Posted to cvs@httpd.apache.org by mi...@apache.org on 2022/01/16 13:42:57 UTC

svn commit: r1897123 - /httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch

Author: minfrin
Date: Sun Jan 16 13:42:57 2022
New Revision: 1897123

URL: http://svn.apache.org/viewvc?rev=1897123&view=rev
Log:
Propose a backport.

Added:
    httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch

Added: httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch
URL: http://svn.apache.org/viewvc/httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch?rev=1897123&view=auto
==============================================================================
--- httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch (added)
+++ httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch Sun Jan 16 13:42:57 2022
@@ -0,0 +1,97 @@
+Index: changes-entries/ldap-expr.txt
+===================================================================
+--- changes-entries/ldap-expr.txt	(nonexistent)
++++ changes-entries/ldap-expr.txt	(working copy)
+@@ -0,0 +1,4 @@
++  *) Add the ldap function to the expression API, allowing LDAP filters and
++     distinguished names based on expressions to be escaped correctly to
++     guard against LDAP injection. [Graham Leggett]
++
+Index: docs/manual/expr.xml
+===================================================================
+--- docs/manual/expr.xml	(revision 1897120)
++++ docs/manual/expr.xml	(working copy)
+@@ -523,6 +523,9 @@
+     <tr><td><code>filesize</code></td>
+         <td>Return size of a file (or 0 if file does not exist or is not
+             regular file)</td><td>restricted</td></tr>
++    <tr><td><code>ldap</code></td>
++        <td>Escape characters as required by LDAP distinguished name escaping
++            (RFC4514) and LDAP filter escaping (RFC4515).</td><td></td></tr>
+ 
+     </table>
+ 
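Review bot: the new table row should say that `ldap` exists only when httpd is built against APR 1.6.0 or later, since both the function and its registration in the util_expr_eval.c hunks are wrapped in `#if APR_VERSION_AT_LEAST(1,6,0)`; a reader of expr.html otherwise has no way to learn why `%{ldap:...}` is rejected on an older APR. Suggest appending a sentence such as "Available only when built against APR 1.6.0 or later." to the description cell.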
+Index: docs/manual/mod/mod_authnz_ldap.xml
+===================================================================
+--- docs/manual/mod/mod_authnz_ldap.xml	(revision 1897120)
++++ docs/manual/mod/mod_authnz_ldap.xml	(working copy)
+@@ -519,6 +519,16 @@
+     <code>ldap-attribute</code> will be faster than the search operation
+     used by <code>ldap-filter</code> especially within a large directory.</p>
+ 
++    <p>When using an <a href="../expr.html">expression</a> within the filter, care
++    must be taken to ensure that LDAP filters are escaped correctly to guard against
++    LDAP injection. The ldap function can be used for this purpose.</p>
++
++<highlight language="config">
++&lt;LocationMatch ^/dav/(?<SITENAME>[^/]+)/&gt;
++  Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
++&lt;/LocationMatch&gt;
++</highlight>
++
+ </section>
+ 
+ </section>
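Review bot: the example in the `<highlight>` block is unbalanced: `%{ldap:%{unescape:%{env:MATCH_SITENAME}}` opens three `%{` but closes only two, so the outer `ldap` call is never terminated; it should read `%{ldap:%{unescape:%{env:MATCH_SITENAME}}}`. The paragraph could also note that the site name lands inside a DN (`cn=...,ou=Websites,o=Example`) that is itself a filter assertion value, which is why the escaping has to cover the RFC 4514 DN characters as well as the RFC 4515 filter characters.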
+Index: server/util_expr_eval.c
+===================================================================
+--- server/util_expr_eval.c	(revision 1897120)
++++ server/util_expr_eval.c	(working copy)
+@@ -32,6 +32,10 @@
+ #include "apr_fnmatch.h"
+ #include "apr_base64.h"
+ #include "apr_sha1.h"
++#include "apr_version.h"
++#if APR_VERSION_AT_LEAST(1,5,0)
++#include "apr_escape.h"
++#endif
+ 
+ #include <limits.h>     /* for INT_MAX */
+ 
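Review bot: the include is guarded with `APR_VERSION_AT_LEAST(1,5,0)` while the only consumer of apr_escape.h this patch adds, `apr_pescape_ldap()` in `ldap_func`, is guarded with `APR_VERSION_AT_LEAST(1,6,0)`. Unless something else in util_expr_eval.c needs the header on APR 1.5, the two guards should use the same version so the include and its consumer cannot drift apart.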
+@@ -1087,9 +1091,16 @@
+ static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
+                                const char *arg)
+ {
+-	return ap_md5(ctx->p, (const unsigned char *)arg);
++    return ap_md5(ctx->p, (const unsigned char *)arg);
+ }
+ 
++#if APR_VERSION_AT_LEAST(1,6,0)
++static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
++                               const char *arg)
++{
++    return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
++}
++#endif
+ 
+ #define MAX_FILE_SIZE 10*1024*1024
+ static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
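Review bot: `ldap_func` deserves a one-line comment stating that `APR_ESCAPE_LDAP_ALL` applies both the RFC 4514 distinguished-name escapes and the RFC 4515 filter escapes, since that combined behaviour is what the CHANGES entry and the docs promise and nothing in the code says so. The tab-to-spaces change in `md5_func` is an unrelated whitespace fix bundled into the same hunk; harmless, but worth a mention in the log message so the backport diff is not larger than the feature it carries.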
+@@ -1667,6 +1678,9 @@
+     { unbase64_func,        "unbase64",       NULL, 0 },
+     { sha1_func,            "sha1",           NULL, 0 },
+     { md5_func,             "md5",            NULL, 0 },
++#if APR_VERSION_AT_LEAST(1,6,0)
++    { ldap_func,            "ldap",           NULL, 0 },
++#endif
+     { NULL, NULL, NULL}
+ };
+ 
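Review bot: on a build against APR older than 1.6.0 the `ldap` entry is simply absent from this table, so a configuration that uses `%{ldap:...}` is rejected as an unknown function with no hint about the APR requirement. Consider registering the name unconditionally and, in an `#else` branch, supplying a stub that logs that `ldap` needs APR 1.6.0 or later, or at minimum documenting the requirement where the function is described.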
+Index: .
+===================================================================
+--- .	(revision 1897120)
++++ .	(working copy)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+## -0,0 +0,1 ##
+   Merged /httpd/httpd/trunk:r1589986,1589995,1633528
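As an added, stand-alone illustration of the escaping the new `ldap` expression function is documented to perform (example code written here, not taken from the httpd patch or from the apr library; the functions ldap_escape_filter_value, ldap_escape_dn_value and build_member_filter are this example's own names), the following C program applies RFC 4515 filter-value escaping and RFC 4514 DN-value escaping to a site name taken from a request path and builds the memberOf filter from the patch's mod_authnz_ldap example. It goes one step beyond the patch text: because the site name ends up inside a DN that is itself a filter assertion value, the example shows the two escaping layers applied in order, DN first and filter second, and what each layer does to constructed hostile inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char HEX[] = "0123456789abcdef";

/* RFC 4515 section 3: inside an assertion value, '*', '(', ')' and '\'
 * (and NUL, which a C string cannot carry) are written as '\' followed by
 * two hex digits, so request data can never close or extend the filter. */
char *ldap_escape_filter_value(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(3 * n + 1), *p = out;   /* worst case: every byte -> 3 */
    if (!out) return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            *p++ = '\\'; *p++ = HEX[c >> 4]; *p++ = HEX[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* RFC 4514 section 2.4: in an RDN attribute value, '"', '+', ',', ';', '<',
 * '>' and '\' are backslash-escaped anywhere; a leading ' ' or '#' and a
 * trailing ' ' are backslash-escaped as well. */
char *ldap_escape_dn_value(const char *in)
{
    size_t n = strlen(in), i;
    char *out = malloc(2 * n + 1), *p = out;   /* worst case: every byte -> 2 */
    if (!out) return NULL;
    for (i = 0; i < n; i++) {
        char c = in[i];
        int special = strchr("\"+,;<>\\", c) != NULL
                   || (i == 0 && (c == ' ' || c == '#'))
                   || (i == n - 1 && c == ' ');
        if (special) *p++ = '\\';
        *p++ = c;
    }
    *p = '\0';
    return out;
}

/* Build the memberOf filter from the patch's mod_authnz_ldap example for a
 * site name taken from the request path. The name becomes an RDN value of a
 * DN that is itself a filter assertion value, so it is DN-escaped first and
 * the result is filter-escaped. The caller frees the returned string. */
char *build_member_filter(const char *sitename)
{
    char *dn_safe = ldap_escape_dn_value(sitename);
    char *filter_safe = dn_safe ? ldap_escape_filter_value(dn_safe) : NULL;
    char *filter = NULL;
    if (filter_safe) {
        const char *fmt = "(memberOf=cn=%s,ou=Websites,o=Example)";
        size_t len = strlen(fmt) + strlen(filter_safe) + 1;
        filter = malloc(len);
        if (filter) snprintf(filter, len, fmt, filter_safe);
    }
    free(dn_safe);
    free(filter_safe);
    return filter;
}

int main(void)
{
    /* Constructed inputs: a benign site name, one carrying filter
     * metacharacters and one trying to add an RDN to the DN. */
    const char *samples[] = { "intranet", "*)(uid=*", "x,ou=Admins" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *f = build_member_filter(samples[i]);
        printf("%-12s -> %s\n", samples[i], f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

The second sample shows the filter layer neutralising `*`, `(` and `)` as `\2a`, `\28` and `\29`; the third shows the DN layer turning `,` into `\,` and the filter layer then encoding that backslash as `\5c`, so the directory parses a single RDN value rather than an extra `ou=Admins` component.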



Re: svn commit: r1897123 - /httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch

Posted by Graham Leggett <mi...@sharp.fm>.
On 16 Jan 2022, at 18:54, Yann Ylavic <yl...@gmail.com> wrote:

> Maybe "ldap_escape" would be a more appropriate name, should there be
> a need for another ldap function (e.g. "ldap_unescape") later?

This doesn’t follow the existing “short” naming pattern of the existing entries. I imagine that we’d add something like “unldap” to match “unbase64”.

Regards,
Graham
—


Re: svn commit: r1897123 - /httpd/httpd/patches/2.4.x/httpd-2.4-ldap-expr.patch

Posted by Yann Ylavic <yl...@gmail.com>.
On Sun, Jan 16, 2022 at 2:42 PM <mi...@apache.org> wrote:
>
> +Index: server/util_expr_eval.c
> +===================================================================
> +--- server/util_expr_eval.c    (revision 1897120)
> ++++ server/util_expr_eval.c    (working copy)
[]
> +@@ -1667,6 +1678,9 @@
> +     { unbase64_func,        "unbase64",       NULL, 0 },
> +     { sha1_func,            "sha1",           NULL, 0 },
> +     { md5_func,             "md5",            NULL, 0 },
> ++#if APR_VERSION_AT_LEAST(1,6,0)
> ++    { ldap_func,            "ldap",           NULL, 0 },
> ++#endif
> +     { NULL, NULL, NULL}
> + };

Maybe "ldap_escape" would be a more appropriate name, should there be
a need for another ldap function (e.g. "ldap_unescape") later?

Regards,
Yann.