[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
/*****************************************************************************/
/*
CSPreport.c
Content Security Policy Report[er]
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
When POSTed to, this utility appends a timestamp and CSP report JSON to the
file specified by the CSPREPORT_FILE logical name. This file must be located
somewhere the scripting account has read+write access to. When accessed using
a GET the utility accesses the stored CSP reports and returns a formatted HTML
report listing each. GET requests (reporting) must be subject to
authentication and authorisation.
WARNING: depending on the CSP options selected and applied a busy site can
generate *LOTS* of report entries!
Example mapping configuration for POSTing violation reports.
# WASD_CONFIG_MAP
set * response=csp="img-src the.host.name; \
report-uri /cgi-bin/cspreport;"
And for the CSP "report-only" option.
# WASD_CONFIG_MAP
set * response=cspro="default-src the.host.name; \
report-uri /cgi-bin/cspreport;"
The utility can be run as a CGI or CGIplus script.
/cgi-bin/cspreport
CGIplus is more responsive and efficient.
/cgiplus-bin/cspreport
When using CGIplus don't forget HTTPD/DO=DCL=DELETE to restart script.
The report file name may contain "YYYY" to have the year substituted, "MM" the
month, "DD" the day, and "HH" the hour substituted as digits. For example,
$ DEFINE /SYSTEM CSPREPORT_FILE "LOGS:CSPREPORT_yyyymmdd.LOG"
would record all CSP reports for the day in a single file. Maximum granularity
is one hour.
Using a browser and accessing the script with no trailing path provides a
report of the current file's content.
/cgi-bin/cspreport
A wildcard trailing path provides a clickable list of the current file names.
/cgi-bin/cspreport/*
A file name path provides the content of that file.
/cgi-bin/cspreport/cspreport_20200216.log
LOGICAL NAMES
-------------
CSPREPORT_DBUG turns on all "if (dbug)" statements
CSPREPORT_FILE locates the report storage file
CSPREPORT_MAX integer defines maximum report size accepted
BUILD DETAILS
-------------
$ @BUILD_CSPREPORT
$ @BUILD_CSPREPORT LINK
COPYRIGHT
---------
Copyright (C) 2020,2021 Mark G.Daniel
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
VERSION HISTORY
---------------
15-FEB-2020 MGD v1.0.0, initial development
*/
/*****************************************************************************/
#define SOFTWAREVN "1.0.0"
#define SOFTWARENM "CSPREPORT"
#ifdef __ALPHA
# define SOFTWAREID SOFTWARENM " AXP-" SOFTWAREVN
#endif
#ifdef __ia64
# define SOFTWAREID SOFTWARENM " IA64-" SOFTWAREVN
#endif
#ifdef __VAX
# error VAX no longer implemented
#endif
#ifdef __x86_64
# define SOFTWAREID SOFTWARENM " X86-" SOFTWAREVN
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* VMS header files */
#include <rmsdef.h>
#include <fab.h>
#include <nam.h>
#include <starlet.h>
/* application related header file */
#include "../misc/cgilib.h"
#define REPORT_SIZE_MAX 4096 /* bytes */
/* global storage */
int dbug,
IsCgiPlus,
ReportSizeMax = REPORT_SIZE_MAX;
unsigned long Delta100mS [2] = { -1000000, -1 };
unsigned long BinTime [2];
unsigned short NumTime [7];
char *ReportFilePtr;
void OutputReport (char*);
void PostReport (void);
void ProcessRequest (void);
char* ReportFileName (void);
