static void ga_child_init (apr_pool_t *p, server_rec *s) { // Parse cookie string (See RFC-2109 for format), looking for ours. // // Regexp: // At the beginning of a line, OR after a cookie delimter (followed by optional whitespace) // Look for a google_authn token, consisting of three colon-separated fields, // Each field containing one or more characters which are not cookie-delimiters (comma or semicolon). cookie_regexp= ap_pregcomp(p, "(^|[;,][ \t]*)google_authn[ \t]*=[ \t]*([^;,]+):([^;,]+):([^;,]+)", AP_REG_EXTENDED); passwd_regexp= ap_pregcomp(p, "^\\s*\"\\s*PASSWORD\\s*=\\s*(\\S+)", AP_REG_EXTENDED); #ifdef TEST_PASS password_test(p," \" PASSWORD=abc "); password_test(p," \" PASSWORD =abc "); password_test(p," \" PASSWORD = abc "); password_test(p," \" PASSWORD= abc "); password_test(p," \"PASSWORD=abc "); password_test(p," \"PASSWORD =abc "); password_test(p," \"PASSWORD = abc "); password_test(p," \"PASSWORD= abc "); password_test(p,"\" PASSWORD=abc "); password_test(p,"\" PASSWORD =abc "); password_test(p,"\" PASSWORD = abc "); password_test(p,"\" PASSWORD= abc "); password_test(p,"\"PASSWORD=abc "); password_test(p,"\"PASSWORD =abc "); password_test(p,"\"PASSWORD = abc "); password_test(p,"\"PASSWORD= abc "); password_test(p," \" PASSWORD=abc"); password_test(p," \" PASSWORD =abc"); password_test(p," \" PASSWORD = abc"); password_test(p," \" PASSWORD= abc"); password_test(p," \"PASSWORD=abc"); password_test(p," \"PASSWORD =abc"); password_test(p," \"PASSWORD = abc"); password_test(p," \"PASSWORD= abc"); password_test(p,"\" PASSWORD=abc"); password_test(p,"\" PASSWORD =abc"); password_test(p,"\" PASSWORD = abc"); password_test(p,"\" PASSWORD= abc"); password_test(p,"\"PASSWORD=abc"); password_test(p,"\"PASSWORD =abc"); password_test(p,"\"PASSWORD = abc"); password_test(p,"\"PASSWORD= abc"); cookie_test(p,"google_authn=a:b:c"); cookie_test(p,"pma_lang=en; pma_collation_connection=utf8_general_ci; pma_navi_width=200; phpMyAdmin=dsofhasouphf8975q98u; google_authn=lucky:3692581470:9fZZrZ6kMaL2dwXzrfTsqIWdi/c=:; __utma=68896193.834633149.1320516436.1357578935.1357599597.89;__utmz=68896193.1352322698.7.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=68896193; member_id=3; pass_hash=09812387643abcdef; ipsconnect_0989875asfdsapofjkjlnsdfau=1"); #endif }
/* Initialise the requisite data structs for our header based dos subrule * @param word1 The name of the subrule * @param word2 The http header to match * @paramm word3 The pattern */ static void *dosblock_header_config(cmd_parms *cmd, void *mconfig, char *word1, char *word2, char *word3) { server_rec *s = cmd->server; dosblock_cfg *cfg = (dosblock_cfg *)ap_get_module_config(s->module_config, &mod_dosblock_module); if(word1 !=NULL && word2 !=NULL && word3 !=NULL) { headerrulestruct *h = NULL; h = apr_palloc(cmd->pool, sizeof(headerrulestruct)); h->headername = word2; h->headerpattern = word3; /* We test the regexp and populate the table,hash only on success */ if (ap_pregcomp(cmd->pool, word3, AP_REG_EXTENDED) != NULL ) { apr_hash_set(cfg->headerrules, word1, APR_HASH_KEY_STRING, h); apr_table_set(cfg->ruletype, word1, RULEHEADER); } else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to compile regexp %s", word3); } } return NULL; }
/* * match version against a regular expression */ static int match_version(apr_pool_t *pool, char *version_string, const char **error) { regex_t *compiled; const char *to_match; int rc; compiled = ap_pregcomp(pool, version_string, REG_EXTENDED); if (!compiled) { *error = "Unable to compile regular expression"; return 0; } *error = NULL; to_match = apr_psprintf(pool, "%d.%d.%d%s", httpd_version.major, httpd_version.minor, httpd_version.patch, httpd_version.add_string); rc = !ap_regexec(compiled, to_match, 0, NULL, 0); ap_pregfree(pool, compiled); return rc; }
