modules/aaa/mod_access.c

	mod_access.c revision 1b21d7b3d97def358b2e923655edeb16613a1c31
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele/* ====================================================================
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * The Apache Software License, Version 1.1
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * Copyright (c) 2000 The Apache Software Foundation.  All rights
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * reserved.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * Redistribution and use in source and binary forms, with or without
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * modification, are permitted provided that the following conditions
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * are met:
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * 1. Redistributions of source code must retain the above copyright
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    notice, this list of conditions and the following disclaimer.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * 2. Redistributions in binary form must reproduce the above copyright
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    notice, this list of conditions and the following disclaimer in
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    the documentation and/or other materials provided with the
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    distribution.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * 3. The end-user documentation included with the redistribution,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    if any, must include the following acknowledgment:
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *       "This product includes software developed by the
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *        Apache Software Foundation (http://www.apache.org/)."
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    Alternately, this acknowledgment may appear in the software itself,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    if and wherever such third-party acknowledgments normally appear.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * 4. The names "Apache" and "Apache Software Foundation" must
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    not be used to endorse or promote products derived from this
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    software without prior written permission. For written
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    permission, please contact apache@apache.org.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * 5. Products derived from this software may not be called "Apache",
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    nor may "Apache" appear in their name, without prior written
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *    permission of the Apache Software Foundation.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * SUCH DAMAGE.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * ====================================================================
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * This software consists of voluntary contributions made by many
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * individuals on behalf of the Apache Software Foundation.  For more
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * information on the Apache Software Foundation, please see
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * <http://www.apache.org/>.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * Portions of this software are based upon public domain software
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * originally written at the National Center for Supercomputing Applications,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * University of Illinois, Urbana-Champaign.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele/*
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * Security options etc.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele * Module derived from code originally written by Rob McCool
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "apr_strings.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "apr_network_io.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "apr_lib.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#define APR_WANT_STRFUNC
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "apr_want.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "ap_config.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "httpd.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "http_core.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "http_config.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "http_log.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include "http_request.h"
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#if APR_HAVE_NETINET_IN_H
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include <netinet/in.h>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#endif
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#if APR_HAVE_ARPA_INET_H
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#include <arpa/inet.h>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#endif
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabeleenum allowdeny_type {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    T_ENV,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    T_ALL,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    T_IP,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    T_HOST,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    T_FAIL
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele};
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabeletypedef struct {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    int limited;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    union {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	char *from;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	struct {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    unsigned long net;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    unsigned long mask;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	} ip;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    } x;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    enum allowdeny_type type;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele} allowdeny;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele/* things in the 'order' array */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#define DENY_THEN_ALLOW 0
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#define ALLOW_THEN_DENY 1
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele#define MUTUAL_FAILURE 2
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabeletypedef struct {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    int order[METHODS];
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    apr_array_header_t *allows;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    apr_array_header_t *denys;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele} access_dir_conf;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelemodule AP_MODULE_DECLARE_DATA access_module;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic void *create_access_dir_config(apr_pool_t *p, char *dummy)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele{
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    access_dir_conf *conf =
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    (access_dir_conf *) apr_pcalloc(p, sizeof(access_dir_conf));
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    int i;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    for (i = 0; i < METHODS; ++i)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	conf->order[i] = DENY_THEN_ALLOW;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    return (void *) conf;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic const char *order(cmd_parms *cmd, void *dv, const char *arg)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele{
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    access_dir_conf *d = (access_dir_conf *) dv;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    int i, o;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    if (!strcasecmp(arg, "allow,deny"))
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	o = ALLOW_THEN_DENY;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else if (!strcasecmp(arg, "deny,allow"))
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	o = DENY_THEN_ALLOW;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else if (!strcasecmp(arg, "mutual-failure"))
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	o = MUTUAL_FAILURE;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	return "unknown order";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    for (i = 0; i < METHODS; ++i)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	if (cmd->limited & (1 << i))
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    d->order[i] = o;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    return NULL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic int is_ip(const char *host)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele{
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    while ((*host == '.') || apr_isdigit(*host))
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	host++;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    return (*host == '\0');
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele                             const char *where_c)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele{
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    access_dir_conf *d = (access_dir_conf *) dv;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    allowdeny *a;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    char *s;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    char *where = apr_pstrdup(cmd->pool, where_c);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    if (strcasecmp(from, "from"))
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	return "allow and deny must be followed by 'from'";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    a->x.from = where;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    a->limited = cmd->limited;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    if (!strncasecmp(where, "env=", 4)) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->type = T_ENV;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->x.from += 4;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else if (!strcasecmp(where, "all")) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->type = T_ALL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else if ((s = strchr(where, '/'))) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	unsigned long mask;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->type = T_IP;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	/* trample on where, we won't be using it any more */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	*s++ = '\0';
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	if (!is_ip(where)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    || (a->x.ip.net = apr_inet_addr(where)) == APR_INADDR_NONE) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    return "syntax error in network portion of network/netmask";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	/* is_ip just tests if it matches [\d.]+ */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	if (!is_ip(s)) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    return "syntax error in mask portion of network/netmask";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	/* is it in /a.b.c.d form? */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	if (strchr(s, '.')) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    mask = apr_inet_addr(s);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    if (mask == APR_INADDR_NONE) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		return "syntax error in mask portion of network/netmask";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	else {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    /* assume it's in /nnn form */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    mask = atoi(s);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    if (mask > 32 || mask <= 0) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		return "invalid mask in network/netmask";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    mask = 0xFFFFFFFFUL << (32 - mask);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    mask = htonl(mask);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->x.ip.mask = mask;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele        a->x.ip.net  = (a->x.ip.net & mask);   /* pjr - This fixes PR 4770 */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else if (apr_isdigit(*where) && is_ip(where)) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	/* legacy syntax for ip addrs: a.b.c. ==> a.b.c.0/24 for example */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	int shift;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	char *t;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	int octet;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->type = T_IP;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	/* parse components */
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	s = where;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->x.ip.net = 0;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->x.ip.mask = 0;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	shift = 24;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	while (*s) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    t = s;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    if (!apr_isdigit(*t)) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		return "invalid ip address";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    while (apr_isdigit(*t)) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		++t;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    if (*t == '.') {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		*t++ = 0;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    else if (*t) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		return "invalid ip address";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    if (shift < 0) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		return "invalid ip address, only 4 octets allowed";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    octet = atoi(s);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    if (octet < 0 || octet > 255) {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		a->type = T_FAIL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele		return "each octet must be between 0 and 255 inclusive";
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    a->x.ip.net |= octet << shift;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    a->x.ip.mask |= 0xFFUL << shift;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    s = t;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	    shift -= 8;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->x.ip.net = ntohl(a->x.ip.net);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->x.ip.mask = ntohl(a->x.ip.mask);
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    else {
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele	a->type = T_HOST;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    }
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    return NULL;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic char its_an_allow;
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic const command_rec access_cmds[] =
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele{
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele                  "'allow,deny', 'deny,allow', or 'mutual-failure'"),
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele                     "'from' followed by hostnames or IP-address wildcards"),
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele                     "'from' followed by hostnames or IP-address wildcards"),
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele    {NULL}
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele};
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele
4ab980a06412fd86f52a6d054fb7e26de155c530erikabelestatic int in_domain(const char *domain, const char *what)
{
    int dl = strlen(domain);
    int wl = strlen(what);

