From 83e8819638f6f1c27fa627e6b898711e67bf8c8e Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Fri, 25 Apr 2014 10:55:04 +0000
Subject: [PATCH] Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection. Note: this requires at least APR v1.6.0 or above for the apr_escape API.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1589986 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 docs/manual/expr.xml | 3 +++
 docs/manual/mod/mod_authnz_ldap.xml | 10 ++++++++++
 server/util_expr_eval.c | 8 ++++++++
 4 files changed, 25 insertions(+)
diff --git a/CHANGES b/CHANGES
index ff880bacc8d..d7e90a06b71 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) Add the ldap function to the expression API, allowing LDAP filters and
+ distinguished names based on expressions to be escaped correctly to
+ guard against LDAP injection. [Graham Leggett]
+
 *) Add module mod_ssl_ct, which provides an implementation of Certificate Transparency (RFC 6962) for httpd. [Jeff Trawick]
diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml
index c8be338d4c7..bd3956f46ad 100644
--- a/docs/manual/expr.xml
+++ b/docs/manual/expr.xml
@@ -514,6 +514,9 @@ listfunction ::= listfuncname "(" word ")" filesize Return size of a file (or 0 if file does not exist or is not regular file)yes
+ ldap
+ Escape characters as required by LDAP distinguished name escaping
+ (RFC4514) and LDAP filter escaping (RFC4515).
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 652deffbe63..2e29e5d14e0 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -496,6 +496,16 @@ AuthLDAPMaxSubGroupDepth 1 ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

+

When using an expression within the filter, care
+ must be taken to ensure that LDAP filters are escaped correctly to guard against
+ LDAP injection. The ldap function can be used for this purpose.

+
+
+<LocationMatch ^/dav/(?[^/]+)/>
+ Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
+</LocationMatch>
+
+
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index aa7e971279e..96be20e12b0 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -31,6 +31,7 @@
 #include "apr_fnmatch.h"
 #include "apr_base64.h"
 #include "apr_sha1.h"
+#include "apr_escape.h"
 #include /* for INT_MAX */
@@ -1061,6 +1062,12 @@ static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
 return ap_md5(ctx->p, (const unsigned char *)arg);
 }
+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+{
+ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
+}
+
 #define MAX_FILE_SIZE 10*1024*1024
 static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
@@ -1645,6 +1652,7 @@ static const struct expr_provider_single string_func_providers[] = {
 { unbase64_func, "unbase64", NULL, 0 },
 { sha1_func, "sha1", NULL, 0 },
 { md5_func, "md5", NULL, 0 },
+ { ldap_func, "ldap", NULL, 0 },
 { NULL, NULL, NULL}
 };
-- 
2.47.3
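Review bot: The new `ldap_func` in the second util_expr_eval.c hunk and the `#include "apr_escape.h"` in the first are compiled unconditionally, while the commit message itself says the apr_escape API only exists from APR 1.6.0 on, so a build against an older APR fails at compile time with no actionable message; either wrap the include, the function and the third hunk's `{ ldap_func, "ldap", NULL, 0 },` table entry in `#if APR_VERSION_AT_LEAST(1,6,0)` / `#endif` (apr_version.h), or add a configure-time check so the requirement is reported where the administrator can act on it. The function also carries no comment on why APR_ESCAPE_LDAP_ALL rather than a single rule set was chosen; I would add above it `/* Escape arg with both the RFC 4514 DN and RFC 4515 filter rule sets so an expression-derived value cannot inject LDAP metacharacters in either context. */`. Like the sibling md5_func visible above it, it hands arg to the escaper without a NULL check; whether apr_pescape_ldap tolerates a NULL input cannot be verified from this hunk, so that is worth confirming in apr_escape.c before relying on it for untrusted expression values.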