[import] current ius
authorMatthias Förste <foerste@schlittermann.de>
Wed, 18 Jun 2014 16:17:31 +0200
changeset 1 70b0d05afad2
parent 0 8baf084f58c5
child 2 5979296311cb
[import] current ius
.gitignore
.pc/.quilt_patches
.pc/.quilt_series
.pc/.version
.pc/03_havp.config.patch/etc/havp/havp.config.in
.pc/04_params.cpp.patch/havp/params.cpp
.pc/05_add_ssltimeout_option.patch/etc/havp/havp.config.in
.pc/05_add_ssltimeout_option.patch/havp/default.h.in
.pc/05_add_ssltimeout_option.patch/havp/params.cpp
.pc/05_add_ssltimeout_option.patch/havp/sockethandler.cpp
.pc/applied-patches
debian/changelog
debian/compat
debian/control
debian/havp.init
debian/havp.postinst
debian/havp.prerm
debian/patches/00list
debian/patches/03_havp.config.dpatch
debian/patches/03_havp.config.patch
debian/patches/04_params.cpp.dpatch
debian/patches/04_params.cpp.patch
debian/patches/05_add_ssltimeout_option.dpatch
debian/patches/05_add_ssltimeout_option.patch
debian/patches/series
debian/rules
debian/source/format
debian/source/options
etc/havp/havp.config.in
havp/default.h.in
havp/params.cpp
havp/sockethandler.cpp
--- a/.gitignore	Wed Jun 18 16:16:36 2014 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,4 +0,0 @@
-*~
-*.old
-*.orig
-*.rej
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/.quilt_patches	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+debian/patches
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/.quilt_series	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+series
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/.version	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/03_havp.config.patch/etc/havp/havp.config.in	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,664 @@
+#
+# This is the configuration file for HAVP
+#
+# All lines starting with a hash (#) or empty lines are ignored.
+# Uncomment parameters you want to change!
+#
+# All parameters configurable in this file are explained and their default
+# values are shown. If no default value is defined "NONE" is specified.
+# 
+# General syntax: Parameter Value
+# Value can be: true/false, number, or path
+#
+# Extra spaces and tabs are ignored.
+#
+
+# You must remove this line for HAVP to start.
+# This makes sure you have (hopefully) reviewed the configuration. :)
+# Hint: You must enable some scanner! Find them in the end..
+REMOVETHISLINE deleteme
+
+#
+# For reasons of security it is recommended to run a proxy program
+# without root rights. It is recommended to create user that is not
+# used by any other program.
+#
+# Default:
+# USER havp
+# GROUP havp
+
+# If this is true HAVP is running as daemon in background.
+# For testing you may run HAVP at your text console.
+#
+# Default:
+# DAEMON true
+
+#
+# Process id (PID) of the main HAVP process is written to this file.
+# Be sure that it is writeable by the user under which HAVP is running.
+# /etc/init.d/havp script requires this to work.
+#
+# Default:
+# PIDFILE @localstatedir@/run/havp/havp.pid
+
+#
+# For performance reasons several instances of HAVP have to run.
+# Specify how many servers (child processes) are simultaneously
+# listening on port PORT for a connection. Minimum value should be
+# the peak requests-per-second expected + 5 for headroom. For best
+# performance, you should have atleast 1 CPU core per 16 processes.
+#
+# For single user home use, 8 should be minimum.
+# For 500+ users corporate use, start at 40.
+#
+# Value can and should be higher than recommended. Memory and
+# CPU usage is only affected by the number of concurrent requests.
+#
+# More childs are automatically created when needed, up to MAXSERVERS.
+#
+# Default:
+# SERVERNUMBER 8
+# MAXSERVERS 100
+
+#
+# Files where to log requests and info/errors.
+# Needs to have write permission for HAVP user.
+#
+# Default:
+# ACCESSLOG @localstatedir@/log/havp/access.log
+# ERRORLOG @localstatedir@/log/havp/havp.log
+# VIRUSLOG (same as ACCESSLOG)
+
+#
+# Format for timestamps in logfile messages.
+# See: man strftime
+#
+# Default:
+# TIMEFORMAT %d/%m/%Y %H:%M:%S
+
+#
+# Syslog can be used instead of logging to file.
+# For facilities and levels, see "man syslog".
+#
+# Default:
+# USESYSLOG false
+# SYSLOGNAME havp
+# SYSLOGFACILITY daemon
+# SYSLOGLEVEL info
+# SYSLOGVIRUSLEVEL warning
+
+#
+# true: Log every request to access log
+# false: Log only viruses to access log
+#
+# Default:
+# LOG_OKS true
+
+#
+# Level of HAVP logging
+#  0 = Only serious errors and information
+#  1 = Less interesting information is included
+#
+# Default:
+# LOGLEVEL 0
+
+#
+# Temporary scan file.
+# This file must reside on a partition for which mandatory
+# locking is enabled. For Linux, use "-o mand" in mount command.
+# See "man mount" for details. Solaris does not need any special
+# steps, it works directly.
+#
+# Specify absolute path to a file which name must contain "XXXXXX".
+# These characters are used by system to create unique named files.
+#
+# Default:
+# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
+
+#
+# Directory for ClamAV and other scanner created tempfiles.
+# Needs to be writable by HAVP user. Use ramdisk for best performance.
+#
+# Default:
+# TEMPDIR /var/tmp
+
+#
+# HAVP reloads scanners virus database by receiving a signal
+# (send SIGHUP to PID from PIDFILE, see "man kill") or after
+# a specified period of time. Specify here the number of
+# minutes to wait for reloading.
+#
+# This only affects library scanners (clamlib, trophie).
+# Other scanners must be updated manually.
+#
+# Default:
+# DBRELOAD 60 
+
+#
+# Run HAVP as transparent Proxy?
+#
+# If you don't know what this means read the mini-howto
+# TransparentProxy written by Daniel Kiracofe.
+# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
+# Definitely you have more to do than setting this to true.
+# You are warned!
+#
+# Default:
+# TRANSPARENT false
+
+#
+# Specify a parent proxy (e.g. Squid) HAVP should use.
+# If needed, user and password authentication can be used,
+# but only Basic-authentication scheme is supported.
+#
+# Default: NONE
+# PARENTPROXY localhost
+# PARENTPORT 3128
+# PARENTUSER username
+# PARENTPASSWORD password
+
+#
+# Write X-Forwarded-For: to log instead of connecters IP?
+#
+# If HAVP is used as parent proxy by some other proxy, this allows
+# to write the real users IP to log, instead of proxy IP.
+#
+# Default:
+# FORWARDED_IP false
+
+#
+# Send X-Forwarded-For: header to servers?
+#
+# If client sent this header, FORWARDED_IP setting defines the value,
+# then it is passed on. You might want to keep this disabled for security
+# reasons. Enable this if you use your own parent proxy after HAVP, so it
+# will see the original client IP.
+#
+# Disabling this also disables Via: header generation.
+#
+# Default:
+# X_FORWARDED_FOR false
+
+#
+# Port HAVP is listening on.
+#
+# Default:
+# PORT 8080
+
+#
+# IP address that HAVP listens on.
+# Let it be undefined to bind all addresses.
+#
+# Default: NONE
+# BIND_ADDRESS 127.0.0.1
+
+#
+# IP address used for sending outbound packets.
+# Let it be undefined if you want OS to handle right address.
+#
+# Default: NONE
+# SOURCE_ADDRESS 1.2.3.4
+
+#
+# Path to template files.
+#
+# Default:
+# TEMPLATEPATH @sysconfdir@/havp/templates/en
+
+#
+# Set to true if you want to prefer Whitelist.
+# If URL is Whitelisted, then Blacklist is ignored.
+# Otherwise Blacklist is preferred.
+#
+# Default:
+# WHITELISTFIRST true
+
+#
+# List of URLs not to scan.
+#
+# Default:
+# WHITELIST @sysconfdir@/havp/whitelist
+
+#
+# List of URLs that are denied access.
+#
+# Default:
+# BLACKLIST @sysconfdir@/havp/blacklist
+
+#
+# Is scanner error fatal?
+#
+# For example, archive types that are not supported by scanner
+# may return error. Also if scanner has invalid pattern files etc.
+#
+# true: User gets error page
+# false: No error is reported (viruses might not be detected)
+#
+# Default:
+# FAILSCANERROR true
+
+#
+# When scanning takes longer than this, it will be aborted.
+# Timer is started after HAVP has fully received all data.
+# If set too low, complex files/archives might produce timeout.
+# Timeout is always a fatal error regardless of FAILSCANERROR.
+#
+# Time in minutes!
+#
+# Default:
+# SCANNERTIMEOUT 10
+
+#
+# Allow HTTP Range requests?
+#
+# false: Broken downloads can NOT be resumed
+# true: Broken downloads can be resumed
+#
+# Allowing Range is a security risk, because partial
+# HTTP requests may not be properly scanned.
+#
+# Whitelisted sites are allowed to use Range in any case.
+#
+# Default:
+# RANGE false
+
+#
+# Allow HTTP Range request to get the ZIP header first?
+#
+# This allows (partial) scanning of ZIP files that are bigger than
+# MAXSCANSIZE. Scanning is done up to that many bytes into the file.
+#
+# Default:
+# PRELOADZIPHEADER true
+
+#
+# If you really need more performance, you can disable scanning of
+# JPG, GIF and PNG files. These are probably the most common files
+# around, so it will save lots of CPU. But be warned, image exploits
+# exist and more could be found. Think twice if you want to disable!
+#
+# In addition of checking Content-Type: image/*, this setting uses
+# file magic to make sure the file is really image.
+#
+# Also see SCANMIME/SKIPMIME settings to control scanning based
+# on just the Content-Type header.
+#
+# Default:
+# SCANIMAGES true
+
+#
+# What MIME types NOT to scan. For performance reasons, you could
+# exclude all media types.
+#
+# Based on Content-Type: header as given by the HTTP server.
+# Note that it is easy to forge and should not be trusted.
+#
+# Basic wildcard match supported.
+#
+# Default: NONE
+# SKIPMIME image/* video/* audio/*
+
+#
+# If set, then ONLY these MIME types will be scanned.
+#
+# Based on Content-Type: header as given by the HTTP server.
+# Note that it is easy to forge and should not be trusted.
+#
+# Basic wildcard match supported.
+#
+# Default: NONE
+# SCANMIME application/*
+
+#
+# Temporary file will grow only up to this size. This means scanner
+# will scan data until this limit is reached.
+#
+# There are two sides to this setting. By limiting the size, you gain
+# performance, less waiting for big files and less needed temporary space.
+# But there is slightly higher chance of virus slipping through (though
+# scanning large archives should not be gateways function, HAVP is more
+# geared towards small exploit detection etc).
+#
+# VALUE IN BYTES NOT KB OR MB!!!!
+#  0 = No size limit
+#
+# Default:
+# MAXSCANSIZE 5000000
+
+#
+# Amount of data going to browser that is held back, until it
+# is scanned. When we know file is clean, this held back data
+# can be sent to browser. You can safely set bigger value, only
+# thing you will notice is some "delay" in beginning of download.
+# Virus found in files bigger than this might not produce HAVP
+# error page, but result in a "broken" download.
+#
+# VALUE IN BYTES NOT KB OR MB!!!!
+#
+# Default:
+# KEEPBACKBUFFER 200000
+
+#
+# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
+# initially receive data from server, before sending anything to client.
+# Even trickling is not done before this time elapses. This way files that
+# are received fast are more secure and user can get virus report page for
+# files bigger than KEEPBACKBUFFER.
+#
+# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
+#
+# Default:
+# KEEPBACKTIME 5
+
+#
+# After Trickling Time (seconds), some bytes are sent to browser
+# to keep the connection alive. Trickling is not needed if timeouts
+# are not expected for files smaller than KEEPBACKBUFFER, but it is
+# recommended to set anyway.
+#
+# 0 = No Trickling
+#
+# Default:
+# TRICKLING 30
+
+#
+# Send this many bytes to browser every TRICKLING seconds, see above
+#
+# Default:
+# TRICKLINGBYTES 1
+
+#
+# Downloads larger than MAXDOWNLOADSIZE will be blocked.
+# Only if not Whitelisted!
+#
+# VALUE IN BYTES NOT KB OR MB!!!!
+#  0 = Unlimited Downloads
+#
+# Default:
+# MAXDOWNLOADSIZE 0
+
+#
+# Space separated list of strings to partially match User-Agent: header.
+# These are used for streaming content, so scanning is generally not needed
+# and tempfiles grow unnecessary. Remember when enabled, that user could
+# fake header and pass some scanning. HTTP Range requests are allowed for
+# these, so players can seek content.
+#
+# You can uncomment here a list of most popular players.
+#
+# Default: NONE
+# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
+
+#
+# Bytes to scan from beginning of streams.
+# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
+# It is not recommended as there are some exploits for players.
+#
+# Default:
+# STREAMSCANSIZE 20000
+
+#
+# Disable mandatory locking (dynamic scanning) for certain file types.
+# This is intended for fixing cases where a scanner forces use of mmap()
+# call. Mandatory locking might not allow this, so you could get errors
+# regarding memory allocation or I/O. You can test the "None" option
+# anyway, as it might even work depending on your OS (some Linux seems
+# to allow mand+mmap).
+# 
+# Allowed values:
+#   None
+#   ClamAV:BinHex  (mmap forced in versions older than 0.96)
+#   ClamAV:PDF     (mmap forced in versions older than 0.96)
+#   ClamAV:ZIP     (mmap forced in 0.93.x, should work in 0.94)
+#   AVG:ALL        (AVG 8.5 does not work, uses mmap MAP_SHARED)
+#
+# Default:
+# DISABLELOCKINGFOR AVG:ALL
+
+#
+# Whitelist specific viruses by case-insensitive substring match.
+# For example, "Oversized." and "Encrypted." are good candidates,
+# if you can't disable those checks any other way.
+#
+# Default: NONE
+# IGNOREVIRUS Oversized. Encrypted. Phishing.
+
+
+#####
+##### ClamAV Library Scanner (libclamav)
+#####
+
+ENABLECLAMLIB false
+
+# HAVP uses libclamav hardcoded pattern directory, which usually is
+# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
+# using non-default DatabaseDirectory setting in clamd.conf.
+#
+# Default: NONE
+# CLAMDBDIR /path/to/directory
+
+# Should we block broken executables?
+#
+# Default:
+# CLAMBLOCKBROKEN false
+
+# Should we block encrypted archives?
+#
+# Default:
+# CLAMBLOCKENCRYPTED false
+
+# Should we block files that go over maximum archive limits?
+#
+# Default:
+# CLAMBLOCKMAX false
+
+# Scanning limits?
+# You can find some additional info from documentation or clamd.conf
+#
+# Stop when this many total bytes scanned (MB)
+# CLAMMAXSCANSIZE 20
+#
+# Stop when this many files have been scanned
+# CLAMMAXFILES 50
+#
+# Don't scan files over this size (MB)
+# CLAMMAXFILESIZE 100
+#
+# Maximum archive recursion
+# CLAMMAXRECURSION 8
+
+
+#####
+##### ClamAV Socket Scanner (clamd)
+#####
+##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
+#####
+
+ENABLECLAMD false
+
+# Path to clamd socket
+#
+# Default:
+# CLAMDSOCKET /tmp/clamd
+
+# ..OR if you use clamd TCP socket, uncomment to enable use
+#
+# Clamd daemon needs to run on the same server as HAVP
+#
+# Default: NONE
+# CLAMDSERVER 127.0.0.1
+# CLAMDPORT 3310
+
+
+#####
+##### F-Prot Socket Scanner
+#####
+
+ENABLEFPROT false
+
+# F-Prot daemon needs to run on same server as HAVP
+#
+# Default:
+# FPROTSERVER 127.0.0.1
+# FPROTPORT 10200
+
+# F-Prot options (only for version 6+ !)
+#
+# See "fpscand-client.sh --help" for possible options.
+#
+# At the moment:
+#  --scanlevel=<n>  Which scanlevel to use, 0-4 (2).
+#  --heurlevel=<n>  How aggressive heuristics should be used, 0-4 (2).
+#  --archive=<n>    Scan inside supported archives n levels deep 1-99 (5).
+#  --adware         Instructs the daemon to flag adware.
+#  --applications   Instructs the daemon to flag potentially unwanted applications.
+#
+# Default: NONE
+# FPROTOPTIONS --scanlevel=2 --heurlevel=2
+
+
+#####
+##### AVG Socket Scanner
+#####
+
+ENABLEAVG false
+
+# AVG daemon needs to run on the same server as HAVP
+#
+# Default:
+# AVGSERVER 127.0.0.1
+# AVGPORT 55555
+
+
+#####
+##### Kaspersky Socket Scanner
+#####
+
+ENABLEAVESERVER false
+
+# Path to aveserver socket
+#
+# Default:
+# AVESOCKET /var/run/aveserver
+
+
+#####
+##### Sophos Scanner (Sophie)
+#####
+
+ENABLESOPHIE false
+
+# Path to sophie socket
+#
+# Default:
+# SOPHIESOCKET /var/run/sophie
+
+
+#####
+##### Trend Micro Library Scanner (Trophie)
+#####
+
+ENABLETROPHIE false
+
+# Scanning limits inside archives (filesize = MB):
+#
+# Default:
+# TROPHIEMAXFILES 50
+# TROPHIEMAXFILESIZE 10
+# TROPHIEMAXRATIO 250
+
+
+#####
+##### NOD32 Socket Scanner
+#####
+
+ENABLENOD32 false
+
+# Path to nod32d socket
+#
+# For 3.0+ version, try /tmp/esets.sock
+#
+# Default:
+# NOD32SOCKET /tmp/nod32d.sock
+
+# Used NOD32 Version
+#
+#  30 = 3.0+
+#  25 = 2.5+
+#  21 = 2.x (very old)
+#
+# Default:
+# NOD32VERSION 25
+
+
+#####
+##### Avast! Socket Scanner
+#####
+
+ENABLEAVAST false
+
+# Path to avastd socket
+#
+# Default:
+# AVASTSOCKET /var/run/avast4/local.sock
+
+# ..OR if you use avastd TCP socket, uncomment to enable use
+#
+# Avast daemon needs to run on the same server as HAVP
+#
+# Default: NONE
+# AVASTSERVER 127.0.0.1
+# AVASTPORT 5036
+
+
+#####
+##### Arcavir Socket Scanner
+#####
+
+ENABLEARCAVIR false
+
+# Path to arcavird socket
+#
+# For version 2008, default socket is /var/run/arcad.ctl
+#
+# Default:
+# ARCAVIRSOCKET /var/run/arcavird.socket
+
+# Used Arcavir version
+#  2007 = Version 2007 and earlier
+#  2008 = Version 2008 and later
+#
+# Default:
+# ARCAVIRVERSION 2007
+
+
+#####
+##### DrWeb Socket Scanner
+#####
+
+ENABLEDRWEB false
+
+# Enable heuristic scanning?
+#
+# Default:
+# DRWEBHEURISTIC true
+
+# Enable malware detection?
+# (Adware, Dialer, Joke, Riskware, Hacktool)
+#
+# Default:
+# DRWEBMALWARE true
+
+# Path to drwebd socket
+#
+# Default:
+# DRWEBSOCKET /var/drweb/run/.daemon
+
+# ..OR if you use drwebd TCP socket, uncomment to enable use
+#
+# DrWeb daemon needs to run on the same server as HAVP
+#
+# Default: NONE
+# DRWEBSERVER 127.0.0.1
+# DRWEBPORT 3000
+
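Review bot: The commented defaults `CLAMDSOCKET /tmp/clamd` and `NOD32SOCKET /tmp/nod32d.sock` (plus the `/tmp/esets.sock` hint for 3.0+) place the scanner socket in a world-writable directory. Any local account can create that path before the scanner daemon does, and HAVP would then take scan verdicts from a process it should not trust. The other socket scanners in this file already default to paths under `/var/run` or `/var/drweb/run`. I would add a line above each `/tmp` default, such as `# Keep this socket in a directory writable only by the scanner's user; /tmp is world-writable.` If the documented default is ever moved, the built-in value set in `Params::SetDefaults` has to move with it.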
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/04_params.cpp.patch/havp/params.cpp	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,443 @@
+/***************************************************************************
+                          params.cpp  -  description
+                             -------------------
+    begin                : So Feb 20 2005
+    copyright            : (C) 2005 by Peter Sebald / Christian Hilgers
+    email                : christian@hilgers.ag
+ ***************************************************************************/
+
+/***************************************************************************
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ ***************************************************************************/
+
+#include "default.h"
+#include "params.h"
+#include "utils.h"
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <iostream>
+#include <fstream>
+#include <cstdlib>
+
+#ifndef INADDR_NONE
+#define INADDR_NONE ((unsigned long) -1)
+#endif
+
+map <string,string> Params::params;
+
+void Params::SetDefaults()
+{
+    SetConfig("DISPLAYINITIALMESSAGES", "true");
+    SetConfig("USER",		"havp");
+    SetConfig("GROUP",		"havp");
+    SetConfig("DAEMON",		"true");
+    SetConfig("SERVERNUMBER",	"8");
+    SetConfig("MAXSERVERS",	"150");
+    SetConfig("PORT",		"8080");
+    SetConfig("BIND_ADDRESS",	"");
+    SetConfig("SOURCE_ADDRESS",	"");
+    SetConfig("PARENTPROXY",	"");
+    SetConfig("PARENTPORT",	"0");
+    SetConfig("PARENTUSER",	"");
+    SetConfig("PARENTPASSWORD",	"");
+    SetConfig("ACCESSLOG",	ACCESSLOG);
+    SetConfig("VIRUSLOG",	"");
+    SetConfig("ERRORLOG",	ERRORLOG);
+    SetConfig("TIMEFORMAT",	"%d/%m/%Y %H:%M:%S");
+    SetConfig("LOG_OKS",	"true");
+    SetConfig("LOGLEVEL",	"0");
+    SetConfig("USESYSLOG",	"false");
+    SetConfig("SYSLOGNAME",	"havp");
+    SetConfig("SYSLOGFACILITY",	"daemon");
+    SetConfig("SYSLOGLEVEL",	"info");
+    SetConfig("SYSLOGVIRUSLEVEL","warning");
+    SetConfig("SCANIMAGES",	"true");
+    SetConfig("SKIPMIME",	"");
+    SetConfig("SCANMIME",	"");
+    SetConfig("MAXSCANSIZE",	"5000000");
+    SetConfig("KEEPBACKBUFFER",	"200000");
+    SetConfig("KEEPBACKTIME",	"5");
+    SetConfig("TRICKLING",	"30");
+    SetConfig("TRICKLINGBYTES",	"1");
+    SetConfig("WHITELISTFIRST",	"true");
+    SetConfig("WHITELIST",	WHITELISTFILE);
+    SetConfig("BLACKLIST",	BLACKLISTFILE);
+    SetConfig("TEMPLATEPATH",	TEMPLATEPATH);
+    SetConfig("TEMPDIR",	"/var/tmp");
+    SetConfig("SCANTEMPFILE",	"/var/tmp/havp/havp-XXXXXX");
+    SetConfig("PIDFILE",	PIDFILE);
+    SetConfig("TRANSPARENT",	"false");
+    SetConfig("RANGE",		"false");
+    SetConfig("PRELOADZIPHEADER","true");
+    SetConfig("FORWARDED_IP",	"false");
+    SetConfig("X_FORWARDED_FOR","false");
+    SetConfig("STREAMUSERAGENT","");
+    SetConfig("STREAMSCANSIZE",	"20000");
+    SetConfig("DBRELOAD",	"60");
+    SetConfig("FAILSCANERROR",	"true");
+    SetConfig("MAXDOWNLOADSIZE","0");
+    SetConfig("SCANNERTIMEOUT",	"10");
+    SetConfig("IGNOREVIRUS",	"");
+    SetConfig("DISABLELOCKINGFOR","AVG:ALL");
+//SCANNERS
+    SetConfig("ENABLECLAMLIB","false");
+        SetConfig("CLAMDBDIR","");
+        SetConfig("CLAMBLOCKBROKEN","false");
+        SetConfig("CLAMBLOCKMAX","false");
+        SetConfig("CLAMBLOCKENCRYPTED","false");
+        SetConfig("CLAMMAXSCANSIZE","20");
+        SetConfig("CLAMMAXFILES","50");
+        SetConfig("CLAMMAXFILESIZE","100");
+        SetConfig("CLAMMAXRECURSION","8");
+    SetConfig("ENABLECLAMD","false");
+	SetConfig("CLAMDSOCKET","/tmp/clamd");
+	SetConfig("CLAMDSERVER","");
+	SetConfig("CLAMDPORT","3310");
+    SetConfig("ENABLEAVG","false");
+        SetConfig("AVGSERVER","127.0.0.1");
+        SetConfig("AVGPORT","55555");
+    SetConfig("ENABLEAVESERVER","false");
+        SetConfig("AVESOCKET","/var/run/aveserver");
+    SetConfig("ENABLEFPROT","false");
+        SetConfig("FPROTPORT","10200");
+        SetConfig("FPROTSERVER","127.0.0.1");
+        SetConfig("FPROTOPTIONS","");
+    SetConfig("ENABLENOD32","false");
+        SetConfig("NOD32SOCKET","/tmp/nod32d.sock");
+        SetConfig("NOD32VERSION","25");
+    SetConfig("ENABLETROPHIE","false");
+        SetConfig("TROPHIEMAXFILES","50");
+        SetConfig("TROPHIEMAXFILESIZE","10");
+        SetConfig("TROPHIEMAXRATIO","250");
+    SetConfig("ENABLESOPHIE","false");
+	SetConfig("SOPHIESOCKET","/var/run/sophie");
+    SetConfig("ENABLEAVAST","false");
+        SetConfig("AVASTSOCKET","/var/run/avast4/local.sock");
+        SetConfig("AVASTSERVER","");
+        SetConfig("AVASTPORT","5036");
+    SetConfig("ENABLEARCAVIR","false");
+        SetConfig("ARCAVIRSOCKET","/var/run/arcavird.socket");
+        SetConfig("ARCAVIRVERSION","2007");
+    SetConfig("ENABLEDRWEB","false");
+        SetConfig("DRWEBSOCKET","/var/drweb/run/.daemon");
+        SetConfig("DRWEBSERVER","");
+        SetConfig("DRWEBPORT","3000");
+        SetConfig("DRWEBHEURISTIC","true");
+        SetConfig("DRWEBMALWARE","true");
+}
+
+bool Params::ReadConfig( string file )
+{
+    ifstream input( file.c_str() );
+
+    if ( !input )
+    {
+        cerr << "Could not open config file: " << file << endl;
+        return false;
+    }
+
+    string::size_type Position;
+    string line, key, val;
+
+    while ( input )
+    {
+        getline( input, line );
+
+        //Strip whitespace from beginning and end
+        if ( (Position = line.find_first_not_of(" \t")) != string::npos )
+        {
+            line = line.substr(Position, (line.find_last_not_of(" \t", string::npos) - Position) + 1);
+        }
+
+        //Read next if nothing found
+        if ( (Position == string::npos) || (line.size() == 0) ) continue;
+
+        //Read next if commented
+        if ( line.substr(0, 1) == "#" ) continue;
+
+        //Find key and value
+        if ( (Position = line.find_first_of(" \t")) != string::npos )
+        {
+            key = line.substr(0, Position);
+
+            if ( key == "REMOVETHISLINE" )
+            {
+                cout << "Configuration is not edited!" << endl;
+                cout << "You must delete REMOVETHISLINE option." << endl;
+                cout << "Review the configuration carefully. :)" << endl;
+                return false;
+            }
+
+            if ( (Position = line.find_first_not_of(" \t", Position + 1)) == string::npos )
+            {
+                cout << "Invalid Config Line: " << line << endl;
+                return false;
+            }
+
+            val = line.substr( Position );
+
+            Params::SetConfig( key, val );
+        }
+        else
+        {
+            cout << "Invalid Config Line: " << line << endl;
+            return false;
+        }
+    }
+
+    input.close();
+
+    return true;
+}
+
+void Params::SetConfig( string param, string value )
+{
+    string TempParams[] = {CONFIGPARAMS};
+    bool ParamFound = false;
+
+    param = UpperCase(param);
+
+    for ( unsigned int i = 0; i < sizeof(TempParams)/sizeof(string); i++ )
+    {
+        if ( param == TempParams[i] )
+        {
+            ParamFound = true;
+        }
+    }
+
+    if ( ParamFound )
+    {
+        if ( UpperCase(value) == "TRUE" || UpperCase(value) == "FALSE" )
+        {
+            value = UpperCase(value);
+        }
+
+        params[param] = value;
+    }
+    else
+    {
+        cout << "Unknown Config Parameter: " << param << endl;
+        cout << "Exiting.." << endl;
+        exit(1);
+    }
+}
+
+int Params::GetConfigInt( string param )
+{
+    return atoi( params[param].c_str() );
+}
+
+bool Params::GetConfigBool( string param )
+{
+    if ( params[param] == "TRUE" )
+    {
+        return true;
+    }
+    else
+    {
+        return false;
+    }
+}
+
+string Params::GetConfigString( string param )
+{
+    return params[param];
+}
+
+void Params::ShowConfig( string cfgfile )
+{
+    cout << endl << "# Using HAVP config: " << cfgfile << endl << endl;
+    typedef map<string,string>::const_iterator CI;
+    for(CI p = params.begin(); p != params.end(); ++p)
+    {
+        cout << p->first << "=" << p->second << '\n';
+    }
+    cout << endl;
+}
+
+void Params::Usage()
+{
+    cout << endl << "Usage: havp [Options]" << endl << endl;
+    cout << "HAVP Version " << VERSION << endl << endl;
+    cout << "Possible options are:" << endl;
+    cout << "--help | -h                         This pamphlet" << endl;
+    cout << "--conf-file=FileName | -c Filename  Use this Config-File" << endl;
+    cout << "--show-config | -s                  Show configuration HAVP is using" << endl << endl;
+}
+
+bool Params::SetParams( int argvT, char* argcT[] )
+{
+    string option, value;
+    string::size_type i1, i2;
+
+    string cfgfile = CONFIGFILE;
+    bool showconf = false;
+
+    SetDefaults();
+
+    while ( --argvT )
+    {
+        value = *++argcT;
+        i1 = value.find_first_not_of("-");
+
+        //No GNU options
+        if ( i1 == 1 )
+        {
+            option = value.substr(i1, 1);
+
+            if ( option == "c" )
+            {
+                --argvT;
+
+                if ( argvT == 0 )
+                {
+                    Usage();
+                    return false;
+                }
+                value = *++argcT;
+            }
+            else if ( option == "s" )
+            {
+                showconf = true;
+            }
+            else
+            {
+                Usage();
+                return false;
+            }
+        }
+        //GNU options
+        else if ( i1 == 2 )
+        {
+            if ( (i2 = value.find("=")) != string::npos )
+            {
+                option = value.substr(i1, i2 - i1);
+
+                if ( value.size() > i2 + 1 )
+                {
+                    value = value.substr(i2 + 1);
+                }
+                else
+                {
+                    Usage();
+                    return false;
+                }
+            }
+            else
+            {
+                option = value.substr(i1);
+                value = "";
+            }
+        }
+        else
+        {
+            Usage();
+            return false;
+        }
+
+        if ( option == "help" )
+        {
+            Usage();
+            return false;
+        }
+        else if ( option == "show-config" )
+        {
+            showconf = true;
+        }
+        else if ( option == "conf-file" || option == "c" )
+        {
+            if (value == "")
+            {
+                Usage();
+                return false;
+            }
+
+            cfgfile = value;
+        }
+        else if ( showconf == true )
+        {
+            //Nothing: prevent Usage
+        } 
+        else
+        {
+            Usage();
+            return false;
+        }
+    }
+
+    if ( ReadConfig( cfgfile ) == false )
+    {
+        return false;
+    }
+
+    if ( showconf == true )
+    {
+       ShowConfig( cfgfile );
+       return false;
+    }
+
+    return TestConfig();
+}
+
+//Test that some options are sane
+bool Params::TestConfig()
+{
+    if ( Params::GetConfigInt("SERVERNUMBER") < 1 )
+    {
+        cout << "Invalid Config: SERVERNUMBER needs to be greater than 0" << endl;
+        return false;
+    }
+    if ( Params::GetConfigString("ACCESSLOG").substr(0,1) != "/"
+         || (Params::GetConfigString("VIRUSLOG") != "" && Params::GetConfigString("VIRUSLOG").substr(0,1) != "/")
+         || Params::GetConfigString("ERRORLOG").substr(0,1) != "/" )
+    {
+        cout << "Invalid Config: Log paths need to be abolute" << endl;
+        return false;
+    }
+    if ( Params::GetConfigString("SCANTEMPFILE").find("XXXXXX") == string::npos )
+    {
+        cout << "Invalid Config: SCANTEMPFILE must contain string \"XXXXXX\"" << endl;
+        return false;
+    }
+    if ( Params::GetConfigInt("MAXSERVERS") > 500 )
+    {
+        cout << "Note: MAXSERVERS is unusually high! You are sure you want this?" << endl;
+    }
+    if ( Params::GetConfigString("BIND_ADDRESS") == "NULL" ) Params::SetConfig("BIND_ADDRESS","");
+    if ( Params::GetConfigString("BIND_ADDRESS") != "" )
+    {
+        if ( inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) == INADDR_NONE )
+        {
+            cout << "Invalid Config: Invalid BIND_ADDRESS" << endl;
+            return false;
+        }
+    }
+    if ( Params::GetConfigString("SOURCE_ADDRESS") == "NULL" ) Params::SetConfig("SOURCE_ADDRESS","");
+    if ( Params::GetConfigString("SOURCE_ADDRESS") != "" )
+    {
+        if ( inet_addr( Params::GetConfigString("SOURCE_ADDRESS").c_str() ) == INADDR_NONE )
+        {
+            cout << "Invalid Config: Invalid SOURCE_ADDRESS" << endl;
+            return false;
+        }
+    }
+    if ( Params::GetConfigString("PARENTPROXY") != "" && Params::GetConfigInt("PARENTPORT") < 1 )
+    {
+        cout << "Invalid Config: Invalid PARENTPROXY/PARENTPORT" << endl;
+        return false;
+    }
+    if ( Params::GetConfigInt("TRICKLING") > 0 && Params::GetConfigInt("TRICKLINGBYTES") < 1 )
+    {
+        cout << "Invalid Config: TRICKLINGBYTES needs to be greater than 0" << endl;
+        return false;
+    }
+
+    return true;
+}
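Review bot: `GetConfigInt` returns `atoi()` of the raw string and `TestConfig` validates only a handful of keys, so a malformed number is accepted silently. `MAXSCANSIZE 5MB` reads as 5, and a non-numeric value reads as 0, which the config template documents as "no size limit" for MAXSCANSIZE and MAXDOWNLOADSIZE and as stream scanning disabled for STREAMSCANSIZE. `GetConfigBool` has the same fail-open shape: anything other than `TRUE` is false, so a typo such as `FAILSCANERROR ture` makes scanner errors non-fatal. I would reject such values at startup in `TestConfig`, just before its final `return true;`, as sketched below. A matching true/false check for the boolean keys would follow the same pattern.

```cpp
    // … unchanged: existing SERVERNUMBER … TRICKLINGBYTES checks …

    //Numeric options must be plain digits; atoi() would turn a typo into 0 or a truncated value.
    //Range is still unchecked here.
    const char *NumericKeys[] = { "MAXSCANSIZE", "MAXDOWNLOADSIZE", "STREAMSCANSIZE",
                                  "KEEPBACKBUFFER", "KEEPBACKTIME", "SCANNERTIMEOUT" };

    for ( unsigned int i = 0; i < sizeof(NumericKeys)/sizeof(NumericKeys[0]); i++ )
    {
        string raw = Params::GetConfigString( NumericKeys[i] );

        if ( raw.empty() || raw.find_first_not_of("0123456789") != string::npos )
        {
            cout << "Invalid Config: " << NumericKeys[i] << " needs to be a whole number" << endl;
            return false;
        }
    }

    return true;
```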
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/etc/havp/havp.config.in	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,670 @@
+#
+# This is the configuration file for HAVP
+#
+# All lines starting with a hash (#) or empty lines are ignored.
+# Uncomment parameters you want to change!
+#
+# All parameters configurable in this file are explained and their default
+# values are shown. If no default value is defined "NONE" is specified.
+# 
+# General syntax: Parameter Value
+# Value can be: true/false, number, or path
+#
+# Extra spaces and tabs are ignored.
+#
+
+# You must remove this line for HAVP to start.
+# This makes sure you have (hopefully) reviewed the configuration. :)
+# Hint: You must enable some scanner! Find them in the end..
+# REMOVETHISLINE deleteme
+
+#
+# For reasons of security it is recommended to run a proxy program
+# without root rights. It is recommended to create user that is not
+# used by any other program.
+#
+# Default:
+# USER havp
+# GROUP havp
+
+# If this is true HAVP is running as daemon in background.
+# For testing you may run HAVP at your text console.
+#
+# Default:
+# DAEMON true
+
+#
+# Process id (PID) of the main HAVP process is written to this file.
+# Be sure that it is writeable by the user under which HAVP is running.
+# /etc/init.d/havp script requires this to work.
+#
+# Default:
+# PIDFILE @localstatedir@/run/havp/havp.pid
+
+#
+# For performance reasons several instances of HAVP have to run.
+# Specify how many servers (child processes) are simultaneously
+# listening on port PORT for a connection. Minimum value should be
+# the peak requests-per-second expected + 5 for headroom. For best
+# performance, you should have atleast 1 CPU core per 16 processes.
+#
+# For single user home use, 8 should be minimum.
+# For 500+ users corporate use, start at 40.
+#
+# Value can and should be higher than recommended. Memory and
+# CPU usage is only affected by the number of concurrent requests.
+#
+# More childs are automatically created when needed, up to MAXSERVERS.
+#
+# Default:
+# SERVERNUMBER 8
+# MAXSERVERS 100
+
+#
+# Files where to log requests and info/errors.
+# Needs to have write permission for HAVP user.
+#
+# Default:
+# ACCESSLOG @localstatedir@/log/havp/access.log
+# ERRORLOG @localstatedir@/log/havp/havp.log
+# VIRUSLOG (same as ACCESSLOG)
+
+#
+# Format for timestamps in logfile messages.
+# See: man strftime
+#
+# Default:
+# TIMEFORMAT %d/%m/%Y %H:%M:%S
+
+#
+# Syslog can be used instead of logging to file.
+# For facilities and levels, see "man syslog".
+#
+# Default:
+# USESYSLOG false
+# SYSLOGNAME havp
+# SYSLOGFACILITY daemon
+# SYSLOGLEVEL info
+# SYSLOGVIRUSLEVEL warning
+
+#
+# true: Log every request to access log
+# false: Log only viruses to access log
+#
+# Default:
+# LOG_OKS true
+
+#
+# Level of HAVP logging
+#  0 = Only serious errors and information
+#  1 = Less interesting information is included
+#
+# Default:
+# LOGLEVEL 0
+
+#
+# Temporary scan file.
+# This file must reside on a partition for which mandatory
+# locking is enabled. For Linux, use "-o mand" in mount command.
+# See "man mount" for details. Solaris does not need any special
+# steps, it works directly.
+#
+# Specify absolute path to a file which name must contain "XXXXXX".
+# These characters are used by system to create unique named files.
+#
+# Default:
+# SCANTEMPFILE /var/spool/havp/havp-XXXXXX
+
+#
+# Directory for ClamAV and other scanner created tempfiles.
+# Needs to be writable by HAVP user. Use ramdisk for best performance.
+#
+# Default:
+# TEMPDIR /var/tmp
+
+#
+# HAVP reloads scanners virus database by receiving a signal
+# (send SIGHUP to PID from PIDFILE, see "man kill") or after
+# a specified period of time. Specify here the number of
+# minutes to wait for reloading.
+#
+# This only affects library scanners (clamlib, trophie).
+# Other scanners must be updated manually.
+#
+# Default:
+# DBRELOAD 60 
+
+#
+# Run HAVP as transparent Proxy?
+#
+# If you don't know what this means read the mini-howto
+# TransparentProxy written by Daniel Kiracofe.
+# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
+# Definitely you have more to do than setting this to true.
+# You are warned!
+#
+# Default:
+# TRANSPARENT false
+
+#
+# Specify a parent proxy (e.g. Squid) HAVP should use.
+# If needed, user and password authentication can be used,
+# but only Basic-authentication scheme is supported.
+#
+# Default: NONE
+# PARENTPROXY localhost
+# PARENTPORT 3128
+# PARENTUSER username
+# PARENTPASSWORD password
+
+#
+# Write X-Forwarded-For: to log instead of connecters IP?
+#
+# If HAVP is used as parent proxy by some other proxy, this allows
+# to write the real users IP to log, instead of proxy IP.
+#
+# Default:
+# FORWARDED_IP false
+
+#
+# Send X-Forwarded-For: header to servers?
+#
+# If client sent this header, FORWARDED_IP setting defines the value,
+# then it is passed on. You might want to keep this disabled for security
+# reasons. Enable this if you use your own parent proxy after HAVP, so it
+# will see the original client IP.
+#
+# Disabling this also disables Via: header generation.
+#
+# Default:
+# X_FORWARDED_FOR false
+
+#
+# Port HAVP is listening on.
+#
+# Default:
+# PORT 8080
+
+#
+# IP address that HAVP listens on.
+# Let it be undefined to bind all addresses.
+#
+# Default: NONE
+# BIND_ADDRESS 127.0.0.1
+
+#
+# IP address used for sending outbound packets.
+# Let it be undefined if you want OS to handle right address.
+#
+# Default: NONE
+# SOURCE_ADDRESS 1.2.3.4
+
+#
+# Path to template files.
+#
+# Default:
+# TEMPLATEPATH @sysconfdir@/havp/templates/en
+
+#
+# Set to true if you want to prefer Whitelist.
+# If URL is Whitelisted, then Blacklist is ignored.
+# Otherwise Blacklist is preferred.
+#
+# Default:
+# WHITELISTFIRST true
+
+#
+# List of URLs not to scan.
+#
+# Default:
+# WHITELIST @sysconfdir@/havp/whitelist
+
+#
+# List of URLs that are denied access.
+#
+# Default:
+# BLACKLIST @sysconfdir@/havp/blacklist
+
+#
+# Is scanner error fatal?
+#
+# For example, archive types that are not supported by scanner
+# may return error. Also if scanner has invalid pattern files etc.
+#
+# true: User gets error page
+# false: No error is reported (viruses might not be detected)
+#
+# Default:
+# FAILSCANERROR true
+
+# SSL connections may be silent for a while (mostly when "abused"
+# for other communication than HTTP). HAVP disconnects these connections
+# after several seconds.
+#
+# Default:
+# SSLTIMEOUT 20
+
+#
+# When scanning takes longer than this, it will be aborted.
+# Timer is started after HAVP has fully received all data.
+# If set too low, complex files/archives might produce timeout.
+# Timeout is always a fatal error regardless of FAILSCANERROR.
+#
+# Time in minutes!
+#
+# Default:
+# SCANNERTIMEOUT 10
+
+#
+# Allow HTTP Range requests?
+#
+# false: Broken downloads can NOT be resumed
+# true: Broken downloads can be resumed
+#
+# Allowing Range is a security risk, because partial
+# HTTP requests may not be properly scanned.
+#
+# Whitelisted sites are allowed to use Range in any case.
+#
+# Default:
+# RANGE false
+
+#
+# Allow HTTP Range request to get the ZIP header first?
+#
+# This allows (partial) scanning of ZIP files that are bigger than
+# MAXSCANSIZE. Scanning is done up to that many bytes into the file.
+#
+# Default:
+# PRELOADZIPHEADER true
+
+#
+# If you really need more performance, you can disable scanning of
+# JPG, GIF and PNG files. These are probably the most common files
+# around, so it will save lots of CPU. But be warned, image exploits
+# exist and more could be found. Think twice if you want to disable!
+#
+# In addition of checking Content-Type: image/*, this setting uses
+# file magic to make sure the file is really image.
+#
+# Also see SCANMIME/SKIPMIME settings to control scanning based
+# on just the Content-Type header.
+#
+# Default:
+# SCANIMAGES true
+
+#
+# What MIME types NOT to scan. For performance reasons, you could
+# exclude all media types.
+#
+# Based on Content-Type: header as given by the HTTP server.
+# Note that it is easy to forge and should not be trusted.
+#
+# Basic wildcard match supported.
+#
+# Default: NONE
+# SKIPMIME image/* video/* audio/*
+
+#
+# If set, then ONLY these MIME types will be scanned.
+#
+# Based on Content-Type: header as given by the HTTP server.
+# Note that it is easy to forge and should not be trusted.
+#
+# Basic wildcard match supported.
+#
+# Default: NONE
+# SCANMIME application/*
+
+#
+# Temporary file will grow only up to this size. This means scanner
+# will scan data until this limit is reached.
+#
+# There are two sides to this setting. By limiting the size, you gain
+# performance, less waiting for big files and less needed temporary space.
+# But there is slightly higher chance of virus slipping through (though
+# scanning large archives should not be gateways function, HAVP is more
+# geared towards small exploit detection etc).
+#
+# VALUE IN BYTES NOT KB OR MB!!!!
+#  0 = No size limit
+#
+# Default:
+# MAXSCANSIZE 5000000
+
+#
+# Amount of data going to browser that is held back, until it
+# is scanned. When we know file is clean, this held back data
+# can be sent to browser. You can safely set bigger value, only
+# thing you will notice is some "delay" in beginning of download.
+# Virus found in files bigger than this might not produce HAVP
+# error page, but result in a "broken" download.
+#
+# VALUE IN BYTES NOT KB OR MB!!!!
+#
+# Default:
+# KEEPBACKBUFFER 200000
+
+#
+# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
+# initially receive data from server, before sending anything to client.
+# Even trickling is not done before this time elapses. This way files that
+# are received fast are more secure and user can get virus report page for
+# files bigger than KEEPBACKBUFFER.
+#
+# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
+#
+# Default:
+# KEEPBACKTIME 5
+
+#
+# After Trickling Time (seconds), some bytes are sent to browser
+# to keep the connection alive. Trickling is not needed if timeouts
+# are not expected for files smaller than KEEPBACKBUFFER, but it is
+# recommended to set anyway.
+#
+# 0 = No Trickling
+#
+# Default:
+# TRICKLING 30
+
+#
+# Send this many bytes to browser every TRICKLING seconds, see above
+#
+# Default:
+# TRICKLINGBYTES 1
+
+#
+# Downloads larger than MAXDOWNLOADSIZE will be blocked.
+# Only if not Whitelisted!
+#
+# VALUE IN BYTES NOT KB OR MB!!!!
+#  0 = Unlimited Downloads
+#
+# Default:
+# MAXDOWNLOADSIZE 0
+
+#
+# Space separated list of strings to partially match User-Agent: header.
+# These are used for streaming content, so scanning is generally not needed
+# and tempfiles grow unnecessary. Remember when enabled, that user could
+# fake header and pass some scanning. HTTP Range requests are allowed for
+# these, so players can seek content.
+#
+# You can uncomment here a list of most popular players.
+#
+# Default: NONE
+# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
+
+#
+# Bytes to scan from beginning of streams.
+# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
+# It is not recommended as there are some exploits for players.
+#
+# Default:
+# STREAMSCANSIZE 20000
+
+#
+# Disable mandatory locking (dynamic scanning) for certain file types.
+# This is intended for fixing cases where a scanner forces use of mmap()
+# call. Mandatory locking might not allow this, so you could get errors
+# regarding memory allocation or I/O. You can test the "None" option
+# anyway, as it might even work depending on your OS (some Linux seems
+# to allow mand+mmap).
+# 
+# Allowed values:
+#   None
+#   ClamAV:BinHex  (mmap forced in versions older than 0.96)
+#   ClamAV:PDF     (mmap forced in versions older than 0.96)
+#   ClamAV:ZIP     (mmap forced in 0.93.x, should work in 0.94)
+#   AVG:ALL        (AVG 8.5 does not work, uses mmap MAP_SHARED)
+#
+# Default:
+# DISABLELOCKINGFOR AVG:ALL
+
+#
+# Whitelist specific viruses by case-insensitive substring match.
+# For example, "Oversized." and "Encrypted." are good candidates,
+# if you can't disable those checks any other way.
+#
+# Default: NONE
+# IGNOREVIRUS Oversized. Encrypted. Phishing.
+
+
+#####
+##### ClamAV Library Scanner (libclamav)
+#####
+
+ENABLECLAMLIB true
+
+# HAVP uses libclamav hardcoded pattern directory, which usually is
+# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
+# using non-default DatabaseDirectory setting in clamd.conf.
+#
+# Default: NONE
+# CLAMDBDIR /var/lib/clamav
+
+# Should we block broken executables?
+#
+# Default:
+# CLAMBLOCKBROKEN false
+
+# Should we block encrypted archives?
+#
+# Default:
+# CLAMBLOCKENCRYPTED false
+
+# Should we block files that go over maximum archive limits?
+#
+# Default:
+# CLAMBLOCKMAX false
+
+# Scanning limits?
+# You can find some additional info from documentation or clamd.conf
+#
+# Stop when this many total bytes scanned (MB)
+# CLAMMAXSCANSIZE 20
+#
+# Stop when this many files have been scanned
+# CLAMMAXFILES 50
+#
+# Don't scan files over this size (MB)
+# CLAMMAXFILESIZE 100
+#
+# Maximum archive recursion
+# CLAMMAXRECURSION 8
+
+
+#####
+##### ClamAV Socket Scanner (clamd)
+#####
+##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
+#####
+
+ENABLECLAMD false
+
+# Path to clamd socket
+#
+# Default:
+# CLAMDSOCKET /tmp/clamd
+
+# ..OR if you use clamd TCP socket, uncomment to enable use
+#
+# Clamd daemon needs to run on the same server as HAVP
+#
+# Default: NONE
+# CLAMDSERVER 127.0.0.1
+# CLAMDPORT 3310
+
+
+#####
+##### F-Prot Socket Scanner
+#####
+
+ENABLEFPROT false
+
+# F-Prot daemon needs to run on same server as HAVP
+#
+# Default:
+# FPROTSERVER 127.0.0.1
+# FPROTPORT 10200
+
+# F-Prot options (only for version 6+ !)
+#
+# See "fpscand-client.sh --help" for possible options.
+#
+# At the moment:
+#  --scanlevel=<n>  Which scanlevel to use, 0-4 (2).
+#  --heurlevel=<n>  How aggressive heuristics should be used, 0-4 (2).
+#  --archive=<n>    Scan inside supported archives n levels deep 1-99 (5).
+#  --adware         Instructs the daemon to flag adware.
+#  --applications   Instructs the daemon to flag potentially unwanted applications.
+#
+# Default: NONE
+# FPROTOPTIONS --scanlevel=2 --heurlevel=2
+
+
+#####
+##### AVG Socket Scanner
+#####
+
+ENABLEAVG false
+
+# AVG daemon needs to run on the same server as HAVP
+#
+# Default:
+# AVGSERVER 127.0.0.1
+# AVGPORT 55555
+
+
+#####
+##### Kaspersky Socket Scanner
+#####
+
+ENABLEAVESERVER false
+
+# Path to aveserver socket
+#
+# Default:
+# AVESOCKET /var/run/aveserver
+
+
+#####
+##### Sophos Scanner (Sophie)
+#####
+
+ENABLESOPHIE false
+
+# Path to sophie socket
+#
+# Default:
+# SOPHIESOCKET /var/run/sophie
+
+
+#####
+##### Trend Micro Library Scanner (Trophie)
+#####
+
+ENABLETROPHIE false
+
+# Scanning limits inside archives (filesize = MB):
+#
+# Default:
+# TROPHIEMAXFILES 50
+# TROPHIEMAXFILESIZE 10
+# TROPHIEMAXRATIO 250
+
+
+#####
+##### NOD32 Socket Scanner
+#####
+
+ENABLENOD32 false
+
+# Path to nod32d socket
+#
+# For 3.0+ version, try /tmp/esets.sock
+#
+# Default:
+# NOD32SOCKET /tmp/nod32d.sock
+
+# Used NOD32 Version
+#
+#  30 = 3.0+
+#  25 = 2.5+
+#  21 = 2.x (very old)
+#
+# Default:
+# NOD32VERSION 25
+
+
+#####
+##### Avast! Socket Scanner
+#####
+
+ENABLEAVAST false
+
+# Path to avastd socket
+#
+# Default:
+# AVASTSOCKET /var/run/avast4/local.sock
+
+# ..OR if you use avastd TCP socket, uncomment to enable use
+#
+# Avast daemon needs to run on the same server as HAVP
+#
+# Default: NONE
+# AVASTSERVER 127.0.0.1
+# AVASTPORT 5036
+
+
+#####
+##### Arcavir Socket Scanner
+#####
+
+ENABLEARCAVIR false
+
+# Path to arcavird socket
+#
+# For version 2008, default socket is /var/run/arcad.ctl
+#
+# Default:
+# ARCAVIRSOCKET /var/run/arcavird.socket
+
+# Used Arcavir version
+#  2007 = Version 2007 and earlier
+#  2008 = Version 2008 and later
+#
+# Default:
+# ARCAVIRVERSION 2007
+
+
+#####
+##### DrWeb Socket Scanner
+#####
+
+ENABLEDRWEB false
+
+# Enable heuristic scanning?
+#
+# Default:
+# DRWEBHEURISTIC true
+
+# Enable malware detection?
+# (Adware, Dialer, Joke, Riskware, Hacktool)
+#
+# Default:
+# DRWEBMALWARE true
+
+# Path to drwebd socket
+#
+# Default:
+# DRWEBSOCKET /var/drweb/run/.daemon
+
+# ..OR if you use drwebd TCP socket, uncomment to enable use
+#
+# DrWeb daemon needs to run on the same server as HAVP
+#
+# Default: NONE
+# DRWEBSERVER 127.0.0.1
+# DRWEBPORT 3000
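Review bot: The commented defaults `CLAMDSOCKET /tmp/clamd` and `NOD32SOCKET /tmp/nod32d.sock` (and the `/tmp/esets.sock` hint) place the scanner socket in a world-writable directory, where any local account can own that path while the scanner is not running, so scan verdicts could come from an untrusted process. How HAVP opens the socket is not visible in this hunk, so treat that as inferred, but this template is where an admin picks the path. I would add a line above each, such as `# Keep this socket in a directory only the scanner user can write to; /tmp is world-writable.`, and suggest a path under /var/run, as the AVESOCKET and SOPHIESOCKET defaults already do. The same /tmp defaults are hard-coded in SetDefaults() in the params.cpp copy of this changeset.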
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/havp/default.h.in	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,120 @@
+/***************************************************************************
+                          default.h  -  description
+                             -------------------
+    begin                : Sa Feb 12 2005
+    copyright            : (C) 2005 by Christian Hilgers
+    email                : christian@hilgers.ag
+ ***************************************************************************/
+
+/***************************************************************************
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ ***************************************************************************/
+
+
+#ifndef DEFAULT_H
+#define DEFAULT_H
+
+#define VERSION "0.92"
+
+//##############################################################
+//Define if you want to rewrite a URL
+//#define REWRITE URLRewrite["havp"]="www.server-side.de"; URLRewrite["www.havp"]="www.server-side.de";
+
+//##############################################################
+//Parameters in Configurationfile
+
+#define CONFIGPARAMS \
+ "WHITELISTFIRST","TEMPDIR","RANGE", "PRELOADZIPHEADER", "USER","GROUP", \
+ "SERVERNUMBER","PORT","BIND_ADDRESS","SOURCE_ADDRESS","KEEPBACKBUFFER", \
+ "KEEPBACKTIME","TRICKLING","TRICKLINGBYTES","MAXSCANSIZE","WHITELIST","BLACKLIST","PIDFILE", \
+ "DAEMON","TRANSPARENT","LOG_OKS","ACCESSLOG","VIRUSLOG","ERRORLOG","TIMEFORMAT","LOGLEVEL", \
+ "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \
+ "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \
+ "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \
+ "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \
+ "SKIPMIME","SCANMIME", \
+ "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \
+ "CLAMMAXFILES","CLAMMAXFILESIZE","CLAMMAXRECURSION","CLAMMAXSCANSIZE", \
+ "ENABLEAVG","AVGSERVER","AVGPORT", \
+ "ENABLEAVESERVER","AVESOCKET", \
+ "ENABLEFPROT","FPROTSERVER","FPROTPORT","FPROTOPTIONS", \
+ "ENABLETROPHIE","TROPHIEMAXFILES","TROPHIEMAXFILESIZE","TROPHIEMAXRATIO", \
+ "ENABLENOD32","NOD32SOCKET","NOD32VERSION", \
+ "ENABLECLAMD","CLAMDSOCKET","CLAMDSERVER","CLAMDPORT", \
+ "ENABLESOPHIE","SOPHIESOCKET", \
+ "ENABLEAVAST","AVASTSOCKET","AVASTSERVER","AVASTPORT", \
+ "ENABLEARCAVIR","ARCAVIRSOCKET","ARCAVIRVERSION", \
+ "ENABLEDRWEB","DRWEBSOCKET","DRWEBSERVER","DRWEBPORT","DRWEBHEURISTIC","DRWEBMALWARE", \
+ "PARENTUSER", "PARENTPASSWORD"
+//SCANNERS
+
+
+//##############################################################
+//Configuration not setable in havp.config
+
+//CONNTIMEOUT in seconds
+#define CONNTIMEOUT 60
+
+//RECVTIMEOUT in seconds
+#define RECVTIMEOUT 120
+
+//SENDTIMEOUT in seconds
+#define SENDTIMEOUT 120
+
+//Maximum client connection waiting for accept
+#define MAXCONNECTIONS 1024
+
+//Maximum bytes received in one request
+#define MAXRECV 14600
+
+//Maximum logfile line length
+#define STRINGLENGTH 1000
+
+//Maximum hardlock size - do not change
+#define MAXFILELOCKSIZE 1000000000
+
+//Valid Methods
+#define METHODS \
+ "GET","POST","HEAD","CONNECT","PUT","TRACE","PURGE","OPTIONS","UNLOCK", \
+ "SEARCH","PROPFIND","BPROPFIND","PROPPATCH","BPROPPATCH","MKCOL","COPY", \
+ "BCOPY","MOVE","LOCK","BMOVE","DELETE","BDELETE","SUBSCRIBE","UNSUBSCRIBE", \
+ "POLL","REPORT","ERROR","NONE","MKACTIVITY","CHECKOUT","MERGE"
+
+//Maximum length of SCANTEMPFILE
+#define MAXSCANTEMPFILELENGTH 200
+
+//Maximum length of http headers
+#define MAXHTTPHEADERLENGTH 65536
+
+// HTML Error String
+#define ERROR_DNS	"dns.html"
+#define VIRUS_FOUND	"virus.html"
+#define ERROR_SCANNER	"scanner.html"
+#define ERROR_DOWN	"down.html"
+#define ERROR_INVALID	"invalid.html"
+#define ERROR_REQUEST	"request.html"
+#define ERROR_BODY	"error.html"
+#define ERROR_BLACKLIST	"blacklist.html"
+#define ERROR_MAXSIZE	"maxsize.html"
+
+// DONT TOUCH - run configure
+#undef CONFIGFILE
+#undef WHITELISTFILE
+#undef BLACKLISTFILE
+#undef TEMPLATEPATH
+#undef ACCESSLOG
+#undef ERRORLOG
+#undef PIDFILE
+#undef NOMAND
+#undef SSLTUNNEL
+#undef USECLAMLIB
+#undef USETROPHIE
+#undef HAVE_SETGROUPS
+#undef HAVE_INITGROUPS
+
+#endif
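Review bot: `MAXSCANTEMPFILELENGTH 200` is documented only as the maximum length of SCANTEMPFILE, and nothing visible on this page enforces it: TestConfig() in the params.cpp copy of this changeset checks only that the value contains `XXXXXX`. If the code that consumes SCANTEMPFILE copies it into a buffer of this size (not visible here), an over-long configured path would run past the end of it. I would add the check to TestConfig(), `if ( Params::GetConfigString("SCANTEMPFILE").size() >= MAXSCANTEMPFILELENGTH ) return false;` with a matching message, and then extend this comment to `//Maximum length of SCANTEMPFILE incl. terminating NUL - checked in Params::TestConfig`.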
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/havp/params.cpp	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,443 @@
+/***************************************************************************
+                          params.cpp  -  description
+                             -------------------
+    begin                : So Feb 20 2005
+    copyright            : (C) 2005 by Peter Sebald / Christian Hilgers
+    email                : christian@hilgers.ag
+ ***************************************************************************/
+
+/***************************************************************************
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ ***************************************************************************/
+
+#include "default.h"
+#include "params.h"
+#include "utils.h"
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <iostream>
+#include <fstream>
+#include <cstdlib>
+
+#ifndef INADDR_NONE
+#define INADDR_NONE ((unsigned long) -1)
+#endif
+
+map <string,string> Params::params;
+
+void Params::SetDefaults()
+{
+    SetConfig("DISPLAYINITIALMESSAGES", "true");
+    SetConfig("USER",		"havp");
+    SetConfig("GROUP",		"havp");
+    SetConfig("DAEMON",		"true");
+    SetConfig("SERVERNUMBER",	"8");
+    SetConfig("MAXSERVERS",	"150");
+    SetConfig("PORT",		"8080");
+    SetConfig("BIND_ADDRESS",	"");
+    SetConfig("SOURCE_ADDRESS",	"");
+    SetConfig("PARENTPROXY",	"");
+    SetConfig("PARENTPORT",	"0");
+    SetConfig("PARENTUSER",	"");
+    SetConfig("PARENTPASSWORD",	"");
+    SetConfig("ACCESSLOG",	ACCESSLOG);
+    SetConfig("VIRUSLOG",	"");
+    SetConfig("ERRORLOG",	ERRORLOG);
+    SetConfig("TIMEFORMAT",	"%d/%m/%Y %H:%M:%S");
+    SetConfig("LOG_OKS",	"true");
+    SetConfig("LOGLEVEL",	"0");
+    SetConfig("USESYSLOG",	"false");
+    SetConfig("SYSLOGNAME",	"havp");
+    SetConfig("SYSLOGFACILITY",	"daemon");
+    SetConfig("SYSLOGLEVEL",	"info");
+    SetConfig("SYSLOGVIRUSLEVEL","warning");
+    SetConfig("SCANIMAGES",	"true");
+    SetConfig("SKIPMIME",	"");
+    SetConfig("SCANMIME",	"");
+    SetConfig("MAXSCANSIZE",	"5000000");
+    SetConfig("KEEPBACKBUFFER",	"200000");
+    SetConfig("KEEPBACKTIME",	"5");
+    SetConfig("TRICKLING",	"30");
+    SetConfig("TRICKLINGBYTES",	"1");
+    SetConfig("WHITELISTFIRST",	"true");
+    SetConfig("WHITELIST",	WHITELISTFILE);
+    SetConfig("BLACKLIST",	BLACKLISTFILE);
+    SetConfig("TEMPLATEPATH",	TEMPLATEPATH);
+    SetConfig("TEMPDIR",	"/var/spool/havp");
+    SetConfig("SCANTEMPFILE",	"/var/spool/havp/havp-XXXXXX");
+    SetConfig("PIDFILE",	PIDFILE);
+    SetConfig("TRANSPARENT",	"false");
+    SetConfig("RANGE",		"false");
+    SetConfig("PRELOADZIPHEADER","true");
+    SetConfig("FORWARDED_IP",	"false");
+    SetConfig("X_FORWARDED_FOR","false");
+    SetConfig("STREAMUSERAGENT","");
+    SetConfig("STREAMSCANSIZE",	"20000");
+    SetConfig("DBRELOAD",	"60");
+    SetConfig("FAILSCANERROR",	"true");
+    SetConfig("MAXDOWNLOADSIZE","0");
+    SetConfig("SCANNERTIMEOUT",	"10");
+    SetConfig("IGNOREVIRUS",	"");
+    SetConfig("DISABLELOCKINGFOR","AVG:ALL");
+//SCANNERS
+    SetConfig("ENABLECLAMLIB","false");
+        SetConfig("CLAMDBDIR","");
+        SetConfig("CLAMBLOCKBROKEN","false");
+        SetConfig("CLAMBLOCKMAX","false");
+        SetConfig("CLAMBLOCKENCRYPTED","false");
+        SetConfig("CLAMMAXSCANSIZE","20");
+        SetConfig("CLAMMAXFILES","50");
+        SetConfig("CLAMMAXFILESIZE","100");
+        SetConfig("CLAMMAXRECURSION","8");
+    SetConfig("ENABLECLAMD","false");
+	SetConfig("CLAMDSOCKET","/tmp/clamd");
+	SetConfig("CLAMDSERVER","");
+	SetConfig("CLAMDPORT","3310");
+    SetConfig("ENABLEAVG","false");
+        SetConfig("AVGSERVER","127.0.0.1");
+        SetConfig("AVGPORT","55555");
+    SetConfig("ENABLEAVESERVER","false");
+        SetConfig("AVESOCKET","/var/run/aveserver");
+    SetConfig("ENABLEFPROT","false");
+        SetConfig("FPROTPORT","10200");
+        SetConfig("FPROTSERVER","127.0.0.1");
+        SetConfig("FPROTOPTIONS","");
+    SetConfig("ENABLENOD32","false");
+        SetConfig("NOD32SOCKET","/tmp/nod32d.sock");
+        SetConfig("NOD32VERSION","25");
+    SetConfig("ENABLETROPHIE","false");
+        SetConfig("TROPHIEMAXFILES","50");
+        SetConfig("TROPHIEMAXFILESIZE","10");
+        SetConfig("TROPHIEMAXRATIO","250");
+    SetConfig("ENABLESOPHIE","false");
+	SetConfig("SOPHIESOCKET","/var/run/sophie");
+    SetConfig("ENABLEAVAST","false");
+        SetConfig("AVASTSOCKET","/var/run/avast4/local.sock");
+        SetConfig("AVASTSERVER","");
+        SetConfig("AVASTPORT","5036");
+    SetConfig("ENABLEARCAVIR","false");
+        SetConfig("ARCAVIRSOCKET","/var/run/arcavird.socket");
+        SetConfig("ARCAVIRVERSION","2007");
+    SetConfig("ENABLEDRWEB","false");
+        SetConfig("DRWEBSOCKET","/var/drweb/run/.daemon");
+        SetConfig("DRWEBSERVER","");
+        SetConfig("DRWEBPORT","3000");
+        SetConfig("DRWEBHEURISTIC","true");
+        SetConfig("DRWEBMALWARE","true");
+}
+
+bool Params::ReadConfig( string file )
+{
+    ifstream input( file.c_str() );
+
+    if ( !input )
+    {
+        cerr << "Could not open config file: " << file << endl;
+        return false;
+    }
+
+    string::size_type Position;
+    string line, key, val;
+
+    while ( input )
+    {
+        getline( input, line );
+
+        //Strip whitespace from beginning and end
+        if ( (Position = line.find_first_not_of(" \t")) != string::npos )
+        {
+            line = line.substr(Position, (line.find_last_not_of(" \t", string::npos) - Position) + 1);
+        }
+
+        //Read next if nothing found
+        if ( (Position == string::npos) || (line.size() == 0) ) continue;
+
+        //Read next if commented
+        if ( line.substr(0, 1) == "#" ) continue;
+
+        //Find key and value
+        if ( (Position = line.find_first_of(" \t")) != string::npos )
+        {
+            key = line.substr(0, Position);
+
+            if ( key == "REMOVETHISLINE" )
+            {
+                cout << "Configuration is not edited!" << endl;
+                cout << "You must delete REMOVETHISLINE option." << endl;
+                cout << "Review the configuration carefully. :)" << endl;
+                return false;
+            }
+
+            if ( (Position = line.find_first_not_of(" \t", Position + 1)) == string::npos )
+            {
+                cout << "Invalid Config Line: " << line << endl;
+                return false;
+            }
+
+            val = line.substr( Position );
+
+            Params::SetConfig( key, val );
+        }
+        else
+        {
+            cout << "Invalid Config Line: " << line << endl;
+            return false;
+        }
+    }
+
+    input.close();
+
+    return true;
+}
+
+void Params::SetConfig( string param, string value )
+{
+    string TempParams[] = {CONFIGPARAMS};
+    bool ParamFound = false;
+
+    param = UpperCase(param);
+
+    for ( unsigned int i = 0; i < sizeof(TempParams)/sizeof(string); i++ )
+    {
+        if ( param == TempParams[i] )
+        {
+            ParamFound = true;
+        }
+    }
+
+    if ( ParamFound )
+    {
+        if ( UpperCase(value) == "TRUE" || UpperCase(value) == "FALSE" )
+        {
+            value = UpperCase(value);
+        }
+
+        params[param] = value;
+    }
+    else
+    {
+        cout << "Unknown Config Parameter: " << param << endl;
+        cout << "Exiting.." << endl;
+        exit(1);
+    }
+}
+
+int Params::GetConfigInt( string param )
+{
+    return atoi( params[param].c_str() );
+}
+
+bool Params::GetConfigBool( string param )
+{
+    if ( params[param] == "TRUE" )
+    {
+        return true;
+    }
+    else
+    {
+        return false;
+    }
+}
+
+string Params::GetConfigString( string param )
+{
+    return params[param];
+}
+
+void Params::ShowConfig( string cfgfile )
+{
+    cout << endl << "# Using HAVP config: " << cfgfile << endl << endl;
+    typedef map<string,string>::const_iterator CI;
+    for(CI p = params.begin(); p != params.end(); ++p)
+    {
+        cout << p->first << "=" << p->second << '\n';
+    }
+    cout << endl;
+}
+
+void Params::Usage()
+{
+    cout << endl << "Usage: havp [Options]" << endl << endl;
+    cout << "HAVP Version " << VERSION << endl << endl;
+    cout << "Possible options are:" << endl;
+    cout << "--help | -h                         This pamphlet" << endl;
+    cout << "--conf-file=FileName | -c Filename  Use this Config-File" << endl;
+    cout << "--show-config | -s                  Show configuration HAVP is using" << endl << endl;
+}
+
+bool Params::SetParams( int argvT, char* argcT[] )
+{
+    string option, value;
+    string::size_type i1, i2;
+
+    string cfgfile = CONFIGFILE;
+    bool showconf = false;
+
+    SetDefaults();
+
+    while ( --argvT )
+    {
+        value = *++argcT;
+        i1 = value.find_first_not_of("-");
+
+        //No GNU options
+        if ( i1 == 1 )
+        {
+            option = value.substr(i1, 1);
+
+            if ( option == "c" )
+            {
+                --argvT;
+
+                if ( argvT == 0 )
+                {
+                    Usage();
+                    return false;
+                }
+                value = *++argcT;
+            }
+            else if ( option == "s" )
+            {
+                showconf = true;
+            }
+            else
+            {
+                Usage();
+                return false;
+            }
+        }
+        //GNU options
+        else if ( i1 == 2 )
+        {
+            if ( (i2 = value.find("=")) != string::npos )
+            {
+                option = value.substr(i1, i2 - i1);
+
+                if ( value.size() > i2 + 1 )
+                {
+                    value = value.substr(i2 + 1);
+                }
+                else
+                {
+                    Usage();
+                    return false;
+                }
+            }
+            else
+            {
+                option = value.substr(i1);
+                value = "";
+            }
+        }
+        else
+        {
+            Usage();
+            return false;
+        }
+
+        if ( option == "help" )
+        {
+            Usage();
+            return false;
+        }
+        else if ( option == "show-config" )
+        {
+            showconf = true;
+        }
+        else if ( option == "conf-file" || option == "c" )
+        {
+            if (value == "")
+            {
+                Usage();
+                return false;
+            }
+
+            cfgfile = value;
+        }
+        else if ( showconf == true )
+        {
+            //Nothing: prevent Usage
+        } 
+        else
+        {
+            Usage();
+            return false;
+        }
+    }
+
+    if ( ReadConfig( cfgfile ) == false )
+    {
+        return false;
+    }
+
+    if ( showconf == true )
+    {
+       ShowConfig( cfgfile );
+       return false;
+    }
+
+    return TestConfig();
+}
+
+//Test that some options are sane
+bool Params::TestConfig()
+{
+    if ( Params::GetConfigInt("SERVERNUMBER") < 1 )
+    {
+        cout << "Invalid Config: SERVERNUMBER needs to be greater than 0" << endl;
+        return false;
+    }
+    if ( Params::GetConfigString("ACCESSLOG").substr(0,1) != "/"
+         || (Params::GetConfigString("VIRUSLOG") != "" && Params::GetConfigString("VIRUSLOG").substr(0,1) != "/")
+         || Params::GetConfigString("ERRORLOG").substr(0,1) != "/" )
+    {
+        cout << "Invalid Config: Log paths need to be abolute" << endl;
+        return false;
+    }
+    if ( Params::GetConfigString("SCANTEMPFILE").find("XXXXXX") == string::npos )
+    {
+        cout << "Invalid Config: SCANTEMPFILE must contain string \"XXXXXX\"" << endl;
+        return false;
+    }
+    if ( Params::GetConfigInt("MAXSERVERS") > 500 )
+    {
+        cout << "Note: MAXSERVERS is unusually high! You are sure you want this?" << endl;
+    }
+    if ( Params::GetConfigString("BIND_ADDRESS") == "NULL" ) Params::SetConfig("BIND_ADDRESS","");
+    if ( Params::GetConfigString("BIND_ADDRESS") != "" )
+    {
+        if ( inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) == INADDR_NONE )
+        {
+            cout << "Invalid Config: Invalid BIND_ADDRESS" << endl;
+            return false;
+        }
+    }
+    if ( Params::GetConfigString("SOURCE_ADDRESS") == "NULL" ) Params::SetConfig("SOURCE_ADDRESS","");
+    if ( Params::GetConfigString("SOURCE_ADDRESS") != "" )
+    {
+        if ( inet_addr( Params::GetConfigString("SOURCE_ADDRESS").c_str() ) == INADDR_NONE )
+        {
+            cout << "Invalid Config: Invalid SOURCE_ADDRESS" << endl;
+            return false;
+        }
+    }
+    if ( Params::GetConfigString("PARENTPROXY") != "" && Params::GetConfigInt("PARENTPORT") < 1 )
+    {
+        cout << "Invalid Config: Invalid PARENTPROXY/PARENTPORT" << endl;
+        return false;
+    }
+    if ( Params::GetConfigInt("TRICKLING") > 0 && Params::GetConfigInt("TRICKLINGBYTES") < 1 )
+    {
+        cout << "Invalid Config: TRICKLINGBYTES needs to be greater than 0" << endl;
+        return false;
+    }
+
+    return true;
+}
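Review bot: GetConfigInt() parses with `atoi()`, so a mistyped numeric value silently becomes 0, and for several options 0 is the permissive setting: the config template in this changeset documents `MAXSCANSIZE 0` as no size limit and `STREAMSCANSIZE 0` as stream scanning completely disabled. TestConfig() value-checks only a few numeric options (SERVERNUMBER, PARENTPORT, TRICKLINGBYTES) and never looks at PORT. I would reject non-numeric values once at startup, at the top of TestConfig(), as sketched below; confirm that none of the listed options is meant to accept a negative number. This file sits under `.pc/`, which looks like quilt's backup copy, so the change belongs in `havp/params.cpp`, and the `.pc/04_params.cpp.patch` copy earlier on the page ends with the same TestConfig().

```cpp
bool Params::TestConfig()
{
    //Numeric options must be plain decimal numbers; atoi() would turn a typo into 0
    const char *NumericParams[] = {
        "SERVERNUMBER", "MAXSERVERS", "PORT", "PARENTPORT", "MAXSCANSIZE",
        "STREAMSCANSIZE", "MAXDOWNLOADSIZE", "KEEPBACKBUFFER", "KEEPBACKTIME",
        "TRICKLING", "TRICKLINGBYTES", "SCANNERTIMEOUT", "DBRELOAD" };

    for ( unsigned int i = 0; i < sizeof(NumericParams)/sizeof(NumericParams[0]); i++ )
    {
        string Value = Params::GetConfigString(NumericParams[i]);

        if ( Value == "" || Value.find_first_not_of("0123456789") != string::npos )
        {
            cout << "Invalid Config: " << NumericParams[i] << " needs to be a number" << endl;
            return false;
        }
    }

    // … unchanged: existing SERVERNUMBER, log path, SCANTEMPFILE, address and proxy checks …
```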
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/havp/sockethandler.cpp	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,654 @@
+/***************************************************************************
+                          sockethandler.cpp  -  description
+                             -------------------
+    begin                : Sa Feb 12 2005
+    copyright            : (C) 2005 by Christian Hilgers
+    email                : christian@hilgers.ag
+ ***************************************************************************/
+
+/***************************************************************************
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ ***************************************************************************/
+
+#include "sockethandler.h"
+#include "logfile.h"
+#include "params.h"
+#include "utils.h"
+
+#include <netdb.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#ifndef INADDR_NONE
+#define INADDR_NONE ((unsigned long) -1)
+#endif
+#ifndef AF_LOCAL
+#define AF_LOCAL AF_UNIX
+#endif
+
+//Create Server Socket
+bool SocketHandler::CreateServer( int portT, in_addr_t bind_addrT )
+{
+    int i = 1;
+
+    my_s_addr.sin_addr.s_addr = bind_addrT;
+    my_s_addr.sin_port = htons(portT);
+
+    if ( (sock_fd = socket( AF_INET, SOCK_STREAM, 0 )) < 0 )
+    {
+        LogFile::ErrorMessage("socket() failed: %s\n", strerror(errno));
+        return false;
+    }
+
+    // Enable re-use Socket
+    if ( setsockopt( sock_fd, SOL_SOCKET, SO_REUSEADDR, &i, sizeof(i) ) < 0 )
+    {
+        LogFile::ErrorMessage("setsockopt() failed: %s\n", strerror(errno));
+        return false;
+    }
+
+    if ( ::bind( sock_fd, (struct sockaddr *) &my_s_addr, sizeof(my_s_addr) ) < 0 )
+    {
+        LogFile::ErrorMessage("bind() failed: %s\n", strerror(errno));
+        return false;
+    }
+
+    if ( ::listen( sock_fd, MAXCONNECTIONS ) < 0 )
+    {
+        LogFile::ErrorMessage("listen() failed: %s\n", strerror(errno));
+        return false;
+    }
+
+    return true;
+}
+
+
+//Create Server Socket, convert ASCII address representation into binary one
+bool SocketHandler::CreateServer( int portT, string bind_addrT )
+{
+    if ( bind_addrT == "" )
+    {
+        return CreateServer( portT, INADDR_ANY );
+    }
+    else
+    {
+        return CreateServer( portT, inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) );
+    } 
+}
+
+
+//Connect to Server
+bool SocketHandler::ConnectToServer()
+{
+    if ( (sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0 )
+    {
+        LogFile::ErrorMessage("ConnectToServer socket() failed: %s\n", strerror(errno));
+        return false;
+    }
+
+    if ( source_address != "" )
+    {
+        if ( ::bind(sock_fd, (struct sockaddr *) &l_addr, sizeof(l_addr)) < 0 )
+        {
+            LogFile::ErrorMessage("ConnectoToServer bind() failed: %s\n", strerror(errno));
+            Close();
+            return false;
+        }
+    }
+
+    int flags, ret;
+
+    //Nonblocking connect to get a proper timeout
+    while ( (flags = fcntl(sock_fd, F_GETFL, 0)) < 0 )
+    {
+        if (errno == EINTR) continue;
+
+        LogFile::ErrorMessage("ConnectToServer fcntl() get failed: %s\n", strerror(errno));
+        Close();
+        return false;
+    }
+    while ( fcntl(sock_fd, F_SETFL, flags | O_NONBLOCK) < 0 )
+    {
+        if (errno == EINTR) continue;
+
+        LogFile::ErrorMessage("ConnectToServer fcntl() O_NONBLOCK failed: %s\n", strerror(errno));
+        Close();
+        return false;
+    }
+
+    while ( (ret = ::connect(sock_fd, (struct sockaddr *) &my_s_addr, sizeof(my_s_addr))) < 0 )
+    {
+        if (errno == EINTR) continue;
+
+        if (errno != EINPROGRESS)
+        {
+            if (errno != EINVAL) LogFile::ErrorMessage("connect() failed: %s\n", strerror(errno));
+            Close();
+            return false;
+        }
+
+        break;
+    }
+
+    if ( ret != 0 )
+    {
+        FD_ZERO(&checkfd);
+        FD_SET(sock_fd,&checkfd);
+        wset = checkfd;
+
+        Timeout.tv_sec = CONNTIMEOUT;
+        Timeout.tv_usec = 0;
+
+        ret = select_eintr(sock_fd+1, &checkfd, &wset, NULL, &Timeout);
+
+        if ( ret <= 0 )
+        {
+            Close();
+            return false;
+        }
+
+        addr_len = sizeof(peer_addr);
+
+        if ( getpeername(sock_fd, (struct sockaddr *) &peer_addr, (socklen_t *) &addr_len) < 0 )
+        {
+            Close();
+            return false;
+        }
+    }
+
+    while ( fcntl(sock_fd, F_SETFL, flags) < 0 )
+    {
+        if (errno == EINTR) continue;
+
+        LogFile::ErrorMessage("ConnectToServer fcntl() set failed: %s\n", strerror(errno));
+        Close();
+        return false;
+    }
+
+    return true;
+}
+
+
+bool SocketHandler::ConnectToSocket( string SocketPath, int retry )
+{
+    strncpy(my_u_addr.sun_path, SocketPath.c_str(), sizeof(my_u_addr.sun_path)-1);
+
+    if ( (sock_fd = socket(AF_LOCAL, SOCK_STREAM, 0)) < 0 )
+    {
+        LogFile::ErrorMessage("ConnectToSocket socket() failed: %s\n", strerror(errno));
+        return false;
+    }
+
+    int tries = 0;
+    int ret;
+
+    for(;;)
+    {
+        while ( (ret = ::connect(sock_fd, (struct sockaddr *) &my_u_addr, sizeof(my_u_addr))) < 0 )
+        {
+            if (errno == EINTR) continue;
+
+            if (errno != ENOENT) LogFile::ErrorMessage("ConnectToSocket connect() failed: %s\n", strerror(errno));
+            break;
+        }
+
+        //Success?
+        if ( ret == 0 ) return true;
+
+        //All retried?
+        if ( ++tries > retry ) break;
+
+        //Try again in one second
+        sleep(1);
+        continue;
+    }
+
+    Close();
+    return false;
+}
+
+
+//Accept Client
+bool SocketHandler::AcceptClient( SocketHandler &accept_socketT )
+{
+    addr_len = sizeof(my_s_addr);
+
+    while ((accept_socketT.sock_fd = ::accept(sock_fd, (sockaddr *) &my_s_addr, (socklen_t *) &addr_len)) < 0)
+    {
+        if (errno == EINTR) continue;
+
+        LogFile::ErrorMessage("accept() failed: %s\n", strerror(errno));
+
+        return false;
+    }
+
+    //Save IP to ToBrowser
+    accept_socketT.my_s_addr = my_s_addr;    
+
+    return true;
+}
+
+//Send String
+bool SocketHandler::Send( const char *sock_outT, int len )
+{
+    int total_sent = 0;
+    int ret, buffer_count;
+
+    do
+    {
+        Timeout.tv_sec = SENDTIMEOUT;
+        Timeout.tv_usec = 0;
+        FD_ZERO(&checkfd);
+        FD_SET(sock_fd,&checkfd);
+
+        ret = select_eintr(sock_fd+1, NULL, &checkfd, NULL, &Timeout);
+
+        if (ret <= 0)
+        {
+            return false;
+        }
+
+        while ((buffer_count = ::send(sock_fd, sock_outT + total_sent, len - total_sent, 0)) < 0)
+        {
+            if (errno == EINTR) continue;
+
+            return false;
+        }
+        if (buffer_count == 0)
+        {
+            return false;
+        }
+
+        total_sent += buffer_count;
+    }
+    while (total_sent < len);
+        
+    return true;
+}
+
+//Send String
+bool SocketHandler::Send( string &sock_outT )
+{
+    int total_sent = 0;
+    int len = sock_outT.size();
+    int ret, buffer_count;
+
+    do
+    {
+        Timeout.tv_sec = SENDTIMEOUT;
+        Timeout.tv_usec = 0;
+        FD_ZERO(&checkfd);
+        FD_SET(sock_fd,&checkfd);
+
+        ret = select_eintr(sock_fd+1, NULL, &checkfd, NULL, &Timeout);
+
+        if (ret <= 0)
+        {
+            return false;
+        }
+
+        while ((buffer_count = ::send(sock_fd, sock_outT.substr(total_sent).c_str(), len - total_sent, 0)) < 0)
+        {
+            if (errno == EINTR) continue;
+
+            return false;
+        }
+        if (buffer_count == 0)
+        {
+            return false;
+        }
+
+        total_sent += buffer_count;
+    }
+    while (total_sent < len);
+        
+    return true;
+}
+
+
+//Receive String - Maximal MAXRECV
+//sock_del = false : Do not delete Data from Socket
+ssize_t SocketHandler::Recv( string &sock_inT, bool sock_delT, int timeout )
+{
+    if ( RecvBuf.size() > 0 )
+    {
+        sock_inT.append( RecvBuf );
+
+        if ( sock_delT == true )
+        {
+            ssize_t tempsize = RecvBuf.size();
+
+            RecvBuf = "";
+
+            return tempsize;
+        }
+
+        return RecvBuf.size();
+    }
+
+    char buffer[MAXRECV+1];
+    ssize_t buffer_count;
+    int ret;
+
+    if ( timeout != -1 )
+    {
+        Timeout.tv_sec = timeout;
+    }
+    else
+    {
+        Timeout.tv_sec = RECVTIMEOUT;
+    }
+    Timeout.tv_usec = 0;
+
+    FD_ZERO(&checkfd);
+    FD_SET(sock_fd,&checkfd);
+
+    ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout);
+
+    if (ret <= 0)
+    {
+        return -1;
+    }
+
+    while ((buffer_count = ::recv(sock_fd, buffer, MAXRECV, 0)) < 0)
+    {
+        if (errno == EINTR) continue;
+
+        return -1;
+    }
+
+    if ( sock_delT == false )
+    {
+        RecvBuf.append( buffer, buffer_count );
+    }
+
+    if ( buffer_count == 0 )
+    {
+        return 0;
+    }
+
+    sock_inT.append( buffer, buffer_count );
+
+    return buffer_count;
+}
+
+
+//Receive String of length sock_length
+bool SocketHandler::RecvLength( string &sock_inT, unsigned int sock_lengthT )
+{
+    if ( RecvBuf.size() >= sock_lengthT )
+    {
+        sock_inT.append( RecvBuf.substr( 0, sock_lengthT ) );
+
+        RecvBuf.erase( 0, sock_lengthT );
+
+        return true;
+    }
+
+    char buffer[MAXRECV+1];
+    ssize_t buffer_count;
+    unsigned int received = 0;
+
+    if ( RecvBuf.size() > 0 )
+    {
+        sock_inT.append( RecvBuf );
+        received += RecvBuf.size();
+
+        RecvBuf = "";
+    }
+
+    for(;;)
+    {
+        Timeout.tv_sec = RECVTIMEOUT;
+        Timeout.tv_usec = 0;
+
+        FD_ZERO(&checkfd);
+        FD_SET(sock_fd,&checkfd);
+
+        int ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout);
+
+        if ( ret <= 0 )
+        {
+            return false;
+        }
+
+        while ((buffer_count = ::recv(sock_fd, buffer, MAXRECV, 0)) < 0 && errno == EINTR);
+
+        if ( buffer_count < 1 )
+        {
+            return false;
+        }
+
+        if ( received + buffer_count >= sock_lengthT )
+        {
+            string Rest;
+            Rest.append( buffer, buffer_count );
+
+            unsigned int needed = sock_lengthT - received;
+            
+            sock_inT.append( Rest.substr( 0, needed ) );
+            if ( Rest.size() > needed ) RecvBuf.append( Rest.substr( needed ) );
+
+            return true;
+        }
+
+        sock_inT.append( buffer, buffer_count );
+        received += buffer_count;
+    }
+
+    return true;
+}
+
+
+//Wait and get something from socket until separator
+bool SocketHandler::GetLine( string &lineT, string separator, int timeout )
+{
+    lineT = "";
+
+    string TempLine;
+    string::size_type Position;
+
+    do
+    {
+        if ( Recv( TempLine, false, timeout ) == false )
+        {
+            return false;
+        }
+    }
+    while ( (Position = TempLine.find( separator )) == string::npos );
+
+    TempLine = "";
+
+    if ( RecvLength( TempLine, Position + separator.size() ) == false )
+    {
+        return false;
+    }
+
+    lineT = TempLine.erase( Position );
+
+    return true;
+}
+
+
+//Resolve and set hostname/port for connecting
+bool SocketHandler::SetDomainAndPort( string domainT, int portT )
+{
+    if ( domainT == "" ) return false;
+    if ( portT < 1 || portT > 65536 ) return false;
+
+    int domlen = domainT.length();
+
+    if (domlen > 250) domainT = domainT.substr(0, 250);
+    my_s_addr.sin_port = htons(portT);
+
+    //IP?
+    if ( domlen >= 7 && domlen <= 15 && domainT.find_first_not_of("0123456789.") == string::npos )
+    {
+        LastHost = "";
+        if ( inet_aton( domainT.c_str(), &my_s_addr.sin_addr ) != 0 ) return true;
+        return false;
+    }
+
+    //Same host as last time, use next IP
+    if ( server && LastHost == domainT )
+    {
+        if ( ips == 1 ) return true;
+
+        if ( ++ip_count == ips ) ip_count = 0;
+        memcpy((char *) &my_s_addr.sin_addr.s_addr, server->h_addr_list[ip_count], server->h_length);
+
+        return true;
+    }
+
+    //Resolve host
+    if ( (server = gethostbyname( domainT.c_str() )) )
+    {
+        //Count IPs
+        for ( ips = 0; server->h_addr_list[ips] != NULL && server->h_addrtype == AF_INET && ips != 16; ips++ );
+
+        if ( !ips ) return false;
+
+        memcpy((char *) &my_s_addr.sin_addr.s_addr, server->h_addr_list[0], server->h_length);
+
+        ip_count = 0;
+        LastHost = domainT;
+
+        return true;
+    }
+
+    LastHost = "";
+    return false;
+}
+
+int SocketHandler::IPCount()
+{
+    return ips;
+}
+
+string SocketHandler::GetIP()
+{
+    string ip = inet_ntoa(my_s_addr.sin_addr);
+    return ip;
+}
+
+bool SocketHandler::CheckForData( int timeout )
+{
+    if ( RecvBuf.size() > 0 )
+    {
+        return true;
+    }
+
+    int ret;
+
+    Timeout.tv_sec = timeout;
+    Timeout.tv_usec = 0;
+
+    FD_ZERO(&checkfd);
+    FD_SET(sock_fd,&checkfd);
+
+    ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout);
+
+    if (ret <= 0)
+    {
+        return false;
+    }
+
+    return true;
+}
+
+
+#ifdef SSLTUNNEL
+int SocketHandler::CheckForSSLData( int sockBrowser, int sockServer )
+{
+    fd_set readfd;
+    int fds;
+
+    FD_ZERO(&readfd);
+    FD_SET(sockBrowser,&readfd);
+    FD_SET(sockServer,&readfd);
+
+    if ( sockBrowser > sockServer )
+    {
+        fds = sockBrowser;
+    }
+    else
+    {
+        fds = sockServer;
+    }
+
+    Timeout.tv_sec = 20;
+    Timeout.tv_usec = 0;
+
+    int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout);
+
+    if (ret <= 0) return 0;
+
+    if (FD_ISSET(sockBrowser,&readfd)) return 1;
+
+    return 2;
+}
+#endif
+
+
+void SocketHandler::Close()
+{
+    //Clear receive buffer
+    RecvBuf = "";
+
+    //Check that we have a real fd
+    if ( sock_fd > -1 )
+    {
+        while ( ::close(sock_fd) < 0 )
+        {
+            if (errno == EINTR) continue;
+            if (errno == EBADF) break;
+
+            //IO error?
+            LogFile::ErrorMessage("close() failed: %s\n", strerror(errno));
+        }
+
+        //Mark socket unused
+        sock_fd = -1;
+    }
+}
+
+
+//Constructor
+SocketHandler::SocketHandler()
+{
+    memset(&my_s_addr, 0, sizeof(my_s_addr));
+    my_s_addr.sin_family = AF_INET;
+
+    memset(&my_u_addr, 0, sizeof(my_u_addr));
+    my_u_addr.sun_family = AF_LOCAL;
+
+    ip_count = 0;
+    ips = 0;
+
+    //No socket exists yet
+    sock_fd = -1;
+
+    source_address = Params::GetConfigString("SOURCE_ADDRESS");
+
+    if ( source_address != "" )
+    {
+        l_addr.sin_family = AF_INET;
+        l_addr.sin_port = htons(0);
+        l_addr.sin_addr.s_addr = inet_addr( source_address.c_str() );
+    }
+
+    RecvBuf.reserve(1500);
+    RecvBuf = "";
+}
+
+
+//Destructor
+SocketHandler::~SocketHandler()
+{
+}
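Review bot: In `GetLine`, `Recv( TempLine, false, timeout ) == false` compares an `ssize_t` with `false`, so only a return of 0 ends the loop. The -1 that `Recv` returns on a select timeout or recv error is treated as success, and the loop simply waits again on a silent peer. Test the sign instead: `if ( Recv( TempLine, false, timeout ) <= 0 ) return false;`. Separately, with `sock_delT == false` a non-empty `RecvBuf` makes `Recv` return the buffered bytes without reading the socket, so a line whose separator is not in the first chunk makes the loop re-append the same buffer to `TempLine` on every pass without bound; that path needs a read that actually extends `RecvBuf`. This file is the quilt backup under `.pc/`, so the same code presumably also lives in `havp/sockethandler.cpp`.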
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/applied-patches	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,3 @@
+03_havp.config.patch
+04_params.cpp.patch
+05_add_ssltimeout_option.patch
--- a/debian/changelog	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/changelog	Wed Jun 18 16:17:31 2014 +0200
@@ -1,3 +1,34 @@
+havp (0.92a-2.ius.2) stable; urgency=low
+
+  * Non-maintainer upload.
+  * cosmetic for SSLTIMEOUT option in sockethandler.cpp
+  * displace SSLTIMEOUT in config file 
+
+ -- Christian Arnold <arnold@schlittermann.de>  Tue, 11 Oct 2011 11:34:14 +0200
+
+havp (0.92a-2.ius.1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * fixed version string to ius
+
+ -- Heiko Schlittermann <hs@schlittermann.de>  Fri, 07 Oct 2011 15:51:29 +0200
+
+havp (0.92a-2.1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * fixed init script and init script invocation 
+  * pushed to 3.0 (quilt) source format
+  * added example config line to havp.config
+
+ -- Heiko Schlittermann <hs@schlittermann.de>  Fri, 07 Oct 2011 15:41:23 +0200
+
+havp (0.92a-2) stable; urgency=low
+
+  * Non-maintainer upload.
+  * buld for squeeze 
+
+ -- Heiko Schlittermann <hs@schlittermann.de>  Fri, 07 Oct 2011 13:48:22 +0200
+
 havp (0.92a-2) unstable; urgency=low
 
   * Include debconf language updates from previous NMU and new updates.
--- a/debian/compat	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/compat	Wed Jun 18 16:17:31 2014 +0200
@@ -1,1 +1,1 @@
-4
+7
--- a/debian/control	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/control	Wed Jun 18 16:17:31 2014 +0200
@@ -2,8 +2,9 @@
 Section: net
 Priority: optional
 Maintainer: Rene Mayrhofer <rene.mayrhofer@gibraltar.at>
-Build-Depends: debhelper (>= 4.0.0), autotools-dev, libssl-dev, libclamav-dev, dpatch, docbook-to-man, po-debconf
-Standards-Version: 3.8.1
+Build-Depends: debhelper (>= 7.0.0), autotools-dev, libssl-dev, libclamav-dev, docbook-to-man, po-debconf, 
+    quilt (>= 0.46-7~)
+Standards-Version: 3.9.1
 
 Package: havp
 Architecture: any
--- a/debian/havp.init	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/havp.init	Wed Jun 18 16:17:31 2014 +0200
@@ -1,11 +1,11 @@
 #! /bin/sh
 ### BEGIN INIT INFO
 # Provides:          havp
-# Required-Start:    $network
-# Required-Stop:
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $remote_fs $network
 # Should-Start:	     $named $time
 # Default-Start:     2 3 4 5
-# Default-Stop:      0 6
+# Default-Stop:      0 1 6
 # Short-Description: HAVP virus-scanning HTTP proxy
 # Description: HAVP is a HTTP proxy that transparently scans all traffic for
 #	       viruses and blocks all infected files.
@@ -95,9 +95,9 @@
 	#	option to the "reload" entry above. If not, "force-reload" is
 	#	just the same as "restart".
 	#
-+	$0 stop
+	$0 stop
 	sleep 1
-+	$0 start
+	$0 start
 	;;
   status)
         if [ ! -r $PIDFILE ]; then
--- a/debian/havp.postinst	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/havp.postinst	Wed Jun 18 16:17:31 2014 +0200
@@ -37,7 +37,6 @@
       fi
       # care for proper ownership in any case (e.g. updating from an earlier 
       # havp package with different paths)
-      chown havp:havp /var/run/havp
       chown havp:havp /var/log/havp
       chown havp:havp /var/lib/havp
       chown havp:havp /var/spool/havp
--- a/debian/havp.prerm	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/havp.prerm	Wed Jun 18 16:17:31 2014 +0200
@@ -1,4 +1,5 @@
 #! /bin/sh
+set -e
 # prerm script for havp
 #
 # see: dh_installdeb(1)
--- a/debian/patches/00list	Wed Jun 18 16:16:36 2014 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-03_havp.config
-04_params.cpp
-05_add_ssltimeout_option
\ No newline at end of file
--- a/debian/patches/03_havp.config.dpatch	Wed Jun 18 16:16:36 2014 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,47 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 03_havp.config.dpatch by  <mfladischer@home.fladi.at>
-## adapted and cleaned up by Rene Mayrhofer
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Set PID file and SCANTEMPFILE to correct locations
-
-@DPATCH@
-
---- havp-0.85/etc/havp/havp.config.in.orig	2007-03-13 11:49:25.482732863 +0100
-+++ havp-0.85/etc/havp/havp.config.in	2007-03-13 11:50:33.667542226 +0100
-@@ -16,7 +16,7 @@
- # You must remove this line for HAVP to start.
- # This makes sure you have (hopefully) reviewed the configuration. :)
- # Hint: You must enable some scanner! Find them in the end..
--REMOVETHISLINE deleteme
-+# REMOVETHISLINE deleteme
-
- #
- # For reasons of security it is recommended to run a proxy program
-@@ -103,7 +103,7 @@
- # These characters are used by system to create unique named files.
- #
- # Default:
--# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
-+# SCANTEMPFILE /var/spool/havp/havp-XXXXXX
-
- #
- # Is scanner error fatal?
-@@ -342,14 +342,14 @@
- ##### ClamAV Library Scanner (libclamav)
- #####
-
--ENABLECLAMLIB false
-+ENABLECLAMLIB true
-
- # HAVP uses libclamav hardcoded pattern directory, which usually is
--# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
-+# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
- # using non-default DatabaseDirectory setting in clamd.conf.
- #
- # Default: NONE
--# CLAMDBDIR /path/to/directory
-+# CLAMDBDIR /var/lib/clamav
-
- # Should we block encrypted archives?
- #
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/patches/03_havp.config.patch	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,57 @@
+--- a/etc/havp/havp.config.in
++++ b/etc/havp/havp.config.in
+@@ -16,7 +16,7 @@
+ # You must remove this line for HAVP to start.
+ # This makes sure you have (hopefully) reviewed the configuration. :)
+ # Hint: You must enable some scanner! Find them in the end..
+-REMOVETHISLINE deleteme
++# REMOVETHISLINE deleteme
+ 
+ #
+ # For reasons of security it is recommended to run a proxy program
+@@ -113,7 +113,7 @@
+ # These characters are used by system to create unique named files.
+ #
+ # Default:
+-# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
++# SCANTEMPFILE /var/spool/havp/havp-XXXXXX
+ 
+ #
+ # Directory for ClamAV and other scanner created tempfiles.
+@@ -237,6 +237,13 @@
+ # Default:
+ # FAILSCANERROR true
+ 
++# SSL connections may be silent for a while (mostly when "abused"
++# for other communication than HTTP). HAVP disconnects these connections
++# after several seconds.
++#
++# Default:
++# SSLTIMEOUT 20
++
+ #
+ # When scanning takes longer than this, it will be aborted.
+ # Timer is started after HAVP has fully received all data.
+@@ -428,14 +435,14 @@
+ ##### ClamAV Library Scanner (libclamav)
+ #####
+ 
+-ENABLECLAMLIB false
++ENABLECLAMLIB true
+ 
+ # HAVP uses libclamav hardcoded pattern directory, which usually is
+-# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
++# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
+ # using non-default DatabaseDirectory setting in clamd.conf.
+ #
+ # Default: NONE
+-# CLAMDBDIR /path/to/directory
++# CLAMDBDIR /var/lib/clamav
+ 
+ # Should we block broken executables?
+ #
+@@ -661,4 +668,3 @@
+ # Default: NONE
+ # DRWEBSERVER 127.0.0.1
+ # DRWEBPORT 3000
+-
--- a/debian/patches/04_params.cpp.dpatch	Wed Jun 18 16:16:36 2014 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 04_params.cpp.dpatch by  <mfladischer@home.fladi.at>
-## adapted and cleaned up by Rene Mayrhofer
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Set PID file and SCANTEMPFILE to correct locations
-
-@DPATCH@
-
---- havp-0.85/havp/params.cpp.orig	2007-03-13 11:50:45.812848266 +0100
-+++ havp-0.85/havp/params.cpp	2007-03-13 11:51:19.209457684 +0100
-@@ -62,7 +62,7 @@
-     SetConfig("BLACKLIST",	BLACKLISTFILE);
-     SetConfig("TEMPLATEPATH",	TEMPLATEPATH);
--    SetConfig("TEMPDIR",	"/var/tmp");
-+    SetConfig("TEMPDIR",	"/var/spool/havp");
--    SetConfig("SCANTEMPFILE",	"/var/tmp/havp/havp-XXXXXX");
-+    SetConfig("SCANTEMPFILE",	"/var/spool/havp/havp-XXXXXX");
-     SetConfig("PIDFILE",	PIDFILE);
-     SetConfig("TRANSPARENT",	"false");
-     SetConfig("RANGE",		"false");
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/patches/04_params.cpp.patch	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,13 @@
+--- a/havp/params.cpp
++++ b/havp/params.cpp
+@@ -70,8 +70,8 @@
+     SetConfig("WHITELIST",	WHITELISTFILE);
+     SetConfig("BLACKLIST",	BLACKLISTFILE);
+     SetConfig("TEMPLATEPATH",	TEMPLATEPATH);
+-    SetConfig("TEMPDIR",	"/var/tmp");
+-    SetConfig("SCANTEMPFILE",	"/var/tmp/havp/havp-XXXXXX");
++    SetConfig("TEMPDIR",	"/var/spool/havp");
++    SetConfig("SCANTEMPFILE",	"/var/spool/havp/havp-XXXXXX");
+     SetConfig("PIDFILE",	PIDFILE);
+     SetConfig("TRANSPARENT",	"false");
+     SetConfig("RANGE",		"false");
--- a/debian/patches/05_add_ssltimeout_option.dpatch	Wed Jun 18 16:16:36 2014 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 05_add_ssltimeout_option.dpatch by Rene Mayrhofer, adapted from a patch by
-## Heiko Schlittermann
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Add SSLTIMEOUT config option
-
-@DPATCH@
-
---- a/havp/default.h.in
-+++ b/havp/default.h.in
-@@ -36,6 +36,7 @@
-  "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \
-  "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \
-  "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \
-+ "SSLTIMEOUT", \
-  "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \
-  "SKIPMIME","SCANMIME", \
-  "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \
-diff --git a/havp/params.cpp b/havp/params.cpp
-index 0f83c0c..5a18913 100644
---- a/havp/params.cpp
-+++ b/havp/params.cpp
-@@ -86,6 +86,7 @@ void Params::SetDefaults()
-     SetConfig("SCANNERTIMEOUT",	"10");
-     SetConfig("IGNOREVIRUS",	"");
-     SetConfig("DISABLELOCKINGFOR","AVG:ALL");
-+    SetConfig("SSLTIMEOUT", "20");
- //SCANNERS
-     SetConfig("ENABLECLAMLIB","false");
-         SetConfig("CLAMDBDIR","");
-diff --git a/havp/sockethandler.cpp b/havp/sockethandler.cpp
-index 28a119a..4cb5f24 100644
---- a/havp/sockethandler.cpp
-+++ b/havp/sockethandler.cpp
-@@ -582,7 +582,7 @@ int SocketHandler::CheckForSSLData( int sockBrowser, int sockServer )
-         fds = sockServer;
-     }
- 
--    Timeout.tv_sec = 20;
-+    Timeout.tv_sec = Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT");;
-     Timeout.tv_usec = 0;
- 
-     int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/patches/05_add_ssltimeout_option.patch	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,47 @@
+--- a/havp/default.h.in
++++ b/havp/default.h.in
+@@ -36,6 +36,7 @@
+  "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \
+  "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \
+  "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \
++ "SSLTIMEOUT", \
+  "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \
+  "SKIPMIME","SCANMIME", \
+  "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \
+--- a/havp/params.cpp
++++ b/havp/params.cpp
+@@ -86,6 +86,7 @@
+     SetConfig("SCANNERTIMEOUT",	"10");
+     SetConfig("IGNOREVIRUS",	"");
+     SetConfig("DISABLELOCKINGFOR","AVG:ALL");
++    SetConfig("SSLTIMEOUT",		"20");
+ //SCANNERS
+     SetConfig("ENABLECLAMLIB","false");
+         SetConfig("CLAMDBDIR","");
+--- a/havp/sockethandler.cpp
++++ b/havp/sockethandler.cpp
+@@ -582,7 +582,7 @@
+         fds = sockServer;
+     }
+ 
+-    Timeout.tv_sec = 20;
++    Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT");
+     Timeout.tv_usec = 0;
+ 
+     int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout);
+--- a/etc/havp/havp.config.in
++++ b/etc/havp/havp.config.in
+@@ -255,6 +255,13 @@
+ # Default:
+ # SCANNERTIMEOUT 10
+ 
++# SSL connections may be silent for a while (mostly when "abused"
++# for other communication than HTTP). HAVP disconnects these connections
++# after several seconds.
++#
++# Default:
++# SSLTIMEOUT 20
++
+ #
+ # Allow HTTP Range requests?
+ #
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/patches/series	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,3 @@
+03_havp.config.patch
+04_params.cpp.patch
+05_add_ssltimeout_option.patch
--- a/debian/rules	Wed Jun 18 16:16:36 2014 +0200
+++ b/debian/rules	Wed Jun 18 16:17:31 2014 +0200
@@ -72,11 +72,12 @@
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k 
+	dh_prep
 	dh_installdirs
 
 	# Add here commands to install the package into debian/havp.
 	$(MAKE) install DESTDIR=$(CURDIR)/debian/havp
+	rmdir $(CURDIR)/debian/havp/var/run/havp
 
 	# clean up to make lintian shut up...
 	rm -r $(CURDIR)/debian/havp/var/tmp
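Review bot: Nothing visible in this commit recreates `/var/run/havp` once this `rmdir` stops shipping it. The debian/havp.postinst hunk drops its `chown havp:havp /var/run/havp`, and neither of the two debian/havp.init hunks shown creates the directory. If the start branch of the init script (outside those hunks) does not already do so, add something like `install -d -o havp -g havp -m 0755 /var/run/havp` before the daemon is launched, so the PID directory exists with the intended owner. A short comment above the `rmdir` saying the directory is created at runtime would also explain why the build removes it.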
@@ -96,7 +97,7 @@
 	dh_installdocs
 	dh_installexamples
 	dh_installlogrotate
-	dh_installinit --error-handler=init_error
+	dh_installinit --error-handler=init_error 
 	dh_installman havp.1
 	dh_link
 	dh_strip
@@ -110,12 +111,12 @@
 
 patch: patch-stamp
 patch-stamp:
-	dpatch apply-all
-	dpatch cat-all >patch-stamp
+	dh_quilt_patch
+	touch patch-stamp
 
 unpatch:
-	dpatch deapply-all
-	rm -rf patch-stamp debian/patched
+	dh_quilt_unpatch
+	rm -rf patch-stamp
 
 binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/source/format	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+3.0 (quilt)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/source/options	Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+tar-ignore
--- a/etc/havp/havp.config.in	Wed Jun 18 16:16:36 2014 +0200
+++ b/etc/havp/havp.config.in	Wed Jun 18 16:17:31 2014 +0200
@@ -16,7 +16,7 @@
 # You must remove this line for HAVP to start.
 # This makes sure you have (hopefully) reviewed the configuration. :)
 # Hint: You must enable some scanner! Find them in the end..
-REMOVETHISLINE deleteme
+# REMOVETHISLINE deleteme
 
 #
 # For reasons of security it is recommended to run a proxy program
@@ -113,7 +113,7 @@
 # These characters are used by system to create unique named files.
 #
 # Default:
-# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
+# SCANTEMPFILE /var/spool/havp/havp-XXXXXX
 
 #
 # Directory for ClamAV and other scanner created tempfiles.
@@ -237,6 +237,13 @@
 # Default:
 # FAILSCANERROR true
 
+# SSL connections may be silent for a while (mostly when "abused"
+# for other communication than HTTP). HAVP disconnects these connections
+# after several seconds.
+#
+# Default:
+# SSLTIMEOUT 20
+
 #
 # When scanning takes longer than this, it will be aborted.
 # Timer is started after HAVP has fully received all data.
@@ -248,6 +255,13 @@
 # Default:
 # SCANNERTIMEOUT 10
 
+# SSL connections may be silent for a while (mostly when "abused"
+# for other communication than HTTP). HAVP disconnects these connections
+# after several seconds.
+#
+# Default:
+# SSLTIMEOUT 20
+
 #
 # Allow HTTP Range requests?
 #
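Review bot: The SSLTIMEOUT stanza added here is a second copy of the one the `@@ -237,6 +237,13 @@` hunk of this file already adds after FAILSCANERROR, so the patched havp.config.in documents the option twice. The duplication comes from the quilt series: both debian/patches/03_havp.config.patch and debian/patches/05_add_ssltimeout_option.patch carry the stanza. Keep it only in 05_add_ssltimeout_option.patch (after SCANNERTIMEOUT) and drop the `@@ -237,6 +237,13 @@` hunk from 03_havp.config.patch. The comment could also state the unit, for example `# Seconds an SSL tunnel may stay silent before HAVP closes it.`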
@@ -428,14 +442,14 @@
 ##### ClamAV Library Scanner (libclamav)
 #####
 
-ENABLECLAMLIB false
+ENABLECLAMLIB true
 
 # HAVP uses libclamav hardcoded pattern directory, which usually is
-# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
+# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
 # using non-default DatabaseDirectory setting in clamd.conf.
 #
 # Default: NONE
-# CLAMDBDIR /path/to/directory
+# CLAMDBDIR /var/lib/clamav
 
 # Should we block broken executables?
 #
@@ -661,4 +675,3 @@
 # Default: NONE
 # DRWEBSERVER 127.0.0.1
 # DRWEBPORT 3000
-
--- a/havp/default.h.in	Wed Jun 18 16:16:36 2014 +0200
+++ b/havp/default.h.in	Wed Jun 18 16:17:31 2014 +0200
@@ -36,6 +36,7 @@
  "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \
  "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \
  "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \
+ "SSLTIMEOUT", \
  "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \
  "SKIPMIME","SCANMIME", \
  "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \
--- a/havp/params.cpp	Wed Jun 18 16:16:36 2014 +0200
+++ b/havp/params.cpp	Wed Jun 18 16:17:31 2014 +0200
@@ -70,8 +70,8 @@
     SetConfig("WHITELIST",	WHITELISTFILE);
     SetConfig("BLACKLIST",	BLACKLISTFILE);
     SetConfig("TEMPLATEPATH",	TEMPLATEPATH);
-    SetConfig("TEMPDIR",	"/var/tmp");
-    SetConfig("SCANTEMPFILE",	"/var/tmp/havp/havp-XXXXXX");
+    SetConfig("TEMPDIR",	"/var/spool/havp");
+    SetConfig("SCANTEMPFILE",	"/var/spool/havp/havp-XXXXXX");
     SetConfig("PIDFILE",	PIDFILE);
     SetConfig("TRANSPARENT",	"false");
     SetConfig("RANGE",		"false");
@@ -86,6 +86,7 @@
     SetConfig("SCANNERTIMEOUT",	"10");
     SetConfig("IGNOREVIRUS",	"");
     SetConfig("DISABLELOCKINGFOR","AVG:ALL");
+    SetConfig("SSLTIMEOUT",		"20");
 //SCANNERS
     SetConfig("ENABLECLAMLIB","false");
         SetConfig("CLAMDBDIR","");
--- a/havp/sockethandler.cpp	Wed Jun 18 16:16:36 2014 +0200
+++ b/havp/sockethandler.cpp	Wed Jun 18 16:17:31 2014 +0200
@@ -582,7 +582,7 @@
         fds = sockServer;
     }
 
-    Timeout.tv_sec = 20;
+    Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT");
     Timeout.tv_usec = 0;
 
     int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout);
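Review bot: `Params::GetConfigInt("SSLTIMEOUT")` is assigned to `Timeout.tv_sec` with no range check, and none of the params.cpp hunks in this commit adds one. Assuming `select_eintr` passes the timeval on to select(), a value of 0 turns the wait into a poll and a negative value is an invalid timeout, so in both cases an idle tunnel is treated as timed out immediately. Reject such values where the other settings are validated in params.cpp (next to the TRICKLINGBYTES check): `if ( Params::GetConfigInt("SSLTIMEOUT") < 1 ) { cout << "Invalid Config: SSLTIMEOUT needs to be greater than 0" << endl; return false; }`. The same line is carried in debian/patches/05_add_ssltimeout_option.patch, and the body of CheckForSSLData starts and ends outside this hunk.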