]> git.saurik.com Git - apt.git/blobdiff - test/interactive-helper/aptwebserver.cc
warn if apt-key is used in scripts/its output parsed
[apt.git] / test / interactive-helper / aptwebserver.cc
index 05b875673df6f985c8c50e1d6e6ff2050f950e3b..3e91406abdbbc98e9f49a2497a662d48294ccb58 100644 (file)
 #include <config.h>
 
-#include <apt-pkg/strutl.h>
-#include <apt-pkg/fileutl.h>
-#include <apt-pkg/error.h>
 #include <apt-pkg/cmndline.h>
 #include <apt-pkg/configuration.h>
-#include <apt-pkg/init.h>
-
-#include <vector>
-#include <string>
-#include <list>
-#include <sstream>
+#include <apt-pkg/error.h>
+#include <apt-pkg/fileutl.h>
+#include <apt-pkg/strutl.h>
 
+#include <dirent.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <regex.h>
+#include <signal.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
 #include <sys/socket.h>
-#include <sys/types.h>
 #include <sys/stat.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <errno.h>
 #include <time.h>
-#include <stdlib.h>
-#include <dirent.h>
-#include <signal.h>
+#include <unistd.h>
+
+#include <algorithm>
+#include <iostream>
+#include <sstream>
+#include <list>
+#include <string>
+#include <vector>
 
-char const * const httpcodeToStr(int const httpcode)                   /*{{{*/
+static std::string httpcodeToStr(int const httpcode)                   /*{{{*/
 {
    switch (httpcode)
    {
       // Informational 1xx
-      case 100: return "100 Continue";
-      case 101: return "101 Switching Protocols";
+      case 100: return _config->Find("aptwebserver::httpcode::100", "100 Continue");
+      case 101: return _config->Find("aptwebserver::httpcode::101", "101 Switching Protocols");
       // Successful 2xx
-      case 200: return "200 OK";
-      case 201: return "201 Created";
-      case 202: return "202 Accepted";
-      case 203: return "203 Non-Authoritative Information";
-      case 204: return "204 No Content";
-      case 205: return "205 Reset Content";
-      case 206: return "206 Partial Content";
+      case 200: return _config->Find("aptwebserver::httpcode::200", "200 OK");
+      case 201: return _config->Find("aptwebserver::httpcode::201", "201 Created");
+      case 202: return _config->Find("aptwebserver::httpcode::202", "202 Accepted");
+      case 203: return _config->Find("aptwebserver::httpcode::203", "203 Non-Authoritative Information");
+      case 204: return _config->Find("aptwebserver::httpcode::204", "204 No Content");
+      case 205: return _config->Find("aptwebserver::httpcode::205", "205 Reset Content");
+      case 206: return _config->Find("aptwebserver::httpcode::206", "206 Partial Content");
       // Redirections 3xx
-      case 300: return "300 Multiple Choices";
-      case 301: return "301 Moved Permanently";
-      case 302: return "302 Found";
-      case 303: return "303 See Other";
-      case 304: return "304 Not Modified";
-      case 305: return "304 Use Proxy";
-      case 307: return "307 Temporary Redirect";
+      case 300: return _config->Find("aptwebserver::httpcode::300", "300 Multiple Choices");
+      case 301: return _config->Find("aptwebserver::httpcode::301", "301 Moved Permanently");
+      case 302: return _config->Find("aptwebserver::httpcode::302", "302 Found");
+      case 303: return _config->Find("aptwebserver::httpcode::303", "303 See Other");
+      case 304: return _config->Find("aptwebserver::httpcode::304", "304 Not Modified");
+      case 305: return _config->Find("aptwebserver::httpcode::305", "305 Use Proxy");
+      case 307: return _config->Find("aptwebserver::httpcode::307", "307 Temporary Redirect");
       // Client errors 4xx
-      case 400: return "400 Bad Request";
-      case 401: return "401 Unauthorized";
-      case 402: return "402 Payment Required";
-      case 403: return "403 Forbidden";
-      case 404: return "404 Not Found";
-      case 405: return "405 Method Not Allowed";
-      case 406: return "406 Not Acceptable";
-      case 407: return "407 Proxy Authentication Required";
-      case 408: return "408 Request Time-out";
-      case 409: return "409 Conflict";
-      case 410: return "410 Gone";
-      case 411: return "411 Length Required";
-      case 412: return "412 Precondition Failed";
-      case 413: return "413 Request Entity Too Large";
-      case 414: return "414 Request-URI Too Large";
-      case 415: return "415 Unsupported Media Type";
-      case 416: return "416 Requested range not satisfiable";
-      case 417: return "417 Expectation Failed";
-      case 418: return "418 I'm a teapot";
+      case 400: return _config->Find("aptwebserver::httpcode::400", "400 Bad Request");
+      case 401: return _config->Find("aptwebserver::httpcode::401", "401 Unauthorized");
+      case 402: return _config->Find("aptwebserver::httpcode::402", "402 Payment Required");
+      case 403: return _config->Find("aptwebserver::httpcode::403", "403 Forbidden");
+      case 404: return _config->Find("aptwebserver::httpcode::404", "404 Not Found");
+      case 405: return _config->Find("aptwebserver::httpcode::405", "405 Method Not Allowed");
+      case 406: return _config->Find("aptwebserver::httpcode::406", "406 Not Acceptable");
+      case 407: return _config->Find("aptwebserver::httpcode::407", "407 Proxy Authentication Required");
+      case 408: return _config->Find("aptwebserver::httpcode::408", "408 Request Time-out");
+      case 409: return _config->Find("aptwebserver::httpcode::409", "409 Conflict");
+      case 410: return _config->Find("aptwebserver::httpcode::410", "410 Gone");
+      case 411: return _config->Find("aptwebserver::httpcode::411", "411 Length Required");
+      case 412: return _config->Find("aptwebserver::httpcode::412", "412 Precondition Failed");
+      case 413: return _config->Find("aptwebserver::httpcode::413", "413 Request Entity Too Large");
+      case 414: return _config->Find("aptwebserver::httpcode::414", "414 Request-URI Too Large");
+      case 415: return _config->Find("aptwebserver::httpcode::415", "415 Unsupported Media Type");
+      case 416: return _config->Find("aptwebserver::httpcode::416", "416 Requested range not satisfiable");
+      case 417: return _config->Find("aptwebserver::httpcode::417", "417 Expectation Failed");
+      case 418: return _config->Find("aptwebserver::httpcode::418", "418 I'm a teapot");
       // Server error 5xx
-      case 500: return "500 Internal Server Error";
-      case 501: return "501 Not Implemented";
-      case 502: return "502 Bad Gateway";
-      case 503: return "503 Service Unavailable";
-      case 504: return "504 Gateway Time-out";
-      case 505: return "505 HTTP Version not supported";
+      case 500: return _config->Find("aptwebserver::httpcode::500", "500 Internal Server Error");
+      case 501: return _config->Find("aptwebserver::httpcode::501", "501 Not Implemented");
+      case 502: return _config->Find("aptwebserver::httpcode::502", "502 Bad Gateway");
+      case 503: return _config->Find("aptwebserver::httpcode::503", "503 Service Unavailable");
+      case 504: return _config->Find("aptwebserver::httpcode::504", "504 Gateway Time-out");
+      case 505: return _config->Find("aptwebserver::httpcode::505", "505 HTTP Version not supported");
    }
-   return NULL;
+   return "";
 }
                                                                        /*}}}*/
-void addFileHeaders(std::list<std::string> &headers, FileFd &data)     /*{{{*/
+static bool chunkedTransferEncoding(std::list<std::string> const &headers) {
+   if (std::find(headers.begin(), headers.end(), "Transfer-Encoding: chunked") != headers.end())
+      return true;
+   if (_config->FindB("aptwebserver::chunked-transfer-encoding", false) == true)
+      return true;
+   return false;
+}
+static void addFileHeaders(std::list<std::string> &headers, FileFd &data)/*{{{*/
 {
-   std::ostringstream contentlength;
-   contentlength << "Content-Length: " << data.FileSize();
-   headers.push_back(contentlength.str());
-
-   std::string lastmodified("Last-Modified: ");
-   lastmodified.append(TimeRFC1123(data.ModificationTime()));
-   headers.push_back(lastmodified);
+   if (chunkedTransferEncoding(headers) == false)
+   {
+      std::ostringstream contentlength;
+      contentlength << "Content-Length: " << data.FileSize();
+      headers.push_back(contentlength.str());
+   }
+   if (_config->FindB("aptwebserver::support::last-modified", true) == true)
+   {
+      std::string lastmodified("Last-Modified: ");
+      lastmodified.append(TimeRFC1123(data.ModificationTime()));
+      headers.push_back(lastmodified);
+   }
 }
                                                                        /*}}}*/
-void addDataHeaders(std::list<std::string> &headers, std::string &data)        /*{{{*/
+static void addDataHeaders(std::list<std::string> &headers, std::string &data)/*{{{*/
 {
-   std::ostringstream contentlength;
-   contentlength << "Content-Length: " << data.size();
-   headers.push_back(contentlength.str());
+   if (chunkedTransferEncoding(headers) == false)
+   {
+      std::ostringstream contentlength;
+      contentlength << "Content-Length: " << data.size();
+      headers.push_back(contentlength.str());
+   }
 }
                                                                        /*}}}*/
-bool sendHead(int const client, int const httpcode, std::list<std::string> &headers)/*{{{*/
+static bool sendHead(int const client, int const httpcode, std::list<std::string> &headers)/*{{{*/
 {
    std::string response("HTTP/1.1 ");
    response.append(httpcodeToStr(httpcode));
    headers.push_front(response);
+   _config->Set("APTWebserver::Last-Status-Code", httpcode);
 
