Beispiel #1
0
static void ga_child_init (apr_pool_t *p, server_rec *s) {

		// 	Parse cookie string (See RFC-2109 for format), looking for ours.
		//
		// Regexp: 
		// At the beginning of a line, OR after a cookie delimter (followed by optional whitespace)
		// Look for a google_authn token, consisting of three colon-separated fields,
		// Each field containing one or more characters which are not cookie-delimiters (comma or semicolon).
		
		cookie_regexp= ap_pregcomp(p, "(^|[;,][ \t]*)google_authn[ \t]*=[ \t]*([^;,]+):([^;,]+):([^;,]+)", AP_REG_EXTENDED);
		passwd_regexp= ap_pregcomp(p, "^\\s*\"\\s*PASSWORD\\s*=\\s*(\\S+)", AP_REG_EXTENDED);

#ifdef TEST_PASS
		password_test(p," \" PASSWORD=abc ");
		password_test(p," \" PASSWORD =abc ");
		password_test(p," \" PASSWORD = abc ");
		password_test(p," \" PASSWORD= abc ");
		password_test(p," \"PASSWORD=abc ");
		password_test(p," \"PASSWORD =abc ");
		password_test(p," \"PASSWORD = abc ");
		password_test(p," \"PASSWORD= abc ");
		password_test(p,"\" PASSWORD=abc ");
		password_test(p,"\" PASSWORD =abc ");
		password_test(p,"\" PASSWORD = abc ");
		password_test(p,"\" PASSWORD= abc ");
		password_test(p,"\"PASSWORD=abc ");
		password_test(p,"\"PASSWORD =abc ");
		password_test(p,"\"PASSWORD = abc ");
		password_test(p,"\"PASSWORD= abc ");
		password_test(p," \" PASSWORD=abc");
		password_test(p," \" PASSWORD =abc");
		password_test(p," \" PASSWORD = abc");
		password_test(p," \" PASSWORD= abc");
		password_test(p," \"PASSWORD=abc");
		password_test(p," \"PASSWORD =abc");
		password_test(p," \"PASSWORD = abc");
		password_test(p," \"PASSWORD= abc");
		password_test(p,"\" PASSWORD=abc");
		password_test(p,"\" PASSWORD =abc");
		password_test(p,"\" PASSWORD = abc");
		password_test(p,"\" PASSWORD= abc");
		password_test(p,"\"PASSWORD=abc");
		password_test(p,"\"PASSWORD =abc");
		password_test(p,"\"PASSWORD = abc");
		password_test(p,"\"PASSWORD= abc");
		cookie_test(p,"google_authn=a:b:c");
		cookie_test(p,"pma_lang=en; pma_collation_connection=utf8_general_ci; pma_navi_width=200; phpMyAdmin=dsofhasouphf8975q98u; google_authn=lucky:3692581470:9fZZrZ6kMaL2dwXzrfTsqIWdi/c=:; __utma=68896193.834633149.1320516436.1357578935.1357599597.89;__utmz=68896193.1352322698.7.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=68896193; member_id=3; pass_hash=09812387643abcdef; ipsconnect_0989875asfdsapofjkjlnsdfau=1");
#endif

}
Beispiel #2
0
/* Initialise the requisite data structs for our header based dos subrule
 * @param word1 The name of the subrule
 * @param word2 The http header to match
 * @paramm word3 The pattern
 */
static void *dosblock_header_config(cmd_parms *cmd, void *mconfig, char *word1, char *word2, char *word3) {

    server_rec *s = cmd->server;
    dosblock_cfg *cfg = (dosblock_cfg *)ap_get_module_config(s->module_config, &mod_dosblock_module);

    if(word1 !=NULL && word2 !=NULL && word3 !=NULL)
     {
       headerrulestruct *h = NULL;
       h = apr_palloc(cmd->pool, sizeof(headerrulestruct));
       h->headername = word2;
       h->headerpattern = word3;

       /* We test the regexp and populate the table,hash only on success */
       if (ap_pregcomp(cmd->pool, word3, AP_REG_EXTENDED) != NULL )
          {
           apr_hash_set(cfg->headerrules, word1, APR_HASH_KEY_STRING, h);
           apr_table_set(cfg->ruletype, word1, RULEHEADER);
          }
       else {
           ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to compile regexp %s", word3);
       }

     }
    return NULL;
}
Beispiel #3
0
/*
 * match version against a regular expression
 */
static int match_version(apr_pool_t *pool, char *version_string,
                         const char **error)
{
    regex_t *compiled;
    const char *to_match;
    int rc;

    compiled = ap_pregcomp(pool, version_string, REG_EXTENDED);
    if (!compiled) {
        *error = "Unable to compile regular expression";
        return 0;
    }

