authorbptato <nincsnevem662@gmail.com>2024-11-02 12:41:00 +0100
committerbptato <nincsnevem662@gmail.com>2024-11-02 13:33:18 +0100
commit8c99938d27afedea3f4f93d5b21e4148ca535af4 (patch)
treeaa5f9eb0d01d23e26c727a4921a88c475e8b9601 /adapter
parent86a93ce37d1768d2bee6c12ef62c97d9f2428b50 (diff)
downloadchawan-8c99938d27afedea3f4f93d5b21e4148ca535af4.tar.gz
protocol: sandbox more network processes + fix some gemini bugs
Diffstat (limited to 'adapter')
-rw-r--r--adapter/protocol/ftp.nim1
-rw-r--r--adapter/protocol/gemini.nim17
-rw-r--r--adapter/protocol/gopher.nim1
-rw-r--r--adapter/protocol/lcgi.nim2
-rw-r--r--adapter/protocol/lcgi_ssl.nim2
-rw-r--r--adapter/protocol/sftp.nim1
6 files changed, 15 insertions, 9 deletions
diff --git a/adapter/protocol/ftp.nim b/adapter/protocol/ftp.nim
index c62fe61f..97a860cc 100644
--- a/adapter/protocol/ftp.nim
+++ b/adapter/protocol/ftp.nim
@@ -106,6 +106,7 @@ proc main() =
     os.sdie(401, "Unauthorized", obuf)
   discard os.sendCommand(ps, "TYPE", "I", obuf) # request raw data
   let passive = os.passiveMode(ps, host, ipv6)
+  enterNetworkSandbox()
   var path = percentDecode(getEnvEmpty("MAPPED_URI_PATH", "/"))
   if os.sendCommand(ps, "CWD", path, obuf) == 250:
     if path[^1] != '/':
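Review bot: The placement of `enterNetworkSandbox()` directly after `os.passiveMode(...)` carries an ordering constraint that the hunk does not document: presumably the data connection has to exist before the process gives up the ability to open new ones. A one-line comment above the call, e.g. `# control and data sockets are open; restrict the process before handling paths and listings`, would keep a later refactor from moving a connect below it. The same applies to the call added in sftp.nim after `os.authenticate(session, host)`. What the sandbox actually forbids is defined in utils/sandbox, which is not part of this diff, so the comment's wording should be checked against it. main's body starts and ends outside the hunk.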
diff --git a/adapter/protocol/gemini.nim b/adapter/protocol/gemini.nim
index 29e10310..a030428f 100644
--- a/adapter/protocol/gemini.nim
+++ b/adapter/protocol/gemini.nim
@@ -165,7 +165,7 @@ proc readResponse(os: PosixStream; ssl: ptr SSL; reqBuf: string) =
   var n = 0
   while n < buffer.len:
     let m = SSL_read(ssl, addr buffer[n], cint(buffer.len - n))
-    if m == 0:
+    if m <= 0:
       break
     n += m
   let status0 = buffer[0]
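Review bot: Breaking on `m <= 0` stops the loop on an SSL error, but the line after the loop still reads `buffer[0]` when fewer than two bytes arrived, so the status check runs on bytes that were never received. A length guard right after the loop, `if n < 2: os.die("InvalidResponse", "invalid status code")`, would make that failure explicit; whether the buffer's initial contents already fail the later status check is not visible here. The second loop (`while n < 1024 + 3`) has the same shape, and the `buffer.find("\r\n")` that follows it should only be trusted for an index below `n`. readResponse starts and ends outside the hunk.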
@@ -174,7 +174,7 @@ proc readResponse(os: PosixStream; ssl: ptr SSL; reqBuf: string) =
     os.die("InvalidResponse", "invalid status code")
   while n < 1024 + 3: # max meta len is 1024
     let m = SSL_read(ssl, addr buffer[n], cint(buffer.len - n))
-    if m == 0:
+    if m <= 0:
       break
     n += m
   let i = buffer.find("\r\n")
@@ -211,11 +211,10 @@ proc readResponse(os: PosixStream; ssl: ptr SSL; reqBuf: string) =
       os.sendDataLoop(buffer.toOpenArray(0, int(n) - 1))
   of '3': # redirect
     # META is the redirection URL.
-    let c = if status1 == '0':
-      '7' # temporary
-    else:
-      '1' # permanent
-    os.sendDataLoop("Status: 30" & c & "\nLocation: " & meta & "\n\n")
+    # Using an HTTP permanent redirect would send another POST and
+    # break redirection after form submission (search), so we send
+    # See Other.
+    os.sendDataLoop("Status: 303\nLocation: " & meta & "\n\n")
   of '4': # temporary failure
     # META is additional information.
     let tmp = case status1
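Review bot: `meta` comes from the server's response line and is concatenated unescaped into the CGI header block in `"Status: 303\nLocation: " & meta & "\n\n"`, so a bare `\n` inside it would begin a new header line chosen by the remote server. The visible parser ends the line at `\r\n`, which does not rule out a lone LF in `meta`; whether `meta` is validated between that point and this branch is outside the hunk. Rejecting such values before emitting the redirect, e.g. `if '\n' in meta or '\r' in meta: os.die("InvalidResponse", "invalid redirect URL")`, closes that off. The same concatenation pattern is worth checking in the other status branches that echo `meta`.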
@@ -284,8 +283,10 @@ proc main() =
   var storedDigest: string
   var theirDigest: string
   var theirTime: Time
-  case os.connect(ssl, host, port, knownHosts, storedDigest, theirDigest,
+  let res = os.connect(ssl, host, port, knownHosts, storedDigest, theirDigest,
     theirTime, tmpEntry)
+  enterNetworkSandbox()
+  case res
   of ccrFoundValid:
     discard SSL_write(ssl, cstring(reqBuf), cint(reqBuf.len))
     os.readResponse(ssl, reqBuf)
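Review bot: Every branch of `case res` now runs inside the sandbox, but only `ccrFoundValid` is visible in the hunk. If any of the other branches writes the known-hosts entry or opens a file (the `knownHosts` and `tmpEntry` arguments suggest pinning state is kept on disk), it has to work with descriptors that were opened before `enterNetworkSandbox()`. A short comment on the new line, e.g. `# after connect: branches below may only use fds opened above`, would record that constraint for the next change to this proc. main's body starts and ends outside the hunk.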
diff --git a/adapter/protocol/gopher.nim b/adapter/protocol/gopher.nim
index b97ced2b..218e2da4 100644
--- a/adapter/protocol/gopher.nim
+++ b/adapter/protocol/gopher.nim
@@ -27,6 +27,7 @@ Content-Type: text/html
 proc loadRegular(os: PosixStream; t: GopherType; path: var string;
     host, port, query: string) =
   let ps = os.connectSocket(host, port)
+  enterNetworkSandbox()
   if query != "":
     path &= '\t'
     path &= query
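Review bot: `enterNetworkSandbox()` is called inside `loadRegular` rather than at a single point on the program's entry path, so any request type served without going through this proc would run unsandboxed. Only `loadRegular` is visible in the hunk, so this may already be the sole network path; if it is, a comment saying so (`# only place gopher.nim opens a socket`) would make the coverage easy to audit. The proc's body continues outside the hunk.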
diff --git a/adapter/protocol/lcgi.nim b/adapter/protocol/lcgi.nim
index 590c63c8..5a7bf718 100644
--- a/adapter/protocol/lcgi.nim
+++ b/adapter/protocol/lcgi.nim
@@ -4,10 +4,12 @@ import std/posix
 import std/strutils
 
 import io/dynstream
+import utils/sandbox
 import utils/twtstr
 
 export dynstream
 export twtstr
+export sandbox
 
 export STDIN_FILENO, STDOUT_FILENO
 
diff --git a/adapter/protocol/lcgi_ssl.nim b/adapter/protocol/lcgi_ssl.nim
index 977336c7..aca51a9b 100644
--- a/adapter/protocol/lcgi_ssl.nim
+++ b/adapter/protocol/lcgi_ssl.nim
@@ -2,7 +2,7 @@ import std/posix
 
 import lcgi
 
-export lcgi, dynstream, twtstr
+export lcgi, dynstream, twtstr, sandbox
 
 const libssl = staticExec("pkg-config --libs --silence-errors libssl libcrypto")
 
diff --git a/adapter/protocol/sftp.nim b/adapter/protocol/sftp.nim
index 2182a574..a2f1071c 100644
--- a/adapter/protocol/sftp.nim
+++ b/adapter/protocol/sftp.nim
@@ -251,6 +251,7 @@ proc main() =
     os.die("InternalError", "handshake failed")
   #TODO check known hosts file...
   os.authenticate(session, host)
+  enterNetworkSandbox()
   let sftpSession = libssh2_sftp_init(session)
   let path = percentDecode(getEnvEmpty("MAPPED_URI_PATH", "/"))
   let handle = sftpSession.libssh2_sftp_opendir(cstring(path))