Commit graph

438 commits

Author SHA1 Message Date
KLuka
4aa0eb97e4 Disable HTTP fallback via "/plain" URL (CVE-2015-8400)
* Disabled all methods of HTTP fallback when HTTPS is enabled. This
  is enforced on server side so that even modified client code (JS)
  can not redirect client from HTTPS to HTTP, like it was possible
  before (issue #355).
* Current solution unfortunately also disables automatic upgrade from
  HTTP to HTTPS (when available), since all non-SSL connections are
  dropped immediately.
2015-12-03 17:47:26 +01:00
KLuka
aaa00551bf Issue #119, #312, #354: Soft keyboard icon
* Added logic that enables soft keyboard icon by default on some
  clients like Kindle, PS Vita, iPad, ...
2015-11-17 19:43:22 +01:00
KLuka
106bc0aa85 Issue #354: iOS client compatibility
* Added more iOS clients that should use workaround to prevent ever
  growing console.
2015-11-17 19:36:10 +01:00
KLuka
f67073d33e Issue #350: Support for middle click paste
* Added limited support for middle click pasting. For most browsers
  and operating systems middle click pasting works only for content
  selected in current shellinabox window.
2015-10-20 20:40:20 +02:00
Marc Singer
c87588613a Update version for release. 2015-10-10 10:54:36 -07:00
KLuka
e30c33d323 Issue #347: Added dummy release in Debian changelog
* This is needed so that manually built Debian packages will contain
  latest version.
2015-09-17 10:39:43 +02:00
KLuka
973f1527bd Updated preview image in README 2015-09-06 21:32:13 +02:00
KLuka
cde2e92378 Issue #341: Fixed reverse video rendering
* Added new CSS class for handling reverse video with default terminal
  colors. For colors given with value 0-255 background and foreground
  values are just switched.
* New CSS classes were also added to Black On White and White On Black
  color themes.
2015-09-03 19:01:48 +02:00
KLuka
7dd9d4300c Minor improvements
* Use stdout for usage and version information. Patch taken from
  issue #344.
* Removed automatic usage display when command line parsing fails.
* Added version information in debug output.
2015-09-03 19:00:16 +02:00
KLuka
b58542eb99 Added CGI session key in HTTP response header
* Session key is returned in first HTTP response if CGI mode is used.
  Header field is named 'X-ShellInABox-Session'. This can be used by
  some special applications that need unique token.
2015-09-03 18:04:15 +02:00
KLuka
8d3c5cdc3d Raised version to 2.19 2015-09-01 13:13:13 -04:00
Benji Wiebe
09e790bb27 Added config.cache to gitignore 2015-09-01 13:06:21 -04:00
KLuka
b828574899 Issue #103: Child process cleanup under PAM session
* Added signal handling in PAM session process. Now SIGHUP signals are
  forwarded to child process, which is the actual service. Launcher process
  uses this type of signals to terminate service on http connection
  timeout.
2015-08-30 22:48:14 +02:00
Luka Krajger
eb2968b1d0 Merge pull request #340 from BenjiWiebe/master
Added autoconf/automake stuff for compatibility with older auto* versions
2015-08-30 19:10:04 +02:00
Benji Wiebe
36f512cc63 Added explanatory comments 2015-08-28 23:42:09 -05:00
Benji Wiebe
284265651b Added autoconf/automake stuff for compatibility with older auto* versions 2015-08-28 23:15:13 -05:00
Luka Krajger
0d522a05ca Merge pull request #339 from BenjiWiebe/master
Added --disable-utmp-logging option
2015-08-28 20:44:16 +02:00
Benji Wiebe
3ff0ad5768 Added --disable-utmp-logging option 2015-08-27 23:16:06 -05:00
Luka Krajger
6f30739e33 Merge pull request #338 from BenjiWiebe/master
Kill children with HUP instead of TERM at end of session
2015-08-27 23:49:37 +02:00
Benji Wiebe
7f5064efcd Reset sigaction for SIGHUP to default in child 2015-08-27 14:08:39 -05:00
Benji Wiebe
145abf1fcc Kill children with HUP instead of TERM at end of session 2015-08-27 13:26:42 -05:00
KLuka
48a65d6bcb Fixed handling of large HTTP requests
* Protection against large HTTP requests was fixed by adding some null
  pointer checks. Too large HTTP requests are now correctly handled by
  returning error code and closing connection.
2015-08-26 23:27:06 +02:00
KLuka
6c9f98bf34 Logging and debugging
* Added prefixes to all log messages. Prefix should describe source of
  message, like "config", "http", "ssl", "server", etc... This should
  give users more info to figure out what went wrong or what is going
  on. Prefixes also make automatic processing easier.
* Usage is not displayed by default when given command line options are
  incorrect. This way it is easier to notice actual error.
2015-08-23 19:25:36 +02:00
KLuka
d74e60b6a7 Added system logging for important errors
* Messages with "fatal" or "error" log level are now also passed to
  syslogd service with help of vsyslog() function.
* On systems that use syslog service, these messages will be available
  in default system log files like /var/log/syslog or /var/log/messages.
2015-08-21 18:08:11 +02:00
KLuka
dfd885c011 Raised version 2015-08-21 17:44:06 +02:00
Marc Singer
acba554b6b Package release commit. 2015-08-07 20:53:15 -07:00
Luka Krajger
02838e530f Merge pull request #332 from KLuka/ssl
SSL patches
2015-08-06 18:22:07 +02:00
KLuka
1f54ff5f71 Added prefix to SSL related debug messages 2015-08-06 18:11:32 +02:00
KLuka
eacb2fcb81 Disable secure client-initiated renegotiation
* In case that this SSL feature is abused it is possible to overload the
  server. Other web servers disable this feature by default, but users
  are able to change it with configuration. This is not possible with
  shellinabox as this feature is not needed.
* Solution was implemented similarly as in Lighttpd web server.
2015-08-06 18:06:11 +02:00
KLuka
f0437832d3 Added support for Perfect Forward Secrecy (#331)
* Support for PFS is enabled with help of cipher suites that use ECDHE
  key exchange. OpenSSL added support for elliptic curve operations (EC)
  in version 0.9.8. Note that there are also some library distributions
  which don't support EC operations.
* Added precompiler guards for builds with OpenSSL older than 0.9.8 and
  builds with '--enable-runtime-loading' configure script option.
* Cleaned up some SSL related code.
2015-08-05 17:57:05 +02:00
KLuka
477818e088 Fixed broken visual bell style in default CSS 2015-07-27 20:08:47 +02:00
KLuka
7cc877cdd8 Clean up build and lintian warnings (#328)
* Added wrapper macros to suppress compiler warnings about unused return
  values of setres*id() functions. We don't need checks at that point
  as it doesn't affect our program.
* Added macro in configure.ac script to overwrite default AR_FLAGS, which
  were causing build warnings.
* Removed debian/watch file as it is not needed anymore, because now this
  is native Debian package.
2015-07-27 19:57:19 +02:00
Marc Singer
8ac3a4efcf Release to guarantee upgrade. 2015-07-24 11:54:39 -07:00
Marc Singer
7794fa4f64 Merge remote-tracking branch 'refs/remotes/origin/master' 2015-07-24 09:44:50 -07:00
Marc Singer
001613b538 Changing to native package.
o Debian source type is 3.0 native.
o Properly builds package elements ready for release.
o Merging Alexandre's changelog entry with this one and retaining 2.15
  version number.
2015-07-24 09:23:27 -07:00
Marc Singer
655d0a3b0d Improving cleanliness.
o Some files in the demo/ directory were committed and should not have
  been.  These are removed.
o Cleaning includes removing demo/ directory transients.
o Debian rules explicitly perform demo/ cleanup so that source tarball
  is correct.
o Resolves #329
2015-07-24 09:23:27 -07:00
KLuka
9dcef5688f Added Github url in context menu "About..." popup 2015-07-24 16:08:05 +02:00
Luka Krajger
f8f937608c Merge pull request #325 from sroeder/master
Added @ character to the list of valid username characters.