    *error = NULL;

    to_match = apr_psprintf(pool, "%d.%d.%d%s",
                            httpd_version.major,
                            httpd_version.minor,
                            httpd_version.patch,
                            httpd_version.add_string);

    rc = !ap_regexec(compiled, to_match, 0, NULL, 0);

    ap_pregfree(pool, compiled);
    return rc;    
}
Beispiel #4
0
static const char* line_edit_rewriterule(cmd_parms* cmd, void* cfg,
		const char* from, const char* to, const char* flags) {
  rewriterule* rule = apr_array_push (((line_edit_cfg*)cfg)->rewriterules) ;
  int lflags = 0 ;

  rule->to = to ;
  if ( flags ) {
    rule->flags
	= REGFLAG(M_REGEX, flags, 'R')
	| REGFLAG(M_NOCASE, flags, 'i')
	| REGFLAG(M_NEWLINE, flags, 'm')
	| REGFLAG(M_ENV, flags, 'V')
	;
  } else {
    rule->flags = 0 ;
  }
  if ( rule->flags & M_REGEX ) {
    if ( rule->flags & M_NOCASE ) {
      lflags |= AP_REG_ICASE;
    }
    if ( rule->flags & M_NEWLINE ) {
      lflags |= AP_REG_NEWLINE;
    }
    rule->from.r = ap_pregcomp(cmd->pool, from, lflags) ;
  } else {
    lflags = (rule->flags & M_NOCASE) ? 0 : 1 ;
    rule->length = strlen(from) ;
    rule->from.s = apr_strmatch_precompile(cmd->pool, from, lflags) ;
  }
  return NULL;
}
Beispiel #5
0
/**
 * Handler for "AddClientEncoding" directive.
 *
 * This registers regex pattern of UserAgent: header and expected
 * encoding(s) from that useragent.
 */
static const char *
add_client_encoding(cmd_parms *cmd, encoding_config *conf, char *args) {
  array_header    *encs;
  char            *arg;

  LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: entered");
  LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: args == %s", args);

  if (! cmd->path) {
    conf = ap_get_module_config(cmd->server->module_config, &encoding_module);
  }

  encs = ap_make_array(cmd->pool, 1, sizeof(void *));

  /* register useragent with UserAgent: pattern */
  if (*args && (arg = ap_getword_conf_nc(cmd->pool, &args))) {
    LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: agent: %s", arg);
    *(void **)ap_push_array(conf->client_encoding) =
      ap_pregcomp(cmd->pool, arg, REG_EXTENDED|REG_ICASE|REG_NOSUB);
  }

  /* register list of possible encodings from above useragent */
  while (*args && (arg = ap_getword_conf_nc(cmd->pool, &args))) {
    LOG(APLOG_DEBUG, cmd->server, "add_client_encoding: encname: %s", arg);
    *(void **)ap_push_array(encs) = ap_pstrdup(cmd->pool, arg);
  }
  *(void **)ap_push_array(conf->client_encoding) = encs;

  return NULL;
}
Beispiel #6
0
static void *cdn_config(apr_pool_t * pool, char *x)
{
  cdn_conf *ret = apr_pcalloc(pool, sizeof(cdn_conf));
  ret->doctype = DEFAULT_DOCTYPE;
  ret->default_encoding = XML_CHAR_ENCODING_NONE;
  ret->bufsz = 8192;
  ret->auth_header_text = "required";
  ret->auth_exptime = 900;
  ret->default_exptime = 86400;

  seek_meta_ctype =
    ap_pregcomp(pool, "(<meta[^>]*http-equiv[ \t\r\n='\"]*content-type[^>]*>)",
                AP_REG_EXTENDED|AP_REG_ICASE);
  seek_charset = ap_pregcomp(pool, "charset=([A-Za-z0-9_-]+)", AP_REG_EXTENDED|AP_REG_ICASE);

  return ret;
}
Beispiel #7
0
int mod_dirsize_handler(request_rec *r)
{
  BUFF *pipe_output;
  char buf[MAX_STRING_LEN];
  char *sizeink=NULL;
  regmatch_t pmatch[2];
  
  r->path_info = ap_make_dirstr_parent(r->pool, r->filename);
  
  if(!ap_bspawn_child(r->pool,dirsize, (void *) r, kill_after_timeout,
		       NULL, &pipe_output, NULL)) {
     ap_log_error(APLOG_MARK, APLOG_ERR, r->server, 
		     "problems with dirsize subprocess");
     return HTTP_INTERNAL_SERVER_ERROR;
  }
  
  ap_bgets(buf, sizeof(buf), pipe_output);
  
  regex_t *cpat = ap_pregcomp(r->pool, "^(.+)\t", REG_EXTENDED);
  if(regexec(cpat, buf, cpat->re_nsub+1, pmatch, 0) == 0) {
     sizeink = ap_pregsub(r->pool, "$1", buf, cpat->re_nsub+1, pmatch); 
  }