-   headers.push_back("Server: APT webserver");
+   std::stringstream buffer;
+   _config->Dump(buffer, "aptwebserver::response-header", "%t: %v%n", false);
+   std::vector<std::string> addheaders = VectorizeString(buffer.str(), '\n');
+   for (std::vector<std::string>::const_iterator h = addheaders.begin(); h != addheaders.end(); ++h)
+      headers.push_back(*h);
 
    std::string date("Date: ");
    date.append(TimeRFC1123(time(NULL)));
    headers.push_back(date);
 
-   std::clog << ">>> RESPONSE >>>" << std::endl;
+   if (chunkedTransferEncoding(headers) == true)
+      headers.push_back("Transfer-Encoding: chunked");
+
+   std::clog << ">>> RESPONSE to " << client << " >>>" << std::endl;
    bool Success = true;
    for (std::list<std::string>::const_iterator h = headers.begin();
        Success == true && h != headers.end(); ++h)
@@ -123,72 +150,138 @@ bool sendHead(int const client, int const httpcode, std::list<std::string> &head
    return Success;
 }
                                                                        /*}}}*/
-bool sendFile(int const client, FileFd &data)                          /*{{{*/
+static bool sendFile(int const client, std::list<std::string> const &headers, FileFd &data)/*{{{*/
 {
    bool Success = true;
+   bool const chunked = chunkedTransferEncoding(headers);
    char buffer[500];
    unsigned long long actual = 0;
    while ((Success &= data.Read(buffer, sizeof(buffer), &actual)) == true)
    {
       if (actual == 0)
         break;
-      if (Success == true)
+
+      if (chunked == true)
+      {
+        std::string size;
+        strprintf(size, "%llX\r\n", actual);
+        Success &= FileFd::Write(client, size.c_str(), size.size());
+        Success &= FileFd::Write(client, buffer, actual);
+        Success &= FileFd::Write(client, "\r\n", strlen("\r\n"));
+      }
+      else
         Success &= FileFd::Write(client, buffer, actual);
    }
-   if (Success == true)
-      Success &= FileFd::Write(client, "\r\n", 2);
+   if (chunked == true)
+   {
+      char const * const finish = "0\r\n\r\n";
+      Success &= FileFd::Write(client, finish, strlen(finish));
+   }
+   if (Success == false)
+      std::cerr << "SENDFILE:" << (chunked ? " CHUNKED" : "") << " READ/WRITE ERROR to " << client << std::endl;
    return Success;
 }
                                                                        /*}}}*/
-bool sendData(int const client, std::string const &data)               /*{{{*/
+static bool sendData(int const client, std::list<std::string> const &headers, std::string const &data)/*{{{*/
 {
-   bool Success = true;
-   Success &= FileFd::Write(client, data.c_str(), data.size());
-   if (Success == true)
-      Success &= FileFd::Write(client, "\r\n", 2);
-   return Success;
+   if (chunkedTransferEncoding(headers) == true)
+   {
+      unsigned long long const ullsize = data.length();
+      std::string size;
+      strprintf(size, "%llX\r\n", ullsize);
+      char const * const finish = "\r\n0\r\n\r\n";
+      if (FileFd::Write(client, size.c_str(), size.length()) == false ||
+           FileFd::Write(client, data.c_str(), ullsize) == false ||
+           FileFd::Write(client, finish, strlen(finish)) == false)
+      {
+        std::cerr << "SENDDATA: CHUNK WRITE ERROR to " << client << std::endl;
+        return false;
+      }
+   }
+   else if (FileFd::Write(client, data.c_str(), data.size()) == false)
+   {
+      std::cerr << "SENDDATA: WRITE ERROR to " << client << std::endl;
+      return false;
+   }
+   return true;
 }
                                                                        /*}}}*/
-void sendError(int const client, int const httpcode, std::string const &request,/*{{{*/
-              bool content, std::string const &error = "")
+static void sendError(int const client, int const httpcode, std::string const &request,/*{{{*/
+              bool const content, std::string const &error, std::list<std::string> &headers)
 {
-   std::list<std::string> headers;
-   std::string response("<html><head><title>");
-   response.append(httpcodeToStr(httpcode)).append("</title></head>");
+   std::string response("<!doctype html><html><head><title>");
+   response.append(httpcodeToStr(httpcode)).append("</title><meta charset=\"utf-8\" /></head>");
    response.append("<body><h1>").append(httpcodeToStr(httpcode)).append("</h1>");
+   if (httpcode != 200)
+      response.append("<p><em>Error</em>: ");
+   else
+      response.append("<p><em>Success</em>: ");
    if (error.empty() == false)
-      response.append("<p><em>Error</em>: ").append(error).append("</p>");
-   response.append("This error is a result of the request: <pre>");
+      response.append(error);
+   else
+      response.append(httpcodeToStr(httpcode));
+   if (httpcode != 200)
+      response.append("</p>This error is a result of the request: <pre>");
+   else
+      response.append("The successfully executed operation was requested by: <pre>");
    response.append(request).append("</pre></body></html>");
+   if (httpcode != 200)
+   {
+      if (_config->FindB("aptwebserver::closeOnError", false) == true)
+        headers.push_back("Connection: close");
+   }
    addDataHeaders(headers, response);
    sendHead(client, httpcode, headers);
    if (content == true)
-      sendData(client, response);
+      sendData(client, headers, response);
+}
+static void sendSuccess(int const client, std::string const &request,
+              bool const content, std::string const &error, std::list<std::string> &headers)
+{
+   sendError(client, 200, request, content, error, headers);
 }
                                                                        /*}}}*/
-void sendRedirect(int const client, int const httpcode, std::string const &uri,/*{{{*/
+static void sendRedirect(int const client, int const httpcode, std::string const &uri,/*{{{*/
                  std::string const &request, bool content)
 {
    std::list<std::string> headers;
-   std::string response("<html><head><title>");
-   response.append(httpcodeToStr(httpcode)).append("</title></head>");
+   std::string response("<!doctype html><html><head><title>");
+   response.append(httpcodeToStr(httpcode)).append("</title><meta charset=\"utf-8\" /></head>");
    response.append("<body><h1>").append(httpcodeToStr(httpcode)).append("</h1");
    response.append("<p>You should be redirected to <em>").append(uri).append("</em></p>");
    response.append("This page is a result of the request: <pre>");
    response.append(request).append("</pre></body></html>");
    addDataHeaders(headers, response);
    std::string location("Location: ");
-   if (strncmp(uri.c_str(), "http://", 7) != 0)
-      location.append("http://").append(LookupTag(request, "Host")).append("/").append(uri);
+   if (strncmp(uri.c_str(), "http://", 7) != 0 && strncmp(uri.c_str(), "https://", 8) != 0)
+   {
+      std::string const host = LookupTag(request, "Host");
+      unsigned int const httpsport = _config->FindI("aptwebserver::port::https", 4433);
+      std::string hosthttpsport;
+      strprintf(hosthttpsport, ":%u", httpsport);
+      if (host.find(hosthttpsport) != std::string::npos)
+        location.append("https://");
+      else
+        location.append("http://");
+      location.append(host).append("/");
+      if (strncmp("/home/", uri.c_str(), strlen("/home/")) == 0 && uri.find("/public_html/") != std::string::npos)
+      {
+        std::string homeuri = SubstVar(uri, "/home/", "~");
+        homeuri = SubstVar(homeuri, "/public_html/", "/");
+        location.append(homeuri);
+      }
+      else
+        location.append(uri);
+   }
    else
       location.append(uri);
    headers.push_back(location);
    sendHead(client, httpcode, headers);
    if (content == true)
-      sendData(client, response);
+      sendData(client, headers, response);
 }
                                                                        /*}}}*/
-int filter_hidden_files(const struct dirent *a)                                /*{{{*/
+static int filter_hidden_files(const struct dirent *a)                 /*{{{*/
 {
    if (a->d_name[0] == '.')
       return 0;
@@ -202,7 +295,7 @@ int filter_hidden_files(const struct dirent *a)                             /*{{{*/
 #endif
    return 1;
 }
-int grouped_alpha_case_sort(const struct dirent **a, const struct dirent **b) {
+static int grouped_alpha_case_sort(const struct dirent **a, const struct dirent **b) {
 #ifdef _DIRENT_HAVE_D_TYPE
    if ((*a)->d_type == DT_DIR && (*b)->d_type == DT_DIR);
    else if ((*a)->d_type == DT_DIR && (*b)->d_type == DT_REG)
@@ -226,21 +319,20 @@ int grouped_alpha_case_sort(const struct dirent **a, const struct dirent **b) {
    return strcasecmp((*a)->d_name, (*b)->d_name);
 }
                                                                        /*}}}*/
-void sendDirectoryListing(int const client, std::string const &dir,    /*{{{*/
-                         std::string const &request, bool content)
+static void sendDirectoryListing(int const client, std::string const &dir,/*{{{*/
+                         std::string const &request, bool content, std::list<std::string> &headers)
 {
-   std::list<std::string> headers;
    std::ostringstream listing;
 
