.github/workflows/codeql-analysis.yml

@@ -0,0 +1,52 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '19 0 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

Dockerfile

@@ -3,14 +3,35 @@ FROM alpine AS build
 RUN apk add --no-cache build-base
 WORKDIR /src
 COPY . .
+
+# Hardening GCC opts taken from these sources:
+# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
+# https://security.stackexchange.com/q/24444/204684
+ENV CFLAGS=" \
+  -static                                 \
+  -O2                                     \
+  -flto                                   \
+  -D_FORTIFY_SOURCE=2                     \
+  -fstack-clash-protection                \
+  -fstack-protector-strong                \
+  -pipe                                   \
+  -Wall                                   \
+  -Werror=format-security                 \
+  -Werror=implicit-function-declaration   \
+  -Wl,-z,defs                             \
+  -Wl,-z,now                              \
+  -Wl,-z,relro                            \
+  -Wl,-z,noexecstack                      \
+"
 RUN make darkhttpd-static \
  && strip darkhttpd-static
 
 # Just the static binary
 FROM scratch
 WORKDIR /var/www/htdocs
-COPY --from=build /src/darkhttpd-static /darkhttpd
+COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
+COPY --chown=0:0 passwd /etc/passwd
+COPY --chown=0:0 group /etc/group
 EXPOSE 80
 ENTRYPOINT ["/darkhttpd"]
-CMD ["."]
-
+CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]

README.md

@@ -19,6 +19,7 @@ Features:
 * Supports If-Modified-Since.
 * Supports Keep-Alive connections.
 * Supports IPv6.
+* Support arbitrary custom response headers.
 * Can serve 301 redirects based on Host header.
 * Uses sendfile() on FreeBSD, Solaris and Linux.
 * Can use acceptfilter on FreeBSD.
@@ -139,6 +140,13 @@ Web forward (301) requests for all hosts:
   --forward-all http://catchall.example.com
 ```
 
+Arbitrary custom response headers (in this case, allow all cross-origin
+requests):
+
+```
+./darkhttpd /var/www/htdocs --header 'Access-Control-Allow-Origin: *'
+```
+
 Commandline options can be combined:
 
 ```

darkhttpd.c

@@ -1,6 +1,6 @@
 /* darkhttpd - a simple, single-threaded, static content webserver.
  * https://unix4lyfe.org/darkhttpd/
- * Copyright (c) 2003-2022 Emil Mikulic <emikulic@gmail.com>
+ * Copyright (c) 2003-2024 Emil Mikulic <emikulic@gmail.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the
@@ -18,8 +18,8 @@
  */
 
 static const char
-    pkgname[]   = "darkhttpd/1.14",
-    copyright[] = "copyright (c) 2003-2022 Emil Mikulic";
+    pkgname[]   = "darkhttpd/1.15",
+    copyright[] = "copyright (c) 2003-2024 Emil Mikulic";
 
 /* Possible build options: -DDEBUG -DNO_IPV6 */
 
@@ -304,7 +304,8 @@ static char *pidfile_name = NULL;   /* NULL = no pidfile */
 static int want_chroot = 0, want_daemon = 0, want_accf = 0,
            want_keepalive = 1, want_server_id = 1;
 static char *server_hdr = NULL;
-static char *auth_key = NULL;
+static char *auth_key = NULL;       /* NULL or "Basic base64_of_password" */
+static char *custom_hdrs = NULL;
 static uint64_t num_requests = 0, total_in = 0, total_out = 0;
 static int accepting = 1;           /* set to 0 to stop accept()ing */
 static int syslog_enabled = 0;
@@ -318,26 +319,36 @@ static gid_t drop_gid = INVALID_GID;
 
 /* Default mimetype mappings - make sure this array is NULL terminated. */
 static const char *default_extension_map[] = {
-    "application/ogg"      " ogg",
+    "application/json"     " json",
     "application/pdf"      " pdf",
     "application/wasm"     " wasm",
     "application/xml"      " xsl xml",
     "application/xml-dtd"  " dtd",
     "application/xslt+xml" " xslt",
     "application/zip"      " zip",
+    "audio/flac"           " flac",
     "audio/mpeg"           " mp2 mp3 mpga",
+    "audio/ogg"            " ogg opus oga spx",
+    "audio/wav"            " wav",
+    "audio/x-m4a"          " m4a",
+    "font/woff"            " woff",
+    "font/woff2"           " woff2",
+    "image/apng"           " apng",
+    "image/avif"           " avif",
     "image/gif"            " gif",
     "image/jpeg"           " jpeg jpe jpg",
     "image/png"            " png",
     "image/svg+xml"        " svg",
+    "image/webp"           " webp",
     "text/css"             " css",
     "text/html"            " html htm",
     "text/javascript"      " js",
     "text/plain"           " txt asc",
     "video/mpeg"           " mpeg mpe mpg",
     "video/quicktime"      " qt mov",
+    "video/webm"           " webm",
     "video/x-msvideo"      " avi",
-    "video/mp4"            " mp4",
+    "video/mp4"            " mp4 m4v",
     NULL
 };
 