#ifdef DEBUG  
  r->content_type = "text/html";
  ap_send_http_header(r);

  ap_rprintf(r, "<html>\n");
  ap_rprintf(r, "<head>\n");
  ap_rprintf(r, "<title>mod_dirsize</title>\n");
  ap_rprintf(r, "</head>\n");
  ap_rprintf(r, "<body>\n");
  ap_rprintf(r, "Request: %s<br>\n", r->the_request);
  ap_rprintf(r, "Server Hostname: %s<br>\n", r->server->server_hostname);
  ap_rprintf(r, "Server Admin: %s<br>\n", r->server->server_admin);
  ap_rprintf(r, "Filename: %s<br>\n", r->filename);
  ap_rprintf(r, "ServerRoot: %s<br>\n", ap_server_root_relative(r->pool, ""));
  ap_rprintf(r, "Path Info: %s<br>\n", r->path_info);
  
  ap_send_fb(pipe_output, r);

  ap_rprintf(r, "</body>\n");
  ap_rprintf(r, "</html>\n");
#else
  r->content_type = "text/xml";
  ap_send_http_header(r);
  
  ap_rprintf(r, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
  ap_rprintf(r, "<dirsize xmlns:html=\"http://www.w3.org/1999/html\">\n");
  ap_rprintf(r, "<sizeink>%s</sizeink>\n", sizeink);
  ap_rprintf(r, "</dirsize>");
#endif
  
  ap_bclose(pipe_output);

  return(OK);
}
Beispiel #8
0
static int google_analytics_post_config(apr_pool_t *p, apr_pool_t *plog,
										apr_pool_t *ptemp, server_rec *s)
{
	regex_tag_exists = ap_pregcomp(p, tag_exists, (AP_REG_EXTENDED | AP_REG_ICASE | AP_REG_NOSUB));
	ap_assert(regex_tag_exists != NULL);

	pattern_body_end_tag = apr_strmatch_precompile(p, body_end_tag, 0);
	return OK;
}
Beispiel #9
0
static const char *set_ignore_contenttype_config(cmd_parms *parms, void *mconfig,
        const char *arg)
{
    dosdetector_dir_config *cfg = (dosdetector_dir_config *) mconfig;

    *(char **) apr_array_push(cfg->ignore_contenttype) = apr_pstrdup(parms->pool, arg);
    *(ap_regex_t **)apr_array_push(cfg->contenttype_regexp)
        = ap_pregcomp(parms->pool, arg, AP_REG_EXTENDED|AP_REG_ICASE);

    return NULL;
}
Beispiel #10
0
/**
 * <user_agent>
 */
static void
s_set_user_agent_data(Doc *doc, apr_pool_t *p, mod_chxj_config *conf, Node *node) 
{
  Node              *child;
  device_table_list *t;

  for (child = qs_get_child_node(doc,node);
       child ;
       child = qs_get_next_node(doc,child)) {
    char *name = qs_get_node_name(doc,child);
    if (STRCASEEQ('u','U',"user_agent",name)) {
      Attr *attr;
      device_table_list *dtl;

      if (! conf->devices) {
        conf->devices = apr_pcalloc(p, sizeof(device_table_list));
        conf->devices->next    = NULL;
        conf->devices->pattern = NULL;
        conf->devices->table   = NULL;
        conf->devices->tail    = NULL;
        dtl = conf->devices;
      }
      else {
        for (t = conf->devices; t ; t = t->next) {
          if (! t->next)
            break;
        }
        t->next = apr_pcalloc(p, sizeof(device_table_list));
        t->next->next    = NULL;
        t->next->pattern = NULL;
        t->next->table   = NULL;
        t->next->tail    = NULL;
        dtl = t->next;
      }

      for (attr = qs_get_attr(doc,child); 
           attr ; 
           attr = qs_get_next_attr(doc,attr)) {
        char *attr_name = qs_get_attr_name(doc,attr);

        if (STRCASEEQ('p','P',"pattern",attr_name)) {
            dtl->pattern = apr_pstrdup(p, qs_get_attr_value(doc,attr));
            dtl->regexp = ap_pregcomp(p, (const char *)dtl->pattern, AP_REG_EXTENDED|AP_REG_ICASE);
        }
      }
      s_set_device_data(doc, p, dtl, child);
    }
  }
}
Beispiel #11
0
static const char *set_ignore_contenttype_config(cmd_parms *parms, void *mconfig,
					 const char *arg)
{
    dosdetector_dir_config *cfg = (dosdetector_dir_config *) mconfig;
    char **ignore_contenttype = (char **) cfg->ignore_contenttype->elts;

    *(char **) apr_array_push(cfg->ignore_contenttype) = apr_pstrdup(parms->pool, arg);

	int i;
	regex_t *regexp;
	for (i = 0; i < cfg->ignore_contenttype->nelts; i++) {
        regexp = (regex_t *)ap_pregcomp(parms->pool, (char *)ignore_contenttype[i], REG_EXTENDED|REG_ICASE);
		*(regex_t **)apr_array_push(cfg->contenttype_regexp) = regexp;
    }

    return NULL;
}
Beispiel #12
0
static void set_and_comp_regexp(cookie_dir_rec *dcfg,
                                apr_pool_t *p,
                                const char *cookie_name)
{
    int danger_chars = 0;
    const char *sp = cookie_name;

