1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Security options etc.
20 * Module derived from code originally written by Rob McCool
24 #include "apr_strings.h"
25 #include "apr_network_io.h"
28 #define APR_WANT_STRFUNC
29 #define APR_WANT_BYTEFUNC
32 #include "ap_config.h"
34 #include "http_core.h"
35 #include "http_config.h"
37 #include "http_protocol.h"
38 #include "http_request.h"
42 #if APR_HAVE_NETINET_IN_H
43 #include <netinet/in.h>
60 enum allowdeny_type type;
63 /* things in the 'order' array */
64 #define DENY_THEN_ALLOW 0
65 #define ALLOW_THEN_DENY 1
66 #define MUTUAL_FAILURE 2
70 apr_array_header_t *allows;
71 apr_array_header_t *denys;
72 int *satisfy; /* for every method one */
73 } access_compat_dir_conf;
75 module AP_MODULE_DECLARE_DATA access_compat_module;
77 static void *create_access_compat_dir_config(apr_pool_t *p, char *dummy)
80 access_compat_dir_conf *conf =
81 (access_compat_dir_conf *)apr_pcalloc(p, sizeof(access_compat_dir_conf));
83 for (i = 0; i < METHODS; ++i) {
84 conf->order[i] = DENY_THEN_ALLOW;
86 conf->allows = apr_array_make(p, 1, sizeof(allowdeny));
87 conf->denys = apr_array_make(p, 1, sizeof(allowdeny));
88 conf->satisfy = apr_palloc(p, sizeof(*conf->satisfy) * METHODS);
89 for (i = 0; i < METHODS; ++i) {
90 conf->satisfy[i] = SATISFY_NOSPEC;
96 static const char *order(cmd_parms *cmd, void *dv, const char *arg)
98 access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
101 ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
102 "The 'Order' directive has been deprecated. "
103 "Consider using '<SatisfyAll><SatisfyOne>' directives.");
105 if (!strcasecmp(arg, "allow,deny"))
107 else if (!strcasecmp(arg, "deny,allow"))
109 else if (!strcasecmp(arg, "mutual-failure"))
112 return "unknown order";
114 for (i = 0; i < METHODS; ++i)
115 if (cmd->limited & (AP_METHOD_BIT << i))
121 static const char *satisfy(cmd_parms *cmd, void *dv, const char *arg)
123 access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
124 int satisfy = SATISFY_NOSPEC;
127 ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
128 "The 'Satisfy' directive has been deprecated. "
129 "Consider using '<SatisfyAll><SatisfyOne>' directives.");
131 if (!strcasecmp(arg, "all")) {
132 satisfy = SATISFY_ALL;
134 else if (!strcasecmp(arg, "any")) {
135 satisfy = SATISFY_ANY;
138 return "Satisfy either 'any' or 'all'.";
141 for (i = 0; i < METHODS; ++i) {
142 if (cmd->limited & (AP_METHOD_BIT << i)) {
143 d->satisfy[i] = satisfy;
150 static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
153 access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
155 char *where = apr_pstrdup(cmd->pool, where_c);
160 ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
161 "The 'Allow/Deny' directives have been deprecated. "
162 "Consider using one of the host providers in mod_authz_host.");
164 if (strcasecmp(from, "from"))
165 return "allow and deny must be followed by 'from'";
167 a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
169 a->limited = cmd->limited;
171 if (!strncasecmp(where, "env=", 4)) {
176 else if (!strcasecmp(where, "all")) {
179 else if ((s = ap_strchr(where, '/'))) {
181 rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool);
182 if(APR_STATUS_IS_EINVAL(rv)) {
183 /* looked nothing like an IP address */
184 return "An IP address was expected";
186 else if (rv != APR_SUCCESS) {
187 apr_strerror(rv, msgbuf, sizeof msgbuf);
188 return apr_pstrdup(cmd->pool, msgbuf);
192 else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where,
194 if (rv != APR_SUCCESS) {
195 apr_strerror(rv, msgbuf, sizeof msgbuf);
196 return apr_pstrdup(cmd->pool, msgbuf);
200 else { /* no slash, didn't look like an IP address => must be a host */
207 static char its_an_allow;
209 static const command_rec access_compat_cmds[] =
211 AP_INIT_TAKE1("order", order, NULL, OR_LIMIT,
212 "'allow,deny', 'deny,allow', or 'mutual-failure'"),
213 AP_INIT_ITERATE2("allow", allow_cmd, &its_an_allow, OR_LIMIT,
214 "'from' followed by hostnames or IP-address wildcards"),
215 AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
216 "'from' followed by hostnames or IP-address wildcards"),
217 AP_INIT_TAKE1("Satisfy", satisfy, NULL, OR_AUTHCFG,
218 "access policy if both allow and require used ('all' or 'any')"),
222 static int in_domain(const char *domain, const char *what)
224 int dl = strlen(domain);
225 int wl = strlen(what);
227 if ((wl - dl) >= 0) {
228 if (strcasecmp(domain, &what[wl - dl]) != 0) {
232 /* Make sure we matched an *entire* subdomain --- if the user
233 * said 'allow from good.com', we don't want people from nogood.com
234 * to be able to get in.