    struct dirent **namelist;
    int const counter = scandir(dir.c_str(), &namelist, filter_hidden_files, grouped_alpha_case_sort);
    if (counter == -1)
    {
-      sendError(client, 500, request, content);
+      sendError(client, 500, request, content, "scandir failed", headers);
       return;
    }
 
-   listing << "<html><head><title>Index of " << dir << "</title>"
+   listing << "<!doctype html><html><head><title>Index of " << dir << "</title><meta charset=\"utf-8\" />"
           << "<style type=\"text/css\"><!-- td {padding: 0.02em 0.5em 0.02em 0.5em;}"
           << "tr:nth-child(even){background-color:#dfdfdf;}"
           << "h1, td:nth-child(3){text-align:center;}"
@@ -248,7 +340,7 @@ void sendDirectoryListing(int const client, std::string const &dir, /*{{{*/
           << "</head>" << std::endl
           << "<body><h1>Index of " << dir << "</h1>" << std::endl
           << "<table><tr><th>#</th><th>Name</th><th>Size</th><th>Last-Modified</th></tr>" << std::endl;
-   if (dir != ".")
+   if (dir != "./")
       listing << "<tr><td>d</td><td><a href=\"..\">Parent Directory</a></td><td>-</td><td>-</td></tr>";
    for (int i = 0; i < counter; ++i) {
       struct stat fs;
@@ -275,18 +367,18 @@ void sendDirectoryListing(int const client, std::string const &dir,       /*{{{*/
    addDataHeaders(headers, response);
    sendHead(client, 200, headers);
    if (content == true)
-      sendData(client, response);
+      sendData(client, headers, response);
 }
                                                                        /*}}}*/
-bool parseFirstLine(int const client, std::string const &request,      /*{{{*/
-                   std::string &filename, bool &sendContent,
-                   bool &closeConnection)
+static bool parseFirstLine(int const client, std::string const &request,/*{{{*/
+                   std::string &filename, std::string &params, bool &sendContent,
+                   bool &closeConnection, std::list<std::string> &headers)
 {
    if (strncmp(request.c_str(), "HEAD ", 5) == 0)
       sendContent = false;
    if (strncmp(request.c_str(), "GET ", 4) != 0)
    {
-      sendError(client, 501, request, true);
+      sendError(client, 501, request, true, "", headers);
       return false;
    }
 
@@ -297,7 +389,7 @@ bool parseFirstLine(int const client, std::string const &request,   /*{{{*/
    if (lineend == std::string::npos || filestart == std::string::npos ||
         fileend == std::string::npos || filestart == fileend)
    {
-      sendError(client, 500, request, sendContent, "Filename can't be extracted");
+      sendError(client, 500, request, sendContent, "Filename can't be extracted", headers);
       return false;
    }
 
@@ -309,16 +401,116 @@ bool parseFirstLine(int const client, std::string const &request,        /*{{{*/
       closeConnection = strcasecmp(LookupTag(request, "Connection", "Keep-Alive").c_str(), "close") == 0;
    else
    {
-      sendError(client, 500, request, sendContent, "Not a HTTP/1.{0,1} request");
+      sendError(client, 500, request, sendContent, "Not a HTTP/1.{0,1} request", headers);
       return false;
    }
 
