Remove APPDIR support in database_cleanup.sh
[citadel] / webcit / context_loop.c
1 /*
2  * This is the other half of the webserver.  It handles the task of hooking
3  * up HTTP requests with the sessions they belong to, using HTTP cookies to
4  * keep track of things.  If the HTTP request doesn't belong to any currently
5  * active session, a new session is started.
6  *
7  * Copyright (c) 1996-2012 by the citadel.org team
8  *
9  * This program is open source software.  You can redistribute it and/or
10  * modify it under the terms of the GNU General Public License version 3.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  */
17
18 #include "webcit.h"
19 #include "webserver.h"
20 #include "modules_init.h"
21
22 /* Only one thread may manipulate SessionList at a time... */
23 pthread_mutex_t SessionListMutex;
24
25 wcsession *SessionList = NULL;  /* Linked list of all webcit sessions */
26
27 HashList *HttpReqTypes = NULL;
28 HashList *HttpHeaderHandler = NULL;
29 extern HashList *HandlerHash;
30
31 /* the following two values start at 1 because the initial parent thread counts as one. */
32 int num_threads_existing = 1;           /* Number of worker threads which exist. */
33 int num_threads_executing = 1;          /* Number of worker threads currently executing. */
34 int verbose=0;
35
36 extern void session_loop(void);
37 void spawn_another_worker_thread(void);
38
39
40 void DestroyHttpHeaderHandler(void *V)
41 {
42         OneHttpHeader *pHdr;
43         pHdr = (OneHttpHeader*) V;
44         FreeStrBuf(&pHdr->Val);
45         free(pHdr);
46 }
47
48 void shutdown_sessions(void)
49 {
50         wcsession *sptr;
51         
52         for (sptr = SessionList; sptr != NULL; sptr = sptr->next) {
53                 sptr->killthis = 1;
54         }
55 }
56
57 void do_housekeeping(void)
58 {
59         wcsession *sptr, *ss;
60         wcsession *sessions_to_kill = NULL;
61         time_t the_time;
62
63         /*
64          * Lock the session list, moving any candidates for euthanasia into
65          * a separate list.
66          */
67         the_time = 0;
68         CtdlLogResult(pthread_mutex_lock(&SessionListMutex));
69         for (sptr = SessionList; sptr != NULL; sptr = sptr->next) {
70                 if (the_time == 0)
71                         the_time = time(NULL);
72                 /* Kill idle sessions */
73                 if ((sptr->inuse == 0) && 
74                     ((the_time - (sptr->lastreq)) > (time_t) WEBCIT_TIMEOUT))
75                 {
76                         syslog(LOG_DEBUG, "Timeout session %d", sptr->wc_session);
77                         sptr->killthis = 1;
78                 }
79
80                 /* Remove sessions flagged for kill */
81                 if (sptr->killthis) {
82
83                         /* remove session from linked list */
84                         if (sptr == SessionList) {
85                                 SessionList = SessionList->next;
86                         }
87                         else for (ss=SessionList;ss!=NULL;ss=ss->next) {
88                                 if (ss->next == sptr) {
89                                         ss->next = ss->next->next;
90                                 }
91                         }
92
93                         sptr->next = sessions_to_kill;
94                         sessions_to_kill = sptr;
95                 }
96         }
97         CtdlLogResult(pthread_mutex_unlock(&SessionListMutex));
98
99         /*
100          * Now free up and destroy the culled sessions.
101          */
102         while (sessions_to_kill != NULL) {
103                 syslog(LOG_DEBUG, "Destroying session %d", sessions_to_kill->wc_session);
104                 sptr = sessions_to_kill->next;
105                 session_destroy_modules(&sessions_to_kill);
106                 sessions_to_kill = sptr;
107         }
108 }
109
110 /*
111  * Check the size of our thread pool.  If all threads are executing, spawn another.
112  */
113 void check_thread_pool_size(void)
114 {
115         if (time_to_die) return;                /* don't expand the thread pool during shutdown */
116
117         begin_critical_section(S_SPAWNER);      /* only one of these should run at a time */
118         if (
119                 (num_threads_executing >= num_threads_existing)
120                 && (num_threads_existing < MAX_WORKER_THREADS)
121         ) {
122                 syslog(LOG_DEBUG, "%d of %d threads are executing.  Adding another worker thread.",
123                         num_threads_executing,
124                         num_threads_existing
125                 );
126                 spawn_another_worker_thread();
127         }
128         end_critical_section(S_SPAWNER);
129 }
130
131
132 /*
133  * Wake up occasionally and clean house
134  */
135 void housekeeping_loop(void)
136 {
137         while (1) {
138                 sleeeeeeeeeep(HOUSEKEEPING);
139                 do_housekeeping();
140         }
141 }
142
143
144 /*
145  * Create a Session id
146  * Generate a unique WebCit session ID (which is not the same thing as the
147  * Citadel session ID).
