of mmap() -# call. Mandatory locking might not allow this, so you could get errors -# regarding memory allocation or I/O. You can test the "None" option -# anyway, as it might even work depending on your OS (some Linux seems -# to allow mand+mmap). 
-# -# Allowed values: -# None -# ClamAV:BinHex (mmap forced in versions older than 0.96) -# ClamAV:PDF (mmap forced in versions older than 0.96) -# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94) -# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED) -# -# Default: -# DISABLELOCKINGFOR AVG:ALL - -# -# Whitelist specific viruses by case-insensitive substring match. -# For example, "Oversized." and "Encrypted." are good candidates, -# if you can't disable those checks any other way. -# -# Default: NONE -# IGNOREVIRUS Oversized. Encrypted. Phishing. - - -##### -##### ClamAV Library Scanner (libclamav) -##### - -ENABLECLAMLIB true - -# HAVP uses libclamav hardcoded pattern directory, which usually is -# /usr/share/clamav. You only need to set CLAMDBDIR, if you are -# using non-default DatabaseDirectory setting in clamd.conf. -# -# Default: NONE -# CLAMDBDIR /var/lib/clamav - -# Should we block broken executables? -# -# Default: -# CLAMBLOCKBROKEN false - -# Should we block encrypted archives? -# -# Default: -# CLAMBLOCKENCRYPTED false - -# Should we block files that go over maximum archive limits? -# -# Default: -# CLAMBLOCKMAX false - -# Scanning limits? 
-# You can find some additional info from documentation or clamd.conf -# -# Stop when this many total bytes scanned (MB) -# CLAMMAXSCANSIZE 20 -# -# Stop when this many files have been scanned -# CLAMMAXFILES 50 -# -# Don't scan files over this size (MB) -# CLAMMAXFILESIZE 100 -# -# Maximum archive recursion -# CLAMMAXRECURSION 8 - - -##### -##### ClamAV Socket Scanner (clamd) -##### -##### NOTE: ClamAV Library Scanner should be preferred (less overhead) -##### - -ENABLECLAMD false - -# Path to clamd socket -# -# Default: -# CLAMDSOCKET /tmp/clamd - -# ..OR if you use clamd TCP socket, uncomment to enable use -# -# Clamd daemon needs to run on the same server as HAVP -# -# Default: NONE -# CLAMDSERVER 127.0.0.1 -# CLAMDPORT 3310 - - -##### -##### F-Prot Socket Scanner -##### - -ENABLEFPROT false - -# F-Prot daemon needs to run on same server as HAVP -# -# Default: -# FPROTSERVER 127.0.0.1 -# FPROTPORT 10200 - -# F-Prot options (only for version 6+ !) -# -# See "fpscand-client.sh --help" for possible options. -# -# At the moment: -# --scanlevel= Which scanlevel to use, 0-4 (2). -# --heurlevel= How aggressive heuristics should be used, 0-4 (2). -# --archive= Scan inside supported archives n levels deep 1-99 (5). -# --adware Instructs the daemon to flag adware. -# --applications Instructs the daemon to flag potentially unwanted applications. 
-# -# Default: NONE -# FPROTOPTIONS --scanlevel=2 --heurlevel=2 - - -##### -##### AVG Socket Scanner -##### - -ENABLEAVG false - -# AVG daemon needs to run on the same server as HAVP -# -# Default: -# AVGSERVER 127.0.0.1 -# AVGPORT 55555 - - -##### -##### Kaspersky Socket Scanner -##### - -ENABLEAVESERVER false - -# Path to aveserver socket -# -# Default: -# AVESOCKET /var/run/aveserver - - -##### -##### Sophos Scanner (Sophie) -##### - -ENABLESOPHIE false - -# Path to sophie socket -# -# Default: -# SOPHIESOCKET /var/run/sophie - - -##### -##### Trend Micro Library Scanner (Trophie) -##### - -ENABLETROPHIE false - -# Scanning limits inside archives (filesize = MB): -# -# Default: -# TROPHIEMAXFILES 50 -# TROPHIEMAXFILESIZE 10 -# TROPHIEMAXRATIO 250 - - -##### -##### NOD32 Socket Scanner -##### - -ENABLENOD32 false - -# Path to nod32d socket -# -# For 3.0+ version, try /tmp/esets.sock -# -# Default: -# NOD32SOCKET /tmp/nod32d.sock - -# Used NOD32 Version -# -# 30 = 3.0+ -# 25 = 2.5+ -# 21 = 2.x (very old) -# -# Default: -# NOD32VERSION 25 - - -##### -##### Avast! Socket Scanner -##### - -ENABLEAVAST false - -# Path to avastd socket -# -# Default: -# AVASTSOCKET /var/run/avast4/local.sock - -# ..OR if you use avastd TCP socket, uncomment to enable use -# -# Avast daemon needs to run on the same server as HAVP -# -# Default: NONE -# AVASTSERVER 127.0.0.1 -# AVASTPORT 5036 - - -##### -##### Arcavir Socket Scanner -##### - -ENABLEARCAVIR false - -# Path to arcavird socket -# -# For version 2008, default socket is /var/run/arcad.ctl -# -# Default: -# ARCAVIRSOCKET /var/run/arcavird.socket - -# Used Arcavir version -# 2007 = Version 2007 and earlier -# 2008 = Version 2008 and later -# -# Default: -# ARCAVIRVERSION 2007 - - -##### -##### DrWeb Socket Scanner -##### - -ENABLEDRWEB false - -# Enable heuristic scanning? -# -# Default: -# DRWEBHEURISTIC true - -# Enable malware detection? 
-# (Adware, Dialer, Joke, Riskware, Hacktool) -# -# Default: -# DRWEBMALWARE true - -# Path to drwebd socket -# -# Default: -# DRWEBSOCKET /var/drweb/run/.daemon - -# ..OR if you use drwebd TCP socket, uncomment to enable use -# -# DrWeb daemon needs to run on the same server as HAVP -# -# Default: NONE -# DRWEBSERVER 127.0.0.1 -# DRWEBPORT 3000 diff -r 5979296311cb -r 2d91f287b9b6 .pc/05_add_ssltimeout_option.patch/havp/default.h.in --- a/.pc/05_add_ssltimeout_option.patch/havp/default.h.in Wed Jun 18 16:19:01 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,120 +0,0 @@ -/*************************************************************************** - default.h - description - ------------------- - begin : Sa Feb 12 2005 - copyright : (C) 2005 by Christian Hilgers - email : christian@hilgers.ag - ***************************************************************************/ - -/*************************************************************************** - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - ***************************************************************************/ - - -#ifndef DEFAULT_H -#define DEFAULT_H - -#define VERSION "0.92" - -//############################################################## -//Define if you want to rewrite a URL -//#define REWRITE URLRewrite["havp"]="www.server-side.de"; URLRewrite["www.havp"]="www.server-side.de"; - -//############################################################## -//Parameters in Configurationfile - -#define CONFIGPARAMS \ - "WHITELISTFIRST","TEMPDIR","RANGE", "PRELOADZIPHEADER", "USER","GROUP", \ - "SERVERNUMBER","PORT","BIND_ADDRESS","SOURCE_ADDRESS","KEEPBACKBUFFER", \ - "KEEPBACKTIME","TRICKLING","TRICKLINGBYTES","MAXSCANSIZE","WHITELIST","BLACKLIST","PIDFILE", \ - "DAEMON","TRANSPARENT","LOG_OKS","ACCESSLOG","VIRUSLOG","ERRORLOG","TIMEFORMAT","LOGLEVEL", \ - "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \ - "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \ - "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \ - "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \ - "SKIPMIME","SCANMIME", \ - "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \ - 
"CLAMMAXFILES","CLAMMAXFILESIZE","CLAMMAXRECURSION","CLAMMAXSCANSIZE", \ - "ENABLEAVG","AVGSERVER","AVGPORT", \ - "ENABLEAVESERVER","AVESOCKET", \ - "ENABLEFPROT","FPROTSERVER","FPROTPORT","FPROTOPTIONS", \ - "ENABLETROPHIE","TROPHIEMAXFILES","TROPHIEMAXFILESIZE","TROPHIEMAXRATIO", \ - "ENABLENOD32","NOD32SOCKET","NOD32VERSION", \ - "ENABLECLAMD","CLAMDSOCKET","CLAMDSERVER","CLAMDPORT", \ - "ENABLESOPHIE","SOPHIESOCKET", \ - "ENABLEAVAST","AVASTSOCKET","AVASTSERVER","AVASTPORT", \ - "ENABLEARCAVIR","ARCAVIRSOCKET","ARCAVIRVERSION", \ - "ENABLEDRWEB","DRWEBSOCKET","DRWEBSERVER","DRWEBPORT","DRWEBHEURISTIC","DRWEBMALWARE", \ - "PARENTUSER", "PARENTPASSWORD" -//SCANNERS - - -//############################################################## -//Configuration not setable in havp.config - -//CONNTIMEOUT in seconds -#define CONNTIMEOUT 60 - -//RECVTIMEOUT in seconds -#define RECVTIMEOUT 120 - -//SENDTIMEOUT in seconds -#define SENDTIMEOUT 120 - -//Maximum client connection waiting for accept -#define MAXCONNECTIONS 1024 - -//Maximum bytes received in one request -#define MAXRECV 14600 - -//Maximum logfile line length -#define STRINGLENGTH 1000 - -//Maximum hardlock size - do not change -#define MAXFILELOCKSIZE 1000000000 - -//Valid Methods -#define METHODS \ - "GET","POST","HEAD","CONNECT","PUT","TRACE","PURGE","OPTIONS","UNLOCK", \ - "SEARCH","PROPFIND","BPROPFIND","PROPPATCH","BPROPPATCH","MKCOL","COPY", \ - "BCOPY","MOVE","LOCK","BMOVE","DELETE","BDELETE","SUBSCRIBE","UNSUBSCRIBE", \ - "POLL","REPORT","ERROR","NONE","MKACTIVITY","CHECKOUT","MERGE" - -//Maximum length of SCANTEMPFILE -#define MAXSCANTEMPFILELENGTH 200 - -//Maximum length of http headers -#define MAXHTTPHEADERLENGTH 65536 - -// HTML Error String -#define ERROR_DNS "dns.html" -#define VIRUS_FOUND "virus.html" -#define ERROR_SCANNER "scanner.html" -#define ERROR_DOWN "down.html" -#define ERROR_INVALID "invalid.html" -#define ERROR_REQUEST "request.html" -#define ERROR_BODY "error.html" -#define 
ERROR_BLACKLIST "blacklist.html" -#define ERROR_MAXSIZE "maxsize.html" - -// DONT TOUCH - run configure -#undef CONFIGFILE -#undef WHITELISTFILE -#undef BLACKLISTFILE -#undef TEMPLATEPATH -#undef ACCESSLOG -#undef ERRORLOG -#undef PIDFILE -#undef NOMAND -#undef SSLTUNNEL -#undef USECLAMLIB -#undef USETROPHIE -#undef HAVE_SETGROUPS -#undef HAVE_INITGROUPS - -#endif diff -r 5979296311cb -r 2d91f287b9b6 .pc/05_add_ssltimeout_option.patch/havp/params.cpp --- a/.pc/05_add_ssltimeout_option.patch/havp/params.cpp Wed Jun 18 16:19:01 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,443 +0,0 @@ -/*************************************************************************** - params.cpp - description - ------------------- - begin : So Feb 20 2005 - copyright : (C) 2005 by Peter Sebald / Christian Hilgers - email : christian@hilgers.ag - ***************************************************************************/ - -/*************************************************************************** - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - ***************************************************************************/ - -#include "default.h" -#include "params.h" -#include "utils.h" - -#include -#include -#include -#include -#include -#include - -#ifndef INADDR_NONE -#define INADDR_NONE ((unsigned long) -1) -#endif - -map Params::params; - -void Params::SetDefaults() -{ - SetConfig("DISPLAYINITIALMESSAGES", "true"); - SetConfig("USER", "havp"); - SetConfig("GROUP", "havp"); - SetConfig("DAEMON", "true"); - SetConfig("SERVERNUMBER", "8"); - SetConfig("MAXSERVERS", "150"); - SetConfig("PORT", "8080"); - SetConfig("BIND_ADDRESS", ""); - SetConfig("SOURCE_ADDRESS", ""); - SetConfig("PARENTPROXY", ""); - SetConfig("PARENTPORT", "0"); - SetConfig("PARENTUSER", ""); - SetConfig("PARENTPASSWORD", ""); - SetConfig("ACCESSLOG", ACCESSLOG); - SetConfig("VIRUSLOG", ""); - SetConfig("ERRORLOG", ERRORLOG); - SetConfig("TIMEFORMAT", "%d/%m/%Y %H:%M:%S"); - SetConfig("LOG_OKS", "true"); - SetConfig("LOGLEVEL", "0"); - SetConfig("USESYSLOG", "false"); - SetConfig("SYSLOGNAME", "havp"); - SetConfig("SYSLOGFACILITY", "daemon"); - SetConfig("SYSLOGLEVEL", "info"); - SetConfig("SYSLOGVIRUSLEVEL","warning"); - SetConfig("SCANIMAGES", "true"); - SetConfig("SKIPMIME", ""); - SetConfig("SCANMIME", ""); - SetConfig("MAXSCANSIZE", "5000000"); - 
SetConfig("KEEPBACKBUFFER", "200000"); - SetConfig("KEEPBACKTIME", "5"); - SetConfig("TRICKLING", "30"); - SetConfig("TRICKLINGBYTES", "1"); - SetConfig("WHITELISTFIRST", "true"); - SetConfig("WHITELIST", WHITELISTFILE); - SetConfig("BLACKLIST", BLACKLISTFILE); - SetConfig("TEMPLATEPATH", TEMPLATEPATH); - SetConfig("TEMPDIR", "/var/spool/havp"); - SetConfig("SCANTEMPFILE", "/var/spool/havp/havp-XXXXXX"); - SetConfig("PIDFILE", PIDFILE); - SetConfig("TRANSPARENT", "false"); - SetConfig("RANGE", "false"); - SetConfig("PRELOADZIPHEADER","true"); - SetConfig("FORWARDED_IP", "false"); - SetConfig("X_FORWARDED_FOR","false"); - SetConfig("STREAMUSERAGENT",""); - SetConfig("STREAMSCANSIZE", "20000"); - SetConfig("DBRELOAD", "60"); - SetConfig("FAILSCANERROR", "true"); - SetConfig("MAXDOWNLOADSIZE","0"); - SetConfig("SCANNERTIMEOUT", "10"); - SetConfig("IGNOREVIRUS", ""); - SetConfig("DISABLELOCKINGFOR","AVG:ALL"); -//SCANNERS - SetConfig("ENABLECLAMLIB","false"); - SetConfig("CLAMDBDIR",""); - SetConfig("CLAMBLOCKBROKEN","false"); - SetConfig("CLAMBLOCKMAX","false"); - SetConfig("CLAMBLOCKENCRYPTED","false"); - SetConfig("CLAMMAXSCANSIZE","20"); - SetConfig("CLAMMAXFILES","50"); - SetConfig("CLAMMAXFILESIZE","100"); - SetConfig("CLAMMAXRECURSION","8"); - SetConfig("ENABLECLAMD","false"); - SetConfig("CLAMDSOCKET","/tmp/clamd"); - SetConfig("CLAMDSERVER",""); - SetConfig("CLAMDPORT","3310"); - SetConfig("ENABLEAVG","false"); - SetConfig("AVGSERVER","127.0.0.1"); - SetConfig("AVGPORT","55555"); - SetConfig("ENABLEAVESERVER","false"); - SetConfig("AVESOCKET","/var/run/aveserver"); - SetConfig("ENABLEFPROT","false"); - SetConfig("FPROTPORT","10200"); - SetConfig("FPROTSERVER","127.0.0.1"); - SetConfig("FPROTOPTIONS",""); - SetConfig("ENABLENOD32","false"); - SetConfig("NOD32SOCKET","/tmp/nod32d.sock"); - SetConfig("NOD32VERSION","25"); - SetConfig("ENABLETROPHIE","false"); - SetConfig("TROPHIEMAXFILES","50"); - SetConfig("TROPHIEMAXFILESIZE","10"); - 
SetConfig("TROPHIEMAXRATIO","250"); - SetConfig("ENABLESOPHIE","false"); - SetConfig("SOPHIESOCKET","/var/run/sophie"); - SetConfig("ENABLEAVAST","false"); - SetConfig("AVASTSOCKET","/var/run/avast4/local.sock"); - SetConfig("AVASTSERVER",""); - SetConfig("AVASTPORT","5036"); - SetConfig("ENABLEARCAVIR","false"); - SetConfig("ARCAVIRSOCKET","/var/run/arcavird.socket"); - SetConfig("ARCAVIRVERSION","2007"); - SetConfig("ENABLEDRWEB","false"); - SetConfig("DRWEBSOCKET","/var/drweb/run/.daemon"); - SetConfig("DRWEBSERVER",""); - SetConfig("DRWEBPORT","3000"); - SetConfig("DRWEBHEURISTIC","true"); - SetConfig("DRWEBMALWARE","true"); -} - -bool Params::ReadConfig( string file ) -{ - ifstream input( file.c_str() ); - - if ( !input ) - { - cerr << "Could not open config file: " << file << endl; - return false; - } - - string::size_type Position; - string line, key, val; - - while ( input ) - { - getline( input, line ); - - //Strip whitespace from beginning and end - if ( (Position = line.find_first_not_of(" \t")) != string::npos ) - { - line = line.substr(Position, (line.find_last_not_of(" \t", string::npos) - Position) + 1); - } - - //Read next if nothing found - if ( (Position == string::npos) || (line.size() == 0) ) continue; - - //Read next if commented - if ( line.substr(0, 1) == "#" ) continue; - - //Find key and value - if ( (Position = line.find_first_of(" \t")) != string::npos ) - { - key = line.substr(0, Position); - - if ( key == "REMOVETHISLINE" ) - { - cout << "Configuration is not edited!" << endl; - cout << "You must delete REMOVETHISLINE option." << endl; - cout << "Review the configuration carefully. 
:)" << endl; - return false; - } - - if ( (Position = line.find_first_not_of(" \t", Position + 1)) == string::npos ) - { - cout << "Invalid Config Line: " << line << endl; - return false; - } - - val = line.substr( Position ); - - Params::SetConfig( key, val ); - } - else - { - cout << "Invalid Config Line: " << line << endl; - return false; - } - } - - input.close(); - - return true; -} - -void Params::SetConfig( string param, string value ) -{ - string TempParams[] = {CONFIGPARAMS}; - bool ParamFound = false; - - param = UpperCase(param); - - for ( unsigned int i = 0; i < sizeof(TempParams)/sizeof(string); i++ ) - { - if ( param == TempParams[i] ) - { - ParamFound = true; - } - } - - if ( ParamFound ) - { - if ( UpperCase(value) == "TRUE" || UpperCase(value) == "FALSE" ) - { - value = UpperCase(value); - } - - params[param] = value; - } - else - { - cout << "Unknown Config Parameter: " << param << endl; - cout << "Exiting.." << endl; - exit(1); - } -} - -int Params::GetConfigInt( string param ) -{ - return atoi( params[param].c_str() ); -} - -bool Params::GetConfigBool( string param ) -{ - if ( params[param] == "TRUE" ) - { - return true; - } - else - { - return false; - } -} - -string Params::GetConfigString( string param ) -{ - return params[param]; -} - -void Params::ShowConfig( string cfgfile ) -{ - cout << endl << "# Using HAVP config: " << cfgfile << endl << endl; - typedef map::const_iterator CI; - for(CI p = params.begin(); p != params.end(); ++p) - { - cout << p->first << "=" << p->second << '\n'; - } - cout << endl; -} - -void Params::Usage() -{ - cout << endl << "Usage: havp [Options]" << endl << endl; - cout << "HAVP Version " << VERSION << endl << endl; - cout << "Possible options are:" << endl; - cout << "--help | -h This pamphlet" << endl; - cout << "--conf-file=FileName | -c Filename Use this Config-File" << endl; - cout << "--show-config | -s Show configuration HAVP is using" << endl << endl; -} - -bool Params::SetParams( int argvT, char* argcT[] 
) -{ - string option, value; - string::size_type i1, i2; - - string cfgfile = CONFIGFILE; - bool showconf = false; - - SetDefaults(); - - while ( --argvT ) - { - value = *++argcT; - i1 = value.find_first_not_of("-"); - - //No GNU options - if ( i1 == 1 ) - { - option = value.substr(i1, 1); - - if ( option == "c" ) - { - --argvT; - - if ( argvT == 0 ) - { - Usage(); - return false; - } - value = *++argcT; - } - else if ( option == "s" ) - { - showconf = true; - } - else - { - Usage(); - return false; - } - } - //GNU options - else if ( i1 == 2 ) - { - if ( (i2 = value.find("=")) != string::npos ) - { - option = value.substr(i1, i2 - i1); - - if ( value.size() > i2 + 1 ) - { - value = value.substr(i2 + 1); - } - else - { - Usage(); - return false; - } - } - else - { - option = value.substr(i1); - value = ""; - } - } - else - { - Usage(); - return false; - } - - if ( option == "help" ) - { - Usage(); - return false; - } - else if ( option == "show-config" ) - { - showconf = true; - } - else if ( option == "conf-file" || option == "c" ) - { - if (value == "") - { - Usage(); - return false; - } - - cfgfile = value; - } - else if ( showconf == true ) - { - //Nothing: prevent Usage - } - else - { - Usage(); - return false; - } - } - - if ( ReadConfig( cfgfile ) == false ) - { - return false; - } - - if ( showconf == true ) - { - ShowConfig( cfgfile ); - return false; - } - - return TestConfig(); -} - -//Test that some options are sane -bool Params::TestConfig() -{ - if ( Params::GetConfigInt("SERVERNUMBER") < 1 ) - { - cout << "Invalid Config: SERVERNUMBER needs to be greater than 0" << endl; - return false; - } - if ( Params::GetConfigString("ACCESSLOG").substr(0,1) != "/" - || (Params::GetConfigString("VIRUSLOG") != "" && Params::GetConfigString("VIRUSLOG").substr(0,1) != "/") - || Params::GetConfigString("ERRORLOG").substr(0,1) != "/" ) - { - cout << "Invalid Config: Log paths need to be abolute" << endl; - return false; - } - if ( 
Params::GetConfigString("SCANTEMPFILE").find("XXXXXX") == string::npos ) - { - cout << "Invalid Config: SCANTEMPFILE must contain string \"XXXXXX\"" << endl; - return false; - } - if ( Params::GetConfigInt("MAXSERVERS") > 500 ) - { - cout << "Note: MAXSERVERS is unusually high! You are sure you want this?" << endl; - } - if ( Params::GetConfigString("BIND_ADDRESS") == "NULL" ) Params::SetConfig("BIND_ADDRESS",""); - if ( Params::GetConfigString("BIND_ADDRESS") != "" ) - { - if ( inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) == INADDR_NONE ) - { - cout << "Invalid Config: Invalid BIND_ADDRESS" << endl; - return false; - } - } - if ( Params::GetConfigString("SOURCE_ADDRESS") == "NULL" ) Params::SetConfig("SOURCE_ADDRESS",""); - if ( Params::GetConfigString("SOURCE_ADDRESS") != "" ) - { - if ( inet_addr( Params::GetConfigString("SOURCE_ADDRESS").c_str() ) == INADDR_NONE ) - { - cout << "Invalid Config: Invalid SOURCE_ADDRESS" << endl; - return false; - } - } - if ( Params::GetConfigString("PARENTPROXY") != "" && Params::GetConfigInt("PARENTPORT") < 1 ) - { - cout << "Invalid Config: Invalid PARENTPROXY/PARENTPORT" << endl; - return false; - } - if ( Params::GetConfigInt("TRICKLING") > 0 && Params::GetConfigInt("TRICKLINGBYTES") < 1 ) - { - cout << "Invalid Config: TRICKLINGBYTES needs to be greater than 0" << endl; - return false; - } - - return true; -} diff -r 5979296311cb -r 2d91f287b9b6 .pc/05_add_ssltimeout_option.patch/havp/sockethandler.cpp --- a/.pc/05_add_ssltimeout_option.patch/havp/sockethandler.cpp Wed Jun 18 16:19:01 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,654 +0,0 @@ -/*************************************************************************** - sockethandler.cpp - description - ------------------- - begin : Sa Feb 12 2005 - copyright : (C) 2005 by Christian Hilgers - email : christian@hilgers.ag - ***************************************************************************/ - -/*************************************************************************** - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - ***************************************************************************/ - -#include "sockethandler.h" -#include "logfile.h" -#include "params.h" -#include "utils.h" - -#include -#include -#include -#include - -#ifndef INADDR_NONE -#define INADDR_NONE ((unsigned long) -1) -#endif -#ifndef AF_LOCAL -#define AF_LOCAL AF_UNIX -#endif - -//Create Server Socket -bool SocketHandler::CreateServer( int portT, in_addr_t bind_addrT ) -{ - int i = 1; - - my_s_addr.sin_addr.s_addr = bind_addrT; - my_s_addr.sin_port = htons(portT); - - if ( (sock_fd = socket( AF_INET, SOCK_STREAM, 0 )) < 0 ) - { - LogFile::ErrorMessage("socket() failed: %s\n", strerror(errno)); - return false; - } - - // Enable re-use Socket - if ( setsockopt( sock_fd, SOL_SOCKET, SO_REUSEADDR, &i, sizeof(i) ) < 0 ) - { - LogFile::ErrorMessage("setsockopt() failed: %s\n", strerror(errno)); - return false; - } - - if ( ::bind( sock_fd, (struct sockaddr *) &my_s_addr, sizeof(my_s_addr) ) < 0 ) - { - LogFile::ErrorMessage("bind() failed: %s\n", strerror(errno)); - return false; - } - - if ( ::listen( sock_fd, MAXCONNECTIONS ) < 0 ) - { - LogFile::ErrorMessage("listen() failed: %s\n", strerror(errno)); - return false; - } - - return true; -} - - -//Create Server Socket, convert ASCII address representation into binary one -bool 
SocketHandler::CreateServer( int portT, string bind_addrT ) -{ - if ( bind_addrT == "" ) - { - return CreateServer( portT, INADDR_ANY ); - } - else - { - return CreateServer( portT, inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) ); - } -} - - -//Connect to Server -bool SocketHandler::ConnectToServer() -{ - if ( (sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) - { - LogFile::ErrorMessage("ConnectToServer socket() failed: %s\n", strerror(errno)); - return false; - } - - if ( source_address != "" ) - { - if ( ::bind(sock_fd, (struct sockaddr *) &l_addr, sizeof(l_addr)) < 0 ) - { - LogFile::ErrorMessage("ConnectoToServer bind() failed: %s\n", strerror(errno)); - Close(); - return false; - } - } - - int flags, ret; - - //Nonblocking connect to get a proper timeout - while ( (flags = fcntl(sock_fd, F_GETFL, 0)) < 0 ) - { - if (errno == EINTR) continue; - - LogFile::ErrorMessage("ConnectToServer fcntl() get failed: %s\n", strerror(errno)); - Close(); - return false; - } - while ( fcntl(sock_fd, F_SETFL, flags | O_NONBLOCK) < 0 ) - { - if (errno == EINTR) continue; - - LogFile::ErrorMessage("ConnectToServer fcntl() O_NONBLOCK failed: %s\n", strerror(errno)); - Close(); - return false; - } - - while ( (ret = ::connect(sock_fd, (struct sockaddr *) &my_s_addr, sizeof(my_s_addr))) < 0 ) - { - if (errno == EINTR) continue; - - if (errno != EINPROGRESS) - { - if (errno != EINVAL) LogFile::ErrorMessage("connect() failed: %s\n", strerror(errno)); - Close(); - return false; - } - - break; - } - - if ( ret != 0 ) - { - FD_ZERO(&checkfd); - FD_SET(sock_fd,&checkfd); - wset = checkfd; - - Timeout.tv_sec = CONNTIMEOUT; - Timeout.tv_usec = 0; - - ret = select_eintr(sock_fd+1, &checkfd, &wset, NULL, &Timeout); - - if ( ret <= 0 ) - { - Close(); - return false; - } - - addr_len = sizeof(peer_addr); - - if ( getpeername(sock_fd, (struct sockaddr *) &peer_addr, (socklen_t *) &addr_len) < 0 ) - { - Close(); - return false; - } - } - - while ( fcntl(sock_fd, F_SETFL, flags) < 0 
) - { - if (errno == EINTR) continue; - - LogFile::ErrorMessage("ConnectToServer fcntl() set failed: %s\n", strerror(errno)); - Close(); - return false; - } - - return true; -} - - -bool SocketHandler::ConnectToSocket( string SocketPath, int retry ) -{ - strncpy(my_u_addr.sun_path, SocketPath.c_str(), sizeof(my_u_addr.sun_path)-1); - - if ( (sock_fd = socket(AF_LOCAL, SOCK_STREAM, 0)) < 0 ) - { - LogFile::ErrorMessage("ConnectToSocket socket() failed: %s\n", strerror(errno)); - return false; - } - - int tries = 0; - int ret; - - for(;;) - { - while ( (ret = ::connect(sock_fd, (struct sockaddr *) &my_u_addr, sizeof(my_u_addr))) < 0 ) - { - if (errno == EINTR) continue; - - if (errno != ENOENT) LogFile::ErrorMessage("ConnectToSocket connect() failed: %s\n", strerror(errno)); - break; - } - - //Success? - if ( ret == 0 ) return true; - - //All retried? - if ( ++tries > retry ) break; - - //Try again in one second - sleep(1); - continue; - } - - Close(); - return false; -} - - -//Accept Client -bool SocketHandler::AcceptClient( SocketHandler &accept_socketT ) -{ - addr_len = sizeof(my_s_addr); - - while ((accept_socketT.sock_fd = ::accept(sock_fd, (sockaddr *) &my_s_addr, (socklen_t *) &addr_len)) < 0) - { - if (errno == EINTR) continue; - - LogFile::ErrorMessage("accept() failed: %s\n", strerror(errno)); - - return false; - } - - //Save IP to ToBrowser - accept_socketT.my_s_addr = my_s_addr; - - return true; -} - -//Send String -bool SocketHandler::Send( const char *sock_outT, int len ) -{ - int total_sent = 0; - int ret, buffer_count; - - do - { - Timeout.tv_sec = SENDTIMEOUT; - Timeout.tv_usec = 0; - FD_ZERO(&checkfd); - FD_SET(sock_fd,&checkfd); - - ret = select_eintr(sock_fd+1, NULL, &checkfd, NULL, &Timeout); - - if (ret <= 0) - { - return false; - } - - while ((buffer_count = ::send(sock_fd, sock_outT + total_sent, len - total_sent, 0)) < 0) - { - if (errno == EINTR) continue; - - return false; - } - if (buffer_count == 0) - { - return false; - } - - total_sent 
+= buffer_count; - } - while (total_sent < len); - - return true; -} - -//Send String -bool SocketHandler::Send( string &sock_outT ) -{ - int total_sent = 0; - int len = sock_outT.size(); - int ret, buffer_count; - - do - { - Timeout.tv_sec = SENDTIMEOUT; - Timeout.tv_usec = 0; - FD_ZERO(&checkfd); - FD_SET(sock_fd,&checkfd); - - ret = select_eintr(sock_fd+1, NULL, &checkfd, NULL, &Timeout); - - if (ret <= 0) - { - return false; - } - - while ((buffer_count = ::send(sock_fd, sock_outT.substr(total_sent).c_str(), len - total_sent, 0)) < 0) - { - if (errno == EINTR) continue; - - return false; - } - if (buffer_count == 0) - { - return false; - } - - total_sent += buffer_count; - } - while (total_sent < len); - - return true; -} - - -//Receive String - Maximal MAXRECV -//sock_del = false : Do not delete Data from Socket -ssize_t SocketHandler::Recv( string &sock_inT, bool sock_delT, int timeout ) -{ - if ( RecvBuf.size() > 0 ) - { - sock_inT.append( RecvBuf ); - - if ( sock_delT == true ) - { - ssize_t tempsize = RecvBuf.size(); - - RecvBuf = ""; - - return tempsize; - } - - return RecvBuf.size(); - } - - char buffer[MAXRECV+1]; - ssize_t buffer_count; - int ret; - - if ( timeout != -1 ) - { - Timeout.tv_sec = timeout; - } - else - { - Timeout.tv_sec = RECVTIMEOUT; - } - Timeout.tv_usec = 0; - - FD_ZERO(&checkfd); - FD_SET(sock_fd,&checkfd); - - ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout); - - if (ret <= 0) - { - return -1; - } - - while ((buffer_count = ::recv(sock_fd, buffer, MAXRECV, 0)) < 0) - { - if (errno == EINTR) continue; - - return -1; - } - - if ( sock_delT == false ) - { - RecvBuf.append( buffer, buffer_count ); - } - - if ( buffer_count == 0 ) - { - return 0; - } - - sock_inT.append( buffer, buffer_count ); - - return buffer_count; -} - - -//Receive String of length sock_length -bool SocketHandler::RecvLength( string &sock_inT, unsigned int sock_lengthT ) -{ - if ( RecvBuf.size() >= sock_lengthT ) - { - sock_inT.append( RecvBuf.substr( 
0, sock_lengthT ) ); - - RecvBuf.erase( 0, sock_lengthT ); - - return true; - } - - char buffer[MAXRECV+1]; - ssize_t buffer_count; - unsigned int received = 0; - - if ( RecvBuf.size() > 0 ) - { - sock_inT.append( RecvBuf ); - received += RecvBuf.size(); - - RecvBuf = ""; - } - - for(;;) - { - Timeout.tv_sec = RECVTIMEOUT; - Timeout.tv_usec = 0; - - FD_ZERO(&checkfd); - FD_SET(sock_fd,&checkfd); - - int ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout); - - if ( ret <= 0 ) - { - return false; - } - - while ((buffer_count = ::recv(sock_fd, buffer, MAXRECV, 0)) < 0 && errno == EINTR); - - if ( buffer_count < 1 ) - { - return false; - } - - if ( received + buffer_count >= sock_lengthT ) - { - string Rest; - Rest.append( buffer, buffer_count ); - - unsigned int needed = sock_lengthT - received; - - sock_inT.append( Rest.substr( 0, needed ) ); - if ( Rest.size() > needed ) RecvBuf.append( Rest.substr( needed ) ); - - return true; - } - - sock_inT.append( buffer, buffer_count ); - received += buffer_count; - } - - return true; -} - - -//Wait and get something from socket until separator -bool SocketHandler::GetLine( string &lineT, string separator, int timeout ) -{ - lineT = ""; - - string TempLine; - string::size_type Position; - - do - { - if ( Recv( TempLine, false, timeout ) == false ) - { - return false; - } - } - while ( (Position = TempLine.find( separator )) == string::npos ); - - TempLine = ""; - - if ( RecvLength( TempLine, Position + separator.size() ) == false ) - { - return false; - } - - lineT = TempLine.erase( Position ); - - return true; -} - - -//Resolve and set hostname/port for connecting -bool SocketHandler::SetDomainAndPort( string domainT, int portT ) -{ - if ( domainT == "" ) return false; - if ( portT < 1 || portT > 65536 ) return false; - - int domlen = domainT.length(); - - if (domlen > 250) domainT = domainT.substr(0, 250); - my_s_addr.sin_port = htons(portT); - - //IP? 
- if ( domlen >= 7 && domlen <= 15 && domainT.find_first_not_of("0123456789.") == string::npos ) - { - LastHost = ""; - if ( inet_aton( domainT.c_str(), &my_s_addr.sin_addr ) != 0 ) return true; - return false; - } - - //Same host as last time, use next IP - if ( server && LastHost == domainT ) - { - if ( ips == 1 ) return true; - - if ( ++ip_count == ips ) ip_count = 0; - memcpy((char *) &my_s_addr.sin_addr.s_addr, server->h_addr_list[ip_count], server->h_length); - - return true; - } - - //Resolve host - if ( (server = gethostbyname( domainT.c_str() )) ) - { - //Count IPs - for ( ips = 0; server->h_addr_list[ips] != NULL && server->h_addrtype == AF_INET && ips != 16; ips++ ); - - if ( !ips ) return false; - - memcpy((char *) &my_s_addr.sin_addr.s_addr, server->h_addr_list[0], server->h_length); - - ip_count = 0; - LastHost = domainT; - - return true; - } - - LastHost = ""; - return false; -} - -int SocketHandler::IPCount() -{ - return ips; -} - -string SocketHandler::GetIP() -{ - string ip = inet_ntoa(my_s_addr.sin_addr); - return ip; -} - -bool SocketHandler::CheckForData( int timeout ) -{ - if ( RecvBuf.size() > 0 ) - { - return true; - } - - int ret; - - Timeout.tv_sec = timeout; - Timeout.tv_usec = 0; - - FD_ZERO(&checkfd); - FD_SET(sock_fd,&checkfd); - - ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout); - - if (ret <= 0) - { - return false; - } - - return true; -} - - -#ifdef SSLTUNNEL -int SocketHandler::CheckForSSLData( int sockBrowser, int sockServer ) -{ - fd_set readfd; - int fds; - - FD_ZERO(&readfd); - FD_SET(sockBrowser,&readfd); - FD_SET(sockServer,&readfd); - - if ( sockBrowser > sockServer ) - { - fds = sockBrowser; - } - else - { - fds = sockServer; - } - - Timeout.tv_sec = 20; - Timeout.tv_usec = 0; - - int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout); - - if (ret <= 0) return 0; - - if (FD_ISSET(sockBrowser,&readfd)) return 1; - - return 2; -} -#endif - - -void SocketHandler::Close() -{ - //Clear receive buffer - 
RecvBuf = ""; - - //Check that we have a real fd - if ( sock_fd > -1 ) - { - while ( ::close(sock_fd) < 0 ) - { - if (errno == EINTR) continue; - if (errno == EBADF) break; - - //IO error? - LogFile::ErrorMessage("close() failed: %s\n", strerror(errno)); - } - - //Mark socket unused - sock_fd = -1; - } -} - - -//Constructor -SocketHandler::SocketHandler() -{ - memset(&my_s_addr, 0, sizeof(my_s_addr)); - my_s_addr.sin_family = AF_INET; - - memset(&my_u_addr, 0, sizeof(my_u_addr)); - my_u_addr.sun_family = AF_LOCAL; - - ip_count = 0; - ips = 0; - - //No socket exists yet - sock_fd = -1; - - source_address = Params::GetConfigString("SOURCE_ADDRESS"); - - if ( source_address != "" ) - { - l_addr.sin_family = AF_INET; - l_addr.sin_port = htons(0); - l_addr.sin_addr.s_addr = inet_addr( source_address.c_str() ); - } - - RecvBuf.reserve(1500); - RecvBuf = ""; -} - - -//Destructor -SocketHandler::~SocketHandler() -{ -} diff -r 5979296311cb -r 2d91f287b9b6 .pc/applied-patches --- a/.pc/applied-patches Wed Jun 18 16:19:01 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,3 +0,0 @@ -03_havp.config.patch -04_params.cpp.patch -05_add_ssltimeout_option.patch diff -r 5979296311cb -r 2d91f287b9b6 etc/havp/havp.config.in --- a/etc/havp/havp.config.in Wed Jun 18 16:19:01 2014 +0200 +++ b/etc/havp/havp.config.in Wed Jun 18 16:33:18 2014 +0200 @@ -16,7 +16,7 @@ # You must remove this line for HAVP to start. # This makes sure you have (hopefully) reviewed the configuration. :) # Hint: You must enable some scanner! Find them in the end.. -# REMOVETHISLINE deleteme +REMOVETHISLINE deleteme # # For reasons of security it is recommended to run a proxy program @@ -113,7 +113,7 @@ # These characters are used by system to create unique named files. # # Default: -# SCANTEMPFILE /var/spool/havp/havp-XXXXXX +# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX # # Directory for ClamAV and other scanner created tempfiles. 
@@ -237,13 +237,6 @@ # Default: # FAILSCANERROR true -# SSL connections may be silent for a while (mostly when "abused" -# for other communication than HTTP). HAVP disconnects these connections -# after several seconds. -# -# Default: -# SSLTIMEOUT 20 - # # When scanning takes longer than this, it will be aborted. # Timer is started after HAVP has fully received all data. @@ -255,13 +248,6 @@ # Default: # SCANNERTIMEOUT 10 -# SSL connections may be silent for a while (mostly when "abused" -# for other communication than HTTP). HAVP disconnects these connections -# after several seconds. -# -# Default: -# SSLTIMEOUT 20 - # # Allow HTTP Range requests? # @@ -442,14 +428,14 @@ ##### ClamAV Library Scanner (libclamav) ##### -ENABLECLAMLIB true +ENABLECLAMLIB false # HAVP uses libclamav hardcoded pattern directory, which usually is -# /usr/share/clamav. You only need to set CLAMDBDIR, if you are +# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are # using non-default DatabaseDirectory setting in clamd.conf. # # Default: NONE -# CLAMDBDIR /var/lib/clamav +# CLAMDBDIR /path/to/directory # Should we block broken executables? # @@ -675,3 +661,4 @@ # Default: NONE # DRWEBSERVER 127.0.0.1 # DRWEBPORT 3000 + diff -r 5979296311cb -r 2d91f287b9b6 havp/default.h.in --- a/havp/default.h.in Wed Jun 18 16:19:01 2014 +0200 +++ b/havp/default.h.in Wed Jun 18 16:33:18 2014 +0200 @@ -36,7 +36,6 @@ "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \ "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \ "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \ - "SSLTIMEOUT", \ "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \ "SKIPMIME","SCANMIME", \ "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \ diff -r 5979296311cb -r 2d91f287b9b6 havp/params.cpp 
--- a/havp/params.cpp Wed Jun 18 16:19:01 2014 +0200
+++ b/havp/params.cpp Wed Jun 18 16:33:18 2014 +0200
@@ -70,8 +70,8 @@
 SetConfig("WHITELIST", WHITELISTFILE);
 SetConfig("BLACKLIST", BLACKLISTFILE);
 SetConfig("TEMPLATEPATH", TEMPLATEPATH);
- SetConfig("TEMPDIR", "/var/spool/havp");
- SetConfig("SCANTEMPFILE", "/var/spool/havp/havp-XXXXXX");
+ SetConfig("TEMPDIR", "/var/tmp");
+ SetConfig("SCANTEMPFILE", "/var/tmp/havp/havp-XXXXXX");
 SetConfig("PIDFILE", PIDFILE);
 SetConfig("TRANSPARENT", "false");
 SetConfig("RANGE", "false");
@@ -86,7 +86,6 @@
 SetConfig("SCANNERTIMEOUT", "10");
 SetConfig("IGNOREVIRUS", "");
 SetConfig("DISABLELOCKINGFOR","AVG:ALL");
- SetConfig("SSLTIMEOUT", "20");
 //SCANNERS
 SetConfig("ENABLECLAMLIB","false");
 SetConfig("CLAMDBDIR","");
diff -r 5979296311cb -r 2d91f287b9b6 havp/sockethandler.cpp
--- a/havp/sockethandler.cpp Wed Jun 18 16:19:01 2014 +0200
+++ b/havp/sockethandler.cpp Wed Jun 18 16:33:18 2014 +0200
@@ -582,7 +582,7 @@
 fds = sockServer;
 }
- Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT");
+ Timeout.tv_sec = 20;
 Timeout.tv_usec = 0;
 int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout);
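Review bot: The new defaults in the `@@ -70,8 +70,8 @@` hunk move TEMPDIR from the daemon-owned `/var/spool/havp` to the shared, world-writable `/var/tmp`, and SCANTEMPFILE into `/var/tmp/havp/havp-XXXXXX`; according to the config commentary elsewhere in this changeset TEMPDIR is where ClamAV and other scanners drop their temp files, so scanner output now lands directly in a directory every local user can write to, which is the classic setup for symlink and pre-created-file attacks unless every file is created with mkstemp()/O_EXCL and the `havp/` subdirectory is created owner-only for the havp user. The TestConfig shown in the deleted copy of this file only checks that SCANTEMPFILE contains `XXXXXX`, not that either directory is private. If these are simply the upstream defaults restored by dropping the Debian patch, I would still pin the expectation in a comment above the two SetConfig lines: `// NOTE: /var/tmp is world-writable; TEMPDIR/SCANTEMPFILE must only be used with O_EXCL temp-file creation and a havp-owned 0700 subdirectory, or overridden in havp.config.` The enclosing SetDefaults() starts before the hunk.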
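Review bot: `Timeout.tv_sec = 20;` in the `@@ -582,7 +582,7 @@` hunk leaves the SSL-tunnel idle timeout as a bare magic number now that the SSLTIMEOUT config lookup is gone; the value matches the default the removed SetConfig line carried, so behaviour is unchanged, but the intent no longer survives in the code. Suggest a named constant next to the other timeouts this file already uses (CONNTIMEOUT, RECVTIMEOUT, SENDTIMEOUT), e.g. `static const int SSLTUNNELTIMEOUT = 20; // seconds a CONNECT tunnel may stay silent before it is torn down`, and `Timeout.tv_sec = SSLTUNNELTIMEOUT;` here. A one-line comment that a silent tunnel is reported as "no data" after this interval would also help, since judging by the copy of this function deleted earlier in the changeset a select() timeout is returned as 0 to the caller. The enclosing CheckForSSLData() starts before the hunk.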