    filename = request.substr(filestart, fileend - filestart);
    if (filename.find(' ') != std::string::npos)
    {
-      sendError(client, 500, request, sendContent, "Filename contains an unencoded space");
+      sendError(client, 500, request, sendContent, "Filename contains an unencoded space", headers);
+      return false;
+   }
+
+   std::string host = LookupTag(request, "Host", "");
+   if (host.empty() == true)
+   {
+      // RFC 2616 ยง14.23 requires Host
+      sendError(client, 400, request, sendContent, "Host header is required", headers);
       return false;
    }
+   host = "http://" + host;
+
+   // Proxies require absolute uris, so this is a simple proxy-fake option
+   std::string const absolute = _config->Find("aptwebserver::request::absolute", "uri,path");
+   if (strncmp(host.c_str(), filename.c_str(), host.length()) == 0 && APT::String::Startswith(filename, "/_config/") == false)
+   {
+      if (absolute.find("uri") == std::string::npos)
+      {
+        sendError(client, 400, request, sendContent, "Request is absoluteURI, but configured to not accept that", headers);
+        return false;
+      }
+
+      // strip the host from the request to make it an absolute path
+      filename.erase(0, host.length());
+
+      std::string const authConf = _config->Find("aptwebserver::proxy-authorization", "");
+      std::string auth = LookupTag(request, "Proxy-Authorization", "");
+      if (authConf.empty() != auth.empty())
+      {
+        if (auth.empty())
+           sendError(client, 407, request, sendContent, "Proxy requires authentication", headers);
+        else
+           sendError(client, 407, request, sendContent, "Client wants to authenticate to proxy, but proxy doesn't need it", headers);
+       return false;
+      }
+      if (authConf.empty() == false)
+      {
+        char const * const basic = "Basic ";
+        if (strncmp(auth.c_str(), basic, strlen(basic)) == 0)
+        {
+           auth.erase(0, strlen(basic));
+           if (auth != authConf)
+           {
+              sendError(client, 407, request, sendContent, "Proxy-Authentication doesn't match", headers);
+              return false;
+           }
+        }
+        else
+        {
+           std::list<std::string> headers;
+           headers.push_back("Proxy-Authenticate: Basic");
+           sendError(client, 407, request, sendContent, "Unsupported Proxy-Authentication Scheme", headers);
+           return false;
+        }
+      }
+   }
+   else if (absolute.find("path") == std::string::npos && APT::String::Startswith(filename, "/_config/") == false)
+   {
+      sendError(client, 400, request, sendContent, "Request is absolutePath, but configured to not accept that", headers);
+      return false;
+   }
+
+   if (APT::String::Startswith(filename, "/_config/") == false)
+   {
+      std::string const authConf = _config->Find("aptwebserver::authorization", "");
+      std::string auth = LookupTag(request, "Authorization", "");
+      if (authConf.empty() != auth.empty())
+      {
+        if (auth.empty())
+           sendError(client, 401, request, sendContent, "Server requires authentication", headers);
+        else
+           sendError(client, 401, request, sendContent, "Client wants to authenticate to server, but server doesn't need it", headers);
+        return false;
+      }
+      if (authConf.empty() == false)
+      {
+        char const * const basic = "Basic ";
+        if (strncmp(auth.c_str(), basic, strlen(basic)) == 0)
+        {
+           auth.erase(0, strlen(basic));
+           if (auth != authConf)
+           {
+              sendError(client, 401, request, sendContent, "Authentication doesn't match", headers);
+              return false;
+           }
+        }
+        else
+        {
+           headers.push_back("WWW-Authenticate: Basic");
+           sendError(client, 401, request, sendContent, "Unsupported Authentication Scheme", headers);
+           return false;
+        }
+      }
+   }
+
+   size_t paramspos = filename.find('?');
+   if (paramspos != std::string::npos)
+   {
+      params = filename.substr(paramspos + 1);
+      filename.erase(paramspos);
+   }
+
    filename = DeQuoteString(filename);
 
    // this is not a secure server, but at least prevent the obvious โ€ฆ
@@ -327,21 +519,291 @@ bool parseFirstLine(int const client, std::string const &request,        /*{{{*/
        filename.find_first_of("\r\n\t\f\v") != std::string::npos ||
        filename.find("/../") != std::string::npos)
    {
-      sendError(client, 400, request, sendContent, "Filename contains illegal character (sequence)");
+      std::list<std::string> headers;
+      sendError(client, 400, request, sendContent, "Filename contains illegal character (sequence)", headers);
       return false;
    }
 