238 return 1; /* matched whole thing */
241 return (domain[0] == '.' || what[wl - dl - 1] == '.');
249 static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
252 allowdeny *ap = (allowdeny *) a->elts;
253 apr_int64_t mmask = (AP_METHOD_BIT << method);
256 const char *remotehost = NULL;
258 for (i = 0; i < a->nelts; ++i) {
259 if (!(mmask & ap[i].limited)) {
263 switch (ap[i].type) {
265 if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
274 if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) {
281 int remotehost_is_ip;
283 remotehost = ap_get_remote_host(r->connection,
288 if ((remotehost == NULL) || remotehost_is_ip) {
296 if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {
310 static int ap_satisfies(request_rec *r)
312 access_compat_dir_conf *conf = (access_compat_dir_conf *)
313 ap_get_module_config(r->per_dir_config, &access_compat_module);
315 return conf->satisfy[r->method_number];
318 static int check_dir_access(request_rec *r)
320 int method = r->method_number;
322 access_compat_dir_conf *a = (access_compat_dir_conf *)
323 ap_get_module_config(r->per_dir_config, &access_compat_module);
325 if (a->order[method] == ALLOW_THEN_DENY) {
326 ret = HTTP_FORBIDDEN;
327 if (find_allowdeny(r, a->allows, method)) {
330 if (find_allowdeny(r, a->denys, method)) {
331 ret = HTTP_FORBIDDEN;
334 else if (a->order[method] == DENY_THEN_ALLOW) {
335 if (find_allowdeny(r, a->denys, method)) {
336 ret = HTTP_FORBIDDEN;
338 if (find_allowdeny(r, a->allows, method)) {
343 if (find_allowdeny(r, a->allows, method)
344 && !find_allowdeny(r, a->denys, method)) {
348 ret = HTTP_FORBIDDEN;
353 apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "Y");
356 apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "N");
357 /* If Satisfy is Any and authorization is required, then
358 defer to the authorization stage */
359 if ((ap_satisfies(r) == SATISFY_ANY) && ap_some_auth_required(r)) {
364 if (ret == HTTP_FORBIDDEN) {
365 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
366 "client denied by server configuration: %s%s",
367 r->filename ? "" : "uri ",
368 r->filename ? r->filename : r->uri);
374 static void register_hooks(apr_pool_t *p)
376 APR_REGISTER_OPTIONAL_FN(ap_satisfies);
378 /* This can be access checker since we don't require r->user to be set. */
379 ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
382 module AP_MODULE_DECLARE_DATA access_compat_module =
384 STANDARD20_MODULE_STUFF,
385 create_access_compat_dir_config, /* dir config creater */
386 NULL, /* dir merger --- default is to override */
387 NULL, /* server config */
388 NULL, /* merge server config */
390 register_hooks /* register hooks */