static const char* line_edit_rewriterule(cmd_parms* cmd, void* cfg, const char* from, const char* to, const char* flags) { rewriterule* rule = apr_array_push (((line_edit_cfg*)cfg)->rewriterules) ; int lflags = 0 ; rule->to = to ; if ( flags ) { rule->flags = REGFLAG(M_REGEX, flags, 'R') | REGFLAG(M_NOCASE, flags, 'i') | REGFLAG(M_NEWLINE, flags, 'm') | REGFLAG(M_ENV, flags, 'V') ; } else { rule->flags = 0 ; } if ( rule->flags & M_REGEX ) { if ( rule->flags & M_NOCASE ) { lflags |= AP_REG_ICASE; } if ( rule->flags & M_NEWLINE ) { lflags |= AP_REG_NEWLINE; } rule->from.r = ap_pregcomp(cmd->pool, from, lflags) ; } else { lflags = (rule->flags & M_NOCASE) ? 0 : 1 ; rule->length = strlen(from) ; rule->from.s = apr_strmatch_precompile(cmd->pool, from, lflags) ; } return NULL; }
/** * Handler for "AddClientEncoding" directive. * * This registers regex pattern of UserAgent: header and expected * encoding(s) from that useragent. */ static const char * add_client_encoding(cmd_parms *cmd, encoding_config *conf, char *args) { array_header *encs; char *arg; LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: entered"); LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: args == %s", args); if (! cmd->path) { conf = ap_get_module_config(cmd->server->module_config, &encoding_module); } encs = ap_make_array(cmd->pool, 1, sizeof(void *)); /* register useragent with UserAgent: pattern */ if (*args && (arg = ap_getword_conf_nc(cmd->pool, &args))) { LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: agent: %s", arg); *(void **)ap_push_array(conf->client_encoding) = ap_pregcomp(cmd->pool, arg, REG_EXTENDED|REG_ICASE|REG_NOSUB); } /* register list of possible encodings from above useragent */ while (*args && (arg = ap_getword_conf_nc(cmd->pool, &args))) { LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: encname: %s", arg); *(void **)ap_push_array(encs) = ap_pstrdup(cmd->pool, arg); } *(void **)ap_push_array(conf->client_encoding) = encs; return NULL; }
static void *cdn_config(apr_pool_t * pool, char *x) { cdn_conf *ret = apr_pcalloc(pool, sizeof(cdn_conf)); ret->doctype = DEFAULT_DOCTYPE; ret->default_encoding = XML_CHAR_ENCODING_NONE; ret->bufsz = 8192; ret->auth_header_text = "required"; ret->auth_exptime = 900; ret->default_exptime = 86400; seek_meta_ctype = ap_pregcomp(pool, "(<meta[^>]*http-equiv[ \t\r\n='\"]*content-type[^>]*>)", AP_REG_EXTENDED|AP_REG_ICASE); seek_charset = ap_pregcomp(pool, "charset=([A-Za-z0-9_-]+)", AP_REG_EXTENDED|AP_REG_ICASE); return ret; }
int mod_dirsize_handler(request_rec *r) { BUFF *pipe_output; char buf[MAX_STRING_LEN]; char *sizeink=NULL; regmatch_t pmatch[2]; r->path_info = ap_make_dirstr_parent(r->pool, r->filename); if(!ap_bspawn_child(r->pool,dirsize, (void *) r, kill_after_timeout, NULL, &pipe_output, NULL)) { ap_log_error(APLOG_MARK, APLOG_ERR, r->server, "problems with dirsize subprocess"); return HTTP_INTERNAL_SERVER_ERROR; } ap_bgets(buf, sizeof(buf), pipe_output); regex_t *cpat = ap_pregcomp(r->pool, "^(.+)\t", REG_EXTENDED); if(regexec(cpat, buf, cpat->re_nsub+1, pmatch, 0) == 0) { sizeink = ap_pregsub(r->pool, "$1", buf, cpat->re_nsub+1, pmatch); } #ifdef DEBUG r->content_type = "text/html"; ap_send_http_header(r); ap_rprintf(r, "<html>\n"); ap_rprintf(r, "<head>\n"); ap_rprintf(r, "<title>mod_dirsize</title>\n"); ap_rprintf(r, "</head>\n"); ap_rprintf(r, "<body>\n"); ap_rprintf(r, "Request: %s<br>\n", r->the_request); ap_rprintf(r, "Server Hostname: %s<br>\n", r->server->server_hostname); ap_rprintf(r, "Server Admin: %s<br>\n", r->server->server_admin); ap_rprintf(r, "Filename: %s<br>\n", r->filename); ap_rprintf(r, "ServerRoot: %s<br>\n", ap_server_root_relative(r->pool, "")); ap_rprintf(r, "Path Info: %s<br>\n", r->path_info); ap_send_fb(pipe_output, r); ap_rprintf(r, "</body>\n"); ap_rprintf(r, "</html>\n"); #else r->content_type = "text/xml"; ap_send_http_header(r); ap_rprintf(r, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"); ap_rprintf(r, "<dirsize xmlns:html=\"http://www.w3.org/1999/html\">\n"); ap_rprintf(r, "<sizeink>%s</sizeink>\n", sizeink); ap_rprintf(r, "</dirsize>"); #endif ap_bclose(pipe_output); return(OK); }
static int google_analytics_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { regex_tag_exists = ap_pregcomp(p, tag_exists, (AP_REG_EXTENDED | AP_REG_ICASE | AP_REG_NOSUB)); ap_assert(regex_tag_exists != NULL); pattern_body_end_tag = apr_strmatch_precompile(p, body_end_tag, 0); return OK; }
static const char *set_ignore_contenttype_config(cmd_parms *parms, void *mconfig, const char *arg) { dosdetector_dir_config *cfg = (dosdetector_dir_config *) mconfig; *(char **) apr_array_push(cfg->ignore_contenttype) = apr_pstrdup(parms->pool, arg); *(ap_regex_t **)apr_array_push(cfg->contenttype_regexp) = ap_pregcomp(parms->pool, arg, AP_REG_EXTENDED|AP_REG_ICASE); return NULL; }
/** * <user_agent> */ static void s_set_user_agent_data(Doc *doc, apr_pool_t *p, mod_chxj_config *conf, Node *node) { Node *child; device_table_list *t; for (child = qs_get_child_node(doc,node); child ; child = qs_get_next_node(doc,child)) { char *name = qs_get_node_name(doc,child); if (STRCASEEQ('u','U',"user_agent",name)) { Attr *attr; device_table_list *dtl; if (! conf->devices) { conf->devices = apr_pcalloc(p, sizeof(device_table_list)); conf->devices->next = NULL; conf->devices->pattern = NULL; conf->devices->table = NULL; conf->devices->tail = NULL; dtl = conf->devices; } else { for (t = conf->devices; t ; t = t->next) { if (! t->next) break; } t->next = apr_pcalloc(p, sizeof(device_table_list)); t->next->next = NULL; t->next->pattern = NULL; t->next->table = NULL; t->next->tail = NULL; dtl = t->next; } for (attr = qs_get_attr(doc,child); attr ; attr = qs_get_next_attr(doc,attr)) { char *attr_name = qs_get_attr_name(doc,attr); if (STRCASEEQ('p','P',"pattern",attr_name)) { dtl->pattern = apr_pstrdup(p, qs_get_attr_value(doc,attr)); dtl->regexp = ap_pregcomp(p, (const char *)dtl->pattern, AP_REG_EXTENDED|AP_REG_ICASE); } } s_set_device_data(doc, p, dtl, child); } } }
static const char *set_ignore_contenttype_config(cmd_parms *parms, void *mconfig, const char *arg) { dosdetector_dir_config *cfg = (dosdetector_dir_config *) mconfig; char **ignore_contenttype = (char **) cfg->ignore_contenttype->elts; *(char **) apr_array_push(cfg->ignore_contenttype) = apr_pstrdup(parms->pool, arg); int i; regex_t *regexp; for (i = 0; i < cfg->ignore_contenttype->nelts; i++) { regexp = (regex_t *)ap_pregcomp(parms->pool, (char *)ignore_contenttype[i], REG_EXTENDED|REG_ICASE); *(regex_t **)apr_array_push(cfg->contenttype_regexp) = regexp; } return NULL; }
static void set_and_comp_regexp(cookie_dir_rec *dcfg, apr_pool_t *p, const char *cookie_name) { int danger_chars = 0; const char *sp = cookie_name; /* The goal is to end up with this regexp, * ^cookie_name=([^;,]+)|[;,][ \t]+cookie_name=([^;,]+) * with cookie_name obviously substituted either * with the real cookie name set by the user in httpd.conf, or with the * default COOKIE_NAME. */ /* Anyway, we need to escape the cookie_name before pasting it * into the regex */ while (*sp) { if (!apr_isalnum(*sp)) { ++danger_chars; } ++sp; } if (danger_chars) { char *cp; cp = apr_palloc(p, sp - cookie_name + danger_chars + 1); /* 1 == \0 */ sp = cookie_name; cookie_name = cp; while (*sp) { if (!apr_isalnum(*sp)) { *cp++ = '\\'; } *cp++ = *sp++; } *cp = '\0'; } dcfg->regexp_string = apr_pstrcat(p, "^", cookie_name, "=([^;,]+)|[;,][ \t]*", cookie_name, "=([^;,]+)", NULL); dcfg->regexp = ap_pregcomp(p, dcfg->regexp_string, AP_REG_EXTENDED); ap_assert(dcfg->regexp != NULL); }
