1
/* Licensed to the Apache Software Foundation (ASF) under one or more
2
* contributor license agreements. See the NOTICE file distributed with
3
* this work for additional information regarding copyright ownership.
4
* The ASF licenses this file to You under the Apache License, Version 2.0
5
* (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
8
* http://www.apache.org/licenses/LICENSE-2.0
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
18
* Security options etc.
20
* Module derived from code originally written by Rob McCool
24
#include "apr_strings.h"
25
#include "apr_network_io.h"
28
#define APR_WANT_STRFUNC
29
#define APR_WANT_BYTEFUNC
32
#include "ap_config.h"
34
#include "http_core.h"
35
#include "http_config.h"
37
#include "http_request.h"
39
#if APR_HAVE_NETINET_IN_H
40
#include <netinet/in.h>
57
enum allowdeny_type type;
60
/* things in the 'order' array */
61
#define DENY_THEN_ALLOW 0
62
#define ALLOW_THEN_DENY 1
63
#define MUTUAL_FAILURE 2
67
apr_array_header_t *allows;
68
apr_array_header_t *denys;
69
} authz_host_dir_conf;
71
module AP_MODULE_DECLARE_DATA authz_host_module;
73
static void *create_authz_host_dir_config(apr_pool_t *p, char *dummy)
76
authz_host_dir_conf *conf =
77
(authz_host_dir_conf *)apr_pcalloc(p, sizeof(authz_host_dir_conf));
79
for (i = 0; i < METHODS; ++i) {
80
conf->order[i] = DENY_THEN_ALLOW;
82
conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
83
conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
88
static const char *order(cmd_parms *cmd, void *dv, const char *arg)
90
authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
93
if (!strcasecmp(arg, "allow,deny"))
95
else if (!strcasecmp(arg, "deny,allow"))
97
else if (!strcasecmp(arg, "mutual-failure"))
100
return "unknown order";
102
for (i = 0; i < METHODS; ++i)
103
if (cmd->limited & (AP_METHOD_BIT << i))
109
static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
112
authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
114
char *where = apr_pstrdup(cmd->pool, where_c);
119
if (strcasecmp(from, "from"))
120
return "allow and deny must be followed by 'from'";
122
a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
124
a->limited = cmd->limited;
126
if (!strncasecmp(where, "env=", 4)) {
131
else if (!strcasecmp(where, "all")) {
134
else if ((s = ap_strchr(where, '/'))) {
136
rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool);
137
if(APR_STATUS_IS_EINVAL(rv)) {
138
/* looked nothing like an IP address */
139
return "An IP address was expected";
141
else if (rv != APR_SUCCESS) {
142
apr_strerror(rv, msgbuf, sizeof msgbuf);
143
return apr_pstrdup(cmd->pool, msgbuf);
147
else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where,
149
if (rv != APR_SUCCESS) {
150
apr_strerror(rv, msgbuf, sizeof msgbuf);
151
return apr_pstrdup(cmd->pool, msgbuf);
155
else { /* no slash, didn't look like an IP address => must be a host */
162
static char its_an_allow;
164
static const command_rec authz_host_cmds[] =
166
AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
167
"'allow,deny', 'deny,allow', or 'mutual-failure'"),
168
AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
169
"'from' followed by hostnames or IP-address wildcards"),
170
AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
171
"'from' followed by hostnames or IP-address wildcards"),
175
static int in_domain(const char *domain, const char *what)
177
int dl = strlen(domain);
178
int wl = strlen(what);
180
if ((wl - dl) >= 0) {
181
if (strcasecmp(domain, &what[wl - dl]) != 0) {
185
/* Make sure we matched an *entire* subdomain --- if the user
186
* said 'allow from good.com', we don't want people from nogood.com
187
* to be able to get in.
191
return 1; /* matched whole thing */
194
return (domain[0] == '.' || what[wl - dl - 1] == '.');
202
static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
205
allowdeny *ap = (allowdeny *) a->elts;
206
apr_int64_t mmask = (AP_METHOD_BIT << method);
209
const char *remotehost = NULL;
211
for (i = 0; i < a->nelts; ++i) {
212
if (!(mmask & ap[i].limited)) {
216
switch (ap[i].type) {
218
if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
227
if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) {
234
int remotehost_is_ip;
236
remotehost = ap_get_remote_host(r->connection,
241
if ((remotehost == NULL) || remotehost_is_ip) {
249
if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {
263
static int check_dir_access(request_rec *r)
265
int method = r->method_number;
267
authz_host_dir_conf *a = (authz_host_dir_conf *)
268
ap_get_module_config(r->per_dir_config, &authz_host_module);
270
if (a->order[method] == ALLOW_THEN_DENY) {
271
ret = HTTP_FORBIDDEN;
272
if (find_allowdeny(r, a->allows, method)) {
275
if (find_allowdeny(r, a->denys, method)) {
276
ret = HTTP_FORBIDDEN;
279
else if (a->order[method] == DENY_THEN_ALLOW) {
280
if (find_allowdeny(r, a->denys, method)) {
281
ret = HTTP_FORBIDDEN;
283
if (find_allowdeny(r, a->allows, method)) {
288
if (find_allowdeny(r, a->allows, method)
289
&& !find_allowdeny(r, a->denys, method)) {
293
ret = HTTP_FORBIDDEN;
297
if (ret == HTTP_FORBIDDEN
298
&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
299
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
300
"client denied by server configuration: %s",
307
static void register_hooks(apr_pool_t *p)
309
/* This can be access checker since we don't require r->user to be set. */
310
ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
313
module AP_MODULE_DECLARE_DATA authz_host_module =
315
STANDARD20_MODULE_STUFF,
316
create_authz_host_dir_config, /* dir config creater */
317
NULL, /* dir merger --- default is to override */
318
NULL, /* server config */
319
NULL, /* merge server config */
321
register_hooks /* register hooks */