modules/aaa/mod_allowmethods.c

135c1278adef96d36fd421c536b1acc54a341cfbsf/* Licensed to the Apache Software Foundation (ASF) under one or more
135c1278adef96d36fd421c536b1acc54a341cfbsf * contributor license agreements.  See the NOTICE file distributed with
135c1278adef96d36fd421c536b1acc54a341cfbsf * this work for additional information regarding copyright ownership.
135c1278adef96d36fd421c536b1acc54a341cfbsf * The ASF licenses this file to You under the Apache License, Version 2.0
135c1278adef96d36fd421c536b1acc54a341cfbsf * (the "License"); you may not use this file except in compliance with
135c1278adef96d36fd421c536b1acc54a341cfbsf * the License.  You may obtain a copy of the License at
135c1278adef96d36fd421c536b1acc54a341cfbsf *
135c1278adef96d36fd421c536b1acc54a341cfbsf *     http://www.apache.org/licenses/LICENSE-2.0
135c1278adef96d36fd421c536b1acc54a341cfbsf *
135c1278adef96d36fd421c536b1acc54a341cfbsf * Unless required by applicable law or agreed to in writing, software
135c1278adef96d36fd421c536b1acc54a341cfbsf * distributed under the License is distributed on an "AS IS" BASIS,
135c1278adef96d36fd421c536b1acc54a341cfbsf * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
135c1278adef96d36fd421c536b1acc54a341cfbsf * See the License for the specific language governing permissions and
135c1278adef96d36fd421c536b1acc54a341cfbsf * limitations under the License.
135c1278adef96d36fd421c536b1acc54a341cfbsf */
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "httpd.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "http_core.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "http_config.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "http_protocol.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "http_request.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "http_log.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf#include "apr_strings.h"
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsf/**
135c1278adef96d36fd421c536b1acc54a341cfbsf * This module makes it easy to restrict what HTTP methods can be ran against
135c1278adef96d36fd421c536b1acc54a341cfbsf * a server.
135c1278adef96d36fd421c536b1acc54a341cfbsf *
135c1278adef96d36fd421c536b1acc54a341cfbsf * It provides one comand:
135c1278adef96d36fd421c536b1acc54a341cfbsf *    AllowMethods
135c1278adef96d36fd421c536b1acc54a341cfbsf * This command takes a list of HTTP methods to allow.
135c1278adef96d36fd421c536b1acc54a341cfbsf *
135c1278adef96d36fd421c536b1acc54a341cfbsf *  The most common configuration should be like this:
135c1278adef96d36fd421c536b1acc54a341cfbsf *   <Directory />
135c1278adef96d36fd421c536b1acc54a341cfbsf *    AllowMethods GET HEAD OPTIONS
135c1278adef96d36fd421c536b1acc54a341cfbsf *   </Directory>
135c1278adef96d36fd421c536b1acc54a341cfbsf *   <Directory /special/cgi-bin>
135c1278adef96d36fd421c536b1acc54a341cfbsf *      AllowMethods GET HEAD OPTIONS POST
135c1278adef96d36fd421c536b1acc54a341cfbsf *   </Directory>
135c1278adef96d36fd421c536b1acc54a341cfbsf *  Non-matching methods will be returned a status 405 (method not allowed)
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim *
135c1278adef96d36fd421c536b1acc54a341cfbsf *  To allow all methods, and effectively turn off mod_allowmethods, use:
135c1278adef96d36fd421c536b1acc54a341cfbsf *    AllowMethods reset
135c1278adef96d36fd421c536b1acc54a341cfbsf */
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsftypedef struct am_conf_t {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    int allowed_set;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    apr_int64_t allowed;
135c1278adef96d36fd421c536b1acc54a341cfbsf} am_conf_t;
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsfmodule AP_MODULE_DECLARE_DATA allowmethods_module;
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsfstatic int am_check_access(request_rec *r)
135c1278adef96d36fd421c536b1acc54a341cfbsf{
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    int method = r->method_number;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_conf_t *conf;
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    conf = (am_conf_t *) ap_get_module_config(r->per_dir_config,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc                                              &allowmethods_module);
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    if (!conf || conf->allowed == 0) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        return DECLINED;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    }
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    r->allowed = conf->allowed;
135c1278adef96d36fd421c536b1acc54a341cfbsf
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    if (conf->allowed & (AP_METHOD_BIT << method)) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        return DECLINED;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    }
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01623)
135c1278adef96d36fd421c536b1acc54a341cfbsf                  "client method denied by server configuration: '%s' to %s%s",
135c1278adef96d36fd421c536b1acc54a341cfbsf                  r->method,
135c1278adef96d36fd421c536b1acc54a341cfbsf                  r->filename ? "" : "uri ",
135c1278adef96d36fd421c536b1acc54a341cfbsf                  r->filename ? r->filename : r->uri);
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    return HTTP_METHOD_NOT_ALLOWED;
135c1278adef96d36fd421c536b1acc54a341cfbsf}
135c1278adef96d36fd421c536b1acc54a341cfbsf
