| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9050c6d011 | ||
|
|
20ab9b26fa |
@@ -51,6 +51,9 @@ build_ubuntu_bionic:
|
||||
- *prepare_artfacts
|
||||
script:
|
||||
- bash builder/build-package ubuntu bionic
|
||||
only:
|
||||
variables:
|
||||
- $CI_COMMIT_MESSAGE =~ /\[full [Cc][Ii]\]/
|
||||
artifacts:
|
||||
paths:
|
||||
- output/
|
||||
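Review bot: The three lines added to build_ubuntu_bionic (presumably `only:`, `variables:` and `- $CI_COMMIT_MESSAGE =~ /\[full [Cc][Ii]\]/`) gate the bionic package behind an opt-in commit message, so a bionic-only regression will not show up in an ordinary pipeline; that is a reasonable trade-off for a secondary target, but it deserves a one-line comment above `only:` saying the job is opt-in and why. As a point of style, `only:`/`except:` are no longer actively developed by GitLab in favour of `rules:`, and the same gate can be written as `rules: - if: '$CI_COMMIT_MESSAGE =~ /\[full ci\]/i'`, which also replaces the hand-rolled `[Cc][Ii]` case handling with the regex flag (verify the flag is honoured by the GitLab version in use). The build_ubuntu_bionic_arm hunk below adds the identical block and the same applies there.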
@@ -67,6 +70,9 @@ build_ubuntu_bionic_arm:
|
||||
- *prepare_artfacts
|
||||
script:
|
||||
- bash builder/build-package ubuntu bionic
|
||||
only:
|
||||
variables:
|
||||
- $CI_COMMIT_MESSAGE =~ /\[full [Cc][Ii]\]/
|
||||
artifacts:
|
||||
paths:
|
||||
- output/
|
||||
@@ -80,7 +86,7 @@ build_ubuntu_bionic_libjpeg_turbo:
|
||||
after_script:
|
||||
- *prepare_artfacts
|
||||
script:
|
||||
- bash builder/build-package ubuntu bionic +libjpeg-turbo_latest
|
||||
- bash builder/build-package ubuntu focal +libjpeg-turbo_latest
|
||||
artifacts:
|
||||
paths:
|
||||
- output/
|
||||
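Review bot: The job is still named `build_ubuntu_bionic_libjpeg_turbo` (hunk header) while the new script line runs `bash builder/build-package ubuntu focal +libjpeg-turbo_latest`, so the job name and its `output/` artifact now describe different releases; unless the job is renamed outside this hunk, rename it to `build_ubuntu_focal_libjpeg_turbo` and update any reference to it elsewhere in the pipeline. Unlike the two bionic jobs above, this job is not gated behind the `[full CI]` commit-message check, which is consistent with focal becoming the default target but should be stated in a comment if intentional. The enclosing job definition starts and ends outside the hunk.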
@@ -114,9 +120,6 @@ build_ubuntu_focal_arm:
|
||||
- *prepare_artfacts
|
||||
script:
|
||||
- bash builder/build-package ubuntu focal;
|
||||
only:
|
||||
variables:
|
||||
- $CI_COMMIT_MESSAGE =~ /\[full [Cc][Ii]\]/
|
||||
artifacts:
|
||||
paths:
|
||||
- output/
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
FROM ubuntu:18.04
|
||||
FROM ubuntu:20.04
|
||||
|
||||
ENV KASMVNC_BUILD_OS ubuntu
|
||||
ENV KASMVNC_BUILD_OS_CODENAME bionic
|
||||
ENV XORG_VER 1.20.10
|
||||
ENV KASMVNC_BUILD_OS_CODENAME focal
|
||||
ENV XORG_VER 1.20.8
|
||||
|
||||
RUN sed -i 's$# deb-src$deb-src$' /etc/apt/sources.list
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get -y install sudo
|
||||
|
||||
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata
|
||||
RUN apt-get update && apt-get -y build-dep xorg-server libxfont-dev
|
||||
RUN apt-get update && apt-get -y install cmake git libgnutls28-dev vim wget tightvncserver
|
||||
RUN apt-get update && apt-get -y install libpng-dev libtiff-dev libgif-dev libavcodec-dev libssl-dev
|
||||
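Review bot: `ENV XORG_VER 1.20.8` moves the pinned xorg-server version backwards from 1.20.10 while the base image moves forward to 20.04, and nothing in the hunk says why; if the value must track the xorg-server source package of the target release, record that with `# must match the xorg-server source version shipped by the codename above` so the next maintainer does not "correct" it upward, and if the tarball is instead fetched from upstream, note that an older release forgoes the fixes made after it. The added `RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata` relies on the package lists fetched in the preceding `RUN apt-get update && apt-get -y install sudo` layer; folding it into that layer or giving it its own `apt-get update &&` keeps each layer self-contained. `FROM ubuntu:20.04` is a floating tag, so the build is not reproducible over time; pinning by digest (`ubuntu:20.04@sha256:<digest-placeholder>`) is worth considering for a package-building image.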
@@ -25,12 +26,6 @@ RUN cd /tmp/libwebp-1.0.2 && \
|
||||
./configure --enable-static --disable-shared && \
|
||||
make && make install
|
||||
|
||||
# Fix for older required libs
|
||||
#RUN cd /tmp && wget http://launchpadlibrarian.net/347526424/libxfont1-dev_1.5.2-4ubuntu2_amd64.deb && \
|
||||
# wget http://launchpadlibrarian.net/347526425/libxfont1_1.5.2-4ubuntu2_amd64.deb && \
|
||||
# dpkg -i libxfont1_1.5.2-4ubuntu2_amd64.deb && \
|
||||
# dpkg -i libxfont1-dev_1.5.2-4ubuntu2_amd64.deb
|
||||
|
||||
RUN useradd -m docker && echo "docker:docker" | chpasswd && adduser docker sudo
|
||||
|
||||
COPY --chown=docker:docker . /src
|
||||
@@ -1,5 +1,7 @@
|
||||
FROM ubuntu:bionic
|
||||
FROM ubuntu:20.04
|
||||
|
||||
RUN apt-get update && \
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata
|
||||
RUN apt-get update && \
|
||||
apt-get -y install vim build-essential devscripts equivs
|
||||
|
||||
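Review bot: The new `RUN apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata` layer is immediately followed by the existing `RUN apt-get update && \ apt-get -y install vim build-essential devscripts equivs`, so the package lists are fetched twice and the image gains an extra layer for one package. Merging them into one `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata && apt-get -y install vim build-essential devscripts equivs` does the update once while keeping each install's flags unchanged. As in the other Dockerfile hunks, `FROM ubuntu:20.04` is a floating tag; pin by digest if reproducible builds matter.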
@@ -1,4 +1,4 @@
|
||||
FROM ubuntu:bionic
|
||||
FROM ubuntu:20.04
|
||||
|
||||
ENV DISPLAY=:1 \
|
||||
VNC_PORT=8443 \
|
||||
@@ -1,82 +0,0 @@
|
||||
/* Copyright (C) 2021 Kasm
|
||||
*
|
||||
* This is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This software is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this software; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||
* USA.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
|
||||
#include <arpa/inet.h>
|
||||
#include <errno.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netdb.h>
|
||||
#include <pthread.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
|
||||
#include <map>
|
||||
#include <string>
|
||||
|
||||
#include <network/Blacklist.h>
|
||||
#include <rfb/Blacklist.h>
|
||||
|
||||
static std::map<std::string, unsigned> hits;
|
||||
static std::map<std::string, time_t> blacklist;
|
||||
|
||||
static pthread_mutex_t hitmutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
static pthread_mutex_t blmutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
|
||||
unsigned char bl_isBlacklisted(const char *addr) {
|
||||
const unsigned char count = blacklist.count(addr);
|
||||
if (!count)
|
||||
return 0;
|
||||
|
||||
const time_t now = time(NULL);
|
||||
const unsigned timeout = rfb::Blacklist::initialTimeout;
|
||||
|
||||
if (pthread_mutex_lock(&blmutex))
|
||||
abort();
|
||||
|
||||
if (now - timeout > blacklist[addr]) {
|
||||
blacklist.erase(addr);
|
||||
pthread_mutex_unlock(&blmutex);
|
||||
|
||||
if (pthread_mutex_lock(&hitmutex))
|
||||
abort();
|
||||
hits.erase(addr);
|
||||
pthread_mutex_unlock(&hitmutex);
|
||||
return 0;
|
||||
} else {
|
||||
blacklist[addr] = now;
|
||||
pthread_mutex_unlock(&blmutex);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
void bl_addFailure(const char *addr) {
|
||||
if (pthread_mutex_lock(&hitmutex))
|
||||
abort();
|
||||
const unsigned num = ++hits[addr];
|
||||
pthread_mutex_unlock(&hitmutex);
|
||||
|
||||
if (num >= (unsigned) rfb::Blacklist::threshold) {
|
||||
if (pthread_mutex_lock(&blmutex))
|
||||
abort();
|
||||
blacklist[addr] = time(NULL);
|
||||
pthread_mutex_unlock(&blmutex);
|
||||
}
|
||||
}
|
||||
@@ -1,33 +0,0 @@
|
||||
/* Copyright (C) 2021 Kasm
|
||||
*
|
||||
* This is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This software is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this software; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||
* USA.
|
||||
*/
|
||||
|
||||
#ifndef __NETWORK_BLACKLIST_H__
|
||||
#define __NETWORK_BLACKLIST_H__
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
unsigned char bl_isBlacklisted(const char *);
|
||||
void bl_addFailure(const char *);
|
||||
|
||||
#ifdef __cplusplus
|
||||
} // extern C
|
||||
#endif
|
||||
|
||||
#endif // __NETWORK_TCP_SOCKET_H__
|
||||
@@ -2,7 +2,6 @@ include_directories(${CMAKE_SOURCE_DIR}/common ${CMAKE_SOURCE_DIR}/unix/kasmvncp
|
||||
|
||||
set(NETWORK_SOURCES
|
||||
GetAPIMessager.cxx
|
||||
Blacklist.cxx
|
||||
Socket.cxx
|
||||
TcpSocket.cxx
|
||||
websocket.c
|
||||
|
||||
@@ -32,7 +32,6 @@
|
||||
#include <openssl/sha.h> /* sha1 hash */
|
||||
#include "websocket.h"
|
||||
#include "kasmpasswd.h"
|
||||
#include <network/Blacklist.h>
|
||||
|
||||
/*
|
||||
* Global state
|
||||
@@ -1204,7 +1203,7 @@ nope:
|
||||
return 1;
|
||||
}
|
||||
|
||||
ws_ctx_t *do_handshake(int sock, const char *ip) {
|
||||
ws_ctx_t *do_handshake(int sock) {
|
||||
char handshake[4096], response[4096], sha1[29], trailer[17];
|
||||
char *scheme, *pre;
|
||||
headers_t *headers;
|
||||
@@ -1272,20 +1271,10 @@ ws_ctx_t *do_handshake(int sock, const char *ip) {
|
||||
usleep(10);
|
||||
}
|
||||
|
||||
if (bl_isBlacklisted(ip)) {
|
||||
wserr("IP %s is blacklisted, dropping\n", ip);
|
||||
sprintf(response, "HTTP/1.1 401 Forbidden\r\n"
|
||||
"\r\n");
|
||||
ws_send(ws_ctx, response, strlen(response));
|
||||
free_ws_ctx(ws_ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
unsigned char owner = 0;
|
||||
if (!settings.disablebasicauth) {
|
||||
const char *hdr = strstr(handshake, "Authorization: Basic ");
|
||||
if (!hdr) {
|
||||
bl_addFailure(ip);
|
||||
handler_emsg("BasicAuth required, but client didn't send any. 401 Unauth\n");
|
||||
sprintf(response, "HTTP/1.1 401 Unauthorized\r\n"
|
||||
"WWW-Authenticate: Basic realm=\"Websockify\"\r\n"
|
||||
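Review bot: With the `if (bl_isBlacklisted(ip))` block and the `bl_addFailure(ip)` call removed, the Basic-auth path of `do_handshake` now answers every missing or wrong `Authorization: Basic` header with a 401 and nothing in the new code throttles repeated attempts from one source, so unless lockout now happens elsewhere (a fronting proxy, or code outside this compare) the handshake is left without brute-force mitigation. If the removal is intended, say where the protection moved with a comment at the point the check used to sit, e.g. `/* Per-IP lockout removed here; failed Basic-auth attempts are rate-limited by <component-placeholder> */`, and consider whether the remaining `handler_emsg` messages give an operator enough to spot the pattern in logs — none of the visible ones includes the client address now that the `ip` parameter is gone. The same `bl_addFailure(ip)` removal appears in the two following hunks (`@@ -1299,7 +1288,6 @@` and `@@ -1369,7 +1357,6 @@`). do_handshake starts and ends outside this hunk.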
@@ -1299,7 +1288,6 @@ ws_ctx_t *do_handshake(int sock, const char *ip) {
|
||||
const char *end = strchr(hdr, '\r');
|
||||
if (!end || end - hdr > 256) {
|
||||
handler_emsg("Client sent invalid BasicAuth, dropping connection\n");
|
||||
bl_addFailure(ip);
|
||||
free_ws_ctx(ws_ctx);
|
||||
return NULL;
|
||||
}
|
||||
@@ -1369,7 +1357,6 @@ ws_ctx_t *do_handshake(int sock, const char *ip) {
|
||||
|
||||
if (len <= 0 || strcmp(authbuf, response)) {
|
||||
handler_emsg("BasicAuth user/pw did not match\n");
|
||||
bl_addFailure(ip);
|
||||
sprintf(response, "HTTP/1.1 401 Forbidden\r\n"
|
||||
"\r\n");
|
||||
ws_send(ws_ctx, response, strlen(response));
|
||||
@@ -1458,7 +1445,7 @@ void *subthread(void *ptr) {
|
||||
|
||||
ws_ctx_t *ws_ctx;
|
||||
|
||||
ws_ctx = do_handshake(csock, pass->ip);
|
||||
ws_ctx = do_handshake(csock);
|
||||
if (ws_ctx == NULL) {
|
||||
handler_msg("No connection after handshake\n");
|
||||
goto out; // Child process exits
|
||||
|
||||