From: Joe Orton <jorton@apache.org>
Date: Thu, 8 Mar 2018 11:40:27 +0000 (+0000)
Subject: * modules/aaa/mod_authz_host.c (host_check_authorization): Simplify
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2806
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=765451e7a891e038072b56366f3c9cb7a5e6a99b;p=thirdparty%2Fapache%2Fhttpd.git

* modules/aaa/mod_authz_host.c (host_check_authorization): Simplify
  comment stripping in "Require host"; log a warning if a comment is
  used in 'Require host', or an error if the expression is empty with
  the comment stripped. (Currently in 2.4, #comment part is parsed)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1826207 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index 4439d98523c..b43414f4106 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -164,8 +164,7 @@ static authz_status host_check_authorization(request_rec *r,
                                              const char *require_line,
                                              const void *parsed_require_line)
 {
-    const char *t;
-    char *w, *hash_ptr;
+    const char *t, *w;
     const char *remotehost = NULL;
     int remotehost_is_ip;
 
@@ -193,22 +192,31 @@ static authz_status host_check_authorization(request_rec *r,
             host names to check rather than a single name.  This is different
             from the previous host based syntax. */
         t = require;
-        while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
-            /* '#' is not valid hostname character and admin could specify
-             * 'Require host localhost# Add example.com later'. We should not
-             * grant access to 'example.com' in that case. */
-            if ((hash_ptr = ap_strchr(w, '#'))) {
-                if (hash_ptr == w) {
-                    break;
-                }
-                *hash_ptr = '\0';
+
+        /* '#' is not a valid hostname character and admin could
+         * specify 'Require host localhost# Add example.com later'. We
+         * should not grant access to 'example.com' in that case. */
+        w = ap_strchr_c(t, '#');
+        if (w) {
+            if (w == t) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10120)
+                              "authz_host authorize: dubious empty "
+                              "'Require host %s' with only comment", t);
+                return AUTHZ_DENIED;
             }
+
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10121)
+                          "authz_host authorize: ignoring comment in "
+                          "'Require host %s'", t);
+
+            /* Truncate the string at the #. */
+            t = apr_pstrmemdup(r->pool, t, w - t);
+        }
+        
+        while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
             if (in_domain(w, remotehost)) {
                 return AUTHZ_GRANTED;
             }
-            if (hash_ptr) {
-                break;
-            }
         }
     }