From f4c5d953a30a7eebb274e8c38aa0e1b236190ee2 Mon Sep 17 00:00:00 2001
From: Alexander Azarov <self@alaz.me>
Date: Mon, 11 Nov 2024 17:33:36 +0000
Subject: [PATCH] fix(sslocal): disallow HTTP/SOCKS4 proxying when
 authentication required

---
 .../src/local/socks/server/server.rs          | 26 +++++++++++++------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/crates/shadowsocks-service/src/local/socks/server/server.rs b/crates/shadowsocks-service/src/local/socks/server/server.rs
index b56a04b8830c..1b6761e05bd0 100644
--- a/crates/shadowsocks-service/src/local/socks/server/server.rs
+++ b/crates/shadowsocks-service/src/local/socks/server/server.rs
@@ -176,8 +176,13 @@ impl SocksTcpHandler {
         match version_buffer[0] {
             #[cfg(feature = "local-socks4")]
             0x04 => {
-                let handler = Socks4TcpHandler::new(self.context, self.balancer, self.mode);
-                handler.handle_socks4_client(self.stream, self.peer_addr).await
+                if self.socks5_auth.auth_required() {
+                    error!("SOCKS4 disabled when authentication is configured");
+                    Err(io::Error::new(ErrorKind::Other, "SOCKS4 unsupported"))
+                } else {
+                    let handler = Socks4TcpHandler::new(self.context, self.balancer, self.mode);
+                    handler.handle_socks4_client(self.stream, self.peer_addr).await
+                }
             }
 
             0x05 => {
@@ -193,12 +198,17 @@ impl SocksTcpHandler {
 
             #[cfg(feature = "local-http")]
             b'G' | b'g' | b'H' | b'h' | b'P' | b'p' | b'D' | b'd' | b'C' | b'c' | b'O' | b'o' | b'T' | b't' => {
-                // GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
-                match self.http_handler.serve_connection(self.stream, self.peer_addr).await {
-                    Ok(..) => Ok(()),
-                    Err(err) => {
-                        error!("HTTP connection {} handler failed with error: {}", self.peer_addr, err);
-                        Err(io::Error::new(ErrorKind::Other, err))
+                if self.socks5_auth.auth_required() {
+                    error!("HTTP disabled when authentication is configured");
+                    Err(io::Error::new(ErrorKind::Other, "HTTP unsupported"))
+                } else {
+                    // GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
+                    match self.http_handler.serve_connection(self.stream, self.peer_addr).await {
+                        Ok(..) => Ok(()),
+                        Err(err) => {
+                            error!("HTTP connection {} handler failed with error: {}", self.peer_addr, err);
+                            Err(io::Error::new(ErrorKind::Other, err))
+                        }
                     }
                 }
             }