    // nuke the first character which is a / as we assured above
    filename.erase(0, 1);
    if (filename.empty() == true)
-      filename = ".";
+      filename = "./";
+   // support ~user/ uris to refer to /home/user/public_html/ as a kind-of special directory
+   else if (filename[0] == '~')
+   {
+      // /home/user is actually not entirely correct, but good enough for now
+      size_t dashpos = filename.find('/');
+      if (dashpos != std::string::npos)
+      {
+        std::string home = filename.substr(1, filename.find('/') - 1);
+        std::string pubhtml = filename.substr(filename.find('/') + 1);
+        filename = "/home/" + home + "/public_html/" + pubhtml;
+      }
+      else
+        filename = "/home/" + filename.substr(1) + "/public_html/";
+   }
+
+   // if no filename is given, but a valid directory see if we can use an index or
+   // have to resort to a autogenerated directory listing later on
+   if (DirectoryExists(filename) == true)
+   {
+      std::string const directoryIndex = _config->Find("aptwebserver::directoryindex");
+      if (directoryIndex.empty() == false && directoryIndex == flNotDir(directoryIndex) &&
+           RealFileExists(filename + directoryIndex) == true)
+        filename += directoryIndex;
+   }
+
    return true;
 }
                                                                        /*}}}*/
+static bool handleOnTheFlyReconfiguration(int const client, std::string const &request,/*{{{*/
+      std::vector<std::string> parts, std::list<std::string> &headers)
+{
+   size_t const pcount = parts.size();
+   for (size_t i = 0; i < pcount; ++i)
+      parts[i] = DeQuoteString(parts[i]);
+   if (pcount == 4 && parts[1] == "set")
+   {
+      _config->Set(parts[2], parts[3]);
+      sendSuccess(client, request, true, "Option '" + parts[2] + "' was set to '" + parts[3] + "'!", headers);
+      return true;
+   }
+   else if (pcount == 4 && parts[1] == "find")
+   {
+      std::string response = _config->Find(parts[2], parts[3]);
+      addDataHeaders(headers, response);
+      sendHead(client, 200, headers);
+      sendData(client, headers, response);
+      return true;
+   }
+   else if (pcount == 3 && parts[1] == "find")
+   {
+      if (_config->Exists(parts[2]) == true)
+      {
+        std::string response = _config->Find(parts[2]);
+        addDataHeaders(headers, response);
+        sendHead(client, 200, headers);
+        sendData(client, headers, response);
+        return true;
+      }
+      sendError(client, 404, request, true, "Requested Configuration option doesn't exist", headers);
+      return false;
+   }
+   else if (pcount == 3 && parts[1] == "clear")
+   {
+      _config->Clear(parts[2]);
+      sendSuccess(client, request, true, "Option '" + parts[2] + "' was cleared.", headers);
+      return true;
+   }
+
+   sendError(client, 400, request, true, "Unknown on-the-fly configuration request", headers);
+   return false;
+}
+                                                                       /*}}}*/
+static void * handleClient(void * voidclient)                          /*{{{*/
+{
+   int client = *((int*)(voidclient));
+   std::clog << "ACCEPT client " << client << std::endl;
+   bool closeConnection = false;
+   while (closeConnection == false)
+   {
+      std::vector<std::string> messages;
+      if (ReadMessages(client, messages) == false)
+        break;
+
+      std::list<std::string> headers;
+      for (std::vector<std::string>::const_iterator m = messages.begin();
+           m != messages.end() && closeConnection == false; ++m) {
+        // if we announced a closing in previous response, do the close now
+        if (std::find(headers.begin(), headers.end(), std::string("Connection: close")) != headers.end())
+        {
+           closeConnection = true;
+           break;
+        }
+        headers.clear();
+
+        std::clog << ">>> REQUEST from " << client << " >>>" << std::endl << *m
+           << std::endl << "<<<<<<<<<<<<<<<<" << std::endl;
+        std::string filename;
+        std::string params;
+        bool sendContent = true;
+        if (parseFirstLine(client, *m, filename, params, sendContent, closeConnection, headers) == false)
+           continue;
+
+        // special webserver command request
+        if (filename.length() > 1 && filename[0] == '_')
+        {
+           std::vector<std::string> parts = VectorizeString(filename, '/');
+           if (parts[0] == "_config")
+           {
+              handleOnTheFlyReconfiguration(client, *m, parts, headers);
+              continue;
+           }
+        }
+
+        // string replacements in the requested filename
+        ::Configuration::Item const *Replaces = _config->Tree("aptwebserver::redirect::replace");
+        if (Replaces != NULL)
+        {
+           std::string redirect = "/" + filename;
+           for (::Configuration::Item *I = Replaces->Child; I != NULL; I = I->Next)
+              redirect = SubstVar(redirect, I->Tag, I->Value);
+           if (redirect.empty() == false && redirect[0] == '/')
+              redirect.erase(0,1);
+           if (redirect != filename)
+           {
+              sendRedirect(client, _config->FindI("aptwebserver::redirect::httpcode", 301), redirect, *m, sendContent);
+              continue;
+           }
+        }
+
+        ::Configuration::Item const *Overwrite = _config->Tree("aptwebserver::overwrite");
+        if (Overwrite != NULL)
+        {
+           for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next)
+           {
+              regex_t *pattern = new regex_t;
+              int const res = regcomp(pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB);
+              if (res != 0)
+              {
+                 char error[300];
+                 regerror(res, pattern, error, sizeof(error));
+                 sendError(client, 500, *m, sendContent, error, headers);
+                 continue;
+              }
+              if (regexec(pattern, filename.c_str(), 0, 0, 0) == 0)
+              {
+                 filename = _config->Find("aptwebserver::overwrite::" + I->Tag + "::filename", filename);
+                 if (filename[0] == '/')
+                    filename.erase(0,1);
+                 regfree(pattern);
+                 break;
+              }