static const char *set_sqlalias_filter(cmd_parms *cmd, void *mconfig, const char *arg) { ap_regex_t *regexp = NULL; server_rec *s = cmd->server; sqlalias_conf_t *s_cfg = (sqlalias_conf_t *) ap_get_module_config(s->module_config, &sqlalias_module); sqlalias_filter_entry *filter; filter = (sqlalias_filter_entry *) apr_array_push(s_cfg->filters); filter->pattern = apr_pstrdup(cmd->pool, (char *) arg); if ((regexp = (ap_regex_t *)ap_pregcomp(cmd->pool, filter->pattern, 0)) == NULL) { return apr_pstrcat(cmd->pool, "SQLAliasFilter: cannot compile regular expression '", filter->pattern , "'", NULL); } filter->regexp = regexp; return NULL; }
/* Initialise the requisite data structs for our url based dos subrule * @param word1 The name of the subrule * @param word2 The pattern */ static void *dosblock_url_config(cmd_parms *cmd, void *mconfig, char *word1, char *word2) { server_rec *s = cmd->server; dosblock_cfg *cfg = (dosblock_cfg *)ap_get_module_config(s->module_config, &mod_dosblock_module); if(word1 !=NULL && word2 !=NULL) { /* We test the regexp and populate the table only on success */ if (ap_pregcomp(cmd->pool, word2, AP_REG_EXTENDED) != NULL ) { apr_table_set(cfg->urlrules, word1, word2); apr_table_set(cfg->ruletype, word1, RULEURL); } else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to compile regexp %s", word2); } } return NULL; }
extern apr_status_t check_regular_expression(request_rec *r, char *haystack, char *needle) { ap_regex_t *regexp = (ap_regex_t *)NULL; ap_regmatch_t regmatch[AP_MAX_REG_MATCH]; // Validation Check if (haystack == (char *)NULL) { return DECLINED; } if (needle == (char *)NULL) { return DECLINED; } if (strlen(haystack) > 0) { regexp = (ap_regex_t *)ap_pregcomp(r->pool, (const char *)haystack, REG_EXTENDED|REG_ICASE); if (regexp != (ap_regex_t *)NULL && ap_regexec(regexp, (const char*)needle, regexp->re_nsub + 1, regmatch, 0) == 0) { ap_pregfree(r->pool, regexp); return APR_SUCCESS; } ap_pregfree(r->pool, regexp); } return DECLINED; }
static apr_status_t parse_request_uri(request_rec *r, char **uri, char **size) { int nmatch = 10; ap_regmatch_t match[nmatch]; ap_regex_t *reg; reg = ap_pregcomp(r->pool, "^/(original|large|medium|small)/(.*)$", AP_REG_EXTENDED); if (ap_regexec(reg, r->unparsed_uri, nmatch, match, 0) == 0) { *size = ap_pregsub(r->pool, "$1", r->unparsed_uri, nmatch, match); *uri = ap_pregsub(r->pool, "$2", r->unparsed_uri, nmatch, match); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Parse URI: %s, %s", *size, *uri); ap_pregfree(r->pool, reg); return APR_SUCCESS; } else { return APR_EGENERAL; } }
static const char *set_pattern(cmd_parms *cmd, void *cfg, const char *line) { char *from = NULL; char *to = NULL; char *flags = NULL; char *ourline; char delim; subst_pattern_t *nscript; int is_pattern = 0; int ignore_case = 0; int flatten = 1; ap_regex_t *r = NULL; if (apr_tolower(*line) != 's') { return "Bad Substitute format, must be an s/// pattern"; } ourline = apr_pstrdup(cmd->pool, line); delim = *++ourline; if (delim) from = ++ourline; if (from) { if (*ourline != delim) { while (*++ourline && *ourline != delim); } if (*ourline) { *ourline = '\0'; to = ++ourline; } } if (to) { if (*ourline != delim) { while (*++ourline && *ourline != delim); } if (*ourline) { *ourline = '\0'; flags = ++ourline; } } if (!delim || !from || !