modules/aaa/mod_access.c

	mod_access.c revision 928f342270fd8ca02a36f484072d35063121171f
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd/* ====================================================================
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * The Apache Software License, Version 1.1
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd *
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd * Copyright (c) 2000-2001 The Apache Software Foundation.  All rights
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd * reserved.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * Redistribution and use in source and binary forms, with or without
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * modification, are permitted provided that the following conditions
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * are met:
96ad5d81ee4a2cc66a4ae19893efc8aa6d06fae7jailletc *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * 1. Redistributions of source code must retain the above copyright
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *    notice, this list of conditions and the following disclaimer.
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen *
2e545ce2450a9953665f701bb05350f0d3f26275nd * 2. Redistributions in binary form must reproduce the above copyright
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen *    notice, this list of conditions and the following disclaimer in
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen *    the documentation and/or other materials provided with the
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *    distribution.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen * 3. The end-user documentation included with the redistribution,
3f08db06526d6901aa08c110b5bc7dde6bc39905nd *    if any, must include the following acknowledgment:
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *       "This product includes software developed by the
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *        Apache Software Foundation (http://www.apache.org/)."
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *    Alternately, this acknowledgment may appear in the software itself,
3f08db06526d6901aa08c110b5bc7dde6bc39905nd *    if and wherever such third-party acknowledgments normally appear.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * 4. The names "Apache" and "Apache Software Foundation" must
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *    not be used to endorse or promote products derived from this
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *    software without prior written permission. For written
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *    permission, please contact apache@apache.org.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * 5. Products derived from this software may not be called "Apache",
bf7fcf0c216a914407c0877aa37894fd9aecc219nilgun *    nor may "Apache" appear in their name, without prior written
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung *    permission of the Apache Software Foundation.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
4b575a6b6704b516f22d65a3ad35696d7b9ba372rpluem * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * SUCH DAMAGE.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * ====================================================================
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * This software consists of voluntary contributions made by many
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * individuals on behalf of the Apache Software Foundation.  For more
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * information on the Apache Software Foundation, please see
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * <http://www.apache.org/>.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
2893256d86dd891d5859ef01dec4d85bf6488b69nd * Portions of this software are based upon public domain software
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * originally written at the National Center for Supercomputing Applications,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * University of Illinois, Urbana-Champaign.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd/*
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * Security options etc.
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd * Module derived from code originally written by Rob McCool
2893256d86dd891d5859ef01dec4d85bf6488b69nd *
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "apr_strings.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "apr_network_io.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "apr_lib.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#define APR_WANT_STRFUNC
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#define APR_WANT_BYTEFUNC
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "apr_want.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "ap_config.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "httpd.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "http_core.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "http_config.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "http_log.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include "http_request.h"
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#if APR_HAVE_NETINET_IN_H
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#include <netinet/in.h>
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#endif
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndenum allowdeny_type {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    T_ENV,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    T_ALL,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    T_IP,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    T_HOST,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    T_FAIL
2893256d86dd891d5859ef01dec4d85bf6488b69nd};
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
5383fa753e1bcd3a04ec34ba9810d671302380f2colmtypedef struct {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    int limited;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    union {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	char *from;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	struct {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    unsigned long net;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    unsigned long mask;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	} ip;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    } x;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    enum allowdeny_type type;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd} allowdeny;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
2893256d86dd891d5859ef01dec4d85bf6488b69nd/* things in the 'order' array */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#define DENY_THEN_ALLOW 0
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#define ALLOW_THEN_DENY 1
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd#define MUTUAL_FAILURE 2
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndtypedef struct {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    int order[METHODS];
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    apr_array_header_t *allows;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    apr_array_header_t *denys;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd} access_dir_conf;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndmodule AP_MODULE_DECLARE_DATA access_module;
2893256d86dd891d5859ef01dec4d85bf6488b69nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndstatic void *create_access_dir_config(apr_pool_t *p, char *dummy)
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd{
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    access_dir_conf *conf =
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    (access_dir_conf *) apr_pcalloc(p, sizeof(access_dir_conf));
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    int i;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    for (i = 0; i < METHODS; ++i)
2893256d86dd891d5859ef01dec4d85bf6488b69nd	conf->order[i] = DENY_THEN_ALLOW;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    return (void *) conf;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndstatic const char *order(cmd_parms *cmd, void *dv, const char *arg)
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd{
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    access_dir_conf *d = (access_dir_conf *) dv;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    int i, o;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    if (!strcasecmp(arg, "allow,deny"))