    if ((wl - dl) >= 0) {
	if (strcasecmp(domain, &what[wl - dl]) != 0)
	    return 0;

	/* Make sure we matched an *entire* subdomain --- if the user
	 * said 'allow from good.com', we don't want people from nogood.com
	 * to be able to get in.
	 */

	if (wl == dl)
	    return 1;		/* matched whole thing */
	else
	    return (domain[0] == '.' || what[wl - dl - 1] == '.');
    }
    else
	return 0;
}

static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
{
    allowdeny *ap = (allowdeny *) a->elts;
    int mmask = (1 << method);
    int i;
    int gothost = 0;
    const char *remotehost = NULL;

    for (i = 0; i < a->nelts; ++i) {
	if (!(mmask & ap[i].limited))
	    continue;

	switch (ap[i].type) {
	case T_ENV:
	    if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
		return 1;
	    }
	    break;

	case T_ALL:
	    return 1;

	case T_IP:
            /* XXX handle IPv6 with separate T_IP6 type or add common
             *     address masking operations to APR */
	    if (ap[i].x.ip.net != APR_INADDR_NONE
		&& (r->connection->remote_addr->sa.sin.sin_addr.s_addr
		    & ap[i].x.ip.mask) == ap[i].x.ip.net) {
		return 1;
	    }
	    break;

	case T_HOST:
	    if (!gothost) {
		remotehost = ap_get_remote_host(r->connection, r->per_dir_config,
					    REMOTE_DOUBLE_REV);

		if ((remotehost == NULL) || is_ip(remotehost))
		    gothost = 1;
		else
		    gothost = 2;
	    }

	    if ((gothost == 2) && in_domain(ap[i].x.from, remotehost))
		return 1;
	    break;

	case T_FAIL:
	    /* do nothing? */
	    break;
	}
    }

    return 0;
}

static int check_dir_access(request_rec *r)
{
    int method = r->method_number;
    access_dir_conf *a =
    (access_dir_conf *)
    ap_get_module_config(r->per_dir_config, &access_module);
    int ret = OK;

    if (a->order[method] == ALLOW_THEN_DENY) {
	ret = HTTP_FORBIDDEN;
	if (find_allowdeny(r, a->allows, method))
	    ret = OK;
	if (find_allowdeny(r, a->denys, method))
	    ret = HTTP_FORBIDDEN;
    }
    else if (a->order[method] == DENY_THEN_ALLOW) {
	if (find_allowdeny(r, a->denys, method))
	    ret = HTTP_FORBIDDEN;
	if (find_allowdeny(r, a->allows, method))
	    ret = OK;
    }
    else {
	if (find_allowdeny(r, a->allows, method)
	    && !find_allowdeny(r, a->denys, method))
	    ret = OK;
	else
	    ret = HTTP_FORBIDDEN;
    }

    if (ret == HTTP_FORBIDDEN
	&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
	ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
		  "client denied by server configuration: %s",
		  r->filename);
    }

    return ret;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA access_module =
{
    STANDARD20_MODULE_STUFF,
    create_access_dir_config,	/* dir config creater */
    NULL,			/* dir merger --- default is to override */
    NULL,			/* server config */
    NULL,			/* merge server config */
    access_cmds,
    register_hooks		/* register hooks */
};