From: Jim Jagielski Date: Sun, 5 Jan 2014 16:12:20 +0000 (+0000) Subject: Merge r1554188 from trunk: X-Git-Tag: 2.4.8~288 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9eba5d4a714a16eaa4ea779e0960780ecbcb8c84;p=apache Merge r1554188 from trunk: mod_authnz_host: Support the expression parser within the require directives. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555545 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 4a22d57d19..b61d12795b 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.8 + *) mod_authnz_host: Support the expression parser within the require + directives. [Graham Leggett] + *) mod_authnz_groupfile: Support the expression parser within the require directives. [Graham Leggett] diff --git a/STATUS b/STATUS index 155d2ca710..2790a42515 100644 --- a/STATUS +++ b/STATUS @@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_authz_host: Support the expression parser within the require directives. - trunk patch: http://svn.apache.org/r1554188 - 2.4.x patch: trunk works (modulo CHANGES and log-message-tags) - +1: minfrin, jim, covener - * mod_authz_user: Support the expression parser within the require directives. trunk patch: http://svn.apache.org/r1554195 2.4.x patch: trunk works (modulo CHANGES and log-message-tags) diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml index d5a41ba29c..fcd1ea1280 100644 --- a/docs/manual/expr.xml +++ b/docs/manual/expr.xml @@ -58,6 +58,8 @@ Require ldap-filter Require dbd-group Require dbm-group +Require group +Require host SSLRequire LogMessage mod_include diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml index 29a40caaa6..bd4515a3d3 100644 --- a/docs/manual/mod/mod_authz_host.xml +++ b/docs/manual/mod/mod_authz_host.xml @@ -58,7 +58,7 @@ address)

Apache's Require directive is used during the authorization phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the - authorization types with ip and host. + authorization types with ip, host and local. Other authorization types may also be used but may require that additional authorization modules be loaded.

@@ -66,6 +66,9 @@ address) access an area of the server. Access can be controlled by hostname, IP Address, or IP Address range.

+

Since v2.5.0, expressions are supported + within the host require directives.

+
Require ip

The ip provider allows access to the server @@ -118,6 +121,8 @@ Require ip 2001:db8::a00:20ff:fea7:ccea Require ip 2001:db8::a00:20ff:fea7:ccea/10 +

Note: As the IP addresses are parsed on startup, expressions are + not evaluated at request time.

diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c index f4d5c41cb8..f5f1a0ddbc 100644 --- a/modules/aaa/mod_authz_host.c +++ b/modules/aaa/mod_authz_host.c @@ -179,10 +179,22 @@ static authz_status host_check_authorization(request_rec *r, "remote host name", require_line, r->uri); } else { + const char *err = NULL; + const ap_expr_info_t *expr = parsed_require_line; + const char *require; + + require = ap_expr_str_exec(r, expr, &err); + if (err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02593) + "authz_host authorize: require host: Can't " + "evaluate require expression: %s", err); + return AUTHZ_DENIED; + } + /* The 'host' provider will allow the configuration to specify a list of host names to check rather than a single name. This is different from the previous host based syntax. */ - t = require_line; + t = require; while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { if (in_domain(w, remotehost)) { return AUTHZ_GRANTED; @@ -212,6 +224,25 @@ static authz_status local_check_authorization(request_rec *r, return AUTHZ_DENIED; } +static const char *host_parse_config(cmd_parms *cmd, const char *require_line, + const void **parsed_require_line) +{ + const char *expr_err = NULL; + ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr)); + + expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + + if (expr_err) + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression in require line: ", + expr_err, NULL); + + *parsed_require_line = expr; + + return NULL; +} + static const authz_provider authz_ip_provider = { &ip_check_authorization, @@ -221,7 +252,7 @@ static const authz_provider authz_ip_provider = static const authz_provider authz_host_provider = { &host_check_authorization, - NULL, + &host_parse_config, }; static const authz_provider authz_local_provider =