    /* The goal is to end up with this regexp,
     * ^cookie_name=([^;,]+)|[;,][ \t]+cookie_name=([^;,]+)
     * with cookie_name obviously substituted either
     * with the real cookie name set by the user in httpd.conf, or with the
     * default COOKIE_NAME. */

    /* Anyway, we need to escape the cookie_name before pasting it
     * into the regex
     */
    while (*sp) {
        if (!apr_isalnum(*sp)) {
            ++danger_chars;
        }
        ++sp;
    }

    if (danger_chars) {
        char *cp;
        cp = apr_palloc(p, sp - cookie_name + danger_chars + 1); /* 1 == \0 */
        sp = cookie_name;
        cookie_name = cp;
        while (*sp) {
            if (!apr_isalnum(*sp)) {
                *cp++ = '\\';
            }
            *cp++ = *sp++;
        }
        *cp = '\0';
    }

    dcfg->regexp_string = apr_pstrcat(p, "^",
                                      cookie_name,
                                      "=([^;,]+)|[;,][ \t]*",
                                      cookie_name,
                                      "=([^;,]+)", NULL);

    dcfg->regexp = ap_pregcomp(p, dcfg->regexp_string, AP_REG_EXTENDED);
    ap_assert(dcfg->regexp != NULL);
}
Beispiel #13
0
static const char *set_sqlalias_filter(cmd_parms *cmd, void *mconfig, const char *arg)
{
	ap_regex_t *regexp = NULL;

	server_rec *s = cmd->server;
	sqlalias_conf_t *s_cfg = (sqlalias_conf_t *) ap_get_module_config(s->module_config, &sqlalias_module);

	sqlalias_filter_entry *filter;

	filter = (sqlalias_filter_entry *) apr_array_push(s_cfg->filters);
	filter->pattern = apr_pstrdup(cmd->pool, (char *) arg);

	if ((regexp = (ap_regex_t *)ap_pregcomp(cmd->pool, filter->pattern, 0)) == NULL) {
		return apr_pstrcat(cmd->pool, "SQLAliasFilter: cannot compile regular expression '", filter->pattern , "'", NULL);
	}

	filter->regexp = regexp;
	return NULL;
}
Beispiel #14
0
/* Initialise the requisite data structs for our url based dos subrule
 * @param word1 The name of the subrule
 * @param word2 The pattern
 */
static void *dosblock_url_config(cmd_parms *cmd, void *mconfig, char *word1, char *word2) {
    server_rec *s = cmd->server;
    dosblock_cfg *cfg = (dosblock_cfg *)ap_get_module_config(s->module_config, &mod_dosblock_module);

    if(word1 !=NULL && word2 !=NULL)
      {
        /* We test the regexp and populate the table only on success */
        if (ap_pregcomp(cmd->pool, word2, AP_REG_EXTENDED) != NULL )
            {
             apr_table_set(cfg->urlrules, word1, word2);
             apr_table_set(cfg->ruletype, word1, RULEURL);
            }
        else {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to compile regexp %s", word2);
            }
      }

    return NULL;
}
Beispiel #15
0
extern apr_status_t check_regular_expression(request_rec *r, char *haystack, char *needle) {
    ap_regex_t *regexp = (ap_regex_t *)NULL;
    ap_regmatch_t regmatch[AP_MAX_REG_MATCH];

    // Validation Check
    if (haystack == (char *)NULL) { return DECLINED; }
    if (needle == (char *)NULL) { return DECLINED; }

    if (strlen(haystack) > 0) {
        regexp = (ap_regex_t *)ap_pregcomp(r->pool, (const char *)haystack, REG_EXTENDED|REG_ICASE);
        if (regexp != (ap_regex_t *)NULL &&
            ap_regexec(regexp, (const char*)needle, regexp->re_nsub + 1, regmatch, 0) == 0) {
            ap_pregfree(r->pool, regexp);
            return APR_SUCCESS;
        }
        ap_pregfree(r->pool, regexp);
    }

    return DECLINED;
}
Beispiel #16
0
static apr_status_t parse_request_uri(request_rec *r, char **uri, char **size)
{
    int            nmatch = 10;
    ap_regmatch_t  match[nmatch];
    ap_regex_t    *reg;

    reg = ap_pregcomp(r->pool, "^/(original|large|medium|small)/(.*)$",
                      AP_REG_EXTENDED);
    if (ap_regexec(reg, r->unparsed_uri, nmatch, match, 0) == 0) {
        *size = ap_pregsub(r->pool, "$1", r->unparsed_uri, nmatch, match);
        *uri  = ap_pregsub(r->pool, "$2", r->unparsed_uri, nmatch, match);
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                      "Parse URI: %s, %s", *size, *uri);
        ap_pregfree(r->pool, reg);