*from || !to) { return "Bad Substitute format, must be a complete s/// pattern"; } if (flags) { while (*flags) { delim = apr_tolower(*flags); /* re-use */ if (delim == 'i') ignore_case = 1; else if (delim == 'n') is_pattern = 1; else if (delim == 'f') flatten = 1; else if (delim == 'q') flatten = 0; else return "Bad Substitute flag, only s///[infq] are supported"; flags++; } } /* first see if we can compile the regex */ if (!is_pattern) { r = ap_pregcomp(cmd->pool, from, AP_REG_EXTENDED | (ignore_case ? AP_REG_ICASE : 0)); if (!r) return "Substitute could not compile regex"; } nscript = apr_array_push(((subst_dir_conf *) cfg)->patterns); /* init the new entries */ nscript->pattern = NULL; nscript->regexp = NULL; nscript->replacement = NULL; nscript->patlen = 0; if (is_pattern) { nscript->patlen = strlen(from); nscript->pattern = apr_strmatch_precompile(cmd->pool, from, !ignore_case); } else { nscript->regexp = r; } nscript->replacement = to; nscript->replen = strlen(to); nscript->flatten = flatten; return NULL; }
/* Here-in lies the meat */ static int dosblock_main(request_rec *r) { const apr_table_entry_t *dosrulemap_elts = NULL; const apr_array_header_t *dosrulemap_arr = NULL; char *subrule=NULL, *dosrulematch=NULL, *urlpattern=NULL; char *req_header = NULL; int matchfound = 0; int gotlock = 0; dosblockipc_data *base = NULL; apr_status_t rs; dosblock_cfg *cfg = (dosblock_cfg *)ap_get_module_config(r->server->module_config, &mod_dosblock_module); /* Here we try to find if the request matches a dos rule */ dosrulemap_arr = apr_table_elts(cfg->dosrulemap); if (dosrulemap_arr) { dosrulemap_elts = (const apr_table_entry_t *)dosrulemap_arr->elts; int i; for (i=0; i<dosrulemap_arr->nelts; ++i) { subrule = dosrulemap_elts[i].val; char *subrule_type = (char *)apr_table_get(cfg->ruletype, subrule); if (subrule_type == NULL) continue; /* Check if it is a url based subrule */ if (0 == apr_strnatcmp(subrule_type, RULEURL)) { urlpattern = (char *)apr_table_get(cfg->urlrules, subrule); if (urlpattern == NULL) continue; ap_regex_t *pattern = ap_pregcomp(r->pool, urlpattern, AP_REG_EXTENDED); if (0 == ap_regexec(pattern, r->uri, 0, NULL, 0)) /* This is where the dos url subrule would match */ { dosrulematch = dosrulemap_elts[i].key; matchfound = 1; break; } } /* Check if it is a header based subrule */ else if (0 == apr_strnatcmp(subrule_type, RULEHEADER)) { headerrulestruct *h = NULL; h = apr_hash_get(cfg->headerrules, subrule, APR_HASH_KEY_STRING); if (h == NULL) continue; req_header = (char *)apr_table_get(r->headers_in, h->headername); if (req_header == NULL) continue; ap_regex_t *pattern = ap_pregcomp(r->pool, h->headerpattern, AP_REG_EXTENDED); if (0 == ap_regexec(pattern, req_header, 0, NULL, 0)) /* This is where the dos header subrule would match */ { dosrulematch = dosrulemap_elts[i].key; matchfound = 1; break; } } } } if (matchfound && dosrulematch) { int blocked = 0; /* apr_table_set(r->headers_out, "DOSRULE_MATCHED", dosrulematch);*/ /* Check if we have the corresponding shared memory segment for * the matching dos rule. If not we do not go further. */ if (!apr_hash_get(cfg->dosrule_shm_map, dosrulematch, APR_HASH_KEY_STRING)) { return DECLINED; } apr_int64_t index = apr_atoi64(apr_hash_get(cfg->dosrule_shm_map, dosrulematch, APR_HASH_KEY_STRING)); /* Take the mutex lock here. Be careful of not 'returning' before releasing the lock*/ rs = apr_global_mutex_lock(dosblockipc_mutex[index]); if (APR_SUCCESS == rs) { gotlock = 1; } else { /* Some error, log and bail */ ap_log_error(APLOG_MARK, APLOG_ERR, rs, r->server, "Child %ld failed to acquire lock", (long int)getpid()); } base = (dosblockipc_data *)apr_shm_baseaddr_get(dosblockipc_shm[index]); /* check if the Dos rule is already blocked */ if (base->ds.isblocked) { /* The dos rule is