+              regfree(pattern);
+           }
+        }
+
+        // deal with the request
+        unsigned int const httpsport = _config->FindI("aptwebserver::port::https", 4433);
+        std::string hosthttpsport;
+        strprintf(hosthttpsport, ":%u", httpsport);
+        if (_config->FindB("aptwebserver::support::http", true) == false &&
+              LookupTag(*m, "Host").find(hosthttpsport) == std::string::npos)
+        {
+           sendError(client, 400, *m, sendContent, "HTTP disabled, all requests must be HTTPS", headers);
+           continue;
+        }
+        else if (RealFileExists(filename) == true)
+        {
+           FileFd data(filename, FileFd::ReadOnly);
+           std::string condition = LookupTag(*m, "If-Modified-Since", "");
+           if (_config->FindB("aptwebserver::support::modified-since", true) == true && condition.empty() == false)
+           {
+              time_t cache;
+              if (RFC1123StrToTime(condition.c_str(), cache) == true &&
+                    cache >= data.ModificationTime())
+              {
+                 sendHead(client, 304, headers);
+                 continue;
+              }
+           }
+
+           if (_config->FindB("aptwebserver::support::range", true) == true)
+              condition = LookupTag(*m, "Range", "");
+           else
+              condition.clear();
+           if (condition.empty() == false && strncmp(condition.c_str(), "bytes=", 6) == 0)
+           {
+              time_t cache;
+              std::string ifrange;
+              if (_config->FindB("aptwebserver::support::if-range", true) == true)
+                 ifrange = LookupTag(*m, "If-Range", "");
+              bool validrange = (ifrange.empty() == true ||
+                    (RFC1123StrToTime(ifrange.c_str(), cache) == true &&
+                     cache <= data.ModificationTime()));
+
+              // FIXME: support multiple byte-ranges (APT clients do not do this)
+              if (condition.find(',') == std::string::npos)
+              {
+                 size_t start = 6;
+                 unsigned long long filestart = strtoull(condition.c_str() + start, NULL, 10);
+                 // FIXME: no support for last-byte-pos being not the end of the file (APT clients do not do this)
+                 size_t dash = condition.find('-') + 1;
+                 unsigned long long fileend = strtoull(condition.c_str() + dash, NULL, 10);
+                 unsigned long long filesize = data.FileSize();
+                 if ((fileend == 0 || (fileend == filesize && fileend >= filestart)) &&
+                       validrange == true)
+                 {
+                    if (filesize > filestart)
+                    {
+                       data.Skip(filestart);
+                        // make sure to send content-range before conent-length
+                        // as regression test for LP: #1445239
+                       std::ostringstream contentrange;
+                       contentrange << "Content-Range: bytes " << filestart << "-"
+                          << filesize - 1 << "/" << filesize;
+                       headers.push_back(contentrange.str());
+                       std::ostringstream contentlength;
+                       contentlength << "Content-Length: " << (filesize - filestart);
+                       headers.push_back(contentlength.str());
+                       sendHead(client, 206, headers);
+                       if (sendContent == true)
+                          sendFile(client, headers, data);
+                       continue;
+                    }
+                    else
+                    {
+                       if (_config->FindB("aptwebserver::support::content-range", true) == true)
+                       {
+                          std::ostringstream contentrange;
+                          contentrange << "Content-Range: bytes */" << filesize;
+                          headers.push_back(contentrange.str());
+                       }
+                       sendError(client, 416, *m, sendContent, "", headers);
+                       continue;
+                    }
+                 }
+              }
+           }
+
+           addFileHeaders(headers, data);
+           sendHead(client, 200, headers);
+           if (sendContent == true)
+              sendFile(client, headers, data);
+        }
+        else if (DirectoryExists(filename) == true)
+        {
+           if (filename[filename.length()-1] == '/')
+              sendDirectoryListing(client, filename, *m, sendContent, headers);
+           else
+              sendRedirect(client, 301, filename.append("/"), *m, sendContent);
+        }
+        else
+           sendError(client, 404, *m, sendContent, "", headers);
+      }
+
+      // if we announced a closing in the last response, do the close now
+      if (std::find(headers.begin(), headers.end(), std::string("Connection: close")) != headers.end())
+        closeConnection = true;
+
+      if (_error->PendingError() == true)
+        break;
+      _error->DumpErrors(std::cerr);
+   }
+   _error->DumpErrors(std::cerr);
+   close(client);
+   std::clog << "CLOSE client " << client << std::endl;
+   return NULL;
+}
+                                                                       /*}}}*/
+
 int main(int const argc, const char * argv[])
 {
    CommandLine::Args Args[] = {
       {0, "port", "aptwebserver::port", CommandLine::HasArg},
+      {0, "request-absolute", "aptwebserver::request::absolute", CommandLine::HasArg},
+      {0, "authorization", "aptwebserver::authorization", CommandLine::HasArg},
+      {0, "proxy-authorization", "aptwebserver::proxy-authorization", CommandLine::HasArg},
       {'c',"config-file",0,CommandLine::ConfigFile},
       {'o',"option",0,CommandLine::ArbItem},
       {0,0,0,0}
@@ -357,6 +819,9 @@ int main(int const argc, const char * argv[])
    // create socket, bind and listen to it {{{
    // ignore SIGPIPE, this can happen on write() if the socket closes connection
    signal(SIGPIPE, SIG_IGN);
+   // we don't care for our slaves, so ignore their death
+   signal(SIGCHLD, SIG_IGN);
+
    int sock = socket(AF_INET6, SOCK_STREAM, 0);
    if(sock < 0)
    {
@@ -365,7 +830,7 @@ int main(int const argc, const char * argv[])
       return 1;
    }
 
