Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2014/04/25 13:04:25 UTC
Re: svn commit: r1589986 - in /httpd/httpd/trunk: CHANGES
docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml server/util_expr_eval.c
On Fri, Apr 25, 2014 at 6:55 AM, <mi...@apache.org> wrote:
> Author: minfrin
> Date: Fri Apr 25 10:55:04 2014
> New Revision: 1589986
>
> URL: http://svn.apache.org/r1589986
> Log:
> Add the ldap function to the expression API, allowing LDAP filters and
> distinguished names based on expressions to be escaped correctly to
> guard against LDAP injection.
>
> Note: this requires APR v1.6.0 or later for the apr_escape API.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/expr.xml
> httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
> httpd/httpd/trunk/server/util_expr_eval.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1589986&r1=1589985&r2=1589986&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 25 10:55:04 2014
> @@ -1,6 +1,10 @@
> -*- coding:
> utf-8 -*-
> Changes with Apache 2.5.0
>
> + *) Add the ldap function to the expression API, allowing LDAP filters
> and
> + distinguished names based on expressions to be escaped correctly to
> + guard against LDAP injection. [Graham Leggett]
> +
> *) Add module mod_ssl_ct, which provides an implementation of
> Certificate
> Transparency (RFC 6962) for httpd. [Jeff Trawick]
>
>
> Modified: httpd/httpd/trunk/docs/manual/expr.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1589986&r1=1589985&r2=1589986&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/expr.xml (original)
> +++ httpd/httpd/trunk/docs/manual/expr.xml Fri Apr 25 10:55:04 2014
> @@ -514,6 +514,9 @@ listfunction ::= listfuncname "<strong>(
> <tr><td><code>filesize</code></td>
> <td>Return size of a file (or 0 if file does not exist or is not
> regular file)</td><td>yes</td></tr>
> + <tr><td><code>ldap</code></td>
> + <td>Escape characters as required by LDAP distinguished name
> escaping
> + (RFC4514) and LDAP filter escaping
> (RFC4515).</td><td></td></tr>
>
> </table>
>
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589986&r1=1589985&r2=1589986&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25
> 10:55:04 2014
> @@ -496,6 +496,16 @@ AuthLDAPMaxSubGroupDepth 1
> <code>ldap-attribute</code> will be faster than the search operation
> used by <code>ldap-filter</code> especially within a large
> directory.</p>
>
> + <p>When using an <a href="../expr.html">expression</a> within the
> filter, care
> + must be taken to ensure that LDAP filters are escaped correctly to
> guard against
> + LDAP injection. The ldap function can be used for this purpose.</p>
> +
> +<highlight language="config">
> +<LocationMatch ^/dav/(?<SITENAME>[^/]+)/>
> + Require ldap-filter
> (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
> +</LocationMatch>
> +</highlight>
> +
> </section>
>
> </section>
>
> Modified: httpd/httpd/trunk/server/util_expr_eval.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1589986&r1=1589985&r2=1589986&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/server/util_expr_eval.c (original)
> +++ httpd/httpd/trunk/server/util_expr_eval.c Fri Apr 25 10:55:04 2014
> @@ -31,6 +31,7 @@
> #include "apr_fnmatch.h"
> #include "apr_base64.h"
> #include "apr_sha1.h"
>
Unless httpd trunk as a whole already prereqs 1.5.x, please ifdef this
based on version of apr:
> +#include "apr_escape.h"
>
> #include <limits.h> /* for INT_MAX */
>
> @@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval
> return ap_md5(ctx->p, (const unsigned char *)arg);
> }
>
> Please ifdef this based on version of apr:
> +static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
> + const char *arg)
> +{
> + return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING,
> APR_ESCAPE_LDAP_ALL);
> +}
> +
>
> #define MAX_FILE_SIZE 10*1024*1024
> static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
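Review bot: ldap_func at the top of this hunk carries no comment on what it escapes, and since the one expression function named `ldap` is meant to serve both DN and filter contexts that deserves stating at the definition: `/* Escape arg for use in an LDAP DN or filter value: APR_ESCAPE_LDAP_ALL applies the RFC 4514 DN and RFC 4515 filter rules together, so the result is intended for either position; arg is expected to be already unescaped (the mod_authnz_ldap example wraps the value in %{unescape:...} first). */`. Whether `arg` can be NULL here is not visible in the hunk; md5_func just above passes it straight to ap_md5 as well, so presumably it cannot, but apr_pescape_ldap's behaviour on a NULL source should be confirmed rather than assumed. The unused `data` parameter follows the signature of the neighbouring provider functions and is fine as is.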
> @@ -1645,6 +1652,7 @@ static const struct expr_provider_single
> { unbase64_func, "unbase64", NULL, 0 },
> { sha1_func, "sha1", NULL, 0 },
> { md5_func, "md5", NULL, 0 },
>
Same:
> + { ldap_func, "ldap", NULL, 0 },
> { NULL, NULL, NULL}
> };
>
>
>
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: svn commit: r1589986 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml server/util_expr_eval.c
Posted by Graham Leggett <mi...@sharp.fm>.
On 25 Apr 2014, at 1:04 PM, Jeff Trawick <tr...@gmail.com> wrote:
> Unless httpd trunk as a whole already prereqs 1.5.x, please ifdef this based on version of apr:
>
> +#include "apr_escape.h"
>
> #include <limits.h> /* for INT_MAX */
>
> @@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval
> return ap_md5(ctx->p, (const unsigned char *)arg);
> }
>
> Please ifdef this based on version of apr:
>
> +static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
> + const char *arg)
> +{
> + return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
> +}
> +
>
> #define MAX_FILE_SIZE 10*1024*1024
> static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
> @@ -1645,6 +1652,7 @@ static const struct expr_provider_single
> { unbase64_func, "unbase64", NULL, 0 },
> { sha1_func, "sha1", NULL, 0 },
> { md5_func, "md5", NULL, 0 },
>
> Same:
>
> + { ldap_func, "ldap", NULL, 0 },
> { NULL, NULL, NULL}
> };
>
>
>
Done in r1589995.
Regards,
Graham
--