MINOR: acl: add new matches for header/path/url length

This patch introduces hdr_len, path_len and url_len for matching these
respective parts lengths against integers. This can be used to detect
abuse or empty headers.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index c6785c290d2f10616b51a15686a8187a841ae69c..9bcc16ee446a3705d0ca70d24d78016e8b801e9c 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7717,6 +7717,13 @@ hdr_ip(<header>) <ip_address>
   X-Client-IP. See "hdr" for more information on header matching. Use the
   shdr_ip() variant for response headers sent by the server.
 
+hdr_len <integer>
+hdr_len(<header>) <integer>
+  Returns true when at least one of the headers has a length which matches the
+  values or ranges specified. This may be used to detect empty or too large
+  headers. See "hdr" for more information on header matching. Use the
+  shdr_len() variant for response headers sent by the server.
+
 hdr_reg <regex>
 hdr_reg(<header>) <regex>
   Returns true when one of the headers matches of the regular expressions. It
@@ -7781,6 +7788,10 @@ path_end <string>
   Returns true when the path ends with one of the strings. This may be used to
   control file name extension.
 
+path_len <integer>
+  Returns true when the path length matches the values or ranges specified.
+  This may be used to detect abusive requests for instance.
+
 path_reg <regex>
   Returns true when the path matches one of the regular expressions. It can be
   used any time, but it is important to remember that regex matching is slower
@@ -7828,6 +7839,10 @@ url_ip <ip_address>
   It can be used to prevent access to certain resources such as local network.
   It is useful with option "http_proxy".
 
+url_len <integer>
+  Returns true when the url length matches the values or ranges specified. This
+  may be used to detect abusive requests for instance.
+
 url_port <integer>
   Applies to the port specified in the absolute URI in an HTTP request. It can
   be used to prevent access to certain resources. It is useful with option

diff --git a/include/proto/acl.h b/include/proto/acl.h
index c35cee9b4e59ce70cb54dcb4154d895e0baa448e..b3ae181e14382b2f154c393c871506eb01a88ca3 100644 (file)
--- a/include/proto/acl.h
+++ b/include/proto/acl.h
@@ -2,7 +2,7 @@
  * include/proto/acl.h
  * This file provides interface definitions for ACL manipulation.
  *
- * Copyright (C) 2000-2010 Willy Tarreau - w@1wt.eu
+ * Copyright (C) 2000-2011 Willy Tarreau - w@1wt.eu
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -136,6 +136,9 @@ int acl_parse_nothing(const char **text, struct acl_pattern *pattern, int *opaqu
 /* NB: For two strings to be identical, it is required that their lengths match */
 int acl_match_str(struct acl_test *test, struct acl_pattern *pattern);
 
+/* Checks that the length of the pattern in <test> is included between min and max */
+int acl_match_len(struct acl_test *test, struct acl_pattern *pattern);
+
 /* Checks that the integer in <test> is included between min and max */
 int acl_match_int(struct acl_test *test, struct acl_pattern *pattern);
 

diff --git a/src/acl.c b/src/acl.c
index 33f00ed2bf8992e594a5b9273ed74cc92246d36b..3546ef746456117265ce4a60dbcd43e426c5c788 100644 (file)
--- a/src/acl.c
+++ b/src/acl.c
@@ -1,7 +1,7 @@
 /*
  * ACL management functions.
  *
- * Copyright 2000-2010 Willy Tarreau <w@1wt.eu>
+ * Copyright 2000-2011 Willy Tarreau <w@1wt.eu>
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -650,6 +650,15 @@ int acl_match_int(struct acl_test *test, struct acl_pattern *pattern)
        return ACL_PAT_FAIL;
 }
 