@@ -930,11 +941,17 @@ static void usage(const char *argv0) {
     "\t\tit will be closed. Set to zero to disable timeouts.\n\n",
     timeout_secs);
     printf("\t--auth username:password\n"
-    "\t\tEnable basic authentication.\n\n");
+    "\t\tEnable basic authentication. This is *INSECURE*: passwords\n"
+    "\t\tare sent unencrypted over HTTP, plus the password is visible\n"
+    "\t\tin ps(1) to other users on the system.\n\n");
     printf("\t--forward-https\n"
     "\t\tIf the client requested HTTP, forward to HTTPS.\n"
     "\t\tThis is useful if darkhttpd is behind a reverse proxy\n"
     "\t\tthat supports SSL.\n\n");
+    printf("\t--header 'Header: Value'\n"
+    "\t\tAdd a custom header to all responses.\n"
+    "\t\tThis option can be specified multiple times, in which case\n"
+    "\t\tthe headers are added in order of appearance.\n\n");
 #ifdef HAVE_INET6
     printf("\t--ipv6\n"
     "\t\tListen on IPv6 address.\n\n");
@@ -1025,6 +1042,8 @@ static void parse_commandline(const int argc, char *argv[]) {
     if (getuid() == 0)
         bindport = 80;
 
+    custom_hdrs = strdup("");
+
     wwwroot = xstrdup(argv[1]);
     /* Strip ending slash. */
     len = strlen(wwwroot);
@@ -1151,6 +1170,15 @@ static void parse_commandline(const int argc, char *argv[]) {
         else if (strcmp(argv[i], "--forward-https") == 0) {
             forward_to_https = 1;
         }
+        else if (strcmp(argv[i], "--header") == 0) {
+            if (++i >= argc)
+                errx(1, "missing argument after --header");
+            if (strchr(argv[i], '\n') != NULL || strstr(argv[i], ": ") == NULL)
+                errx(1, "malformed argument after --header");
+            char *old_custom_hdrs = custom_hdrs;
+            xasprintf(&custom_hdrs, "%s%s\r\n", old_custom_hdrs, argv[i]);
+            free(old_custom_hdrs);
+        }
 #ifdef HAVE_INET6
         else if (strcmp(argv[i], "--ipv6") == 0) {
             inet6 = 1;
@@ -1347,7 +1375,7 @@ static void log_connection(const struct connection *conn) {
         use_safe(user_agent)
         );
     fflush(logfile);
-  }    
+  }
 #define free_safe(x) if (safe_##x) free(safe_##x)
 
     free_safe(method);
@@ -1536,12 +1564,13 @@ static void default_reply(struct connection *conn,
      "%s" /* server */
      "Accept-Ranges: bytes\r\n"
      "%s" /* keep-alive */
+     "%s" /* custom headers */
      "Content-Length: %llu\r\n"
      "Content-Type: text/html; charset=UTF-8\r\n"
      "%s"
      "\r\n",
      errcode, errname, date, server_hdr, keep_alive(conn),
-     llu(conn->reply_length),
+     custom_hdrs, llu(conn->reply_length),
      (auth_key != NULL ? auth_header : ""));
 
     conn->reply_type = REPLY_GENERATED;
@@ -1580,10 +1609,12 @@ static void redirect(struct connection *conn, const char *format, ...) {
      /* "Accept-Ranges: bytes\r\n" - not relevant here */
      "Location: %s\r\n"
      "%s" /* keep-alive */
+     "%s" /* custom headers */
      "Content-Length: %llu\r\n"
      "Content-Type: text/html; charset=UTF-8\r\n"
      "\r\n",
-     date, server_hdr, where, keep_alive(conn), llu(conn->reply_length));
+     date, server_hdr, where, keep_alive(conn),
+     custom_hdrs, llu(conn->reply_length));
 
