Subject: svn commit: r1589986 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml server/util_expr_eval.c
Date: Fri, 25 Apr 2014 10:55:05 -0000
To: cvs@httpd.apache.org
From: minfrin@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20140425105505.72B912388860@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: minfrin Date: Fri Apr 25 10:55:04 2014 New Revision: 1589986 URL: http://svn.apache.org/r1589986 Log: Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection. Note: this requires at least APR v1.6.0 or above for the apr_escape API. Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/docs/manual/expr.xml httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml httpd/httpd/trunk/server/util_expr_eval.c Modified: httpd/httpd/trunk/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1589986&r1=1589985&r2=1589986&view=diff ============================================================================== --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 25 10:55:04 2014 @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) Add the ldap function to the expression API, allowing LDAP filters and + distinguished names based on expressions to be escaped correctly to + guard against LDAP injection. [Graham Leggett] + *) Add module mod_ssl_ct, which provides an implementation of Certificate Transparency (RFC 6962) for httpd. [Jeff Trawick] Modified: httpd/httpd/trunk/docs/manual/expr.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1589986&r1=1589985&r2=1589986&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/expr.xml (original) +++ httpd/httpd/trunk/docs/manual/expr.xml Fri Apr 25 10:55:04 2014 
@@ -514,6 +514,9 @@ listfunction ::= listfuncname "( filesize Return size of a file (or 0 if file does not exist or is not regular file)yes + ldap + Escape characters as required by LDAP distinguished name escaping + (RFC4514) and LDAP filter escaping (RFC4515). Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589986&r1=1589985&r2=1589986&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 10:55:04 2014 @@ -496,6 +496,16 @@ AuthLDAPMaxSubGroupDepth 1 ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

+

When using an expression within the filter, care + must be taken to ensure that LDAP filters are escaped correctly to guard against + LDAP injection. The ldap function can be used for this purpose.

+ + +<LocationMatch ^/dav/(?[^/]+)/> + Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example) +</LocationMatch> + + Modified: httpd/httpd/trunk/server/util_expr_eval.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1589986&r1=1589985&r2=1589986&view=diff ============================================================================== --- httpd/httpd/trunk/server/util_expr_eval.c (original) +++ httpd/httpd/trunk/server/util_expr_eval.c Fri Apr 25 10:55:04 2014 @@ -31,6 +31,7 @@ #include "apr_fnmatch.h" #include "apr_base64.h" #include "apr_sha1.h" +#include "apr_escape.h" #include /* for INT_MAX */ @@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval return ap_md5(ctx->p, (const unsigned char *)arg); } +static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data, + const char *arg) +{ + return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL); +} + #define MAX_FILE_SIZE 10*1024*1024 static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data, @@ -1645,6 +1652,7 @@ static const struct expr_provider_single { unbase64_func, "unbase64", NULL, 0 }, { sha1_func, "sha1", NULL, 0 }, { md5_func, "md5", NULL, 0 }, + { ldap_func, "ldap", NULL, 0 }, { NULL, NULL, NULL} };
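Review bot: the CHANGES hunk omits the APR dependency that the log message calls out; the new function only builds against APR 1.6.0 or later (apr_escape API), so the three added lines should say so, for example by ending the entry with "Requires APR 1.6.0 or later.", otherwise packagers reading CHANGES get no warning of the build requirement.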
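Review bot: in the expr.xml hunk the neighbouring filesize row ends with a "yes" column that the new ldap row does not carry; please confirm that the trailing column is intentionally empty (the registration table marks the function with a restricted flag of 0, so it should match whatever the other unrestricted rows use). The description would also be clearer if it stated that both escapings, RFC 4514 DN escaping and RFC 4515 filter escaping, are applied together in one pass, since that is what the caller gets and it is why the result is safe in either context.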
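Review bot: the example regex in the mod_authnz_ldap.xml hunk, `<LocationMatch ^/dav/(?[^/]+)/>`, is not valid as rendered: the named capture group that is expected to populate MATCH_SITENAME has lost its name, so check that the committed file carries the group name inside `(?...)`. The nesting `%{ldap:%{unescape:%{env:MATCH_SITENAME}}}` is in the right order (decode first, escape last) and the prose should say so explicitly, because reversing the two would escape the still-encoded value and leave the decoded characters unprotected; it is also worth noting that the value is substituted into a DN that itself sits inside a filter, which is why a function covering both escapings is the one to use here.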
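Review bot: the `+#include "apr_escape.h"` in util_expr_eval.c is unconditional, but the header only exists from APR 1.6.0 (as the log message itself notes), so trunk will no longer compile against APR 1.5.x. Either add a configure-time check for apr_pescape_ldap or wrap the include, ldap_func and its table entry in `#if APR_VERSION_AT_LEAST(1,6,0)` so that older APR builds simply lack the function instead of failing to build.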
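Review bot: ldap_func passes APR_ESCAPE_LDAP_ALL, so every call escapes for both the DN and the filter context at once. That is the safe default for the documented use (a DN embedded in a filter), but a caller who needs only one form cannot select it; either document that the combined escaping is always applied or consider separate dn/filter variants later. Please also confirm how apr_pescape_ldap behaves when the inner expression evaluates to NULL, since `arg` is passed through unchecked; the neighbouring md5_func does the same, so if the evaluator already guarantees a non-NULL argument a comment saying so would settle it.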