/*
 * Authorization callback for "Require dbd-group".
 *
 * Access is granted when any whitespace-separated word of the evaluated
 * require expression is byte-for-byte equal (strcmp, so case-sensitive) to one
 * of the group names that authz_dbd_group_query() stored for this request.
 *
 * r                    - current request; r->user must already be set
 * require_args         - raw require arguments (not read by this function)
 * parsed_require_args  - expression handed to ap_expr_str_exec()
 *
 * Returns AUTHZ_DENIED_NO_USER when no user is set, AUTHZ_GENERAL_ERROR when
 * the group query does not return OK, AUTHZ_GRANTED on the first matching
 * word, and AUTHZ_DENIED otherwise (including when the expression cannot be
 * evaluated, so an evaluation failure never grants access).
 */
static authz_status dbdgroup_check_authorization(request_rec *r,
                                                 const char *require_args,
                                                 const void *parsed_require_args)
{
    const ap_expr_info_t *expr = parsed_require_args;
    authz_dbd_cfg *cfg = ap_get_module_config(r->per_dir_config,
                                              &authz_dbd_module);
    apr_array_header_t *groups;
    const char **group_names;
    const char *err = NULL;
    const char *require;
    const char *cursor;
    int idx;

    /* Group membership is keyed on the authenticated user. */
    if (!r->user) {
        return AUTHZ_DENIED_NO_USER;
    }

    /* Collect the groups for this request before looking at the require
     * expression; a failed query is reported as a general error. */
    groups = apr_array_make(r->pool, 4, sizeof(const char*));
    if (authz_dbd_group_query(r, cfg, groups) != OK) {
        return AUTHZ_GENERAL_ERROR;
    }

    require = ap_expr_str_exec(r, expr, &err);
    if (err) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02590)
                      "authz_dbd authorize: require dbd-group: Can't "
                      "evaluate require expression: %s", err);
        return AUTHZ_DENIED;
    }

    /* Walk the expression result one whitespace-delimited word at a time. */
    group_names = (const char **)groups->elts;
    for (cursor = require; cursor[0] != '\0'; ) {
        const char *word = ap_getword_white(r->pool, &cursor);

        for (idx = 0; idx < groups->nelts; ++idx) {
            if (strcmp(word, group_names[idx]) == 0) {
                return AUTHZ_GRANTED;
            }
        }
    }

    return AUTHZ_DENIED;
}
/*
 * Authorization callback for "Require host".
 *
 * Obtains the client's host name via ap_get_useragent_host() in
 * REMOTE_DOUBLE_REV mode and grants access when in_domain() accepts it for
 * any of the names listed in the evaluated require expression.
 *
 * r                    - current request
 * require_line         - raw require line, only used in the error log
 * parsed_require_line  - expression handed to ap_expr_str_exec()
 *
 * Returns AUTHZ_GRANTED on the first matching name, AUTHZ_DENIED otherwise.
 * The request is denied when no host name is available (lookup returned NULL
 * or only an IP address) and when the expression cannot be evaluated.
 */
static authz_status host_check_authorization(request_rec *r,
                                             const char *require_line,
                                             const void *parsed_require_line)
{
    const ap_expr_info_t *expr = parsed_require_line;
    const char *err = NULL;
    const char *remotehost;
    const char *require;
    const char *cursor;
    const char *name;
    int remotehost_is_ip;

    remotehost = ap_get_useragent_host(r, REMOTE_DOUBLE_REV,
                                       &remotehost_is_ip);

    /* Without a real host name there is nothing to compare against the
     * configured names, so the check fails closed. */
    if (remotehost == NULL || remotehost_is_ip) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01753)
                      "access check of '%s' to %s failed, reason: unable to get the "
                      "remote host name", require_line, r->uri);
        return AUTHZ_DENIED;
    }

    require = ap_expr_str_exec(r, expr, &err);
    if (err) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02593)
                      "authz_host authorize: require host: Can't "
                      "evaluate require expression: %s", err);
        return AUTHZ_DENIED;
    }

    /* The 'host' provider accepts a list of host names rather than a single
     * name, which differs from the previous host based syntax. Tokenizing
     * stops at the first missing or empty word. */
    cursor = require;
    for (;;) {
        name = ap_getword_conf(r->pool, &cursor);
        if (name == NULL || name[0] == '\0') {
            break;
        }
        if (in_domain(name, remotehost)) {
            return AUTHZ_GRANTED;
        }
    }

