From: Christophe Jaillet Date: Sat, 19 Feb 2022 13:47:02 +0000 (+0000) Subject: Merge r1589986, r1589995, r1633528 from trunk X-Git-Tag: 2.4.53-rc1-candidate~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73ce13be5aa9ae5414772bc6a8a2f7de8dd2db34;p=thirdparty%2Fapache%2Fhttpd.git Merge r1589986, r1589995, r1633528 from trunk *) Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection. Submitted by: minfrin, minfrin, jailletc36 Reviewed by: minfrin, icing, covener Backported by: jailletc36 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898217 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index bb05452ebfc..e71733779a2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.53 + *) Add the ldap function to the expression API, allowing LDAP filters and + distinguished names based on expressions to be escaped correctly to + guard against LDAP injection. [Graham Leggett] + *) mod_md: the status description in MDomain's JSON, exposed in the md-status handler (if configured) did sometimes not carry the correct message when certificates needed renew. diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml index ea4636e3cb2..c7329d12471 100644 --- a/docs/manual/expr.xml +++ b/docs/manual/expr.xml @@ -523,6 +523,9 @@ listfunction ::= listfuncname "(" word ")" filesize Return size of a file (or 0 if file does not exist or is not regular file)restricted + ldap + Escape characters as required by LDAP distinguished name escaping + (RFC4514) and LDAP filter escaping (RFC4515). diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 6447f235975..855790fed8b 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml 
@@ -519,6 +519,16 @@ Require ldap-filter "&(cell=*)(department=marketing)" ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

+

When using an expression within the filter, care + must be taken to ensure that LDAP filters are escaped correctly to guard against + LDAP injection. The ldap function can be used for this purpose.

+ + +<LocationMatch ^/dav/(?[^/]+)/> + Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example) +</LocationMatch> + +
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index 2e031d0c7be..7d6ae1ea7ca 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -32,6 +32,10 @@
 #include "apr_fnmatch.h"
 #include "apr_base64.h"
 #include "apr_sha1.h"
+#include "apr_version.h"
+#if APR_VERSION_AT_LEAST(1,5,0)
+#include "apr_escape.h"
+#endif
 #include /* for INT_MAX */
@@ -1087,9 +1091,16 @@ static const char *sha1_func(ap_expr_eval_ctx_t *ctx, const void *data,
 static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
 const char *arg)
 {
- return ap_md5(ctx->p, (const unsigned char *)arg);
+ return ap_md5(ctx->p, (const unsigned char *)arg);
 }
+#if APR_VERSION_AT_LEAST(1,6,0)
+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+{
+ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
+}
+#endif
 #define MAX_FILE_SIZE 10*1024*1024
 static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
@@ -1667,6 +1678,9 @@ static const struct expr_provider_single string_func_providers[] = {
 { unbase64_func, "unbase64", NULL, 0 },
 { sha1_func, "sha1", NULL, 0 },
 { md5_func, "md5", NULL, 0 },
+#if APR_VERSION_AT_LEAST(1,6,0)
+ { ldap_func, "ldap", NULL, 0 },
+#endif
 { NULL, NULL, NULL}
 };
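Review bot: The apr_escape.h include is guarded at APR_VERSION_AT_LEAST(1,5,0) while ldap_func and its string_func_providers entry in the two later hunks of this file are guarded at 1,6,0, and nothing in the hunk says why the thresholds differ. If that is deliberate (the header predating the function), a one-line comment keeps the next reader from "fixing" it: `/* apr_escape.h: APR >= 1.5.0; apr_pescape_ldap() itself needs APR >= 1.6.0, see ldap_func */`. Note also that below APR 1.6.0 the `ldap` function is simply not registered, so a configuration using `%{ldap:...}` should presumably be refused at parse time as an unknown function rather than running with unescaped input — a fail-closed outcome, but the expr.xml entry in this commit does not mention the APR version requirement and would benefit from stating it.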
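Review bot: ldap_func carries no comment on the flag choice, yet APR_ESCAPE_LDAP_ALL is the security-relevant decision in this hunk: the expression cannot tell whether the value lands in a DN or in a filter, so escaping for both RFC 4514 and RFC 4515 is the conservative choice and should be recorded, e.g. `/* Escape for both DN (RFC 4514) and filter (RFC 4515) contexts: the expression gives no hint which one the value is used in, so escape for both. */`. Two things the hunk does not show and that the comment or a test should pin down are whether `arg` can be NULL here and how apr_pescape_ldap() treats it, and whether the combined escaping is correct when the value sits in a DN that is itself embedded in a filter, as in the mod_authnz_ldap.xml example in this commit, where DN backslash escapes meet filter escaping of the backslash. The md5_func -/+ pair in the same hunk appears to be a whitespace-only change unrelated to the backport.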