148  */
149 int GenerateSessionID(void)
150 {
151         static int seq = (-1);
152
153         if (seq < 0) {
154                 seq = (int) time(NULL);
155         }
156                 
157         return ++seq;
158 }
159
160 wcsession *FindSession(wcsession **wclist, ParsedHttpHdrs *Hdr, pthread_mutex_t *ListMutex)
161 {
162         wcsession *sptr = NULL;
163         wcsession *TheSession = NULL;   
164         
165         if (Hdr->HR.got_auth == AUTH_BASIC) {
166                 GetAuthBasic(Hdr);
167         }
168
169         CtdlLogResult(pthread_mutex_lock(ListMutex));
170         for (sptr = *wclist; ((sptr != NULL) && (TheSession == NULL)); sptr = sptr->next) {
171                 
172                 /* If HTTP-AUTH, look for a session with matching credentials */
173                 switch (Hdr->HR.got_auth)
174                 {
175                 case AUTH_BASIC:
176                         if (    (!strcasecmp(ChrPtr(Hdr->c_username), ChrPtr(sptr->wc_username)))
177                                 && (!strcasecmp(ChrPtr(Hdr->c_password), ChrPtr(sptr->wc_password)))
178                                 && (sptr->killthis == 0)
179                         ) {
180                                 if (verbose)
181                                         syslog(LOG_DEBUG, "Matched a session with the same http-auth");
182                                 TheSession = sptr;
183                         }
184                         break;
185                 case AUTH_COOKIE:
186                         /* If cookie-session, look for a session with matching session ID */
187                         if (    (Hdr->HR.desired_session != 0)
188                                 && (sptr->wc_session == Hdr->HR.desired_session)
189                         ) {
190                                 if (verbose)
191                                         syslog(LOG_DEBUG, "Matched a session with the same cookie");
192                                 TheSession = sptr;
193                         }
194                         break;                       
195                 case NO_AUTH:
196                         /* Any unbound session is a candidate */
197                         if ( (sptr->wc_session == 0) && (sptr->inuse == 0) ) {
198                                 if (verbose)
199                                         syslog(LOG_DEBUG, "Reusing an unbound session");
200                                 TheSession = sptr;
201                         }
202                         break;
203                 }
204         }
205         CtdlLogResult(pthread_mutex_unlock(ListMutex));
206         if (TheSession == NULL) {
207                 syslog(LOG_DEBUG, "No existing session was matched");
208         }
209         return TheSession;
210 }
211
212 wcsession *CreateSession(int Lockable, int Static, wcsession **wclist, ParsedHttpHdrs *Hdr, pthread_mutex_t *ListMutex)
213 {
214         wcsession *TheSession;
215         TheSession = (wcsession *) malloc(sizeof(wcsession));
216         memset(TheSession, 0, sizeof(wcsession));
217         TheSession->Hdr = Hdr;
218         TheSession->serv_sock = (-1);
219         TheSession->lastreq = time(NULL);;
220
221         pthread_setspecific(MyConKey, (void *)TheSession);
222         
223         /* If we're recreating a session that expired, it's best to give it the same
224          * session number that it had before.  The client browser ought to pick up
225          * the new session number and start using it, but in some rare situations it
226          * doesn't, and that's a Bad Thing because it causes lots of spurious sessions
227          * to get created.