        return APR_SUCCESS;
    }
    else {
        return APR_EGENERAL;
    }
}
Beispiel #17
0
static const char *set_pattern(cmd_parms *cmd, void *cfg, const char *line)
{
    char *from = NULL;
    char *to = NULL;
    char *flags = NULL;
    char *ourline;
    char delim;
    subst_pattern_t *nscript;
    int is_pattern = 0;
    int ignore_case = 0;
    int flatten = 1;
    ap_regex_t *r = NULL;

    if (apr_tolower(*line) != 's') {
        return "Bad Substitute format, must be an s/// pattern";
    }
    ourline = apr_pstrdup(cmd->pool, line);
    delim = *++ourline;
    if (delim)
        from = ++ourline;
    if (from) {
        if (*ourline != delim) {
            while (*++ourline && *ourline != delim);
        }
        if (*ourline) {
            *ourline = '\0';
            to = ++ourline;
        }
    }
    if (to) {
        if (*ourline != delim) {
            while (*++ourline && *ourline != delim);
        }
        if (*ourline) {
            *ourline = '\0';
            flags = ++ourline;
        }
    }

    if (!delim || !from || !*from || !to) {
        return "Bad Substitute format, must be a complete s/// pattern";
    }

    if (flags) {
        while (*flags) {
            delim = apr_tolower(*flags);    /* re-use */
            if (delim == 'i')
                ignore_case = 1;
            else if (delim == 'n')
                is_pattern = 1;
            else if (delim == 'f')
                flatten = 1;
            else if (delim == 'q')
                flatten = 0;
            else
                return "Bad Substitute flag, only s///[infq] are supported";
            flags++;
        }
    }

    /* first see if we can compile the regex */
    if (!is_pattern) {
        r = ap_pregcomp(cmd->pool, from, AP_REG_EXTENDED |
                        (ignore_case ? AP_REG_ICASE : 0));
        if (!r)
            return "Substitute could not compile regex";
    }
    nscript = apr_array_push(((subst_dir_conf *) cfg)->patterns);
    /* init the new entries */
    nscript->pattern = NULL;
    nscript->regexp = NULL;
    nscript->replacement = NULL;
    nscript->patlen = 0;

    if (is_pattern) {
        nscript->patlen = strlen(from);
        nscript->pattern = apr_strmatch_precompile(cmd->pool, from,
                                                   !ignore_case);
    }
    else {
        nscript->regexp = r;
    }

    nscript->replacement = to;
    nscript->replen = strlen(to);
    nscript->flatten = flatten;

    return NULL;
}
Beispiel #18
0
/* Here-in lies the meat */
static int dosblock_main(request_rec *r) {
    const apr_table_entry_t *dosrulemap_elts = NULL;
    const apr_array_header_t *dosrulemap_arr = NULL;
    char *subrule=NULL, *dosrulematch=NULL, *urlpattern=NULL;
    char *req_header = NULL;
    int matchfound = 0;
    int gotlock = 0;
    dosblockipc_data *base = NULL;
    apr_status_t rs;
    dosblock_cfg *cfg = (dosblock_cfg *)ap_get_module_config(r->server->module_config, &mod_dosblock_module);

    /* Here we try to find if the request matches a dos rule */
    dosrulemap_arr = apr_table_elts(cfg->dosrulemap);

    if (dosrulemap_arr) {
        dosrulemap_elts = (const apr_table_entry_t *)dosrulemap_arr->elts;
        int i;
        for (i=0; i<dosrulemap_arr->nelts; ++i)
         {
           subrule = dosrulemap_elts[i].val;
           char *subrule_type =  (char *)apr_table_get(cfg->ruletype, subrule);
           if (subrule_type == NULL)
             continue;
           /* Check if it is a url based subrule */
           if (0 == apr_strnatcmp(subrule_type, RULEURL))
              {
               urlpattern = (char *)apr_table_get(cfg->urlrules, subrule);
               if (urlpattern == NULL)
                 continue;
               ap_regex_t *pattern = ap_pregcomp(r->pool, urlpattern, AP_REG_EXTENDED);
               if (0 == ap_regexec(pattern, r->uri, 0, NULL, 0))
               /* This is where the dos url subrule would match */
                 {
                   dosrulematch = dosrulemap_elts[i].key;
                   matchfound = 1;
                   break;
                 }
              }
           /* Check if it is a header based subrule */
            else if (0 == apr_strnatcmp(subrule_type, RULEHEADER))
             {
              headerrulestruct *h = NULL;
              h = apr_hash_get(cfg->headerrules, subrule, APR_HASH_KEY_STRING);
              if (h == NULL)
                continue;
              req_header = (char *)apr_table_get(r->headers_in, h->headername);
              if (req_header == NULL)
                continue;
              ap_regex_t *pattern = ap_pregcomp(r->pool, h->headerpattern, AP_REG_EXTENDED);
              if (0 == ap_regexec(pattern, req_header, 0, NULL, 0))
               /* This is where the dos header subrule would match */
                {
                  dosrulematch = dosrulemap_elts[i].key;
                  matchfound = 1;
                  break;
                }
             }
         }
       }

    if (matchfound && dosrulematch) {
      int blocked = 0;
      /* apr_table_set(r->headers_out, "DOSRULE_MATCHED", dosrulematch);*/
      /*  Check if we have the corresponding shared memory segment for
       *  the matching dos rule. If not we do not go further.
       */
      if (!apr_hash_get(cfg->dosrule_shm_map, dosrulematch, APR_HASH_KEY_STRING))
       {
          return DECLINED;
        }
      apr_int64_t index = apr_atoi64(apr_hash_get(cfg->dosrule_shm_map, dosrulematch, APR_HASH_KEY_STRING));