blocked at this moment. Need to check the time stamp * (time till blockage) and act accordingly */ apr_time_t time_now = apr_time_now(); apr_time_t time_to_blockage = base->ds.t; /* apr_table_set(r->headers_out, "Blocked till", apr_psprintf(r->pool, "%d",time_to_blockage)); */ if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Dos rule %s is blocked", dosrulematch); if (time_now < time_to_blockage) { /* Keep blocking */ blocked = 1; if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Keep dos rule %s blocked", dosrulematch); } else { /* Time to unblock */ base->ds.isblocked = 0; base->ds.t = 0; /* apr_table_set(r->headers_out, "Time-to-unblock", "Unblock"); */ if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Time to unblock dos rule %s", dosrulematch); } } /* Here we age entries, try to account for the matched hit, calculate the * rate and take some action if needed. */ int i; apr_int64_t sum_counter = 0; int hit_accounted = 0; /* Loop through the array of structs */ for (i=0; i<ARSIZE; i++) { if (base->dh[i].t) { if ((r->request_time - base->dh[i].t)/APR_USEC_PER_SEC > ARSIZE ) { /* Ageing entries */ base->dh[i].t = 0; base->dh[i].counter = 0; if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Ageing entry for dos rule %s", dosrulematch); continue; } if (base->dh[i].t/APR_USEC_PER_SEC == r->request_time/APR_USEC_PER_SEC ) { /* There is already an entry for this sec. Increment the corresponding * counter */ base->dh[i].counter++; sum_counter+= base->dh[i].counter; hit_accounted = 1; /*apr_table_set(r->headers_out, "Entry-for-this-sec", "Exists"); */ if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "We have an Entry-for-this-sec for dos rule %s", dosrulematch); continue; } sum_counter+= base->dh[i].counter; } } /* Add an element in our array of structs for this second if the hit was not accounted above */ if (! hit_accounted) { if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Hit is not accounted for dos rule %s", dosrulematch); if ((ARSIZE - base->next) == 0) base->next = 0; base->dh[base->next].t = r->request_time; base->dh[base->next].counter = 1; sum_counter+= base->dh[base->next].counter; base->next++; /*apr_table_set(r->headers_out, "Entry-for-this-sec", "Does-not-Exist");*/ if(cfg->verbosity) ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "We do not have an entry for this second (dos rule %s) and sum of counter is %" APR_INT64_T_FMT, dosrulematch, sum_counter); } if ( ! blocked) { float rate = (float)sum_counter/ARSIZE; /* Get the configured rate threshold */ dosrulestruct *d = apr_hash_get(cfg->dosrules, dosrulematch, APR_HASH_KEY_STRING); if(cfg->verbosity) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s sum of counter is %" APR_INT64_T_FMT, dosrulematch, sum_counter); ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s rate is %f", dosrulematch, rate); ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s configured rate is %" APR_INT64_T_FMT, dosrulematch, apr_atoi64(d->threshold)); } if (rate > apr_atoi64(d->threshold)) { /* Block it */ base->ds.isblocked = 1; base->ds.t = (apr_time_now() + (apr_atoi64(d->timetoblock)*APR_USEC_PER_SEC)); base->ds.rate_when_blocked = rate; if(cfg->verbosity) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s getting blocked after rate calulation", dosrulematch); ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s getting blocked till %" APR_TIME_T_FMT, dosrulematch, base->ds.t); } blocked = 1; } } /* Release the lock. We have to be careful of not 'returning' before * releasing the lock */ if (gotlock) rs = apr_global_mutex_unlock(dosblockipc_mutex[index]); /* Swallowing the result because what are we going to do with it at * this stage */ if (blocked) return HTTP_SERVICE_UNAVAILABLE; } else { /* apr_table_set(r->headers_out, "DOSRULE_MATCHED", "None");*/ } return DECLINED; }