228          */     
229         if (Hdr->HR.desired_session == 0) {
230                 TheSession->wc_session = GenerateSessionID();
231                 syslog(LOG_DEBUG, "Created new session %d", TheSession->wc_session);
232         }
233         else {
234                 TheSession->wc_session = Hdr->HR.desired_session;
235                 syslog(LOG_DEBUG, "Re-created session %d", TheSession->wc_session);
236         }
237         Hdr->HR.Static = Static;
238         session_new_modules(TheSession);
239
240         if (Lockable) {
241                 pthread_mutex_init(&TheSession->SessionMutex, NULL);
242
243                 if (ListMutex != NULL)
244                         CtdlLogResult(pthread_mutex_lock(ListMutex));
245
246                 if (wclist != NULL) {
247                         TheSession->nonce = rand();
248                         TheSession->next = *wclist;
249                         *wclist = TheSession;
250                 }
251                 if (ListMutex != NULL)
252                         CtdlLogResult(pthread_mutex_unlock(ListMutex));
253         }
254         return TheSession;
255 }
256
257
258 /* If it's a "force 404" situation then display the error and bail. */
259 void do_404(void)
260 {
261         hprintf("HTTP/1.1 404 Not found\r\n");
262         hprintf("Content-Type: text/plain\r\n");
263         wc_printf("Not found\r\n");
264         end_burst();
265 }
266
267 int ReadHttpSubject(ParsedHttpHdrs *Hdr, StrBuf *Line, StrBuf *Buf)
268 {
269         const char *Args;
270         void *vLine, *vHandler;
271         const char *Pos = NULL;
272
273         Hdr->HR.ReqLine = Line;
274         /* The requesttype... GET, POST... */
275         StrBufExtract_token(Buf, Hdr->HR.ReqLine, 0, ' ');
276         if (GetHash(HttpReqTypes, SKEY(Buf), &vLine) &&
277             (vLine != NULL))
278         {
279                 Hdr->HR.eReqType = *(long*)vLine;
280         }
281         else {
282                 Hdr->HR.eReqType = eGET;
283                 return 1;
284         }
285         StrBufCutLeft(Hdr->HR.ReqLine, StrLength(Buf) + 1);
286
287         /* the HTTP Version... */
288         StrBufExtract_token(Buf, Hdr->HR.ReqLine, 1, ' ');
289         StrBufCutRight(Hdr->HR.ReqLine, StrLength(Buf) + 1);
290         
291         if (StrLength(Buf) == 0) {
292                 Hdr->HR.eReqType = eGET;
293                 return 1;
294         }
295
296         StrBufAppendBuf(Hdr->this_page, Hdr->HR.ReqLine, 0);
297
298         /* chop Filename / query arguments */
299         Args = strchr(ChrPtr(Hdr->HR.ReqLine), '?');
300         if (Args == NULL) /* whe're not that picky about params... TODO: this will spoil '&' in filenames.*/
301                 Args = strchr(ChrPtr(Hdr->HR.ReqLine), '&');
302         if (Args != NULL) {
303                 Args ++; /* skip the ? */
304                 StrBufPlain(Hdr->PlainArgs, 
305                             Args, 
306                             StrLength(Hdr->HR.ReqLine) -
307                             (Args - ChrPtr(Hdr->HR.ReqLine)));
308                 StrBufCutAt(Hdr->HR.ReqLine, 0, Args - 1);
309         } /* don't parse them yet, maybe we don't even care... */
310         
311         /* now lookup what we are going to do with this... */
312         /* skip first slash */
313         StrBufExtract_NextToken(Buf, Hdr->HR.ReqLine, &Pos, '/');
314         do {
315                 StrBufExtract_NextToken(Buf, Hdr->HR.ReqLine, &Pos, '/');
316
317                 GetHash(HandlerHash, SKEY(Buf), &vHandler),
318                 Hdr->HR.Handler = (WebcitHandler*) vHandler;
319                 if (Hdr->HR.Handler == NULL)
320                         break;
321                 /*
322                  * If the request is prefixed by "/webcit" then chop that off.  This
323                  * allows a front end web server to forward all /webcit requests to us
324                  * while still using the same web server port for other things.
325                  */
326                 if ((Hdr->HR.Handler->Flags & URLNAMESPACE) != 0)
327                         continue;
328                 break;
329         } while (1);
330         /* remove the handlername from the URL */
331         if ((Pos != NULL) && (Pos != StrBufNOTNULL)){
332                 StrBufCutLeft(Hdr->HR.ReqLine, 
333                               Pos - ChrPtr(Hdr->HR.ReqLine));
334         }
335
336         if (Hdr->HR.Handler != NULL) {
337                 if ((Hdr->HR.Handler->Flags & BOGUS) != 0) {
338                         return 1;
339                 }
340                 Hdr->HR.DontNeedAuth = (
341                         ((Hdr->HR.Handler->Flags & ISSTATIC) != 0) ||
342                         ((Hdr->HR.Handler->Flags & ANONYMOUS) != 0)
343                 );
344         }
345         else {
346                 /* If this is a "flat" request for the root, display the configured landing page. */
347                 int return_value;
348                 StrBuf *NewLine = NewStrBuf();
349                 Hdr->HR.DontNeedAuth = 1;
350                 StrBufAppendPrintf(NewLine, "GET /landing?go=%s?failvisibly=1 HTTP/1.0", ChrPtr(Buf));
