check that we can really read the file

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-merge-1.4.x@681 152afb58-edef-0310-8abb-c4023f1b3aa9

src/base.h

@@ -551,6 +551,9 @@ typedef struct {
 	stat_cache  *stat_cache;
 	
 	fdevent_handler_t event_handler;
+
+	uid_t uid;
+	gid_t gid;
 } server;
 
 

src/response.c

@@ -409,7 +409,29 @@ handler_t http_response_prepare(server *srv, connection *con) {
 					
 					return HANDLER_FINISHED;
 				}
+			} else if (!S_ISREG(sce->st.st_mode)) {
+				/* any special handling of non-reg files ?*/
+
+
 			}
+
+			/* can we read the file ? */
+			if (!(sce->st.st_mode & S_IROTH) &&
+			    !(srv->gid == sce->st.st_gid && 
+			      sce->st.st_mode & S_IRGRP) &&
+			    !(srv->uid == sce->st.st_uid &&
+			      sce->st.st_mode & S_IRUSR)) {
+
+				con->http_status = 403;
+	
+				if (con->conf.log_request_handling) {
+					log_error_write(srv, __FILE__, __LINE__,  "s",  "-- access denied");
+					log_error_write(srv, __FILE__, __LINE__,  "sb", "Path         :", con->physical.path);
+				}
+			
+				buffer_reset(con->physical.path);
+				return HANDLER_FINISHED;
+			}	
 		} else {
 			switch (errno) {
 			case EACCES:

src/server.c

@@ -659,6 +659,9 @@ int main (int argc, char **argv) {
 	/* network is up, let's deamonize ourself */
 	if (srv->srvconf.dont_daemonize == 0) daemonize();
 #endif
+
+	srv->gid = getgid();
+	srv->uid = getuid();
 	
 	/* write pid file */
 	if (pid_fd != -1) {