int ReportList (char*);
/*****************************************************************************/
/*
*/
main (int argc, char* argv[])
{
char *cptr;
/*********/
/* begin */
/*********/
if (dbug = (getenv ("CSPREPORT_DBUG") != NULL))
{
CgiLibEnvironmentSetDebug (dbug);
fprintf (stdout, "Content-Type: text/plain\r\n\r\n");
}
if (!(ReportFilePtr = getenv ("CSPREPORT_FILE")))
{
CgiLibResponseHeader (500, "text/plain");
fprintf (stdout, "CSPREPORT_FILE not defined!\n");
return;
}
if (cptr = getenv ("CSPREPORT_MAX"))
{
ReportSizeMax = atol(cptr);
if (ReportSizeMax <= 0) ReportSizeMax = REPORT_SIZE_MAX;
}
CgiLibEnvironmentInit (argc, argv, 0);
IsCgiPlus = CgiLibEnvironmentIsCgiPlus ();
if (IsCgiPlus)
{
for (;;)
{
/* block waiting for the next request */
CgiLibVar ("");
ProcessRequest ();
CgiLibCgiPlusEOF ();
}
}
else
ProcessRequest ();
}
/*****************************************************************************/
/*
*/
void ProcessRequest (void)
{
char *cptr;
/*********/
/* begin */
/*********/
if (dbug) fprintf (stdout, "ProcessRequest()\n");
sys$gettim (&BinTime);
sys$numtim (&NumTime, &BinTime);
cptr = CgiLibVar ("WWW_REQUEST_METHOD");
if (!strcmp (cptr, "POST"))
PostReport ();
else
if (!strcmp (cptr, "GET"))
{
cptr = CgiLibVar ("WWW_PATH_INFO");
if (strchr (cptr,'*'))
{
if (!ReportList (cptr)) OutputReport (NULL);
}
else
OutputReport (cptr);
}
else
{
CgiLibResponseHeader (403, "text/plain");
fprintf (stdout, "Hmmm...\n");
return;
}
}
/*****************************************************************************/
/*
Append the JSON formatted report POSTed by the browser.
*/
void PostReport (void)
{
int retry,
Context,
PostBufferCount;
char *cptr,
*VariablePtr,
*PostBufferPtr;
FILE *rfp;
/*********/
/* begin */
/*********/
if (dbug) fprintf (stdout, "PostReport()\n");
cptr = CgiLibVar ("WWW_CONTENT_LENGTH");
if (atol(cptr) > ReportSizeMax)
{
CgiLibResponseHeader (400, "text/plain");
fprintf (stdout, "Report exceeds maximum size!\n");
return;
}
/* read the POSTed request body */
CgiLibReadRequestBody (&PostBufferPtr, &PostBufferCount);
if (PostBufferPtr == NULL || PostBufferCount == 0)
{
CgiLibResponseHeader (400, "text/plain");
fprintf (stdout, "No report in the POST!\n");
return;
}
cptr = CgiLibVar ("WWW_CONTENT_TYPE");
if (!strcmp (cptr, "application/csp-report"))
{
/* try to open the file for 10 seconds */
for (retry = 100; retry; retry--)
{
rfp = fopen (ReportFileName(), "a+", "shr=get,put");
if (rfp) break;
if (vaxc$errno != RMS$_FLK) break;
sys$schdwk (0, 0, &Delta100mS, 0);
sys$hiber ();
continue;
}
if (!rfp)
{
CgiLibResponseHeader (500, "text/plain");
fprintf (stdout, "Report fopen() %%X%08.08X!\n", vaxc$errno);
}
else
{
fprintf (rfp,
"%04.04u-%02.02u-%02.02u %02.02u:%02.02u:%02.02u\n%s\n",
NumTime[0], NumTime[1], NumTime[2],
NumTime[3], NumTime[4], NumTime[5],
PostBufferPtr);
fclose (rfp);
}
CgiLibResponseHeader (200, "text/plain", "Content-Length: 0\r\n");
}
else
{
CgiLibResponseHeader (400, "text/plain");
fprintf (stdout, "Content not \"application/csp-report\"!\n");
}
free (PostBufferPtr);
}
/*****************************************************************************/
/*
If |fname| is NULL or empty return the content of the current report file,
otherwise the content of the specified file name (nam, not fill specification).