351                 if (verbose) syslog(LOG_DEBUG, "Replacing with: %s", ChrPtr(NewLine));
352                 return_value = ReadHttpSubject(Hdr, NewLine, Buf);
353                 FreeStrBuf(&NewLine);
354                 return return_value;
355         }
356
357         return 0;
358 }
359
360 int AnalyseHeaders(ParsedHttpHdrs *Hdr)
361 {
362         OneHttpHeader *pHdr;
363         void *vHdr;
364         long HKLen;
365         const char *HashKey;
366         HashPos *at = GetNewHashPos(Hdr->HTTPHeaders, 0);
367         
368         while (GetNextHashPos(Hdr->HTTPHeaders, at, &HKLen, &HashKey, &vHdr) && 
369                (vHdr != NULL)) {
370                 pHdr = (OneHttpHeader *)vHdr;
371                 if (pHdr->HaveEvaluator)
372                         pHdr->H(pHdr->Val, Hdr);
373
374         }
375         DeleteHashPos(&at);
376         return 0;
377 }
378
379 /*const char *nix(void *vptr) {return ChrPtr( (StrBuf*)vptr);}*/
380
381 /*
382  * Read in the request
383  */
384 int ReadHTTPRequest (ParsedHttpHdrs *Hdr)
385 {
386         const char *pch, *pchs, *pche;
387         OneHttpHeader *pHdr;
388         StrBuf *Line, *LastLine, *HeaderName;
389         int nLine = 0;
390         void *vF;
391         int isbogus = 0;
392
393         HeaderName = NewStrBuf();
394         LastLine = NULL;
395         do {
396                 nLine ++;
397                 Line = NewStrBufPlain(NULL, SIZ / 4);
398
399                 if (ClientGetLine(Hdr, Line) < 0) {
400                         FreeStrBuf(&Line);
401                         isbogus = 1;
402                         break;
403                 }
404
405                 if (StrLength(Line) == 0) {
406                         FreeStrBuf(&Line);
407                         continue;
408                 }
409                 if (nLine == 1) {
410                         Hdr->HTTPHeaders = NewHash(1, NULL);
411                         pHdr = (OneHttpHeader*) malloc(sizeof(OneHttpHeader));
412                         memset(pHdr, 0, sizeof(OneHttpHeader));
413                         pHdr->Val = Line;
414                         Put(Hdr->HTTPHeaders, HKEY("GET /"), pHdr, DestroyHttpHeaderHandler);
415                         if (verbose || strstr(ChrPtr(Line), "sslg") == NULL)
416                                 syslog(LOG_DEBUG, "%s", ChrPtr(Line));
417                         isbogus = ReadHttpSubject(Hdr, Line, HeaderName);
418                         if (isbogus) break;
419                         continue;
420                 }
421
422                 /* Do we need to Unfold? */
423                 if ((LastLine != NULL) && 
424                     (isspace(*ChrPtr(Line)))) {
425                         pch = pchs = ChrPtr(Line);
426                         pche = pchs + StrLength(Line);
427                         while (isspace(*pch) && (pch < pche))
428                                 pch ++;
429                         StrBufCutLeft(Line, pch - pchs);
430                         StrBufAppendBuf(LastLine, Line, 0);
431
432                         FreeStrBuf(&Line);
433                         continue;
434                 }
435
436                 StrBufSanitizeAscii(Line, (char)0xa7);
437                 StrBufExtract_token(HeaderName, Line, 0, ':');
438
439                 pchs = ChrPtr(Line);
440                 pche = pchs + StrLength(Line);
441                 pch = pchs + StrLength(HeaderName) + 1;
442                 pche = pchs + StrLength(Line);
443                 while ((pch < pche) && isspace(*pch))
444                         pch ++;
445                 StrBufCutLeft(Line, pch - pchs);
446
447                 StrBufUpCase(HeaderName);
448
449                 pHdr = (OneHttpHeader*) malloc(sizeof(OneHttpHeader));
450                 memset(pHdr, 0, sizeof(OneHttpHeader));
451                 pHdr->Val = Line;
452
453                 if (GetHash(HttpHeaderHandler, SKEY(HeaderName), &vF) &&
454                     (vF != NULL))
455                 {
456                         OneHttpHeader *FHdr = (OneHttpHeader*) vF;
457                         pHdr->H = FHdr->H;
458                         pHdr->HaveEvaluator = 1;
459                 }
460                 Put(Hdr->HTTPHeaders, SKEY(HeaderName), pHdr, DestroyHttpHeaderHandler);
461                 LastLine = Line;
462         } while (Line != NULL);
463
464         FreeStrBuf(&HeaderName);
465
466         return isbogus;
467 }
468
469 void OverrideRequest(ParsedHttpHdrs *Hdr, const char *Line, long len)
470 {
471         StrBuf *Buf = NewStrBuf();
472
473         if (Hdr->HR.ReqLine != NULL) {
474                 FlushStrBuf(Hdr->HR.ReqLine);
475                 StrBufPlain(Hdr->HR.ReqLine, Line, len);
476         }
477         else {
478                 Hdr->HR.ReqLine = NewStrBufPlain(Line, len);
479         }
480         ReadHttpSubject(Hdr, Hdr->HR.ReqLine, Buf);
481
482         FreeStrBuf(&Buf);
483 }
484
485 /*
486  * handle one request
487  *
488  * This loop gets called once for every HTTP connection made to WebCit.  At
489  * this entry point we have an HTTP socket with a browser allegedly on the
490  * other end, but we have not yet bound to a WebCit session.
