842ae4bd224140319ae7feec1872b93dfd491143fielding/* Licensed to the Apache Software Foundation (ASF) under one or more
842ae4bd224140319ae7feec1872b93dfd491143fielding * contributor license agreements. See the NOTICE file distributed with
842ae4bd224140319ae7feec1872b93dfd491143fielding * this work for additional information regarding copyright ownership.
842ae4bd224140319ae7feec1872b93dfd491143fielding * The ASF licenses this file to You under the Apache License, Version 2.0
842ae4bd224140319ae7feec1872b93dfd491143fielding * (the "License"); you may not use this file except in compliance with
842ae4bd224140319ae7feec1872b93dfd491143fielding * the License. You may obtain a copy of the License at
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes *
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * http://www.apache.org/licenses/LICENSE-2.0
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes *
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * Unless required by applicable law or agreed to in writing, software
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * distributed under the License is distributed on an "AS IS" BASIS,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * See the License for the specific language governing permissions and
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * limitations under the License.
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes/*
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * Security options etc.
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes *
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * Module derived from code originally written by Rob McCool
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes *
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "apr_strings.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "apr_network_io.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "apr_md5.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#define APR_WANT_STRFUNC
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#define APR_WANT_BYTEFUNC
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "apr_want.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "ap_config.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "httpd.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "http_core.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "http_config.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "http_log.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "http_protocol.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "http_request.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include "mod_auth.h"
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#if APR_HAVE_NETINET_IN_H
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#include <netinet/in.h>
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#endif
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesenum allowdeny_type {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes T_ENV,
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim T_NENV,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes T_ALL,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes T_IP,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes T_HOST,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes T_FAIL
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes};
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholestypedef struct {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes apr_int64_t limited;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes union {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes char *from;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes apr_ipsubnet_t *ip;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes } x;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes enum allowdeny_type type;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes} allowdeny;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes/* things in the 'order' array */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#define DENY_THEN_ALLOW 0
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#define ALLOW_THEN_DENY 1
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes#define MUTUAL_FAILURE 2
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholestypedef struct {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int order[METHODS];
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes apr_array_header_t *allows;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes apr_array_header_t *denys;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int *satisfy; /* for every method one */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes} access_compat_dir_conf;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesmodule AP_MODULE_DECLARE_DATA access_compat_module;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic void *create_access_compat_dir_config(apr_pool_t *p, char *dummy)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int i;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_dir_conf *conf =
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes (access_compat_dir_conf *)apr_pcalloc(p, sizeof(access_compat_dir_conf));
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes for (i = 0; i < METHODS; ++i) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes conf->order[i] = DENY_THEN_ALLOW;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes conf->satisfy = apr_palloc(p, sizeof(*conf->satisfy) * METHODS);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes for (i = 0; i < METHODS; ++i) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes conf->satisfy[i] = SATISFY_NOSPEC;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return (void *)conf;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic const char *order(cmd_parms *cmd, void *dv, const char *arg)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int i, o;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (!strcasecmp(arg, "allow,deny"))
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes o = ALLOW_THEN_DENY;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (!strcasecmp(arg, "deny,allow"))
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes o = DENY_THEN_ALLOW;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (!strcasecmp(arg, "mutual-failure"))
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes o = MUTUAL_FAILURE;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return "unknown order";
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes for (i = 0; i < METHODS; ++i)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (cmd->limited & (AP_METHOD_BIT << i))
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes d->order[i] = o;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return NULL;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic const char *satisfy(cmd_parms *cmd, void *dv, const char *arg)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int satisfy = SATISFY_NOSPEC;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int i;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (!strcasecmp(arg, "all")) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes satisfy = SATISFY_ALL;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (!strcasecmp(arg, "any")) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes satisfy = SATISFY_ANY;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return "Satisfy either 'any' or 'all'.";
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes for (i = 0; i < METHODS; ++i) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (cmd->limited & (AP_METHOD_BIT << i)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes d->satisfy[i] = satisfy;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return NULL;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes const char *where_c)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes allowdeny *a;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes char *where = apr_pstrdup(cmd->pool, where_c);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes char *s;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes apr_status_t rv;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (strcasecmp(from, "from"))
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return "allow and deny must be followed by 'from'";
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->x.from = where;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->limited = cmd->limited;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim if (!strncasecmp(where, "env=!", 5)) {
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim a->type = T_NENV;
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim a->x.from += 5;
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim }
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim else if (!strncasecmp(where, "env=", 4)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->type = T_ENV;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->x.from += 4;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (!strcasecmp(where, "all")) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->type = T_ALL;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if ((s = ap_strchr(where, '/'))) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes *s++ = '\0';
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if(APR_STATUS_IS_EINVAL(rv)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes /* looked nothing like an IP address */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return "An IP address was expected";
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (rv != APR_SUCCESS) {
dfa7a2996e64469379184e08a1246557ddeb2783sf return apr_psprintf(cmd->pool, "%pm", &rv);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->type = T_IP;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes NULL, cmd->pool))) {
dfa7a2996e64469379184e08a1246557ddeb2783sf if (rv != APR_SUCCESS)
dfa7a2996e64469379184e08a1246557ddeb2783sf return apr_psprintf(cmd->pool, "%pm", &rv);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->type = T_IP;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
a1ad96ae397dcfc3d5599181ccc29381c7674cc6jkaluza else if (ap_strchr(where, '#')) {
a1ad96ae397dcfc3d5599181ccc29381c7674cc6jkaluza return "No comments are allowed here";
a1ad96ae397dcfc3d5599181ccc29381c7674cc6jkaluza }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else { /* no slash, didn't look like an IP address => must be a host */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes a->type = T_HOST;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return NULL;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic char its_an_allow;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic const command_rec access_compat_cmds[] =
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes "'allow,deny', 'deny,allow', or 'mutual-failure'"),
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes "'from' followed by hostnames or IP-address wildcards"),
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes "'from' followed by hostnames or IP-address wildcards"),
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes AP_INIT_TAKE1("Satisfy", satisfy, NULL, OR_AUTHCFG,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes "access policy if both allow and require used ('all' or 'any')"),
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes {NULL}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes};
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic int in_domain(const char *domain, const char *what)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int dl = strlen(domain);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int wl = strlen(what);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if ((wl - dl) >= 0) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (strcasecmp(domain, &what[wl - dl]) != 0) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 0;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes /* Make sure we matched an *entire* subdomain --- if the user
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * said 'allow from good.com', we don't want people from nogood.com
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes * to be able to get in.
