Subject: svn commit: r1589986 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml server/util_expr_eval.c
Date: Fri, 25 Apr 2014 10:55:05 -0000
To: cvs@httpd.apache.org
From: minfrin@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20140425105505.72B912388860@eris.apache.org>
Author: minfrin
Date: Fri Apr 25 10:55:04 2014
New Revision: 1589986
URL: http://svn.apache.org/r1589986
Log:
Add the ldap function to the expression API, allowing LDAP filters and
distinguished names based on expressions to be escaped correctly to
guard against LDAP injection.
Note: this requires at least APR v1.6.0 or above for the apr_escape API.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/expr.xml
httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
httpd/httpd/trunk/server/util_expr_eval.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 25 10:55:04 2014
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) Add the ldap function to the expression API, allowing LDAP filters and
+ distinguished names based on expressions to be escaped correctly to
+ guard against LDAP injection. [Graham Leggett]
+
*) Add module mod_ssl_ct, which provides an implementation of Certificate
Transparency (RFC 6962) for httpd. [Jeff Trawick]
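Review bot: the CHANGES entry leaves out the build requirement that the log message states ("requires at least APR v1.6.0 or above for the apr_escape API"). Packagers and downstream builders read CHANGES, not commit logs, so the entry should carry it, for example by appending "Requires APR 1.6.0 or later." to the paragraph.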
Modified: httpd/httpd/trunk/docs/manual/expr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/expr.xml (original)
+++ httpd/httpd/trunk/docs/manual/expr.xml Fri Apr 25 10:55:04 2014
@@ -514,6 +514,9 @@ listfunction ::= listfuncname "(
filesize |
Return size of a file (or 0 if file does not exist or is not
regular file) | yes |
+ ldap |
+ Escape characters as required by LDAP distinguished name escaping
+ (RFC4514) and LDAP filter escaping (RFC4515). | |
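Review bot: the description does not say whether the DN rules and the filter rules are applied together or chosen by context; the implementation in util_expr_eval.c passes APR_ESCAPE_LDAP_ALL, so a value run through ldap is escaped for both uses at once. Say so explicitly (e.g. "Escapes the value so that it is safe both as an attribute value inside a distinguished name (RFC 4514) and inside a search filter (RFC 4515)"), since that combined escaping is exactly what the cn=...,ou=... inside a filter example in mod_authnz_ldap relies on, and mention the APR 1.6.0 requirement here as well. The blank last column is consistent with the 0 flag given in the provider table.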
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 10:55:04 2014
@@ -496,6 +496,16 @@ AuthLDAPMaxSubGroupDepth 1
ldap-attribute
will be faster than the search operation
used by ldap-filter
especially within a large directory.
+ When using an expression within the filter, care
+ must be taken to ensure that LDAP filters are escaped correctly to guard against
+ LDAP injection. The ldap function can be used for this purpose.
+
+
+<LocationMatch ^/dav/(?[^/]+)/>
+ Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
+</LocationMatch>
+
+
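Review bot: in the LocationMatch example the capture group `(?[^/]+)` is not a named group, yet the Require line reads `%{env:MATCH_SITENAME}`; MATCH_ variables are only populated from named groups, so the pattern should read `^/dav/(?<sitename>[^/]+)/` (with the angle brackets written as XML entities in the manual source, or it will not render). A sentence on evaluation order would also help readers: the inner `%{unescape:...}` decodes the URL path segment first and `%{ldap:...}` escapes the decoded value afterwards, which is the correct order; escaping before decoding would let percent-encoded filter metacharacters reach the directory unescaped.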
Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1589986&r1=1589985&r2=1589986&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Fri Apr 25 10:55:04 2014
@@ -31,6 +31,7 @@
#include "apr_fnmatch.h"
#include "apr_base64.h"
#include "apr_sha1.h"
+#include "apr_escape.h"
#include /* for INT_MAX */
@@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval
return ap_md5(ctx->p, (const unsigned char *)arg);
}
+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+{
+ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
+}
+
#define MAX_FILE_SIZE 10*1024*1024
static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
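Review bot: apr_pescape_ldap is called unconditionally although the log message says it needs APR 1.6.0 or later; against an older APR the build fails with an implicit declaration or a link error rather than a clear message. Either guard ldap_func and its provider-table entry with `#if APR_VERSION_AT_LEAST(1,6,0)` (with the same guard on the apr_escape.h include) or add a configure-time check that reports the stated minimum. Passing APR_ESCAPE_STRING for the length and APR_ESCAPE_LDAP_ALL for the flags is right for this use, since the value may end up inside a DN that is itself inside a filter.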
@@ -1645,6 +1652,7 @@ static const struct expr_provider_single
{ unbase64_func, "unbase64", NULL, 0 },
{ sha1_func, "sha1", NULL, 0 },
{ md5_func, "md5", NULL, 0 },
+ { ldap_func, "ldap", NULL, 0 },
{ NULL, NULL, NULL}
};
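The commit delegates the actual escaping to APR's apr_pescape_ldap, which this mail does not show. The following stand-alone C example is added here to illustrate what the new ldap expression function has to achieve; it is not httpd's or APR's code. It escapes a value with the backslash-two-hex-digit form that both RFC 4514 (DN attribute values) and RFC 4515 (filter assertion values) accept, offers separate filter, DN and combined modes (the combined mode is assumed to correspond in scope to the commit's APR_ESCAPE_LDAP_ALL, but the flag names, character sets and functions are this example's own), and splices the result into the membership filter from the mod_authnz_ldap documentation hunk. The input names are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which context the escaped value must be safe in. These flags belong to this
 * example; they mirror the DN / filter / all split behind the commit's
 * APR_ESCAPE_LDAP_ALL argument but are not APR's constants. */
#define LDAP_ESC_FILTER 1               /* value inside an RFC 4515 search filter */
#define LDAP_ESC_DN     2               /* attribute value inside an RFC 4514 DN */
#define LDAP_ESC_ALL    (LDAP_ESC_FILTER | LDAP_ESC_DN)

/* Bytes that are structural inside a filter assertion value (RFC 4515, section 3). */
static int is_filter_special(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\';
}

/* Bytes that must be escaped anywhere inside a DN attribute value (RFC 4514, section 2.4). */
static int is_dn_special(unsigned char c)
{
    return c == ',' || c == '+' || c == '"' || c == '\\' ||
           c == '<' || c == '>' || c == ';';
}

/*
 * Return a malloc'd copy of s in which every byte that could change the
 * meaning of the surrounding DN or filter is replaced by the two-hex-digit
 * form "\XX" that both RFC 4514 and RFC 4515 accept. Caller frees the result.
 */
char *ldap_escape(const char *s, int flags)
{
    size_t n = strlen(s);
    char *out = malloc(3 * n + 1);      /* worst case: every byte becomes \XX */
    char *o = out;
    size_t i;

    if (out == NULL)
        return NULL;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int esc = 0;

        if ((flags & LDAP_ESC_FILTER) && is_filter_special(c))
            esc = 1;
        if ((flags & LDAP_ESC_DN) && is_dn_special(c))
            esc = 1;
        /* RFC 4514 also reserves a leading '#' or space and a trailing space. */
        if ((flags & LDAP_ESC_DN) && i == 0 && (c == '#' || c == ' '))
            esc = 1;
        if ((flags & LDAP_ESC_DN) && i == n - 1 && c == ' ')
            esc = 1;
        /* Control bytes carry no meaning in a value; escape them in every mode. */
        if (c < 0x20 || c == 0x7f)
            esc = 1;

        if (esc)
            o += sprintf(o, "\\%02x", c);
        else
            *o++ = (char)c;
    }
    *o = '\0';
    return out;
}

/* Escape sitename and splice it into the filter from the mod_authnz_ldap
 * example, (memberOf=cn=...,ou=Websites,o=Example). Both rule sets are needed
 * because the value sits inside a DN that itself sits inside a filter: an
 * unescaped ',' would add an RDN and an unescaped ')' would end the filter.
 * Caller frees the result. */
char *build_member_filter(const char *sitename)
{
    static const char prefix[] = "(memberOf=cn=";
    static const char suffix[] = ",ou=Websites,o=Example)";
    char *safe = ldap_escape(sitename, LDAP_ESC_ALL);
    char *filter;

    if (safe == NULL)
        return NULL;
    /* sizeof suffix already counts the terminating NUL */
    filter = malloc(sizeof prefix - 1 + strlen(safe) + sizeof suffix);
    if (filter != NULL)
        sprintf(filter, "%s%s%s", prefix, safe, suffix);
    free(safe);
    return filter;
}

/* Escape input under flags, compare with expected, and free the result. */
int escapes_to(const char *input, int flags, const char *expected)
{
    char *got = ldap_escape(input, flags);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* constructed site names: a plain one and ones carrying DN or filter metacharacters */
    const char *names[] = { "intranet", "sales,ou=Admins", "a*)(b", " lead", "#hash" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *f = build_member_filter(names[i]);
        printf("%-16s -> %s\n", names[i], f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

The DN-only mode leaves `*`, `(` and `)` alone and the filter-only mode leaves `,` and a leading space alone, which is why a value used the way the documentation example uses it (a DN fragment embedded in a filter) needs the combined mode, matching the commit's choice of APR_ESCAPE_LDAP_ALL.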