491  *
492  * The job of this function is to locate the correct session and bind to it,
493  * or create a session if necessary and bind to it, then run the WebCit
494  * transaction loop.  Afterwards, we unbind from the session.  When this
495  * function returns, the worker thread is then free to handle another
496  * transaction.
497  */
498 void context_loop(ParsedHttpHdrs *Hdr)
499 {
500         int isbogus = 0;
501         wcsession *TheSession;
502         struct timeval tx_start;
503         struct timeval tx_finish;
504         int session_may_be_reused = 1;
505         time_t now;
506         
507         gettimeofday(&tx_start, NULL);          /* start a stopwatch for performance timing */
508
509         /*
510          * Find out what it is that the web browser is asking for
511          */
512         isbogus = ReadHTTPRequest(Hdr);
513
514         Hdr->HR.dav_depth = 32767; /* TODO: find a general way to have non-0 defaults */
515
516         if (!isbogus) {
517                 isbogus = AnalyseHeaders(Hdr);
518         }
519
520         if (    (isbogus)
521                 || ((Hdr->HR.Handler != NULL)
522                 && ((Hdr->HR.Handler->Flags & BOGUS) != 0))
523         ) {
524                 wcsession *Bogus;
525                 Bogus = CreateSession(0, 1, NULL, Hdr, NULL);
526                 do_404();
527                 syslog(LOG_WARNING, "HTTP: 404 [%ld.%06ld] %s %s",
528                         ((tx_finish.tv_sec*1000000 + tx_finish.tv_usec) - (tx_start.tv_sec*1000000 + tx_start.tv_usec)) / 1000000,
529                         ((tx_finish.tv_sec*1000000 + tx_finish.tv_usec) - (tx_start.tv_sec*1000000 + tx_start.tv_usec)) % 1000000,
530                         ReqStrs[Hdr->HR.eReqType],
531                         ChrPtr(Hdr->this_page)
532                         );
533                 session_detach_modules(Bogus);
534                 session_destroy_modules(&Bogus);
535                 return;
536         }
537
538         if ((Hdr->HR.Handler != NULL) && ((Hdr->HR.Handler->Flags & ISSTATIC) != 0))
539         {
540                 wcsession *Static;
541                 Static = CreateSession(0, 1, NULL, Hdr, NULL);
542                 
543                 Hdr->HR.Handler->F();
544
545                 /* How long did this transaction take? */
546                 gettimeofday(&tx_finish, NULL);
547                 
548                 if (verbose)
549                         syslog(LOG_DEBUG, "HTTP: 200 [%ld.%06ld] %s %s",
550                                ((tx_finish.tv_sec*1000000 + tx_finish.tv_usec) - (tx_start.tv_sec*1000000 + tx_start.tv_usec)) / 1000000,
551                                ((tx_finish.tv_sec*1000000 + tx_finish.tv_usec) - (tx_start.tv_sec*1000000 + tx_start.tv_usec)) % 1000000,
552                                ReqStrs[Hdr->HR.eReqType],
553                                ChrPtr(Hdr->this_page)
554                 );
555                 session_detach_modules(Static);
556                 session_destroy_modules(&Static);
557                 return;
558         }
559
560         if (Hdr->HR.got_auth == AUTH_BASIC) {
561                 CheckAuthBasic(Hdr);
562         }
563
564         if (Hdr->HR.got_auth) {
565                 session_may_be_reused = 0;
566         }
567
568         /*
569          * See if there's an existing session open with any of:
570          * - The desired Session ID
571          * - A matching http-auth username and password
572          * - An unbound session flagged as reusable
573          */
574         TheSession = FindSession(&SessionList, Hdr, &SessionListMutex);
575
576         /*
577          * If there were no qualifying sessions, then create a new one.