     free(where);
     conn->reply_type = REPLY_GENERATED;
@@ -2015,10 +2046,12 @@ static void generate_dir_listing(struct connection *conn, const char *path,
      "%s" /* server */
      "Accept-Ranges: bytes\r\n"
      "%s" /* keep-alive */
+     "%s" /* custom headers */
      "Content-Length: %llu\r\n"
      "Content-Type: text/html; charset=UTF-8\r\n"
      "\r\n",
-     date, server_hdr, keep_alive(conn), llu(conn->reply_length));
+     date, server_hdr, keep_alive(conn), custom_hdrs,
+     llu(conn->reply_length));
 
     conn->reply_type = REPLY_GENERATED;
     conn->http_code = 200;
@@ -2158,8 +2191,10 @@ static void process_get(struct connection *conn) {
          "%s" /* server */
          "Accept-Ranges: bytes\r\n"
          "%s" /* keep-alive */
+         "%s" /* custom headers */
          "\r\n",
-         rfc1123_date(date, now), server_hdr, keep_alive(conn));
+         rfc1123_date(date, now), server_hdr, keep_alive(conn),
+         custom_hdrs);
         conn->reply_length = 0;
         conn->reply_type = REPLY_GENERATED;
         conn->header_only = 1;
@@ -2219,13 +2254,15 @@ static void process_get(struct connection *conn) {
             "%s" /* server */
             "Accept-Ranges: bytes\r\n"
             "%s" /* keep-alive */
+            "%s" /* custom headers */
             "Content-Length: %llu\r\n"
             "Content-Range: bytes %llu-%llu/%llu\r\n"
             "Content-Type: %s\r\n"
             "Last-Modified: %s\r\n"
             "\r\n"
             ,
             rfc1123_date(date, now), server_hdr, keep_alive(conn),
+            custom_hdrs,
             llu(conn->reply_length), llu(from), llu(to),
             llu(filestat.st_size), mimetype, lastmod
         );
@@ -2243,18 +2280,46 @@ static void process_get(struct connection *conn) {
             "%s" /* server */
             "Accept-Ranges: bytes\r\n"
             "%s" /* keep-alive */
+            "%s" /* custom headers */
             "Content-Length: %llu\r\n"
             "Content-Type: %s\r\n"
             "Last-Modified: %s\r\n"
             "\r\n"
             ,
             rfc1123_date(date, now), server_hdr, keep_alive(conn),
-            llu(conn->reply_length), mimetype, lastmod
+            custom_hdrs, llu(conn->reply_length), mimetype, lastmod
         );
         conn->http_code = 200;
     }
 }
 
+/* Returns 1 if passwords are equal, runtime is proportional to the length of
+ * user_input to avoid leaking the secret's length and contents through timing
+ * information.
+ */
+int password_equal(const char *user_input, const char *secret) {
+    size_t i = 0;
+    size_t j = 0;
+    char out = 0;
+
+    while (1) {
+        /* Out stays zero if the strings are the same. */
+        out |= user_input[i] ^ secret[j];
+
+        /* Stop at end of user_input. */
+        if (user_input[i] == 0) break;
+        i++;
+
+        /* Don't go past end of secret. */
+        if (secret[j] != 0) j++;
+    }
+
+    /* Check length after loop, otherwise early exit would leak length. */
+    out |= (i != j); /* Secret was shorter. */
+    out |= (secret[j] != 0); /* Secret was longer; j is not the end. */
+    return out == 0;
+}
+
 /* Process a request: build the header and reply, advance state. */
 static void process_request(struct connection *conn) {
     num_requests++;
@@ -2269,8 +2334,7 @@ static void process_request(struct connection *conn) {
     /* fail if: (auth_enabled) AND (client supplied invalid credentials) */
     else if (auth_key != NULL &&
             (conn->authorization == NULL ||
-             strcmp(conn->authorization, auth_key)))
-    {
+             !password_equal(conn->authorization, auth_key))) {
         default_reply(conn, 401, "Unauthorized",
             "Access denied due to invalid credentials.");
     }
@@ -2880,6 +2944,7 @@ int main(int argc, char **argv) {
         free(wwwroot);
         free(server_hdr);
         free(auth_key);
+        free(custom_hdrs);
     }
 
     /* usage stats */

devel/Makefile

@@ -8,6 +8,7 @@ clean:
 		test.out.stdout \
 		test.pyc \
 		test_make_safe_uri \
+		test_password_equal \
 		a.out darkhttpd.gcda darkhttpd.gcno \
 		fuzz_darkhttpd.o fuzz_llvm_make_safe_uri fuzz_socket
 	rm -rf tmp.fuzz tmp.httpd.tests

devel/open_sockets.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # Opens sockets until they run out.
-import sys, socket
+import socket
 from time import time
 
 def main():