Posted to cvs@httpd.apache.org by mi...@apache.org on 2022/01/16 13:42:57 UTC
svn commit: r1897123 - /httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch
Author: minfrin
Date: Sun Jan 16 13:42:57 2022
New Revision: 1897123
URL: http://svn.apache.org/viewvc?rev=1897123&view=rev
Log:
Propose a backport.
Added:
httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch
Added: httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch
URL: http://svn.apache.org/viewvc/httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch?rev=1897123&view=auto
==============================================================================
--- httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch (added)
+++ httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch Sun Jan 16 13:42:57 2022
@@ -0,0 +1,97 @@
+Index: changes-entries/ldap-expr.txt
+===================================================================
+--- changes-entries/ldap-expr.txt (nonexistent)
++++ changes-entries/ldap-expr.txt (working copy)
+@@ -0,0 +1,4 @@
++ *) Add the ldap function to the expression API, allowing LDAP filters and
++ distinguished names based on expressions to be escaped correctly to
++ guard against LDAP injection. [Graham Leggett]
++
+Index: docs/manual/expr.xml
+===================================================================
+--- docs/manual/expr.xml (revision 1897120)
++++ docs/manual/expr.xml (working copy)
+@@ -523,6 +523,9 @@
+ <tr><td><code>filesize</code></td>
+ <td>Return size of a file (or 0 if file does not exist or is not
+ regular file)</td><td>restricted</td></tr>
++ <tr><td><code>ldap</code></td>
++ <td>Escape characters as required by LDAP distinguished name escaping
++ (RFC4514) and LDAP filter escaping (RFC4515).</td><td></td></tr>
+
+ </table>
+
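Review bot: the new `ldap` table row does not say that the function exists only when httpd is built against APR 1.6.0 or later (it is compiled and registered under `APR_VERSION_AT_LEAST(1,6,0)` in the util_expr_eval.c part of this patch), so an administrator whose `%{ldap:...}` expression is rejected has no pointer to the cause; add an availability sentence to the description, for example "Available only when built against APR 1.6 or later.", alongside the RFC4514/RFC4515 wording.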
+Index: docs/manual/mod/mod_authnz_ldap.xml
+===================================================================
+--- docs/manual/mod/mod_authnz_ldap.xml (revision 1897120)
++++ docs/manual/mod/mod_authnz_ldap.xml (working copy)
+@@ -519,6 +519,16 @@
+ <code>ldap-attribute</code> will be faster than the search operation
+ used by <code>ldap-filter</code> especially within a large directory.</p>
+
++ <p>When using an <a href="../expr.html">expression</a> within the filter, care
++ must be taken to ensure that LDAP filters are escaped correctly to guard against
++ LDAP injection. The ldap function can be used for this purpose.</p>
++
++<highlight language="config">
++<LocationMatch ^/dav/(?<SITENAME>[^/]+)/>
++ Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
++</LocationMatch>
++</highlight>
++
+ </section>
+
+ </section>
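Review bot: the prose says only that "LDAP filters are escaped correctly", but the example embeds the value inside a distinguished name (`cn=...,ou=Websites,o=Example`) that is itself a filter assertion value, so both RFC4514 DN escaping and RFC4515 filter escaping apply; state that the `ldap` function applies both (which is what `APR_ESCAPE_LDAP_ALL` in the code part of this patch selects), and mention that `unescape` runs first so that the raw, URL-decoded path segment is what gets escaped rather than its percent-encoded form.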
+Index: server/util_expr_eval.c
+===================================================================
+--- server/util_expr_eval.c (revision 1897120)
++++ server/util_expr_eval.c (working copy)
+@@ -32,6 +32,10 @@
+ #include "apr_fnmatch.h"
+ #include "apr_base64.h"
+ #include "apr_sha1.h"
++#include "apr_version.h"
++#if APR_VERSION_AT_LEAST(1,5,0)
++#include "apr_escape.h"
++#endif
+
+ #include <limits.h> /* for INT_MAX */
+
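Review bot: the include of apr_escape.h is guarded with `APR_VERSION_AT_LEAST(1,5,0)` while the only consumer of that header in this patch, `ldap_func` and its registration, is guarded with `APR_VERSION_AT_LEAST(1,6,0)`; use the same 1.6.0 condition for the include so the two guards cannot drift apart, or add a comment explaining why the header threshold is lower.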
+@@ -1087,9 +1091,16 @@
+ static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+ {
+- return ap_md5(ctx->p, (const unsigned char *)arg);
++ return ap_md5(ctx->p, (const unsigned char *)arg);
+ }
+
++#if APR_VERSION_AT_LEAST(1,6,0)
++static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
++ const char *arg)
++{
++ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
++}
++#endif
+
+ #define MAX_FILE_SIZE 10*1024*1024
+ static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
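Review bot: the `- return ap_md5(...)` / `+ return ap_md5(...)` pair in `md5_func` is a whitespace-only change unrelated to the ldap function; drop it from the backport so the 2.4.x diff stays minimal and reviewable. The new `ldap_func` itself mirrors the surrounding string functions (unused `data`, pool from `ctx->p`), which is consistent with the file's conventions.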
+@@ -1667,6 +1678,9 @@
+ { unbase64_func, "unbase64", NULL, 0 },
+ { sha1_func, "sha1", NULL, 0 },
+ { md5_func, "md5", NULL, 0 },
++#if APR_VERSION_AT_LEAST(1,6,0)
++ { ldap_func, "ldap", NULL, 0 },
++#endif
+ { NULL, NULL, NULL}
+ };
+
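Review bot: with the registration wrapped in `APR_VERSION_AT_LEAST(1,6,0)`, a configuration using `%{ldap:...}` on a build against an older APR will fail at parse time as an unknown function name, with nothing indicating the APR dependency; consider a small fallback implementation for older APR, or at minimum make the docs carry the version requirement so the failure is diagnosable.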
+Index: .
+===================================================================
+--- . (revision 1897120)
++++ . (working copy)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+## -0,0 +0,1 ##
+ Merged /httpd/httpd/trunk:r1589986,1589995,1633528
Re: svn commit: r1897123 - /httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch
Posted by Graham Leggett <mi...@sharp.fm>.
On 16 Jan 2022, at 18:54, Yann Ylavic <yl...@gmail.com> wrote:
> Maybe "ldap_escape" would be a more appropriate name, should there be
> a need for another ldap function (e.g. "ldap_unescape") later?
This doesn’t follow the existing “short” naming pattern of the existing entries. I imagine that we’d add something like “unldap” to match “unbase64”.
Regards,
Graham
Re: svn commit: r1897123 - /httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch
Posted by Yann Ylavic <yl...@gmail.com>.
On Sun, Jan 16, 2022 at 2:42 PM <mi...@apache.org> wrote:
>
> +Index: server/util_expr_eval.c
> +===================================================================
> +--- server/util_expr_eval.c (revision 1897120)
> ++++ server/util_expr_eval.c (working copy)
[]
> +@@ -1667,6 +1678,9 @@
> + { unbase64_func, "unbase64", NULL, 0 },
> + { sha1_func, "sha1", NULL, 0 },
> + { md5_func, "md5", NULL, 0 },
> ++#if APR_VERSION_AT_LEAST(1,6,0)
> ++ { ldap_func, "ldap", NULL, 0 },
> ++#endif
> + { NULL, NULL, NULL}
> + };
Maybe "ldap_escape" would be a more appropriate name, should there be
a need for another ldap function (e.g. "ldap_unescape") later?
Regards;
Yann.