578          */
579         if ((TheSession == NULL) || (TheSession->killthis != 0)) {
580                 TheSession = CreateSession(1, 0, &SessionList, Hdr, &SessionListMutex);
581         }
582
583         /*
584          * Reject transactions which require http-auth, if http-auth was not provided
585          */
586         if (    (StrLength(Hdr->c_username) == 0)
587                 && (!Hdr->HR.DontNeedAuth)
588                 && (Hdr->HR.Handler != NULL)
589                 && ((XHTTP_COMMANDS & Hdr->HR.Handler->Flags) == XHTTP_COMMANDS)
590         ) {
591                 syslog(LOG_DEBUG, "http-auth required but not provided");
592                 OverrideRequest(Hdr, HKEY("GET /401 HTTP/1.0"));
593                 Hdr->HR.prohibit_caching = 1;                           
594         }
595
596         /*
597          * A future improvement might be to check the session integrity
598          * at this point before continuing.
599          */
600
601         /*
602          * Bind to the session and perform the transaction
603          */
604         now = time(NULL);;
605         CtdlLogResult(pthread_mutex_lock(&TheSession->SessionMutex));
606         pthread_setspecific(MyConKey, (void *)TheSession);
607         
608         TheSession->inuse = 1;                          /* mark the session as bound */
609         TheSession->isFailure = 0;                      /* reset evntually existing error flags */
610         TheSession->lastreq = now;                      /* log */
611         TheSession->Hdr = Hdr;
612
613         /*
614          * If a language was requested via a cookie, select that language now.
615          */
616         if (StrLength(Hdr->c_language) > 0) {
617                 if (verbose)
618                         syslog(LOG_DEBUG, "Session cookie requests language '%s'", ChrPtr(Hdr->c_language));
619                 set_selected_language(ChrPtr(Hdr->c_language));
620                 go_selected_language();
621         }
622
623         /*
624          * do the transaction
625          */
626         session_attach_modules(TheSession);
627         session_loop();
628
629         /* How long did this transaction take? */
630         gettimeofday(&tx_finish, NULL);
631
632         if (verbose || strstr(ChrPtr(Hdr->this_page), "sslg") == NULL) {
633                 syslog(LOG_INFO, "HTTP: 200 [%ld.%06ld] %s %s",
634                        ((tx_finish.tv_sec*1000000 + tx_finish.tv_usec) - (tx_start.tv_sec*1000000 + tx_start.tv_usec)) / 1000000,
635                        ((tx_finish.tv_sec*1000000 + tx_finish.tv_usec) - (tx_start.tv_sec*1000000 + tx_start.tv_usec)) % 1000000,
636                        ReqStrs[Hdr->HR.eReqType],
637                        ChrPtr(Hdr->this_page)
638                         );
639         }
640         session_detach_modules(TheSession);
641
642         /* If *this* very transaction did not explicitly specify a session cookie,
643          * and it did not log in, we want to flag the session as a candidate for
644          * re-use by the next unbound client that comes along.  This keeps our session
645          * table from getting bombarded with new sessions when, for example, a web
646          * spider crawls the site without using cookies.
647          */
648         if ((session_may_be_reused) && (!TheSession->logged_in)) {
649                 TheSession->wc_session = 0;             /* flag as available for re-use */
650                 TheSession->selected_language = -1;     /* clear any non-default language setting */
651         }
652
653         TheSession->Hdr = NULL;
654         TheSession->inuse = 0;                                  /* mark the session as unbound */
655         CtdlLogResult(pthread_mutex_unlock(&TheSession->SessionMutex));
656 }
657
658 void tmplput_nonce(StrBuf *Target, WCTemplputParams *TP)
659 {
660         wcsession *WCC = WC;
661         StrBufAppendPrintf(Target, "%ld",
