From: Jan Kaluža
Date: Thu, 19 Mar 2015 07:46:35 +0000 (+0000)
Subject: * mod_access_compat, mod_authz_host: Handle '#' character.
X-Git-Tag: 2.5.0-alpha~3370
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=29e741e0d93aa527989c492e73371845b15014a3;p=apache
* mod_access_compat, mod_authz_host: Handle '#' character. For mod_access_compat, disable '#' in hostname completely. For mod_authz_host, treat '#' as a comment and ignore everything after that. This allows better handling of admin errors like 'Require host localhost# Add example.com later'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1667676 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/aaa/mod_access_compat.c b/modules/aaa/mod_access_compat.c
index 46d8da0e53..591fcebed8 100644
--- a/modules/aaa/mod_access_compat.c
+++ b/modules/aaa/mod_access_compat.c
@@ -187,6 +187,9 @@ static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
 return apr_psprintf(cmd->pool, "%pm", &rv);
 a->type = T_IP;
 }
+ else if (ap_strchr(where, '#')) {
+ return "No comments are allowed here";
+ }
 else { /* no slash, didn't look like an IP address => must be a host */
 a->type = T_HOST;
 }
diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index 83fc6e6c71..c7bbbe015d 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -164,7 +164,8 @@ static authz_status host_check_authorization(request_rec *r,
 const char *require_line,
 const void *parsed_require_line)
 {
- const char *t, *w;
+ const char *t;
+ char *w, *hash_ptr;
 const char *remotehost = NULL;
 int remotehost_is_ip;
 
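Review bot: In mod_access_compat.c, the new `else if (ap_strchr(where, '#'))` branch in allow_cmd returns the fixed string `"No comments are allowed here"`, which does not tell the admin which argument was rejected. The `apr_psprintf(cmd->pool, ...)` call in the branch just above already builds its message from the pool, so the same could be done here: `return apr_psprintf(cmd->pool, "'#' is not allowed in a host name: %s", where);`. The branch also has no comment; `/* '#' cannot be part of a hostname; reject it rather than store it as T_HOST */` would record why it sits ahead of the host fallback. allow_cmd starts and ends outside the hunk.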
@@ -196,9 +197,21 @@ static authz_status host_check_authorization(request_rec *r,
 from the previous host based syntax. */
 t = require;
 while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+ /* '#' is not valid hostname character and admin could specify
+ * 'Require host localhost# Add example.com later'. We should not
+ * grant access to 'example.com' in that case. */
+ if ((hash_ptr = ap_strchr(w, '#'))) {
+ if (hash_ptr == w) {
+ break;
+ }
+ *hash_ptr = '\0';
+ }
 if (in_domain(w, remotehost)) {
 return AUTHZ_GRANTED;
 }
+ if (hash_ptr) {
+ break;
+ }
 }
 }
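Review bot: The '#' handling added to the `while` loop of host_check_authorization discards the rest of the Require line silently while a request is being authorized, so a line that has been cut short (the `Require host localhost# Add example.com later` case from the comment) leaves no trace for the admin, whereas the mod_access_compat hunk of this commit rejects the same character with an error string. A debug-level trace ahead of the two `break` statements would make the truncation visible, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Require host: ignoring text from '#' onward");`; rejecting the line when the configuration is parsed would be stricter, if this provider has such a hook (not visible in this hunk). A short comment on `*hash_ptr = '\0';` stating that `w` is the word just returned by `ap_getword_conf(r->pool, &t)` and not part of the stored require line would also explain why the in-place write is acceptable. The function starts and ends outside the hunk.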