      /* Take the mutex lock here. Be careful of not 'returning' before releasing the lock*/
      rs = apr_global_mutex_lock(dosblockipc_mutex[index]);
      if (APR_SUCCESS == rs) {
          gotlock = 1;
      }
      else {
        /* Some error, log and bail */
        ap_log_error(APLOG_MARK, APLOG_ERR, rs, r->server, "Child %ld failed to acquire lock", (long int)getpid());
      }
      base = (dosblockipc_data *)apr_shm_baseaddr_get(dosblockipc_shm[index]);
      /* check if the Dos rule is already blocked */
      if (base->ds.isblocked)
       {
        /* The dos rule is blocked at this moment. Need to check the time stamp
         * (time till blockage) and act accordingly
         */
        apr_time_t time_now = apr_time_now();
        apr_time_t time_to_blockage = base->ds.t;
        /* apr_table_set(r->headers_out, "Blocked till", apr_psprintf(r->pool, "%d",time_to_blockage)); */
        if(cfg->verbosity)
           ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Dos rule %s is blocked", dosrulematch);
        if (time_now < time_to_blockage)
         {
          /* Keep blocking */
           blocked = 1;
           if(cfg->verbosity)
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Keep dos rule %s blocked", dosrulematch);

         }
        else {
          /* Time to unblock */
           base->ds.isblocked = 0;
           base->ds.t = 0;
           /* apr_table_set(r->headers_out, "Time-to-unblock", "Unblock"); */
           if(cfg->verbosity)
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Time to unblock dos rule %s", dosrulematch);

          }
      }
      /* Here we age entries, try to account for the matched hit, calculate the
       * rate and take some action if needed.
       */
      int i;
      apr_int64_t sum_counter = 0;
      int hit_accounted = 0;

      /* Loop through the array of structs */
      for (i=0; i<ARSIZE; i++) {
        if (base->dh[i].t) {
          if ((r->request_time - base->dh[i].t)/APR_USEC_PER_SEC > ARSIZE ) {
            /* Ageing entries */
             base->dh[i].t = 0;
             base->dh[i].counter = 0;
             if(cfg->verbosity)
               ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Ageing entry for dos rule %s", dosrulematch);
             continue;
           }
          if (base->dh[i].t/APR_USEC_PER_SEC == r->request_time/APR_USEC_PER_SEC )
            {
              /* There is already an entry for this sec. Increment the corresponding
               * counter
               */
              base->dh[i].counter++;
              sum_counter+= base->dh[i].counter;
              hit_accounted = 1;
              /*apr_table_set(r->headers_out, "Entry-for-this-sec", "Exists"); */
              if(cfg->verbosity)
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "We have an Entry-for-this-sec for dos rule %s", dosrulematch);
             continue;
            }
          sum_counter+= base->dh[i].counter;
          }
        }

      /* Add an element in our array of structs for this second if the hit was not accounted above */
      if (! hit_accounted) {
        if(cfg->verbosity)
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Hit is not accounted for dos rule %s", dosrulematch);
        if ((ARSIZE - base->next) ==  0)
          base->next = 0;
        base->dh[base->next].t = r->request_time;
        base->dh[base->next].counter = 1;
        sum_counter+= base->dh[base->next].counter;
        base->next++;
        /*apr_table_set(r->headers_out, "Entry-for-this-sec", "Does-not-Exist");*/
        if(cfg->verbosity)
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "We do not have an entry for this second (dos rule %s) and sum of counter is %" APR_INT64_T_FMT, dosrulematch, sum_counter);
      }

      if ( ! blocked) {
        float rate = (float)sum_counter/ARSIZE;
        /* Get the configured rate threshold */
        dosrulestruct *d = apr_hash_get(cfg->dosrules, dosrulematch, APR_HASH_KEY_STRING);
        if(cfg->verbosity) {
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s sum of counter is %" APR_INT64_T_FMT, dosrulematch, sum_counter);
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s rate is %f", dosrulematch, rate);
          ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s configured  rate is %" APR_INT64_T_FMT, dosrulematch, apr_atoi64(d->threshold));
        }
        if (rate > apr_atoi64(d->threshold))
         {
           /* Block it */
           base->ds.isblocked = 1;
           base->ds.t = (apr_time_now() + (apr_atoi64(d->timetoblock)*APR_USEC_PER_SEC));
           base->ds.rate_when_blocked = rate;
           if(cfg->verbosity) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s getting blocked after rate calulation", dosrulematch);
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Non Blocked dos rule %s getting blocked till %" APR_TIME_T_FMT, dosrulematch, base->ds.t);
           }
           blocked = 1;
         }
      }

