Merge r1589986, r1589995, r1633528 from trunk

  *) Add the ldap function to the expression API, allowing LDAP filters and
     distinguished names based on expressions to be escaped correctly to
     guard against LDAP injection.

Submitted by: minfrin, minfrin, jailletc36
Reviewed by: minfrin, icing, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898217 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index bb05452ebfc3a1422708da8df5d69199775ed573..e71733779a2fd1249783c46b9560545475e374ba 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.53
 
+  *) Add the ldap function to the expression API, allowing LDAP filters and
+     distinguished names based on expressions to be escaped correctly to
+     guard against LDAP injection. [Graham Leggett]
+
   *) mod_md: the status description in MDomain's JSON, exposed in the
      md-status handler (if configured) did sometimes not carry the correct
      message when certificates needed renew.

diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml
index ea4636e3cb2b8fcee362be1b651d2c67e434de3d..c7329d124712e1210295c1803a362f93d5ac1767 100644 (file)
--- a/docs/manual/expr.xml
+++ b/docs/manual/expr.xml
@@ -523,6 +523,9 @@ listfunction ::= listfuncname "<strong>(</strong>" word "<strong>)</strong>"
     <tr><td><code>filesize</code></td>
         <td>Return size of a file (or 0 if file does not exist or is not
             regular file)</td><td>restricted</td></tr>
+    <tr><td><code>ldap</code></td>
+        <td>Escape characters as required by LDAP distinguished name escaping
+            (RFC4514) and LDAP filter escaping (RFC4515).</td><td></td></tr>
 
     </table>
 

diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 6447f2359751cae55c2b490eb8ed0f8d1749b659..855790fed8b916ef457ed9cd61fc8b3cddbf424c 100644 (file)
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -519,6 +519,16 @@ Require ldap-filter "&(cell=*)(department=marketing)"
     <code>ldap-attribute</code> will be faster than the search operation
     used by <code>ldap-filter</code> especially within a large directory.</p>
 
+    <p>When using an <a href="../expr.html">expression</a> within the filter, care
+    must be taken to ensure that LDAP filters are escaped correctly to guard against
+    LDAP injection. The ldap function can be used for this purpose.</p>
+
+<highlight language="config">
+&lt;LocationMatch ^/dav/(?<SITENAME>[^/]+)/&gt;
+  Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
+&lt;/LocationMatch&gt;
+</highlight>
+
 </section>
 
 </section>

diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index 2e031d0c7be57e12147addeb9ba75aae953bbdfe..7d6ae1ea7ca2e7df2084facb48a5d13976082f23 100644 (file)
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -32,6 +32,10 @@
 #include "apr_fnmatch.h"
 #include "apr_base64.h"
 #include "apr_sha1.h"
+#include "apr_version.h"
+#if APR_VERSION_AT_LEAST(1,5,0)
+#include "apr_escape.h"
+#endif
 
 #include <limits.h>     /* for INT_MAX */
 
@@ -1087,9 +1091,16 @@ static const char *sha1_func(ap_expr_eval_ctx_t *ctx, const void *data,
 static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
                                const char *arg)
 {
-       return ap_md5(ctx->p, (const unsigned char *)arg);
+    return ap_md5(ctx->p, (const unsigned char *)arg);
 }
 
+#if APR_VERSION_AT_LEAST(1,6,0)
+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
+                               const char *arg)
+{
+    return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
+}
+#endif
 
 #define MAX_FILE_SIZE 10*1024*1024
 static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
@@ -1667,6 +1678,9 @@ static const struct expr_provider_single string_func_providers[] = {
     { unbase64_func,        "unbase64",       NULL, 0 },
     { sha1_func,            "sha1",           NULL, 0 },
     { md5_func,             "md5",            NULL, 0 },
+#if APR_VERSION_AT_LEAST(1,6,0)
+    { ldap_func,            "ldap",           NULL, 0 },
+#endif
     { NULL, NULL, NULL}
 };