-   int const port = _config->FindI("aptwebserver::port", 8080);
+   int port = _config->FindI("aptwebserver::port", 8080);
 
    // ensure that we accept all connections: v4 or v6
    int const iponly = 0;
@@ -387,120 +852,108 @@ int main(int const argc, const char * argv[])
       return 2;
    }
 
-   std::clog << "Serving ANY file on port: " << port << std::endl;
-
-   listen(sock, 1);
-   /*}}}*/
+   if (port == 0)
+   {
+      struct sockaddr_in6 addr;
+      socklen_t addrlen = sizeof(sockaddr_in6);
+      if (getsockname(sock, (struct sockaddr*) &addr, &addrlen) != 0)
+        _error->Errno("getsockname", "Could not get chosen port number");
+      else
+        port = ntohs(addr.sin6_port);
+   }
+   std::string const portfilename = _config->Find("aptwebserver::portfile", "");
+   if (portfilename.empty() == false)
+   {
+      FileFd portfile(portfilename, FileFd::WriteOnly | FileFd::Create | FileFd::Empty);
+      std::string portcontent;
+      strprintf(portcontent, "%d", port);
+      portfile.Write(portcontent.c_str(), portcontent.size());
+      portfile.Sync();
+   }
+   _config->Set("aptwebserver::port::http", port);
 
-   std::vector<std::string> messages;
-   int client;
-   while ((client = accept(sock, NULL, NULL)) != -1)
+   FileFd pidfile;
+   if (_config->FindB("aptwebserver::fork", false) == true)
    {
-      std::clog << "ACCEPT client " << client
-               << " on socket " << sock << std::endl;
+      std::string const pidfilename = _config->Find("aptwebserver::pidfile", "aptwebserver.pid");
+      int const pidfilefd = GetLock(pidfilename);
+      if (pidfilefd < 0 || pidfile.OpenDescriptor(pidfilefd, FileFd::WriteOnly) == false)
+      {
+        _error->Errno("aptwebserver", "Couldn't acquire lock on pidfile '%s'", pidfilename.c_str());
+        _error->DumpErrors(std::cerr);
+        return 3;
+      }
 