      /* Release the lock. We have to be careful of not 'returning' before
       * releasing the lock
       */
      if (gotlock)
        rs = apr_global_mutex_unlock(dosblockipc_mutex[index]);
      /* Swallowing the result because what are we going to do with it at
       * this stage
       */
      if (blocked)
        return HTTP_SERVICE_UNAVAILABLE;
   }
    else {
      /* apr_table_set(r->headers_out, "DOSRULE_MATCHED", "None");*/
    }

    return DECLINED;
}
Beispiel #19
0
/*
 *  Get the stuff from LDAP
 */
static int getldaphome(request_rec *r, vhx_config_rec *vhr, const char *hostname, vhx_request_t *reqc)
{
	/* LDAP associated variable and stuff */
	const char 		**vals = NULL;
	char 			*filtbuf = NULL;
	int 			result = 0;
	const char 		*dn = NULL;
	util_ldap_connection_t 	*ldc = NULL;
	int 			failures = 0;

	VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): BEGIN ***,pid=%d",getpid());


	/* Check for illegal characters in hostname that would mess up the LDAP query */
	ap_regex_t *cpat = ap_pregcomp(r->pool, "\\[\\/\\*\\(\\)&\\]", REG_EXTENDED|REG_ICASE); 
	if(cpat != NULL) {
		if (ap_regexec(cpat, hostname, 0, NULL, 0) == 0 ) {
			VH_AP_LOG_RERROR(APLOG_MARK, APLOG_WARNING, 0, r, "%s: (getldaphome) bad characters in hostname %s", VH_NAME, hostname);
			return DECLINED;
		}
	}

start_over:

	if (vhr->ldap_host) {
		VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): util_ldap_connection_find(r,%s,%d,%s,%s,%d,%d);",vhr->ldap_host, vhr->ldap_port, vhr->ldap_binddn, vhr->ldap_bindpw, vhr->ldap_deref, vhr->ldap_secure);
		ldc = util_ldap_connection_find(r, vhr->ldap_host, vhr->ldap_port, vhr->ldap_binddn,
				vhr->ldap_bindpw, vhr->ldap_deref, vhr->ldap_secure);
	} else {
		return DECLINED;
	}

	filtbuf = apr_psprintf(r->pool, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", vhr->ldap_filter, hostname, hostname);

	VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): filtbuf = %s",filtbuf);
	//VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): %s %s %d %s %s",vhr->ldap_url,vhr->ldap_basedn,vhr->ldap_scope,ldap_attributes[0],filtbuf);

	result = util_ldap_cache_getuserdn(r, ldc, vhr->ldap_url, vhr->ldap_basedn, vhr->ldap_scope, ldap_attributes, filtbuf, &dn, &vals);
	util_ldap_connection_close(ldc);

	// sanity check - if server is down, retry it up to 5 times 
	if (result == LDAP_SERVER_DOWN) {
		if (failures++ <= 5) {
			apr_sleep(1000000);
			goto start_over;
		}
	}
	if ((result == LDAP_NO_SUCH_OBJECT)) {
		VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r,
				"getldaphome(): virtual host %s not found",
				hostname);
		return DECLINED;
	}

	/* handle bind failure */
	if (result != LDAP_SUCCESS) {
		VH_AP_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
				"%s: (getldaphome) translate failed; virtual host %s; URI %s LDAP Error: [%s]", 
				VH_NAME, hostname, r->uri, ldap_err2string(result));
		return DECLINED;
	}

	int i = 0;
	while (ldap_attributes[i]) {
		if (apr_strnatcasecmp (ldap_attributes[i], "apacheServerName") == 0) {
			reqc->name = apr_pstrdup (r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "apacheServerAdmin") == 0) {
			reqc->admin = apr_pstrdup (r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "apacheDocumentRoot") == 0) {
			reqc->docroot = apr_pstrdup (r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "homeDirectory") == 0) {
			reqc->homedirectory = apr_pstrdup (r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "phpOptions") == 0) {
			reqc->phpoptions = apr_pstrdup (r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "uidNumber") == 0) {
			reqc->uid = apr_pstrdup(r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "gidNumber") == 0) {
			reqc->gid = apr_pstrdup(r->pool, vals[i]);
		}
		else if (apr_strnatcasecmp (ldap_attributes[i], "apacheChrootDir") == 0) {
			reqc->chroot_dir = apr_pstrdup(r->pool, vals[i]);
		}
		i++;
	}

	reqc->vhost_found = VH_VHOST_INFOS_FOUND;

	VH_AP_LOG_RERROR(APLOG_MARK, APLOG_DEBUG, 0, r, "getldaphome(): END ***");

	/* If we don't have a document root then we can't honour the request */
	if (reqc->docroot == NULL) {
		VH_AP_LOG_RERROR(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, "%s: (getldaphome) no document root found for %s", VH_NAME, hostname);
		return DECLINED;
	}

