authorJoe Orton <jorton@apache.org>2018-03-08 12:40:27 +0100
committerJoe Orton <jorton@apache.org>2018-03-08 12:40:27 +0100
commit765451e7a891e038072b56366f3c9cb7a5e6a99b (patch)
tree505e894ba9dddd223343491f93683c9178c13ff4 /modules/aaa/mod_authz_host.c
parent* modules/lua/config.m4 (CHECK_LUA): Support Debian-style (diff)
* modules/aaa/mod_authz_host.c (host_check_authorization): Simplify
comment stripping in "Require host"; log a warning if a comment is used in 'Require host', or an error if the expression is empty with the comment stripped. (Currently in 2.4, #comment part is parsed) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1826207 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/aaa/mod_authz_host.c')
-rw-r--r--modules/aaa/mod_authz_host.c36
1 files changed, 22 insertions, 14 deletions
diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index 4439d98523..b43414f410 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -164,8 +164,7 @@ static authz_status host_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
{
- const char *t;
- char *w, *hash_ptr;
+ const char *t, *w;
const char *remotehost = NULL;
int remotehost_is_ip;
@@ -193,22 +192,31 @@ static authz_status host_check_authorization(request_rec *r,
host names to check rather than a single name. This is different
from the previous host based syntax. */
t = require;
- while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
- /* '#' is not valid hostname character and admin could specify
- * 'Require host localhost# Add example.com later'. We should not
- * grant access to 'example.com' in that case. */
- if ((hash_ptr = ap_strchr(w, '#'))) {
- if (hash_ptr == w) {
- break;
- }
- *hash_ptr = '\0';
+
+ /* '#' is not a valid hostname character and admin could
+ * specify 'Require host localhost# Add example.com later'. We
+ * should not grant access to 'example.com' in that case. */
+ w = ap_strchr_c(t, '#');
+ if (w) {
+ if (w == t) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10120)
+ "authz_host authorize: dubious empty "
+ "'Require host %s' with only comment", t);
+ return AUTHZ_DENIED;
}
+
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10121)
+ "authz_host authorize: ignoring comment in "
+ "'Require host %s'", t);
+
+ /* Truncate the string at the #. */
+ t = apr_pstrmemdup(r->pool, t, w - t);
+ }
+
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
if (in_domain(w, remotehost)) {
return AUTHZ_GRANTED;
}
- if (hash_ptr) {
- break;
- }
}
}
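Review bot: The `if (w == t)` test treats the requirement as empty only when '#' is the very first byte of `t`, so a value made of whitespace followed by a comment takes the APLOGNO(10121) warning path instead of the APLOGNO(10120) error and then enters the `ap_getword_conf` loop with no names to match. That presumably still does not grant access, but the code after the loop is outside the hunk, and the commit message promises an error whenever the expression is empty once the comment is stripped. Whether `require` can begin with whitespace depends on how it is produced above the hunk (for instance, if it is the result of an expression evaluation), so this needs confirming against that code. If it can, skipping leading whitespace before the search would make the two diagnostics match their wording: `while (apr_isspace(*t)) t++;` ahead of `w = ap_strchr_c(t, '#');`, assuming `apr_lib.h` is in scope in this file. Both messages are also emitted at request time, so a configuration containing a comment would log on every authorization check; a short comment saying why the check cannot be done once at parse time would help the next reader.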