* This allows login with "bad" username, even if shellinabox is configured to
  run with SSH service. For LOGIN service this was always possible.
2015-07-21 18:43:27 +02:00
Scott Roeder
34bbeab314 Added @ character to the list of valid username characters. 2015-07-21 12:27:24 +04:00
KLuka
b4de69ed5c Fixed option --service for running custom scripts
* Full path of command is passed to function execvp(), when we launch
  user defined service. This was broken since commit b3309b2.
2015-07-17 13:43:01 +02:00
KLuka
458cd7aa8f Minor improvements
* Added "reconnect" and "onsessionchange" message types to use with
  embedded terminal. Usage examples were added to misc/embedded.html
  file.
* Improved code for unix domain socket functionality.
2015-07-09 21:51:43 +02:00
KLuka
bdca920abc Another update for unix domain sockets support
* Changed initialization of variables and handling of unix socket path.
* Added fixes for command line argument parsing, that I forgot in previous
  commit.
2015-07-07 10:48:14 +02:00
KLuka
c6186530bb Minor fixes for unix domain sockets
* Improved user input checking and error handling for code from #320.
* Added some guards for unlinking socket file in server init and destroy
  functions.
* Added peer name handling for AF_UNIX type connections in HTTP handling
  code.
2015-07-06 22:02:54 +02:00
Luka Krajger
c7b41ad4ce Merge pull request #320 from rkd77/unixdomain
Unix domain sockets support.
2015-07-06 21:14:22 +02:00
Witold Filipczyk
4d8ec30100 Unix domain sockets support.
The socket is not removed on shutdown, but the rest seems to work.
2015-07-01 13:06:04 +02:00
Luka Krajger
8f38e7873b Merge pull request #317 from KLuka/messages
Message passing to embedded shellinabox

* Added ability to pass messages to or from shellinabox embedded iframe.
* Added example file.
2015-06-19 09:22:18 +02:00
KLuka
fb4ebaf01f Improved message passing info and examples 2015-06-17 18:11:59 +02:00
KLuka
4f32ae3f2f Message passing examples for embedded shellinabox
* Added misc/embedded.html file with more info and actual examples
  on message passing to or from embedded shellinabox frame.
2015-06-16 22:30:02 +02:00
KLuka
1676f1a887 Message passing support for embedded shellinabox
* Added basic support for message passing to or from embedded
  shellinabox iframe. Now we can write to terminal, read the
  terminal output and request session status from parent window.
* This functionality must be enabled with command line parameter
  "--messages-origin ORIGIN". Value ORIGIN, which is compared
  against received message origin, must be set to specific
  url, or to "*" to allow messages from any origin.
2015-06-16 18:54:39 +02:00
KLuka
bcac95b9fa Issue #63, #315: only one line is displayed
* Changed detection for when terminal is embedded in another element.
  Now we allow one pixel difference between calculated terminal width
  and body width. This needs to be done because some browsers report
  wrong width in offsetWidth property, when browser zoom is in use.
* Updated README
2015-06-12 15:53:57 +02:00