*/
void OutputReport (char *fname)
{
int retry;
char *cptr, *sptr, *zptr;
char line [1024],
FileName [256];
FILE *rfp;
/*********/
/* begin */
/*********/
if (dbug) fprintf (stdout, "OutputReport() |%s|\n", fname);
if (!CgiLibVar ("WWW_REMOTE_USER")[0])
{
CgiLibResponseHeader (403, "text/plain");
fprintf (stdout, "Must be authenticated!\n");
return;
}
if (fname && fname[0] && fname[0] != '/')
{
zptr = (sptr = FileName) + sizeof(FileName)-1;
for (cptr = ReportFileName(); *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr > FileName) sptr--;;
while (sptr > FileName && *sptr != ']' && *sptr != ':') sptr--;
if (sptr > FileName) sptr++;
if (*fname == '/') fname++;
for (cptr = fname; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
fname = FileName;
}
else
fname = ReportFileName();
/* try to open the file for 10 seconds */
for (retry = 100; retry; retry--)
{
rfp = fopen (fname, "r", "shr=get,put");
if (rfp) break;
if (vaxc$errno != RMS$_FLK) break;
sys$schdwk (0, 0, &Delta100mS, 0);
sys$hiber ();
continue;
}
if (!rfp)
{
CgiLibResponseHeader (500, "text/plain");
fprintf (stdout, "Report fopen() %s %s.\n",
fname, strerror(errno));
return;
}
CgiLibResponseHeader (200, "text/html");
fprintf (stdout,
"<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<pre>\n%s %s\n",
SOFTWAREID, fname);
while (fgets (line, sizeof(line), rfp))
{
for (cptr = line; *cptr; cptr++);
if (cptr > line && *(cptr-1) == '\n') *(cptr-1) = '\0';
if (line[0] == '{')
fprintf (stdout,
"<script>\n\
var report = JSON.parse(\'%s\');\n\
document.write(JSON.stringify(report,undefined,4));</script>\n",
line);
else
fprintf (stdout, "%s ", line);
}
fprintf (stdout, "<script>document.close()</script>\n\
</pre>\n</body>\n</html>\n");
fclose (rfp);
}
/*****************************************************************************/
/*
Generate a clickable list of file names containing CSP reports.
*/
int ReportList (char *wcard)
{
int count, status;
char *aptr, *cptr, *sptr;
char size [32],
FileName [256],
FileSpec [256],
ExpFileName [256];
struct stat stbuf;
struct FAB SearchFab;
struct NAM SearchNam;
/*********/
/* begin */
/*********/
if (dbug) fprintf (stdout, "ReportList() |%s|\n", wcard);
strcpy (FileSpec, ReportFilePtr);
if (!(sptr = strstr (FileSpec, "YYYY")))
sptr = strstr (FileSpec, "yyyy");
if (!sptr) return (0);
for (cptr = sptr; *cptr; cptr++);
if (cptr > sptr) cptr--;
while (cptr > sptr && *cptr != '.') cptr--;
if (cptr <= sptr) return (0);
/* modify the "YYYY" into a wildcard and move the file type up */
*sptr++ = '*';
while (*cptr) *sptr++ = *cptr++;
*sptr = '\0';
if (dbug) fprintf (stdout, "|%s|\n", FileSpec);
/* initialize the file access block */
SearchFab = cc$rms_fab;
SearchFab.fab$l_fna = FileSpec;
SearchFab.fab$b_fns = strlen(FileSpec);
SearchFab.fab$l_nam = &SearchNam;
SearchNam = cc$rms_nam;
SearchNam.nam$l_esa = ExpFileName;
SearchNam.nam$b_ess = sizeof(ExpFileName)-1;
SearchNam.nam$l_rsa = FileName;
SearchNam.nam$b_rss = sizeof(FileName)-1;
if ((status = sys$parse (&SearchFab, 0, 0)) & 1 == 0)