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (wl == dl) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 1; /* matched whole thing */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return (domain[0] == '.' || what[wl - dl - 1] == '.');
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 0;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes allowdeny *ap = (allowdeny *) a->elts;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes apr_int64_t mmask = (AP_METHOD_BIT << method);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int i;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int gothost = 0;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes const char *remotehost = NULL;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes for (i = 0; i < a->nelts; ++i) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (!(mmask & ap[i].limited)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes continue;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes switch (ap[i].type) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes case T_ENV:
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 1;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes break;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim case T_NENV:
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim if (!apr_table_get(r->subprocess_env, ap[i].x.from)) {
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim return 1;
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim }
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim break;
da90e7a4d1c2f3da6c8861da63b41ba8e5f4d531jim
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes case T_ALL:
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 1;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes case T_IP:
a221184be5b40f8349982d94cda02b98068ce0d8minfrin if (apr_ipsubnet_test(ap[i].x.ip, r->useragent_addr)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 1;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes break;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes case T_HOST:
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (!gothost) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int remotehost_is_ip;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes remotehost = ap_get_remote_host(r->connection,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes r->per_dir_config,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes REMOTE_DOUBLE_REV,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes &remotehost_is_ip);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if ((remotehost == NULL) || remotehost_is_ip) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes gothost = 1;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes gothost = 2;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 1;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes break;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes case T_FAIL:
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes /* do nothing? */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes break;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return 0;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
0d26b42fc1735e110c6dc83b114c56257b20070bbnicholesstatic int access_compat_ap_satisfies(request_rec *r)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_dir_conf *conf = (access_compat_dir_conf *)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ap_get_module_config(r->per_dir_config, &access_compat_module);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return conf->satisfy[r->method_number];
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic int check_dir_access(request_rec *r)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int method = r->method_number;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes int ret = OK;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_dir_conf *a = (access_compat_dir_conf *)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ap_get_module_config(r->per_dir_config, &access_compat_module);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (a->order[method] == ALLOW_THEN_DENY) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = HTTP_FORBIDDEN;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (find_allowdeny(r, a->allows, method)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = OK;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (find_allowdeny(r, a->denys, method)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = HTTP_FORBIDDEN;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else if (a->order[method] == DENY_THEN_ALLOW) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (find_allowdeny(r, a->denys, method)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = HTTP_FORBIDDEN;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (find_allowdeny(r, a->allows, method)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = OK;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (find_allowdeny(r, a->allows, method)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes && !find_allowdeny(r, a->denys, method)) {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = OK;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes else {
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes ret = HTTP_FORBIDDEN;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes if (ret == HTTP_FORBIDDEN) {
185aa71728867671e105178b4c66fbc22b65ae26sf ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01797)
6eebc35261655d22ef6798bc1a46cf620a09ad49trawick "client denied by server configuration: %s%s",
6eebc35261655d22ef6798bc1a46cf620a09ad49trawick r->filename ? "" : "uri ",
6eebc35261655d22ef6798bc1a46cf620a09ad49trawick r->filename ? r->filename : r->uri);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes }
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes return ret;
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholesstatic void register_hooks(apr_pool_t *p)
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
0d26b42fc1735e110c6dc83b114c56257b20070bbnicholes APR_REGISTER_OPTIONAL_FN(access_compat_ap_satisfies);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes /* This can be access checker since we don't require r->user to be set. */
a72211e92bab814bfa28ee086ca9b2a1a6095c92chrisd ap_hook_check_access(check_dir_access, NULL, NULL, APR_HOOK_MIDDLE,
a72211e92bab814bfa28ee086ca9b2a1a6095c92chrisd AP_AUTH_INTERNAL_PER_CONF);
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes}
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes
36ef8f77bffe75d1aa327882be1b5bdbe2ff567asfAP_DECLARE_MODULE(access_compat) =
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes{
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes STANDARD20_MODULE_STUFF,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes create_access_compat_dir_config, /* dir config creater */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes NULL, /* dir merger --- default is to override */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes NULL, /* server config */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes NULL, /* merge server config */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes access_compat_cmds,
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes register_hooks /* register hooks */
bbb1d2f82de322f7ce7746301a5f6cb3ce625663bnicholes};