	/* We have a document root so, this is ok */
	return OK;
}
Beispiel #20
0
static const char *filter_provider(cmd_parms *cmd, void *CFG, const char *args)
{
    mod_filter_cfg *cfg = CFG;
    int flags;
    ap_filter_provider_t *provider;
    const char *rxend;
    const char *c;
    char *str;
    const char *eq;
    ap_filter_rec_t* frec;
    ap_filter_rec_t* provider_frec;

    /* insist on exactly four arguments */
    const char *fname = ap_getword_conf(cmd->pool, &args) ;
    const char *pname = ap_getword_conf(cmd->pool, &args) ;
    const char *condition = ap_getword_conf(cmd->pool, &args) ;
    const char *match = ap_getword_conf(cmd->pool, &args) ;
    eq = ap_getword_conf(cmd->pool, &args) ;
    if ( !*fname || !*pname || !*match || !*condition || *eq ) {
        return "usage: FilterProvider filter provider condition match" ;
    }

    /* fname has been declared with DeclareFilter, so we can look it up */
    frec = apr_hash_get(cfg->live_filters, fname, APR_HASH_KEY_STRING);

    /* or if provider is mod_filter itself, we can also look it up */
    if (!frec) {
        c = filter_declare(cmd, CFG, fname, NULL);
        if ( c ) {
            return c;
        }
        frec = apr_hash_get(cfg->live_filters, fname, APR_HASH_KEY_STRING);
    }

    if (!frec) {
        return apr_psprintf(cmd->pool, "Undeclared smart filter %s", fname);
    }

    /* if provider has been registered, we can look it up */
    provider_frec = ap_get_output_filter_handle(pname);
    if (!provider_frec) {
        provider_frec = apr_hash_get(cfg->live_filters, pname,
                                     APR_HASH_KEY_STRING);
    }
    if (!provider_frec) {
        return apr_psprintf(cmd->pool, "Unknown filter provider %s", pname);
    }

    provider = apr_palloc(cmd->pool, sizeof(ap_filter_provider_t));
    if (*match == '!') {
        provider->not = 1;
        ++match;
    }
    else {
        provider->not = 0;
    }

    switch (*match++) {
    case '<':
        if (*match == '=') {
            provider->match_type = INT_LE;
            ++match;
        }
        else {
            provider->match_type = INT_LT;
        }
        provider->match.number = atoi(match);
        break;
    case '>':
        if (*match == '=') {
            provider->match_type = INT_GE;
            ++match;
        }
        else {
            provider->match_type = INT_GT;
        }
        provider->match.number = atoi(match);
        break;
    case '=':
        provider->match_type = INT_EQ;
        provider->match.number = atoi(match);
        break;
    case '/':
        provider->match_type = REGEX_MATCH;
        rxend = ap_strchr_c(match, '/');
        if (!rxend) {
              return "Bad regexp syntax";
        }
        flags = AP_REG_NOSUB;        /* we're not mod_rewrite:-) */
        for (c = rxend+1; *c; ++c) {
            switch (*c) {
            case 'i': flags |= AP_REG_ICASE; break;
            }
        }
        provider->match.regex = ap_pregcomp(cmd->pool,
                                            apr_pstrndup(cmd->pool,
                                                         match,
                                                         rxend-match),
                                            flags);
        break;
    case '*':
        provider->match_type = DEFINED;
        provider->match.number = -1;
        break;
    case '$':
        provider->match_type = STRING_CONTAINS;
        str = apr_pstrdup(cmd->pool, match);
        ap_str_tolower(str);
        provider->match.string = str;
        break;
    default:
        provider->match_type = STRING_MATCH;
        provider->match.string = apr_pstrdup(cmd->pool, match-1);
        break;
    }
    provider->frec = provider_frec;
    provider->next = frec->providers;
    frec->providers = provider;

    /* determine what a filter will dispatch this provider on */
    eq = ap_strchr_c(condition, '=');
    if (eq) {
        str = apr_pstrdup(cmd->pool, eq+1);
        if (!strncasecmp(condition, "env=", 4)) {
            provider->dispatch = SUBPROCESS_ENV;
        }
        else if (!strncasecmp(condition, "req=", 4)) {
            provider->dispatch = REQUEST_HEADERS;
        }
        else if (!strncasecmp(condition, "resp=", 5)) {
            provider->dispatch = RESPONSE_HEADERS;
        }
        else {
            return "FilterProvider: unrecognized dispatch table";
        }
    }
    else {
        if (!strcasecmp(condition, "handler")) {
            provider->dispatch = HANDLER;
        }
        else {
            provider->dispatch = RESPONSE_HEADERS;
        }
        str = apr_pstrdup(cmd->pool, condition);
        ap_str_tolower(str);
    }

    if (   (provider->dispatch == RESPONSE_HEADERS)
        && !strcasecmp(str, "content-type")) {
        provider->dispatch = CONTENT_TYPE;
    }
    provider->value = str;

    return NULL;
}