/* * Get the stuff from LDAP */ static int getldaphome(request_rec *r, vhx_config_rec *vhr, const char *hostname, vhx_request_t *reqc) { /* LDAP associated variable and stuff */ const char **vals = NULL; char *filtbuf = NULL; int result = 0; const char *dn = NULL; util_ldap_connection_t *ldc = NULL; int failures = 0; VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): BEGIN ***,pid=%d",getpid()); /* Check for illegal characters in hostname that would mess up the LDAP query */ ap_regex_t *cpat = ap_pregcomp(r->pool, "\\[\\/\\*\\(\\)&\\]", REG_EXTENDED|REG_ICASE); if(cpat != NULL) { if (ap_regexec(cpat, hostname, 0, NULL, 0) == 0 ) { VH_AP_LOG_RERROR(APLOG_MARK, APLOG_WARNING, 0, r, "%s: (getldaphome) bad characters in hostname %s", VH_NAME, hostname); return DECLINED; } } start_over: if (vhr->ldap_host) { VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): util_ldap_connection_find(r,%s,%d,%s,%s,%d,%d);",vhr->ldap_host, vhr->ldap_port, vhr->ldap_binddn, vhr->ldap_bindpw, vhr->ldap_deref, vhr->ldap_secure); ldc = util_ldap_connection_find(r, vhr->ldap_host, vhr->ldap_port, vhr->ldap_binddn, vhr->ldap_bindpw, vhr->ldap_deref, vhr->ldap_secure); } else { return DECLINED; } filtbuf = apr_psprintf(r->pool, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", vhr->ldap_filter, hostname, hostname); VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): filtbuf = %s",filtbuf); //VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): %s %s %d %s %s",vhr->ldap_url,vhr->ldap_basedn,vhr->ldap_scope,ldap_attributes[0],filtbuf); result = util_ldap_cache_getuserdn(r, ldc, vhr->ldap_url, vhr->ldap_basedn, vhr->ldap_scope, ldap_attributes, filtbuf, &dn, &vals); util_ldap_connection_close(ldc); // sanity check - if server is down, retry it up to 5 times if (result == LDAP_SERVER_DOWN) { if (failures++ <= 5) { apr_sleep(1000000); goto start_over; } } if ((result == LDAP_NO_SUCH_OBJECT)) { VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): virtual host %s not found", hostname); return DECLINED; } /* handle bind failure */ if (result != LDAP_SUCCESS) { VH_AP_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, "%s: (getldaphome) translate failed; virtual host %s; URI %s LDAP Error: [%s]", VH_NAME, hostname, r->uri, ldap_err2string(result)); return DECLINED; } int i = 0; while (ldap_attributes[i]) { if (apr_strnatcasecmp (ldap_attributes[i], "apacheServerName") == 0) { reqc->name = apr_pstrdup (r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "apacheServerAdmin") == 0) { reqc->admin = apr_pstrdup (r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "apacheDocumentRoot") == 0) { reqc->docroot = apr_pstrdup (r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "homeDirectory") == 0) { reqc->homedirectory = apr_pstrdup (r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "phpOptions") == 0) { reqc->phpoptions = apr_pstrdup (r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "uidNumber") == 0) { reqc->uid = apr_pstrdup(r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "gidNumber") == 0) { reqc->gid = apr_pstrdup(r->pool, vals[i]); } else if (apr_strnatcasecmp (ldap_attributes[i], "apacheChrootDir") == 0) { reqc->chroot_dir = apr_pstrdup(r->pool, vals[i]); } i++; } reqc->vhost_found = VH_VHOST_INFOS_FOUND; VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): END ***"); /* If we don't have a document root then we can't honour the request */ if (reqc->docroot == NULL) { VH_AP_LOG_RERROR(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, "%s: (getldaphome) no document root found for %s", VH_NAME, hostname); return DECLINED; } /* We have a document root so, this is ok */ return OK; }