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	o = ALLOW_THEN_DENY;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    else if (!strcasecmp(arg, "deny,allow"))
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	o = DENY_THEN_ALLOW;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    else if (!strcasecmp(arg, "mutual-failure"))
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	o = MUTUAL_FAILURE;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    else
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	return "unknown order";
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    for (i = 0; i < METHODS; ++i)
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	if (cmd->limited & (1 << i))
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    d->order[i] = o;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    return NULL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndstatic int is_ip(const char *host)
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd{
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    while ((*host == '.') || apr_isdigit(*host))
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	host++;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    return (*host == '\0');
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53ndstatic const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd                             const char *where_c)
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd{
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    access_dir_conf *d = (access_dir_conf *) dv;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    allowdeny *a;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    char *s;
2893256d86dd891d5859ef01dec4d85bf6488b69nd    char *where = apr_pstrdup(cmd->pool, where_c);
2893256d86dd891d5859ef01dec4d85bf6488b69nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    if (strcasecmp(from, "from"))
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	return "allow and deny must be followed by 'from'";
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    a->x.from = where;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    a->limited = cmd->limited;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    if (!strncasecmp(where, "env=", 4)) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->type = T_ENV;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->x.from += 4;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
2893256d86dd891d5859ef01dec4d85bf6488b69nd    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    else if (!strcasecmp(where, "all")) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->type = T_ALL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    else if ((s = strchr(where, '/'))) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	unsigned long mask;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->type = T_IP;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	/* trample on where, we won't be using it any more */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	*s++ = '\0';
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	if (!is_ip(where)
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    || (a->x.ip.net = apr_inet_addr(where)) == APR_INADDR_NONE) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    a->type = T_FAIL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    return "syntax error in network portion of network/netmask";
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	}
2893256d86dd891d5859ef01dec4d85bf6488b69nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	/* is_ip just tests if it matches [\d.]+ */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	if (!is_ip(s)) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    a->type = T_FAIL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    return "syntax error in mask portion of network/netmask";
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	/* is it in /a.b.c.d form? */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	if (strchr(s, '.')) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    mask = apr_inet_addr(s);
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    if (mask == APR_INADDR_NONE) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		a->type = T_FAIL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		return "syntax error in mask portion of network/netmask";
2893256d86dd891d5859ef01dec4d85bf6488b69nd	    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	else {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    /* assume it's in /nnn form */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    mask = atoi(s);
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    if (mask > 32 || mask <= 0) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		a->type = T_FAIL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		return "invalid mask in network/netmask";
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    mask = 0xFFFFFFFFUL << (32 - mask);
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    mask = htonl(mask);
2893256d86dd891d5859ef01dec4d85bf6488b69nd	}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->x.ip.mask = mask;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd        a->x.ip.net  = (a->x.ip.net & mask);   /* pjr - This fixes PR 4770 */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    else if (apr_isdigit(*where) && is_ip(where)) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	/* legacy syntax for ip addrs: a.b.c. ==> a.b.c.0/24 for example */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	int shift;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	char *t;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	int octet;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->type = T_IP;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	/* parse components */
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	s = where;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->x.ip.net = 0;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	a->x.ip.mask = 0;
829881b33014c4321c1e9ea5ec84826b177fe871humbedooh	shift = 24;
829881b33014c4321c1e9ea5ec84826b177fe871humbedooh	while (*s) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    t = s;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    if (!apr_isdigit(*t)) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		a->type = T_FAIL;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		return "invalid ip address";
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    while (apr_isdigit(*t)) {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		++t;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    }
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    if (*t == '.') {
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd		*t++ = 0;
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd	    }
bf7fcf0c216a914407c0877aa37894fd9aecc219nilgun	    else if (*t) {
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung		a->type = T_FAIL;
727872d18412fc021f03969b8641810d8896820bhumbedooh		return "invalid ip address";
0d0ba3a410038e179b695446bb149cce6264e0abnd	    }
727872d18412fc021f03969b8641810d8896820bhumbedooh	    if (shift < 0) {
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh		return "invalid ip address, only 4 octets allowed";
0d0ba3a410038e179b695446bb149cce6264e0abnd	    }
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh	    octet = atoi(s);
727872d18412fc021f03969b8641810d8896820bhumbedooh	    if (octet < 0 || octet > 255) {
0d0ba3a410038e179b695446bb149cce6264e0abnd		a->type = T_FAIL;
0d0ba3a410038e179b695446bb149cce6264e0abnd		return "each octet must be between 0 and 255 inclusive";
0d0ba3a410038e179b695446bb149cce6264e0abnd	    }
ac082aefa89416cbdc9a1836eaf3bed9698201c8humbedooh	    a->x.ip.net |= octet << shift;
0d0ba3a410038e179b695446bb149cce6264e0abnd	    a->x.ip.mask |= 0xFFUL << shift;
0d0ba3a410038e179b695446bb149cce6264e0abnd	    s = t;
0d0ba3a410038e179b695446bb149cce6264e0abnd	    shift -= 8;
727872d18412fc021f03969b8641810d8896820bhumbedooh	}
0d0ba3a410038e179b695446bb149cce6264e0abnd	a->x.ip.net = ntohl(a->x.ip.net);
0d0ba3a410038e179b695446bb149cce6264e0abnd	a->x.ip.mask = ntohl(a->x.ip.mask);
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh    }
205f749042ed530040a4f0080dbcb47ceae8a374rjung    else {
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen	a->type = T_HOST;
0d0ba3a410038e179b695446bb149cce6264e0abnd    }
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd    return NULL;
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd}
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd
static char its_an_allow;

