author | Stefan Fritsch <sf@sfritsch.de> | 2016-04-09 13:46:36 +0200 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2016-04-09 13:46:36 +0200 |
commit | 48eddd3d39fa2668ee29198ebfb33c41d4738c21 (patch) | |
tree | 247d4f813b86ea354d18d337b09bb137caab8e15 /modules/aaa/mod_authz_host.c | |
parent | d5325781b38052fbdf4cc28a6c6d3052b9424b51 (diff) | |
Imported Upstream version 2.4.20
Diffstat (limited to 'modules/aaa/mod_authz_host.c')
-rw-r--r-- | modules/aaa/mod_authz_host.c | 80 |
1 files changed, 76 insertions, 4 deletions
diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index 83fc6e6c..dff1d322 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -168,10 +168,7 @@ static authz_status host_check_authorization(request_rec *r,
 const char *remotehost = NULL;
 int remotehost_is_ip;
- remotehost = ap_get_remote_host(r->connection,
- r->per_dir_config,
- REMOTE_DOUBLE_REV,
- &remotehost_is_ip);
+ remotehost = ap_get_useragent_host(r, REMOTE_DOUBLE_REV, &remotehost_is_ip);
 if ((remotehost == NULL) || remotehost_is_ip) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01753)
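Review bot: The new call `ap_get_useragent_host(r, REMOTE_DOUBLE_REV, &remotehost_is_ip)` in host_check_authorization has no comment saying that `Require host` is now evaluated against the request's user-agent address instead of the TCP peer of `r->connection`. If another module can override that address (presumably a trusted-proxy module; not visible in this hunk), the authorization result depends on that module's configuration, which a maintainer should be able to see at the call site. I would add `/* user-agent address: may differ from the connection peer when a proxy-aware module has replaced it */` above the call. The function starts and ends outside this hunk.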
@@ -206,6 +203,71 @@ static authz_status host_check_authorization(request_rec *r,
 return AUTHZ_DENIED;
 }
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
+{
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_line;
+ const char *require, *t;
+ char *w;
+
+ /* the require line is an expression, which is evaluated now. */
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+ "Can't evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ /* tokenize expected list of names */
+ t = require;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+
+ apr_sockaddr_t *sa;
+ apr_status_t rv;
+ char *hash_ptr;
+
+ /* stop on apache configuration file comments */
+ if ((hash_ptr = ap_strchr(w, '#'))) {
+ if (hash_ptr == w) {
+ break;
+ }
+ *hash_ptr = '\0';
+ }
+
+ /* does the client ip match one of the names? */
+ rv = apr_sockaddr_info_get(&sa, w, APR_UNSPEC, 0, 0, r->pool);
+ if (rv == APR_SUCCESS) {
+
+ while (sa) {
+ int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+ "access check for %s as '%s': %s",
+ r->useragent_ip, w, match? "yes": "no");
+ if (match) {
+ return AUTHZ_GRANTED;
+ }
+
+ sa = sa->next;
+ }
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+ "No sockaddr info for \"%s\"", w);
+ }
+
+ /* stop processing, we are in a comment */
+ if (hash_ptr) {
+ break;
+ }
+ }
+
+ return AUTHZ_DENIED;
+}
+
 static authz_status local_check_authorization(request_rec *r, const char *require_line, const void *parsed_require_line)
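Review bot: forward_dns_check_authorization has no header comment stating its trust model: it returns AUTHZ_GRANTED as soon as `apr_sockaddr_equal(sa, r->useragent_addr)` matches any address the resolver returns for a configured name, so a grant is only as trustworthy as the DNS answers and as `r->useragent_addr` itself. The `apr_sockaddr_info_get` lookup runs for each name every time the provider is evaluated, and each failed lookup is logged at APLOG_WARNING, so a resolver outage could fill the error log; whether answers are cached is not visible here. I would add a block comment above the function saying that names are resolved at request time, that a resolution failure falls through to AUTHZ_DENIED, and that the comparison is against the user-agent address rather than the connection peer.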
@@ -255,6 +317,12 @@ static const authz_provider authz_host_provider =
 &host_parse_config,
 };
+static const authz_provider authz_forward_dns_provider =
+{
+ &forward_dns_check_authorization,
+ &host_parse_config,
+};
+
 static const authz_provider authz_local_provider = { &local_check_authorization,
@@ -299,6 +367,10 @@ static void register_hooks(apr_pool_t *p)
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host", AUTHZ_PROVIDER_VERSION, &authz_host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_forward_dns_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "local", AUTHZ_PROVIDER_VERSION, &authz_local_provider, AP_AUTH_INTERNAL_PER_CONF);
|