-      while (ReadMessages(client, messages))
+      pid_t child = fork();
+      if (child < 0)
       {
-        bool closeConnection = false;
-        for (std::vector<std::string>::const_iterator m = messages.begin();
-             m != messages.end() && closeConnection == false; ++m) {
-           std::clog << ">>> REQUEST >>>>" << std::endl << *m
-                     << std::endl << "<<<<<<<<<<<<<<<<" << std::endl;
-           std::list<std::string> headers;
-           std::string filename;
-           bool sendContent = true;
-           if (parseFirstLine(client, *m, filename, sendContent, closeConnection) == false)
-              continue;
+        _error->Errno("aptwebserver", "Forking failed");
+        _error->DumpErrors(std::cerr);
+        return 4;
+      }
+      else if (child != 0)
+      {
+        // successfully forked: ready to serve!
+        std::string pidcontent;
+        strprintf(pidcontent, "%d", child);
+        pidfile.Write(pidcontent.c_str(), pidcontent.size());
+        pidfile.Sync();
+        if (_error->PendingError() == true)
+        {
+           _error->DumpErrors(std::cerr);
+           return 5;
+        }
+        std::cout << "Successfully forked as " << child << std::endl;
+        return 0;
+      }
+   }
 
-           std::string host = LookupTag(*m, "Host", "");
-           if (host.empty() == true)
-           {
-              // RFC 2616 ยง14.23 requires Host
-              sendError(client, 400, *m, sendContent, "Host header is required");
-              continue;
-           }
+   std::clog << "Serving ANY file on port: " << port << std::endl;
 
-           // string replacements in the requested filename
-           ::Configuration::Item const *Replaces = _config->Tree("aptwebserver::redirect::replace");
-           if (Replaces != NULL)
-           {
-              std::string redirect = "/" + filename;
-              for (::Configuration::Item *I = Replaces->Child; I != NULL; I = I->Next)
-                 redirect = SubstVar(redirect, I->Tag, I->Value);
-              redirect.erase(0,1);
-              if (redirect != filename)
-              {
-                 sendRedirect(client, 301, redirect, *m, sendContent);
-                 continue;
-              }
-           }
+   int const slaves = _config->FindI("aptwebserver::slaves", SOMAXCONN);
+   std::cerr << "SLAVES: " << slaves << std::endl;
+   listen(sock, slaves);
+   /*}}}*/
 
-           ::Configuration::Item const *Overwrite = _config->Tree("aptwebserver::overwrite");
-           if (Overwrite != NULL)
-           {
-              for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next)
-              {
-                 regex_t *pattern = new regex_t;
-                 int const res = regcomp(pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB);
-                 if (res != 0)
-                 {
-                    char error[300];
-                    regerror(res, pattern, error, sizeof(error));
-                    sendError(client, 500, *m, sendContent, error);
-                    continue;
-                 }
-                 if (regexec(pattern, filename.c_str(), 0, 0, 0) == 0)
-                 {
-                     filename = _config->Find("aptwebserver::overwrite::" + I->Tag + "::filename", filename);
-                     if (filename[0] == '/')
-                        filename.erase(0,1);
-                     regfree(pattern);
-                     break;
-                 }
-                 regfree(pattern);
-              }
-           }
+   _config->CndSet("aptwebserver::response-header::Server", "APT webserver");
+   _config->CndSet("aptwebserver::response-header::Accept-Ranges", "bytes");
+   _config->CndSet("aptwebserver::directoryindex", "index.html");
 
-           // deal with the request
-           if (RealFileExists(filename) == true)
-           {
-              FileFd data(filename, FileFd::ReadOnly);
-              std::string condition = LookupTag(*m, "If-Modified-Since", "");
-              if (condition.empty() == false)
-              {
-                 time_t cache;
-                 if (RFC1123StrToTime(condition.c_str(), cache) == true &&
-                       cache >= data.ModificationTime())
-                 {
-                    sendHead(client, 304, headers);
-                    continue;
-                 }
-              }
+   std::list<int> accepted_clients;
 
-              addFileHeaders(headers, data);
-              sendHead(client, 200, headers);
-              if (sendContent == true)
-                 sendFile(client, data);
-           }
-           else if (DirectoryExists(filename) == true)
-           {
-              if (filename == "." || filename[filename.length()-1] == '/')
-                 sendDirectoryListing(client, filename, *m, sendContent);
-              else
-                 sendRedirect(client, 301, filename.append("/"), *m, sendContent);
-           }
-           else
-              sendError(client, 404, *m, sendContent);
-        }
+   while (true)
+   {
+      int client = accept(sock, NULL, NULL);
+      if (client == -1)
+      {
+        if (errno == EINTR)
+           continue;
+        _error->Errno("accept", "Couldn't accept client on socket %d", sock);
         _error->DumpErrors(std::cerr);
-        messages.clear();
-        if (closeConnection == true)
-           break;
+        return 6;
       }
 
-      std::clog << "CLOSE client " << client
-               << " on socket " << sock << std::endl;
-      close(client);
+      pthread_attr_t attr;
+      if (pthread_attr_init(&attr) != 0 || pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED) != 0)
+      {
+        _error->Errno("pthread_attr", "Couldn't set detach attribute for a fresh thread to handle client %d on socket %d", client, sock);
+        _error->DumpErrors(std::cerr);
+        close(client);
+        continue;
+      }
+
+      pthread_t tid;
+      // thats rather dirty, but we need to store the client socket somewhere safe
+      accepted_clients.push_front(client);
+      if (pthread_create(&tid, &attr, &handleClient, &(*accepted_clients.begin())) != 0)
+      {
+        _error->Errno("pthread_create", "Couldn't create a fresh thread to handle client %d on socket %d", client, sock);
+        _error->DumpErrors(std::cerr);
+        close(client);
+        continue;
+      }
    }
+   pidfile.Close();
+
    return 0;
 }