    /* authz_core will log the require line and the result at DEBUG */
    return AUTHZ_DENIED;
}
/*
 * Evaluate every parsed require expression into a string and hand the
 * results back as an array.
 *
 * r                    - current request; the array is allocated from r->pool
 * parsed_require_args  - array of ap_expr_info_t pointers to evaluate
 * query_parameters     - out: set to the apr_array_header_t of evaluated
 *                        strings, in the same order as the input; written
 *                        only when every expression evaluated cleanly
 *
 * Returns OK on success, or HTTP_INTERNAL_SERVER_ERROR as soon as one
 * expression fails to evaluate.
 *
 * NOTE(review): the evaluated strings may be derived from request data;
 * presumably the caller passes them as bound arguments of a prepared
 * statement rather than splicing them into SQL text - confirm at the call
 * site.
 */
static int evaluate_query_parameters(request_rec *r,
                                     const apr_array_header_t *parsed_require_args,
                                     const void **query_parameters)
{
    apr_array_header_t *values;
    const ap_expr_info_t **exprs;
    const char *value;
    const char *err = NULL;
    int idx;

    /* One output slot per input expression. */
    values = apr_array_make(r->pool, parsed_require_args->nelts,
                            sizeof (char *));
    exprs = (const ap_expr_info_t **)parsed_require_args->elts;

    for (idx = 0; idx < parsed_require_args->nelts; idx++) {
        value = ap_expr_str_exec(r, exprs[idx], &err);
        if (err) {
            /* NOTE(review): APLOGNO() is empty here, so this message has no
             * log tag number assigned yet. */
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
                          "authz_dbd in evaluate query_parameters: Can't "
                          "evaluate require expression: %s", err);
            return HTTP_INTERNAL_SERVER_ERROR;
        }
        *(const char **)apr_array_push(values) = value;
    }

    *query_parameters = (void *)values;
    return OK;
}
/*
 * Authorization callback for "Require forward-dns".
 *
 * Each name in the evaluated require expression is passed to
 * apr_sockaddr_info_get(); access is granted when one of the returned
 * addresses equals r->useragent_addr. A '#' ends processing the way a
 * configuration-file comment would: a word starting with '#' stops the scan
 * immediately, and a word containing '#' is cut at that character, checked,
 * and then the scan stops.
 *
 * r                    - current request
 * require_line         - raw require line (not read by this function)
 * parsed_require_line  - expression handed to ap_expr_str_exec()
 *
 * Returns AUTHZ_GRANTED on the first address match, AUTHZ_DENIED otherwise
 * (including when the expression cannot be evaluated). A name for which no
 * address info is returned is logged at WARNING and skipped; it never grants
 * access.
 */
static authz_status forward_dns_check_authorization(request_rec *r,
                                                    const char *require_line,
                                                    const void *parsed_require_line)
{
    const ap_expr_info_t *expr = parsed_require_line;
    const char *err = NULL;
    const char *require;
    const char *cursor;
    char *name;

    /* the require line is an expression, which is evaluated now. */
    require = ap_expr_str_exec(r, expr, &err);
    if (err) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
                      "authz_host authorize: require forward-dns: "
                      "Can't evaluate require expression: %s", err);
        return AUTHZ_DENIED;
    }

    /* tokenize expected list of names */
    cursor = require;
    for (;;) {
        apr_sockaddr_t *addr;
        apr_status_t status;
        char *comment_start;

        name = ap_getword_conf(r->pool, &cursor);
        if (name == NULL || name[0] == '\0') {
            break;
        }

        /* stop on apache configuration file comments */
        comment_start = ap_strchr(name, '#');
        if (comment_start == name) {
            break;
        }
        if (comment_start != NULL) {
            /* keep the part of the word that precedes the comment */
            *comment_start = '\0';
        }

        /* does the client ip match one of the names? */
        status = apr_sockaddr_info_get(&addr, name, APR_UNSPEC, 0, 0, r->pool);
        if (status != APR_SUCCESS) {
            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
                          "No sockaddr info for \"%s\"", name);
        }
        else {
            for (; addr != NULL; addr = addr->next) {
                int match = apr_sockaddr_equal(addr, r->useragent_addr);

                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
                              "access check for %s as '%s': %s",
                              r->useragent_ip, name, match? "yes": "no");
                if (match) {
                    return AUTHZ_GRANTED;
                }
            }
        }

        /* stop processing, we are in a comment */
        if (comment_start != NULL) {
            break;
        }
    }

    return AUTHZ_DENIED;
}