static const command_rec access_cmds[] =
{
    AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
                  "'allow,deny', 'deny,allow', or 'mutual-failure'"),
    AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
                     "'from' followed by hostnames or IP-address wildcards"),
    AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
                     "'from' followed by hostnames or IP-address wildcards"),
    {NULL}
};

static int in_domain(const char *domain, const char *what)
{
    int dl = strlen(domain);
    int wl = strlen(what);

    if ((wl - dl) >= 0) {
	if (strcasecmp(domain, &what[wl - dl]) != 0)
	    return 0;

	/* Make sure we matched an *entire* subdomain --- if the user
	 * said 'allow from good.com', we don't want people from nogood.com
	 * to be able to get in.
	 */

	if (wl == dl)
	    return 1;		/* matched whole thing */
	else
	    return (domain[0] == '.' || what[wl - dl - 1] == '.');
    }
    else
	return 0;
}

static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
{
    allowdeny *ap = (allowdeny *) a->elts;
    int mmask = (1 << method);
    int i;
    int gothost = 0;
    const char *remotehost = NULL;

    for (i = 0; i < a->nelts; ++i) {
	if (!(mmask & ap[i].limited))
	    continue;

	switch (ap[i].type) {
	case T_ENV:
	    if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
		return 1;
	    }
	    break;

	case T_ALL:
	    return 1;

	case T_IP:
            /* XXX handle IPv6 with separate T_IP6 type or add common
             *     address masking operations to APR */
	    if (ap[i].x.ip.net != APR_INADDR_NONE
		&& (r->connection->remote_addr->sa.sin.sin_addr.s_addr
		    & ap[i].x.ip.mask) == ap[i].x.ip.net) {
		return 1;
	    }
	    break;

	case T_HOST:
	    if (!gothost) {
                int remotehost_is_ip;

		remotehost = ap_get_remote_host(r->connection, r->per_dir_config,
                                                REMOTE_DOUBLE_REV, &remotehost_is_ip);

		if ((remotehost == NULL) || remotehost_is_ip)
		    gothost = 1;
		else
		    gothost = 2;
	    }

	    if ((gothost == 2) && in_domain(ap[i].x.from, remotehost))
		return 1;
	    break;

	case T_FAIL:
	    /* do nothing? */
	    break;
	}
    }

    return 0;
}

static int check_dir_access(request_rec *r)
{
    int method = r->method_number;
    access_dir_conf *a =
    (access_dir_conf *)
    ap_get_module_config(r->per_dir_config, &access_module);
    int ret = OK;

    if (a->order[method] == ALLOW_THEN_DENY) {
	ret = HTTP_FORBIDDEN;
	if (find_allowdeny(r, a->allows, method))
	    ret = OK;
	if (find_allowdeny(r, a->denys, method))
	    ret = HTTP_FORBIDDEN;
    }
    else if (a->order[method] == DENY_THEN_ALLOW) {
	if (find_allowdeny(r, a->denys, method))
	    ret = HTTP_FORBIDDEN;
	if (find_allowdeny(r, a->allows, method))
	    ret = OK;
    }
    else {
	if (find_allowdeny(r, a->allows, method)
	    && !find_allowdeny(r, a->denys, method))
	    ret = OK;
	else
	    ret = HTTP_FORBIDDEN;
    }

    if (ret == HTTP_FORBIDDEN
	&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
	ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
		  "client denied by server configuration: %s",
		  r->filename);
    }

    return ret;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA access_module =
{
    STANDARD20_MODULE_STUFF,
    create_access_dir_config,	/* dir config creater */
    NULL,			/* dir merger --- default is to override */
    NULL,			/* server config */
    NULL,			/* merge server config */
    access_cmds,
    register_hooks		/* register hooks */
};