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletcstatic void *am_create_conf(apr_pool_t *p, char *dummy)
135c1278adef96d36fd421c536b1acc54a341cfbsf{
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_conf_t *conf = apr_pcalloc(p, sizeof(am_conf_t));
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    conf->allowed = 0;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    conf->allowed_set = 0;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    return conf;
135c1278adef96d36fd421c536b1acc54a341cfbsf}
135c1278adef96d36fd421c536b1acc54a341cfbsf
70ad0d9ff31ed8da58193eff4bf240247d1d6bddjailletcstatic void *am_merge_conf(apr_pool_t *pool, void *a, void *b)
70ad0d9ff31ed8da58193eff4bf240247d1d6bddjailletc{
70ad0d9ff31ed8da58193eff4bf240247d1d6bddjailletc    am_conf_t *base = (am_conf_t *)a;
70ad0d9ff31ed8da58193eff4bf240247d1d6bddjailletc    am_conf_t *add = (am_conf_t *)b;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_conf_t *conf = apr_palloc(pool, sizeof(am_conf_t));
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    if (add->allowed_set) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        conf->allowed = add->allowed;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        conf->allowed_set = add->allowed_set;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    }
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    else {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        conf->allowed = base->allowed;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        conf->allowed_set = base->allowed_set;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    }
135c1278adef96d36fd421c536b1acc54a341cfbsf
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    return conf;
135c1278adef96d36fd421c536b1acc54a341cfbsf}
135c1278adef96d36fd421c536b1acc54a341cfbsf
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletcstatic const char *am_allowmethods(cmd_parms *cmd, void *d, int argc,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc                                   char *const argv[])
135c1278adef96d36fd421c536b1acc54a341cfbsf{
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    int i;
70ad0d9ff31ed8da58193eff4bf240247d1d6bddjailletc    am_conf_t *conf = (am_conf_t *)d;
135c1278adef96d36fd421c536b1acc54a341cfbsf
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    if (argc == 0) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        return "AllowMethods: No method or 'reset' keyword given";
135c1278adef96d36fd421c536b1acc54a341cfbsf    }
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    if (argc == 1) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        if (strcasecmp("reset", argv[0]) == 0) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc            conf->allowed = 0;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc            conf->allowed_set = 1;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc            return NULL;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        }
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    }
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    for (i = 0; i < argc; i++) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        int m;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        m = ap_method_number_of(argv[i]);
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        if (m == M_INVALID) {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc            return apr_pstrcat(cmd->pool, "AllowMethods: Invalid Method '",
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc                               argv[i], "'", NULL);
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        }
135c1278adef96d36fd421c536b1acc54a341cfbsf
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc        conf->allowed |= (AP_METHOD_BIT << m);
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    }
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    conf->allowed_set = 1;
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    return NULL;
135c1278adef96d36fd421c536b1acc54a341cfbsf}
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsfstatic void am_register_hooks(apr_pool_t * p)
135c1278adef96d36fd421c536b1acc54a341cfbsf{
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    ap_hook_access_checker(am_check_access, NULL, NULL, APR_HOOK_REALLY_FIRST);
135c1278adef96d36fd421c536b1acc54a341cfbsf}
135c1278adef96d36fd421c536b1acc54a341cfbsf
135c1278adef96d36fd421c536b1acc54a341cfbsfstatic const command_rec am_cmds[] = {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    AP_INIT_TAKE_ARGV("AllowMethods", am_allowmethods, NULL,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc                      ACCESS_CONF,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc                      "only allow specific methods"),
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    {NULL}
135c1278adef96d36fd421c536b1acc54a341cfbsf};
135c1278adef96d36fd421c536b1acc54a341cfbsf
636d0d3e03f5f4f2fefae0f20c36e288755e79f6rjungAP_DECLARE_MODULE(allowmethods) = {
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    STANDARD20_MODULE_STUFF,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_create_conf,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_merge_conf,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    NULL,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    NULL,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_cmds,
cf9acd789f86df61f77c735ec3a45b0f5c88bacbjailletc    am_register_hooks,
135c1278adef96d36fd421c536b1acc54a341cfbsf};