
From minf...@apache.org
Subject svn commit: r1589986 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml server/util_expr_eval.c
Date Fri, 25 Apr 2014 10:55:05 GMT
Author: minfrin
Date: Fri Apr 25 10:55:04 2014
New Revision: 1589986

URL: http://svn.apache.org/r1589986
Log:
Add the ldap function to the expression API, allowing LDAP filters and
distinguished names based on expressions to be escaped correctly to
guard against LDAP injection.

Note: this requires APR v1.6.0 or above for the apr_escape API.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/expr.xml
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/trunk/server/util_expr_eval.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 25 10:55:04 2014
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) Add the ldap function to the expression API, allowing LDAP filters and
+     distinguished names based on expressions to be escaped correctly to
+     guard against LDAP injection. [Graham Leggett]
+
   *) Add module mod_ssl_ct, which provides an implementation of Certificate
      Transparency (RFC 6962) for httpd.  [Jeff Trawick]
 

Modified: httpd/httpd/trunk/docs/manual/expr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/expr.xml (original)
+++ httpd/httpd/trunk/docs/manual/expr.xml Fri Apr 25 10:55:04 2014
@@ -514,6 +514,9 @@ listfunction ::= listfuncname "<strong>(
     <tr><td><code>filesize</code></td>
         <td>Return size of a file (or 0 if file does not exist or is not
             regular file)</td><td>yes</td></tr>
+    <tr><td><code>ldap</code></td>
+        <td>Escape characters as required by LDAP distinguished name escaping
+            (RFC4514) and LDAP filter escaping (RFC4515).</td><td></td></tr>
 
     </table>
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 10:55:04 2014
@@ -496,6 +496,16 @@ AuthLDAPMaxSubGroupDepth 1
     <code>ldap-attribute</code> will be faster than the search operation
     used by <code>ldap-filter</code> especially within a large directory.</p>
 
+    <p>When using an <a href="../expr.html">expression</a> within the filter,
care
+    must be taken to ensure that LDAP filters are escaped correctly to guard against
+    LDAP injection. The ldap function can be used for this purpose.</p>
+
+<highlight language="config">
+&lt;LocationMatch ^/dav/(?<SITENAME>[^/]+)/&gt;
+  Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
+&lt;/LocationMatch&gt;
+</highlight>
+
 </section>
 
 </section>

Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Fri Apr 25 10:55:04 2014
@@ -31,6 +31,7 @@
 #include "apr_fnmatch.h"
 #include "apr_base64.h"
 #include "apr_sha1.h"
+#include "apr_escape.h"
 
 #include <limits.h>     /* for INT_MAX */
 
@@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval
 	return ap_md5(ctx->p, (const unsigned char *)arg);
 }
 
+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
+                               const char *arg)
+{
+        return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
+}
+
 
 #define MAX_FILE_SIZE 10*1024*1024
 static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
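Review bot: ldap_func carries no comment, and the call to apr_pescape_ldap does not by itself convey that APR_ESCAPE_LDAP_ALL applies both distinguished-name (RFC 4514) and filter (RFC 4515) escaping, which is the contract the expr.xml hunk documents; a comment above the definition such as `/* Escape arg for use in an LDAP DN and an LDAP filter (RFC 4514/4515); APR_ESCAPE_LDAP_ALL covers both contexts. */` would keep the code and the manual in step. The body is indented eight spaces and the continuation line of the signature sits two columns to the right of the opening parenthesis, while the neighbouring md5_func and the provider table use a single indent level, so the new lines should be reformatted to match. The hunk adds no build-time guard around apr_pescape_ldap, so, as the log message notes, a build against APR older than 1.6.0 fails at compile time; if configure does not already probe for this API, an `APR_VERSION_AT_LEAST` guard or an explicit check would give a clearer failure.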
@@ -1645,6 +1652,7 @@ static const struct expr_provider_single
     { unbase64_func,        "unbase64",       NULL, 0 },
     { sha1_func,            "sha1",           NULL, 0 },
     { md5_func,             "md5",            NULL, 0 },
+    { ldap_func,            "ldap",           NULL, 0 },
     { NULL, NULL, NULL}
 };
 