static const char *filter_provider(cmd_parms *cmd, void *CFG, const char *args) { mod_filter_cfg *cfg = CFG; int flags; ap_filter_provider_t *provider; const char *rxend; const char *c; char *str; const char *eq; ap_filter_rec_t* frec; ap_filter_rec_t* provider_frec; /* insist on exactly four arguments */ const char *fname = ap_getword_conf(cmd->pool, &args) ; const char *pname = ap_getword_conf(cmd->pool, &args) ; const char *condition = ap_getword_conf(cmd->pool, &args) ; const char *match = ap_getword_conf(cmd->pool, &args) ; eq = ap_getword_conf(cmd->pool, &args) ; if ( !*fname || !*pname || !*match || !*condition || *eq ) { return "usage: FilterProvider filter provider condition match" ; } /* fname has been declared with DeclareFilter, so we can look it up */ frec = apr_hash_get(cfg->live_filters, fname, APR_HASH_KEY_STRING); /* or if provider is mod_filter itself, we can also look it up */ if (!frec) { c = filter_declare(cmd, CFG, fname, NULL); if ( c ) { return c; } frec = apr_hash_get(cfg->live_filters, fname, APR_HASH_KEY_STRING); } if (!frec) { return apr_psprintf(cmd->pool, "Undeclared smart filter %s", fname); } /* if provider has been registered, we can look it up */ provider_frec = ap_get_output_filter_handle(pname); if (!provider_frec) { provider_frec = apr_hash_get(cfg->live_filters, pname, APR_HASH_KEY_STRING); } if (!provider_frec) { return apr_psprintf(cmd->pool, "Unknown filter provider %s", pname); } provider = apr_palloc(cmd->pool, sizeof(ap_filter_provider_t)); if (*match == '!') { provider->not = 1; ++match; } else { provider->not = 0; } switch (*match++) { case '<': if (*match == '=') { provider->match_type = INT_LE; ++match; } else { provider->match_type = INT_LT; } provider->match.number = atoi(match); break; case '>': if (*match == '=') { provider->match_type = INT_GE; ++match; } else { provider->match_type = INT_GT; } provider->match.number = atoi(match); break; case '=': provider->match_type = INT_EQ; provider->match.number = atoi(match); break; case '/': provider->match_type = REGEX_MATCH; rxend = ap_strchr_c(match, '/'); if (!rxend) { return "Bad regexp syntax"; } flags = AP_REG_NOSUB; /* we're not mod_rewrite:-) */ for (c = rxend+1; *c; ++c) { switch (*c) { case 'i': flags |= AP_REG_ICASE; break; } } provider->match.regex = ap_pregcomp(cmd->pool, apr_pstrndup(cmd->pool, match, rxend-match), flags); break; case '*': provider->match_type = DEFINED; provider->match.number = -1; break; case '$': provider->match_type = STRING_CONTAINS; str = apr_pstrdup(cmd->pool, match); ap_str_tolower(str); provider->match.string = str; break; default: provider->match_type = STRING_MATCH; provider->match.string = apr_pstrdup(cmd->pool, match-1); break; } provider->frec = provider_frec; provider->next = frec->providers; frec->providers = provider; /* determine what a filter will dispatch this provider on */ eq = ap_strchr_c(condition, '='); if (eq) { str = apr_pstrdup(cmd->pool, eq+1); if (!strncasecmp(condition, "env=", 4)) { provider->dispatch = SUBPROCESS_ENV; } else if (!strncasecmp(condition, "req=", 4)) { provider->dispatch = REQUEST_HEADERS; } else if (!strncasecmp(condition, "resp=", 5)) { provider->dispatch = RESPONSE_HEADERS; } else { return "FilterProvider: unrecognized dispatch table"; } } else { if (!strcasecmp(condition, "handler")) { provider->dispatch = HANDLER; } else { provider->dispatch = RESPONSE_HEADERS; } str = apr_pstrdup(cmd->pool, condition); ap_str_tolower(str); } if ( (provider->dispatch == RESPONSE_HEADERS) && !strcasecmp(str, "content-type")) { provider->dispatch = CONTENT_TYPE; } provider->value = str; return NULL; }