662                            (WCC != NULL)? WCC->nonce:0);                   
663 }
664
665 void tmplput_current_user(StrBuf *Target, WCTemplputParams *TP)
666 {
667         StrBufAppendTemplate(Target, TP, WC->wc_fullname, 0);
668 }
669
670 void Header_HandleContentLength(StrBuf *Line, ParsedHttpHdrs *hdr)
671 {
672         hdr->HR.ContentLength = StrToi(Line);
673 }
674
675 void Header_HandleContentType(StrBuf *Line, ParsedHttpHdrs *hdr)
676 {
677         hdr->HR.ContentType = Line;
678 }
679
680
681 void Header_HandleHost(StrBuf *Line, ParsedHttpHdrs *hdr)
682 {
683         if (hdr->HostHeader != NULL) {
684                 FreeStrBuf(&hdr->HostHeader);
685         }
686         hdr->HostHeader = NewStrBuf();
687         StrBufAppendPrintf(hdr->HostHeader, "%s://", (is_https ? "https" : "http") );
688         StrBufAppendBuf(hdr->HostHeader, Line, 0);
689 }
690
691 void Header_HandleXFFHost(StrBuf *Line, ParsedHttpHdrs *hdr)
692 {
693         if (!follow_xff) return;
694
695         if (hdr->HostHeader != NULL) {
696                 FreeStrBuf(&hdr->HostHeader);
697         }
698
699         hdr->HostHeader = NewStrBuf();
700         StrBufAppendPrintf(hdr->HostHeader, "http://"); /* this is naive; do something about it */
701         StrBufAppendBuf(hdr->HostHeader, Line, 0);
702 }
703
704
705 void Header_HandleXFF(StrBuf *Line, ParsedHttpHdrs *hdr)
706 {
707         hdr->HR.browser_host = Line;
708
709         while (StrBufNum_tokens(hdr->HR.browser_host, ',') > 1) {
710                 StrBufRemove_token(hdr->HR.browser_host, 0, ',');
711         }
712         StrBufTrim(hdr->HR.browser_host);
713 }
714
715 void Header_HandleIfModSince(StrBuf *Line, ParsedHttpHdrs *hdr)
716 {
717         hdr->HR.if_modified_since = httpdate_to_timestamp(Line);
718 }
719
720 void Header_HandleAcceptEncoding(StrBuf *Line, ParsedHttpHdrs *hdr)
721 {
722         /*
723          * Can we compress?
724          */
725         if (strstr(&ChrPtr(Line)[16], "gzip")) {
726                 hdr->HR.gzip_ok = 1;
727         }
728 }
729
730 void Header_HandleContentRange(StrBuf *Line, ParsedHttpHdrs *hdr)
731 {
732         const char *PRange = ChrPtr(Line);
733
734         while ((*PRange != '=') && (*PRange != '\0'))
735                 PRange ++;
736         if (*PRange == '=')
737                 PRange ++;
738         if ((*PRange == '\0'))
739                 return;
740         hdr->HaveRange = 1;
741         hdr->RangeStart = atol(PRange);
742
743         while (isdigit(*PRange))
744                 PRange++;
745
746         if (*PRange == '-')
747                 PRange ++;
748         if ((*PRange == '\0'))
749                 hdr->RangeTil = -1;
750         else
751                 hdr->RangeTil = atol(PRange);
752 }
753
754 const char *ReqStrs[eNONE] = {
755         "GET",
756         "POST",
757         "OPTIONS",
758         "PROPFIND",
759         "PUT",
760         "DELETE",
761         "HEAD",
762         "MOVE",
763         "COPY",
764         "REPORT"
765 };
766
767 void
768 ServerStartModule_CONTEXT
769 (void)
770 {
771         long *v;
772         HttpReqTypes = NewHash(1, NULL);
773         HttpHeaderHandler = NewHash(1, NULL);
774
775         v = malloc(sizeof(long));
776         *v = eGET;
777         Put(HttpReqTypes, HKEY("GET"), v, NULL);
778
779         v = malloc(sizeof(long));
780         *v = ePOST;
781         Put(HttpReqTypes, HKEY("POST"), v, NULL);
782
783         v = malloc(sizeof(long));
784         *v = eOPTIONS;
785         Put(HttpReqTypes, HKEY("OPTIONS"), v, NULL);
786
787         v = malloc(sizeof(long));
788         *v = ePROPFIND;
789         Put(HttpReqTypes, HKEY("PROPFIND"), v, NULL);
790
791         v = malloc(sizeof(long));
792         *v = ePUT;
793         Put(HttpReqTypes, HKEY("PUT"), v, NULL);
794
795         v = malloc(sizeof(long));
796         *v = eDELETE;
797         Put(HttpReqTypes, HKEY("DELETE"), v, NULL);
798
799         v = malloc(sizeof(long));