{
CgiLibResponseHeader (500, "text/plain");
fprintf (stdout, "Report $parse() %s %%X%08.08X.\n",
FileSpec, status);
return (-1);
}
if (!(sptr = CgiLibVar ("WWW_SCRIPT_NAME")))
{
CgiLibResponseHeader (500, "text/plain");
fprintf (stdout, "Script name?\n");
return (-1);
}
count = 0;
while ((status = sys$search (&SearchFab, 0, 0)) & 1)
{
*SearchNam.nam$l_ver = '\0';
if (dbug) fprintf (stdout, "FileName |%s|\n", FileName);
if (stat (FileName, &stbuf))
{
status = vaxc$errno;
break;
}
if (!count)
{
CgiLibResponseHeader (200, "text/html");
fprintf (stdout,
"<!DOCTYPE html>\n<html>\n<head>\n</head>\n<body>\n<pre>\n%s %s\n",
SOFTWAREID, FileSpec);
}
count++;
if (stbuf.st_size < 1000)
sprintf (size, "%uB", stbuf.st_size);
else
if (stbuf.st_size < 1000000)
sprintf (size, "%ukB", stbuf.st_size / 1000);
else
if (stbuf.st_size < 1000000000)
sprintf (size, "%uMB", stbuf.st_size / 1000000);
else
sprintf (size, "%uGB", stbuf.st_size / 1000000000);
fprintf (stdout, "<a href=\"%s/%s\">%s</a> %s\n",
sptr, SearchNam.nam$l_name, SearchNam.nam$l_name, size);
*SearchNam.nam$l_ver = ';';
}
if (dbug) fprintf (stdout, "%%X%08.08X\n", status);
if (status != RMS$_FNF && status != RMS$_NMF)
{
if (!count) CgiLibResponseHeader (500, "text/plain");
fprintf (stdout, "Report $parse() %s %%X%08.08X.\n",
FileSpec, status);
return (-1);
}
if (count) fprintf (stdout, "</pre>\n</body>\n</html>\n");
return (count);
}
/*****************************************************************************/
/*
Return a pointer to the report (possibly time-stamped) file name.
If the file name contains "YYYY" then add time components at those locations.
*/
char* ReportFileName (void)
{
static int PrevDay = -1,
PrevHour = -1;
static char FileName [256];
static char *year, *month, *day, *hour;
char buf [32];
/*********/
/* begin */
/*********/
if (dbug) fprintf (stdout, "ReportFileName() |%s|%s|\n",
ReportFilePtr, FileName);
/* minimum report file granularity is one hour */
if (NumTime[3] == PrevHour && NumTime[2] == PrevDay) return (FileName);
PrevHour = NumTime[3];
PrevDay = NumTime[2];
/* (re)build the file name */
strcpy (FileName, ReportFilePtr);
year = month = day = hour = NULL;
if (!(year = strstr (FileName, "YYYY")))
year = strstr (FileName, "yyyy");
if (year)
{
sprintf (buf, "%4.4u", NumTime[0]);
year[0] = buf[0];
year[1] = buf[1];
year[2] = buf[2];
year[3] = buf[3];
if (!(month = strstr (FileName, "MM")))
month = strstr (FileName, "mm");
if (month)
{
sprintf (buf, "%02.02u", NumTime[1]);
month[0] = buf[0];
month[1] = buf[1];
}
if (!(day = strstr (FileName, "DD")))
day = strstr (FileName, "dd");
if (day)
{
sprintf (buf, "%02.02u", NumTime[2]);
day[0] = buf[0];
day[1] = buf[1];
}
if (!(hour = strstr (FileName, "HH")))
hour = strstr (FileName, "hh");
if (hour)
{
sprintf (buf, "%02.02u", NumTime[4]);
hour[0] = buf[0];
hour[1] = buf[1];
}
}
if (dbug) fprintf (stdout, "|%s|\n", FileName);
return (FileName);
}
/*****************************************************************************/