`diff -urN /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/bftpd-2.3/bftpd.fw.conf /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/bftpd-2.3/bftpd.fw.conf
--- /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/bftpd-2.3/bftpd.fw.conf 2017-03-23 17:00:09.000000000 +0100
+++ /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/bftpd-2.3/bftpd.fw.conf 2017-06-22 15:33:12.000000000 +0200
@@ -281,8 +281,8 @@
directory "/" {
ALLOWCOMMAND_DELE="no"
ALLOWCOMMAND_STOR="no"
- ALLOWCOMMAND_XMKD="no"
- ALLOWCOMMAND_MKD="no"
- ALLOWCOMMAND_XMKD="yes"
- ALLOWCOMMAND_MKD="yes"
ALLOWCOMMAND_APPE="no"
ALLOWCOMMAND_XRMD="no"
ALLOWCOMMAND_RMD="no"
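Review bot: Setting `ALLOWCOMMAND_XMKD` and `ALLOWCOMMAND_MKD` to "yes" in the `directory "/"` block means the configuration no longer says that directory creation is refused at the top level; that rule now exists only in the length check this diff adds to commands.c. The `directory "/shares"` hunk that follows has the same effect. A comment above each pair would keep the file readable on its own, for example `# MKD/XMKD enabled for subdirectories only; creation directly in "/" and "/shares" is refused in commands.c`. The +/- markers on this page are damaged, so the "yes" pair is taken as the new side because it follows the "no" pair.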
@@ -292,8 +292,8 @@
directory "/shares" {
ALLOWCOMMAND_DELE="no"
ALLOWCOMMAND_STOR="no"
- ALLOWCOMMAND_XMKD="no"
- ALLOWCOMMAND_MKD="no"
- ALLOWCOMMAND_XMKD="yes"
- ALLOWCOMMAND_MKD="yes"
ALLOWCOMMAND_APPE="no"
ALLOWCOMMAND_XRMD="no"
ALLOWCOMMAND_RMD="no"
diff -urN /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/bftpd-2.3/commands.c /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/bftpd-2.3/commands.c
--- /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/bftpd-2.3/commands.c 2017-03-23 17:00:09.000000000 +0100
+++ /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/bftpd-2.3/commands.c 2017-06-22 15:33:20.000000000 +0200
@@ -65,6 +65,10 @@
#undef WANT_GZIP
#endif
+extern int adminpwd_lan_protect ;
+extern int adminpwd_wan_protect ;
+extern int is_remote ;
+
int state = STATE_CONNECTED;
char user[USERLEN + 1];
struct sockaddr_in sa;
@@ -268,7 +272,15 @@
respond with code 230 'User logged in, proceed'. */
if (all_file_readable_writable()){
state = STATE_USER;
-
if(((adminpwd_lan_protect == 1) && (is_remote==0))
-
||((adminpwd_wan_protect == 1) && (is_remote==1)))
-
-
control_printf(SL_SUCCESS, "331 Password please.");
-
-
-
-
-
}
else {
@@ -320,6 +332,12 @@
}
#endif
#endif
+/* It is a temp measure to fix issue that chrome can't response "331 password please" correctly*/
-
if (password && (strcmp(password, "[email protected]") == 0)) {
-
control_printf(SL_FAILURE, "530 Login incorrect.");
-
-
}
-
if (bftpd_login(password)) {
bftpd_log("Login as user '%s' failed.\n", user);
control_printf(SL_FAILURE, "530 Login incorrect.");
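Review bot: The added special case compares `password` with one hard-coded literal and answers `530 Login incorrect.`, and no `bftpd_log` call is visible for it, unlike the failure branch directly below, so these rejections may leave no trace in the log. The comment calls it a temporary measure but names no issue and no removal condition; something like `/* Workaround for <issue id>: reject the placeholder password the browser sends instead of prompting; remove once <condition> */` would let a maintainer judge it. The lines between the `control_printf` and the closing brace are missing from this page, so confirm the branch returns before `bftpd_login(password)` is reached. The literal itself has been replaced by the page's e-mail obfuscation and cannot be checked here.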
@@ -1540,6 +1558,13 @@
if (pre_write_script)
run_script(pre_write_script, mapped);
-
// forbid mkdir in "/" or "/shares/" directory.
-
if (strlen(mapped) <= (strlen(dirname) + 8))
-
-
control_printf(SL_FAILURE, "451 Error: Unable to create directory.");
-
-
-
if (mkdir(mapped, 0777)) {
bftpd_log("Error: '%s' while trying to create directory '%s'.\n",
strerror(errno), dirname);
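Review bot: The new refusal sits after `run_script(pre_write_script, mapped)`, so the pre-write script still runs for a request that is then rejected with 451; the check belongs above the `if (pre_write_script)` line. The rule is written as `strlen(mapped) <= (strlen(dirname) + 8)`, which infers the parent directory from string lengths and a bare 8 (presumably `strlen("/shares/")`). It therefore depends on how `bftpd_cwd_mappath` normalises the argument, and it appears to refuse absolute arguments that point into permitted subdirectories as well. Comparing the parent of `mapped` with the two protected directories by name would make the policy checkable; the CHMOD hunk at -1693 uses the same comparison with `my_string`. The lines after the `control_printf` are missing here, so verify that the refusal path frees `mapped` and returns.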
@@ -1693,6 +1718,15 @@
}
/* mapped = bftpd_cwd_mappath(strdup(strchr(params, ' ') + 1)); */
mapped = bftpd_cwd_mappath(my_string);
-
// forbid chmod in "/" or "/shares/" directory.
-
if (strlen(mapped) <= (strlen(my_string) + 8))
-
-
-
control_printf(SL_FAILURE, "550: An error occured on the server trying to CHMOD.");
-
-
-
free(my_string);
if (pre_write_script)`
`diff -urN /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/dnrd-2.19/src/master.c /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/dnrd-2.19/src/master.c
--- /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/dnrd-2.19/src/master.c 2017-03-23 17:02:21.000000000 +0100
+++ /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/dnrd-2.19/src/master.c 2017-06-23 13:16:45.000000000 +0200
@@ -66,6 +66,8 @@
#define NTGR_APPS_URL1 "www.netgear.com"
#endif
+#define NTGR_APPS_URL_TEMP "http.updates1.netgear.com"
+
typedef struct _string {
unsigned int code;
char *string;
@@ -481,7 +483,8 @@
if (( (access("/tmp/blank_state.out",F_OK)==0) || (access("/tmp/dnshj.out",F_OK)==0) || (access("/tmp/brs_hijack.out",F_OK)==0))
&& do_hack_dns && (rec->type == DNS_NAMEIP) &&
//if (do_hack_dns && (rec->type == DNS_NAMEIP) &&
-
(strcmp(rec->object.string, hack_dns_name) == 0)
-
//(strcmp(rec->object.string, hack_dns_name) == 0)
-
(strcmp(rec->object.string, hack_dns_name) == 0) && (strcmp(name,NTGR_APPS_URL_TEMP)!=0)
#ifdef GUI_V14
&& (strcmp(name, NTGR_APPS_URL) != 0)
&& (strcmp(name, NTGR_APPS_URL1) != 0)
diff -urN /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/dnrd-2.19/src/udp.c /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/dnrd-2.19/src/udp.c
--- /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/dnrd-2.19/src/udp.c 2017-03-23 17:02:21.000000000 +0100
+++ /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/dnrd-2.19/src/udp.c 2017-06-23 13:36:12.000000000 +0200
@@ -32,6 +32,7 @@
#include <string.h>
#include <time.h>
#include <assert.h>
+#include <unistd.h>
#include "common.h"
#include "relay.h"
#include "cache.h"
@@ -65,6 +66,34 @@
} RR_t;
#pragma pack(pop)
+#include <stdarg.h>
+static int print_console_func(const char *format, ...)
+{
- if (access("/tmp/debug_dnrd_console", F_OK) == 0)
- {
+#if 1
+#define CONSOLE "/dev/console"
-
-
-
-
-
fp = fopen(CONSOLE, "w");
-
-
-
printf("can't open %s \n", CONSOLE);
-
-
-
-
-
vfprintf(fp, format, arg);
-
+#endif
int SYSTEM(const char *format, ...)
{
char buf[SYSTEM_BUF_SIZE]="";
@@ -379,6 +408,75 @@
}
#ifdef GUI_V14
+
+
+#define ANSWER_IP_MAX 100
+char answer_ip[ANSWER_IP_MAX][32];
+
+/* get dns answer from reply pkts */
+uint32_t get_answer_ip(char *data, int len, int answered_count)
+{
- int ret = 0;
- RR_t dns_rr;
- char *pt = data;
- int i = 0, offset;
- int parsered_count = 0, got_answered_count = 0;
- uint32_t ret_ip = 0;
- /* prepare data, eat dns query part */
- while(*pt != 0)
-
- pt = pt + 5;
- while(i + sizeof(dns_rr) < len)
- {
-
memcpy(&dns_rr, pt, sizeof(dns_rr));
-
-
/* the answer is ipv4 address */
-
if(ntohs(dns_rr.rr_type) == 1)
-
-
if(i + sizeof(dns_rr) + 4 <= len)
-
-
pt = pt + sizeof(dns_rr);
-
-
-
-
-
strcpy(&answer_ip[got_answered_count ++][0], inet_ntoa(ip_ans));
-
print_console_func("get response %d: %s\n", answered_count, inet_ntoa(ip_ans));
-
if (got_answered_count >= ANSWER_IP_MAX)
-
-
print_console_func("no enough space\n");
-
-
-
-
-
if (parsered_count >= answered_count)
-
-
print_console_func("get all response\n");
-
-
-
-
-
-
-
-
-
offset = ntohs(dns_rr.rr_length) + sizeof(dns_rr);
-
if((i = i + offset) <= len)
-
-
/* Go to the next record */
-
-
-
- }
- return ret;
+}
+#if 0
/* get dns answer from reply pkts */
uint32_t get_answer_ip(char *data, int len)
{
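Review bot: `get_answer_ip` walks a DNS reply received from the network, and the visible bounds checks do not follow the read pointer: the question-skip loop `while(*pt != 0)` has no limit tied to `len`, and the record loop tests `i + sizeof(dns_rr) < len` with `i` starting at 0 although `pt` has already moved past the question, so `memcpy(&dns_rr, pt, sizeof(dns_rr))` can read beyond the received bytes on a short or malformed reply. Bounding both loops by the pointer offset would close this, e.g. `while (pt < data + len && *pt != 0)` and `while ((size_t)(pt - data) + sizeof(dns_rr) <= (size_t)len)`, after rejecting `len <= 0` (the caller passes `len - 12`, and the mixed signed/unsigned comparison turns a negative `len` into a very large bound). The function is declared `uint32_t` but returns the `int ret`, and `ret_ip` looks unused. Many lines of this hunk are missing from the page, so these are points to confirm against the full source.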
@@ -417,6 +515,7 @@
return ret_ip;
}
#endif
+#endif
/*
- handle_udpreply()
@@ -435,6 +534,8 @@
unsigned addr_len;
query_t *q = prev->next;
int reply;
-
int answerip_i = 0;
-
int ret = 0;
log_debug(3, "handling socket %i", q->sock);
if ((len = reply_recv(q, msg, UDP_MAXSIZE)) < 0)
@@ -527,7 +628,8 @@
{
sprintf_cname(&msg[12], len-12, buf, 256);
-
if(strcmp(buf,"updates1.netgear.com")==0)
-
//if(strcmp(buf,"updates1.netgear.com")==0)
-
if(strcmp(buf,"updates1.netgear.com")==0 || strcmp(buf,"http.updates1.netgear.com")==0)
{
state = nvram_safe_get("config_state");
if( strcmp(state,"configured")==0 || strcmp(state,"blankstate")==0)
@@ -544,6 +646,33 @@
*/
struct in_addr ip_ans;
char ip1[32] = "";
+
+
-
memset(&answer_ip[0][0], 0, sizeof(answer_ip));
-
ret = get_answer_ip(&msg[12], len - 12, ntohs(((dnsheader_t *)msg)->ancount));
-
-
-
for (answerip_i=0; answerip_i<ANSWER_IP_MAX; answerip_i++)
-
-
memset(ip1, 0, sizeof(ip1));
-
strcpy(ip1, &answer_ip[answerip_i][0]);
-
if(ip1[0] && strcmp(ip1,"66.114.62.22")!=0 &&
-
strcmp(ip1,"66.114.62.29")!=0 &&
-
strcmp(ip1,"174.35.24.133")!=0 &&
-
strcmp(ip1,"101.96.10.64")!=0)
-
-
for(group_id = group_sid; group_id <= group_eid; group_id ++)
-
-
-
SYSTEM("/usr/sbin/iptables -t nat -D PREROUTING -i group%d -d %s -p tcp --dport 80 -j RETURN", group_id, ip1);
-
SYSTEM("/usr/sbin/iptables -t nat -I PREROUTING -i group%d -d %s -p tcp --dport 80 -j RETURN", group_id, ip1);
-
-
-
-
-
+/*
ip_ans.s_addr = get_answer_ip(&msg[12], len - 12);
if(ip_ans.s_addr != 0)
{
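Review bot: The loop over `answer_ip` always runs `ANSWER_IP_MAX` iterations and, for each non-empty slot, shells out twice per group through `SYSTEM`, so one reply for the update host can cause up to 100 x groups x 2 `iptables` invocations inside the UDP reply handler. Stopping at the first empty slot, `for (answerip_i = 0; answerip_i < ANSWER_IP_MAX && answer_ip[answerip_i][0]; answerip_i++)`, removes the idle iterations, and a much smaller cap than 100 would bound the work an unauthenticated DNS answer can trigger. `ret` is assigned from `get_answer_ip` but not read in the visible lines. The address is safe to interpolate into the command line only because it is `inet_ntoa` output; a comment saying so would protect that invariant, since every A record in the reply becomes a `RETURN` exemption in `PREROUTING`.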
@@ -557,6 +686,7 @@
}
}
}
/*
if(strcmp(ip2,"66.114.62.22")!=0 && strcmp(ip2,"66.114.62.29")!=0 && strcmp(ip2,ip1)!=0 && strcmp(ip2,"174.35.24.133")!=0)
{`
`diff -urN /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/mini_httpd-1.17beta1/mini_httpd.c /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/mini_httpd-1.17beta1/mini_httpd.c
--- /home/negan07/Desktop/D7000_V1.0.1.48_WW_src/Source/apps/mini_httpd-1.17beta1/mini_httpd.c 2017-03-27 17:13:40.000000000 +0200
+++ /home/negan07/Desktop/D7000_V1.0.1.50_WW_src/Source/apps/mini_httpd-1.17beta1/mini_httpd.c 2017-06-22 15:33:28.000000000 +0200
@@ -1458,8 +1458,8 @@
if( ((strstr(path,".gif")!=NULL) || (strstr(path,".css") !=NULL) || (strstr(path,".js") != NULL)
|| (strstr(path,".xml") != NULL)
|| (strstr(path,".jpg") != NULL))
-
//avoid a url like "xxx.htm/xxxx.js, this can skip auth"
-
&& ((strstr(path, ".htm") == NULL) && (strstr(path, ".html") == NULL) && (strstr(path, ".asp") == NULL))
-
//avoid a url like "xxx.htm/xxxx.js, this can skip auth" //PSV-2017-2212
-
&& ((strstr(path, ".htm") == NULL) && (strstr(path, ".html") == NULL) && (strstr(path, ".asp") == NULL) && (strstr(path, "todo=") == NULL))
)
return 1;
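Review bot: The no-authentication test still decides by substring: `strstr(path, ".js")` and its siblings match anywhere in `path`, and the change tagged PSV-2017-2212 adds one more excluded token (`todo=`) to the exception list instead of tightening the match. A check that takes the extension of the final path component only, after cutting `path` at any `?`, would not need a growing exclusion list; the `.html` test is also already covered by `.htm`. The enclosing function starts and ends outside this hunk, so whether `path` carries the query string here is inferred from the `todo=` test.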
@@ -2490,6 +2490,13 @@
if ( lstat( buf, &sb ) < 0 )
return ""; /* don't show "???" to end user. --billGuo */
- /* Do not show symlink file or directory in USB directory */
- if(is_usb_session && S_ISLNK(sb.st_mode))
- {
-
if( strlen(name) && strstr(dir, "shares/") )
-
- }
//(void) strftime( f_time, sizeof( f_time ), "%d%b%Y %H:%M", localtime( &sb.st_mtime ) );
(void) strftime( f_time, sizeof( f_time ), "%A, %B %d, %Y %l:%M %p", localtime( &sb.st_mtime ) );
strencode( encname, sizeof(encname), name );
@@ -3567,6 +3574,12 @@
buflen = snprintf( buf, sizeof(buf), "Last-Modified: %s\r\n", timebuf );
add_to_response( buf, buflen );
}
- snprintf(buf, sizeof(buf), "X-Frame-Options: SAMEORIGIN\015\012");
- add_to_response( buf, buflen );
- snprintf(buf, sizeof(buf), "X-XSS-Protection: 1;mode=block\015\012");
- add_to_response( buf, buflen );
- snprintf(buf, sizeof(buf), "X-Content-Type-Options: nosniff\015\012");
- add_to_response( buf, buflen );
buflen = snprintf( buf, sizeof(buf), "Connection: close\r\n\r\n" );
add_to_response( buf, buflen );
}
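Review bot: The three added header lines discard the return value of `snprintf`, so each `add_to_response( buf, buflen )` uses the `buflen` left over from the preceding `Last-Modified` line (or an earlier header when that branch is skipped) and appends the wrong number of bytes. Depending on that stale length the response carries truncated headers or trailing bytes from the old buffer contents, and a browser may not honour the new protections. Assign the length on each of the three lines, as the surrounding code does: `buflen = snprintf(buf, sizeof(buf), "X-Frame-Options: SAMEORIGIN\015\012");` and likewise for `X-XSS-Protection` and `X-Content-Type-Options`.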
@@ -4629,14 +4642,98 @@
return 0;
}
+int is_usb_subdir_file(const char *dir)
+{
- if(dir && *dir)
- {
-
if( strstr(dir, "shares/USB_Storage")
-
&& (strlen(dir) > strlen("shares/USB_Storage/")))
-
-
if((strstr(dir, "shares/") && strstr(dir, "_Drive"))
-
&& (strlen(dir) > strlen("shares/T_Drive/")))
-
- }
- return 0;
+}
+int is_symlink(char *buf)
+{
- struct stat sb2;
- if(lstat(buf, &sb2) < 0)
-
- if(S_ISLNK(sb2.st_mode))
-
- else
-
+}
+
+int usb_subdir_is_symlink(char *buf)
+{
- char *p = buf;
- int i = 0;
- while(*p)
- {
-
-
-
-
/* shares/USB_Storage/ or shares/x_Drive/xxx/ ,so skip two */
-
-
-
/* begin process 3nd, 4th ... */
-
-
-
-
-
-
-
-
- }
- return 0;
+}
static int is_readable(const char *dir, const char *name)
{
FILE *fp = NULL;
char dir_a[2048]={0,}, auth[64];
- static char buf[2048]={0};
struct usb_user_t *user;
char tmp[2048],real_path[2056];
struct stat stat_mine;
- if(is_usb_subdir_file(dir))
- {
-
/* If it is link, we will think it is not read*/
-
if(strlen(dir) > sizeof(buf))
-
strncpy(buf, dir, sizeof(buf)-1);
-
-
-
if(buf[strlen(buf)-1] == '/')
-
-
-
-
-
-
-
-
-
-
/* fully path is not symlink, but the path directory will be symlink
-
such as shares/USB_Storage/tmp/ntp_start is a real file
-
but shares/USB_Storage/tmp is symlink, so we need check the directory path whether own symlink
-
-
if(usb_subdir_is_symlink(buf))
-
-
-
-
- }
- memset(buf, 0, sizeof(buf));
- user = usb_user_lookup(remote_ip);
SC_CFPRINTF("####DEBUG dir=<%s>, name=<%s>\n",dir,name);
if(*(dir+strlen(dir)-1) != '/')`
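Review bot: In `is_readable` the guard `if(strlen(dir) > sizeof(buf))` lets through a `dir` of exactly `sizeof(buf)` characters, which `strncpy(buf, dir, sizeof(buf)-1)` then silently shortens, so the symlink test would run on a different path from the one being served; `if (strlen(dir) >= sizeof(buf))` rejects that case. The symlink decision is made with `lstat` on path names before the file is used, so it holds only if the USB tree cannot change between the check and the open, which is worth stating in the comment. `is_usb_subdir_file` matches `shares/USB_Storage` and `_Drive` with `strstr` anywhere in `dir`, so it depends on `dir` already being normalised. Most bodies in this hunk are missing from the page, and `is_readable` continues past it.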