800         *v = eHEAD;
801         Put(HttpReqTypes, HKEY("HEAD"), v, NULL);
802
803         v = malloc(sizeof(long));
804         *v = eMOVE;
805         Put(HttpReqTypes, HKEY("MOVE"), v, NULL);
806
807         v = malloc(sizeof(long));
808         *v = eCOPY;
809         Put(HttpReqTypes, HKEY("COPY"), v, NULL);
810
811         v = malloc(sizeof(long));
812         *v = eREPORT;
813         Put(HttpReqTypes, HKEY("REPORT"), v, NULL);
814 }
815
816 void 
817 ServerShutdownModule_CONTEXT
818 (void)
819 {
820         DeleteHash(&HttpReqTypes);
821         DeleteHash(&HttpHeaderHandler);
822 }
823
824 void RegisterHeaderHandler(const char *Name, long Len, Header_Evaluator F)
825 {
826         OneHttpHeader *pHdr;
827         pHdr = (OneHttpHeader*) malloc(sizeof(OneHttpHeader));
828         memset(pHdr, 0, sizeof(OneHttpHeader));
829         pHdr->H = F;
830         Put(HttpHeaderHandler, Name, Len, pHdr, DestroyHttpHeaderHandler);
831 }
832
833
834 void 
835 InitModule_CONTEXT
836 (void)
837 {
838         RegisterHeaderHandler(HKEY("RANGE"), Header_HandleContentRange);
839         RegisterHeaderHandler(HKEY("CONTENT-LENGTH"), Header_HandleContentLength);
840         RegisterHeaderHandler(HKEY("CONTENT-TYPE"), Header_HandleContentType);
841         RegisterHeaderHandler(HKEY("X-FORWARDED-HOST"), Header_HandleXFFHost); /* Apache way... */
842         RegisterHeaderHandler(HKEY("X-REAL-IP"), Header_HandleXFFHost);        /* NGinX way... */
843         RegisterHeaderHandler(HKEY("HOST"), Header_HandleHost);
844         RegisterHeaderHandler(HKEY("X-FORWARDED-FOR"), Header_HandleXFF);
845         RegisterHeaderHandler(HKEY("ACCEPT-ENCODING"), Header_HandleAcceptEncoding);
846         RegisterHeaderHandler(HKEY("IF-MODIFIED-SINCE"), Header_HandleIfModSince);
847
848         RegisterNamespace("CURRENT_USER", 0, 1, tmplput_current_user, NULL, CTX_NONE);
849         RegisterNamespace("NONCE", 0, 0, tmplput_nonce, NULL, 0);
850
851         WebcitAddUrlHandler(HKEY("404"), "", 0, do_404, ANONYMOUS|COOKIEUNNEEDED);
852 /*
853  * Look for commonly-found probes of malware such as worms, viruses, trojans, and Microsoft Office.
854  * Short-circuit these requests so we don't have to send them through the full processing loop.
855  */
856         WebcitAddUrlHandler(HKEY("scripts"), "", 0, do_404, ANONYMOUS|BOGUS);           /* /root.exe - Worms and trojans and viruses, oh my! */
857         WebcitAddUrlHandler(HKEY("c"), "", 0, do_404, ANONYMOUS|BOGUS);         /* /winnt */
858         WebcitAddUrlHandler(HKEY("MSADC"), "", 0, do_404, ANONYMOUS|BOGUS);
859         WebcitAddUrlHandler(HKEY("_vti"), "", 0, do_404, ANONYMOUS|BOGUS);              /* Broken Microsoft DAV implementation */
860         WebcitAddUrlHandler(HKEY("MSOffice"), "", 0, do_404, ANONYMOUS|BOGUS);          /* Stoopid MSOffice thinks everyone is IIS */
861         WebcitAddUrlHandler(HKEY("nonexistenshit"), "", 0, do_404, ANONYMOUS|BOGUS);    /* Exploit found in the wild January 2009 */
862 }
863         
864
865 void 
866 HttpNewModule_CONTEXT
867 (ParsedHttpHdrs *httpreq)
868 {
869         httpreq->PlainArgs = NewStrBufPlain(NULL, SIZ);
870         httpreq->this_page = NewStrBufPlain(NULL, SIZ);
871 }
872
873 void 
874 HttpDetachModule_CONTEXT
875 (ParsedHttpHdrs *httpreq)
876 {
877         FlushStrBuf(httpreq->PlainArgs);
878         FlushStrBuf(httpreq->HostHeader);
879         FlushStrBuf(httpreq->this_page);
880         FlushStrBuf(httpreq->PlainArgs);
881         DeleteHash(&httpreq->HTTPHeaders);
882         memset(&httpreq->HR, 0, sizeof(HdrRefs));
883 }
884
885 void 
886 HttpDestroyModule_CONTEXT
887 (ParsedHttpHdrs *httpreq)
888 {
889         FreeStrBuf(&httpreq->this_page);
890         FreeStrBuf(&httpreq->PlainArgs);
891         FreeStrBuf(&httpreq->this_page);
892         FreeStrBuf(&httpreq->PlainArgs);
893         FreeStrBuf(&httpreq->HostHeader);
894         DeleteHash(&httpreq->HTTPHeaders);
895
896 }