On Fri, Apr 25, 2014 at 6:55 AM, <minf...@apache.org> wrote: > Author: minfrin > Date: Fri Apr 25 10:55:04 2014 > New Revision: 1589986 > > URL: http://svn.apache.org/r1589986 > Log: > Add the ldap function to the expression API, allowing LDAP filters and > distinguished names based on expressions to be escaped correctly to > guard against LDAP injection. > > Note: this requires at least APR v1.6.0 or above for the apr_escape API. > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/docs/manual/expr.xml > httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml > httpd/httpd/trunk/server/util_expr_eval.c > > Modified: httpd/httpd/trunk/CHANGES > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1589986&r1=1589985&r2=1589986&view=diff > > ============================================================================== > --- httpd/httpd/trunk/CHANGES [utf-8] (original) > +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 25 10:55:04 2014 > @@ -1,6 +1,10 @@ > -*- coding: > utf-8 -*- > Changes with Apache 2.5.0 > > + *) Add the ldap function to the expression API, allowing LDAP filters > and > + distinguished names based on expressions to be escaped correctly to > + guard against LDAP injection. [Graham Leggett] > + > *) Add module mod_ssl_ct, which provides an implementation of > Certificate > Transparency (RFC 6962) for httpd. [Jeff Trawick] > > > Modified: httpd/httpd/trunk/docs/manual/expr.xml > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1589986&r1=1589985&r2=1589986&view=diff > > ============================================================================== > --- httpd/httpd/trunk/docs/manual/expr.xml (original) > +++ httpd/httpd/trunk/docs/manual/expr.xml Fri Apr 25 10:55:04 2014 
> @@ -514,6 +514,9 @@ listfunction ::= listfuncname "<strong>( > <tr><td><code>filesize</code></td> > <td>Return size of a file (or 0 if file does not exist or is not > regular file)</td><td>yes</td></tr> > + <tr><td><code>ldap</code></td> > + <td>Escape characters as required by LDAP distinguished name > escaping > + (RFC4514) and LDAP filter escaping > (RFC4515).</td><td></td></tr> > > </table> > > > Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589986&r1=1589985&r2=1589986&view=diff > > ============================================================================== > --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 > 10:55:04 2014 > @@ -496,6 +496,16 @@ AuthLDAPMaxSubGroupDepth 1 > <code>ldap-attribute</code> will be faster than the search operation > used by <code>ldap-filter</code> especially within a large > directory.</p> > > + <p>When using an <a href="../expr.html">expression</a> within the > filter, care > + must be taken to ensure that LDAP filters are escaped correctly to > guard against > + LDAP injection. The ldap function can be used for this purpose.</p> > + > +<highlight language="config"> > +<LocationMatch ^/dav/(?<SITENAME>[^/]+)/> > + Require ldap-filter > (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example) > +</LocationMatch> > +</highlight> > + > </section> > > </section> > > Modified: httpd/httpd/trunk/server/util_expr_eval.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1589986&r1=1589985&r2=1589986&view=diff > > ============================================================================== > --- httpd/httpd/trunk/server/util_expr_eval.c (original) > +++ httpd/httpd/trunk/server/util_expr_eval.c Fri Apr 25 10:55:04 2014 
> @@ -31,6 +31,7 @@ > #include "apr_fnmatch.h" > #include "apr_base64.h" > #include "apr_sha1.h" >
Unless httpd trunk as a whole already prereqs 1.5.x, please ifdef this based on version of apr: > +#include "apr_escape.h" > > #include <limits.h> /* for INT_MAX */ > > @@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval > return ap_md5(ctx->p, (const unsigned char *)arg); > } > > Please ifdef this based on version of apr: > +static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data, > + const char *arg) > +{ > + return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, > APR_ESCAPE_LDAP_ALL); > +} > + > > #define MAX_FILE_SIZE 10*1024*1024 > static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data, > @@ -1645,6 +1652,7 @@ static const struct expr_provider_single > { unbase64_func, "unbase64", NULL, 0 }, > { sha1_func, "sha1", NULL, 0 }, > { md5_func, "md5", NULL, 0 }, > Same: > + { ldap_func, "ldap", NULL, 0 }, > { NULL, NULL, NULL} > }; > > > > -- Born in Roswell... married an alien... http://emptyhammock.com/ http://edjective.org/
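Review bot: The CHANGES entry omits the build requirement that the log message states ("requires at least APR v1.6.0 or above for the apr_escape API"); since CHANGES is what packagers read, the entry should carry that note so a build against an older APR is not a surprise.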
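Review bot: The expr.xml row for `ldap` describes two escaping rules (RFC4514 DN escaping and RFC4515 filter escaping) but does not say that the function applies both at once, which is what the `APR_ESCAPE_LDAP_ALL` call in util_expr_eval.c does; the description should state that both rule sets are applied to the value, so readers know the output is suitable for a DN that is itself embedded in a filter (the case the mod_authnz_ldap example shows) and that there is no DN-only or filter-only mode.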
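Review bot: The new paragraph in mod_authnz_ldap.xml says "care must be taken" but not what the care consists of; the example gets the ordering right (`%{unescape:...}` first, then `%{ldap:...}` on the decoded value), and the text should say explicitly that the untrusted value must be wrapped in `ldap` after any decoding step such as `unescape`, since escaping before decoding would leave the decoded characters unescaped. The paragraph should also mention the APR 1.6.0 requirement from the log, because a user of an older APR will not have this function available.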
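Review bot: The unconditional `#include "apr_escape.h"` and the call to `apr_pescape_ldap()` will fail to compile against any APR older than the 1.6.0 the log message names, so either the configure-time APR minimum has to be raised to match or the include, `ldap_func`, and the `{ ldap_func, "ldap", NULL, 0 }` table entry should all sit under one APR version check (for example `APR_VERSION_AT_LEAST(1, 6, 0)` from apr_version.h) so that the function is simply absent on older APR rather than breaking the build.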
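Review bot: `ldap_func` hardcodes `APR_ESCAPE_LDAP_ALL`, which is the right choice for the documented use (a DN inside a filter) but gives expression authors no way to request DN-only or filter-only escaping; if that is intentional, a comment on the function saying so would keep a later contributor from "fixing" it, and if a selectable mode is wanted later the single-argument function signature leaves no room for it, so a second function name such as a filter-only variant would be needed. The `data` parameter being ignored matches `md5_func` and `sha1_func` above it, so no change needed there.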