+/* Checks that the length of the pattern in <test> is included between min and max */
+int acl_match_len(struct acl_test *test, struct acl_pattern *pattern)
+{
+       if ((!pattern->val.range.min_set || pattern->val.range.min <= test->len) &&
+           (!pattern->val.range.max_set || test->len <= pattern->val.range.max))
+               return ACL_PAT_PASS;
+       return ACL_PAT_FAIL;
+}
+
 int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
 {
        struct in_addr *s;

diff --git a/src/proto_http.c b/src/proto_http.c
index 2cd58d2c9b4b7db4fb79c9266c4757ec31535803..c39fb94624902f936dfed9642802622dbd89e7f2 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8371,6 +8371,7 @@ static struct acl_kw_list acl_kws = {{ },{
        { "url_dir",    acl_parse_str,   acl_fetch_url,      acl_match_dir,  ACL_USE_L7REQ_VOLATILE },
        { "url_dom",    acl_parse_str,   acl_fetch_url,      acl_match_dom,  ACL_USE_L7REQ_VOLATILE },
        { "url_reg",    acl_parse_reg,   acl_fetch_url,      acl_match_reg,  ACL_USE_L7REQ_VOLATILE },
+       { "url_len",    acl_parse_int,   acl_fetch_url,      acl_match_len,  ACL_USE_L7REQ_VOLATILE },
        { "url_ip",     acl_parse_ip,    acl_fetch_url_ip,   acl_match_ip,   ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
        { "url_port",   acl_parse_int,   acl_fetch_url_port, acl_match_int,  ACL_USE_L7REQ_VOLATILE },
 
@@ -8383,6 +8384,7 @@ static struct acl_kw_list acl_kws = {{ },{
        { "hdr_dir",    acl_parse_str,   acl_fetch_chdr,    acl_match_dir, ACL_USE_L7REQ_VOLATILE },
        { "hdr_dom",    acl_parse_str,   acl_fetch_chdr,    acl_match_dom, ACL_USE_L7REQ_VOLATILE },
        { "hdr_cnt",    acl_parse_int,   acl_fetch_chdr_cnt,acl_match_int, ACL_USE_L7REQ_VOLATILE },
+       { "hdr_len",    acl_parse_int,   acl_fetch_chdr,    acl_match_len, ACL_USE_L7REQ_VOLATILE },
        { "hdr_val",    acl_parse_int,   acl_fetch_chdr_val,acl_match_int, ACL_USE_L7REQ_VOLATILE },
        { "hdr_ip",     acl_parse_ip,    acl_fetch_chdr_ip, acl_match_ip,  ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
 
@@ -8394,6 +8396,7 @@ static struct acl_kw_list acl_kws = {{ },{
        { "shdr_dir",   acl_parse_str,   acl_fetch_shdr,    acl_match_dir, ACL_USE_L7RTR_VOLATILE },
        { "shdr_dom",   acl_parse_str,   acl_fetch_shdr,    acl_match_dom, ACL_USE_L7RTR_VOLATILE },
        { "shdr_cnt",   acl_parse_int,   acl_fetch_shdr_cnt,acl_match_int, ACL_USE_L7RTR_VOLATILE },
+       { "shdr_len",   acl_parse_int,   acl_fetch_shdr,    acl_match_len, ACL_USE_L7RTR_VOLATILE },
        { "shdr_val",   acl_parse_int,   acl_fetch_shdr_val,acl_match_int, ACL_USE_L7RTR_VOLATILE },
        { "shdr_ip",    acl_parse_ip,    acl_fetch_shdr_ip, acl_match_ip,  ACL_USE_L7RTR_VOLATILE|ACL_MAY_LOOKUP },
 
@@ -8404,6 +8407,7 @@ static struct acl_kw_list acl_kws = {{ },{
        { "path_sub",   acl_parse_str,   acl_fetch_path,   acl_match_sub, ACL_USE_L7REQ_VOLATILE },
        { "path_dir",   acl_parse_str,   acl_fetch_path,   acl_match_dir, ACL_USE_L7REQ_VOLATILE },
        { "path_dom",   acl_parse_str,   acl_fetch_path,   acl_match_dom, ACL_USE_L7REQ_VOLATILE },
+       { "path_len",   acl_parse_int,   acl_fetch_path,   acl_match_len, ACL_USE_L7REQ_VOLATILE },
 
 #if 0
        { "line",       acl_parse_str,   acl_fetch_line,   acl_match_str   },