Bug 182556
| Summary: | Cannot assign multiple domains to nsAdminAccessHosts | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Jason Sherlock <jash> | ||||
| Component: | UI - Configuration | Assignee: | Amita Sharma <amsharma> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 1.0 | CC: | amsharma | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | i386 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | 1.0.2 | ||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-12-07 17:12:37 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 183369 | ||||||
Description
Jason Sherlock
2006-02-23 10:30:08 UTC
Yep. We use apr_fnmatch which is a really simple regex match. Can you use nsAdminAccessAddresses e.g. 10.0.12.*? Reviewed by: Nathan (Thanks!)
Files: mod_admserv.c
Branch: HEAD
Fix Description: The adminserver console uses a pattern like
(pat1|pat2|...|patN) to encode the host and IP address access allowed
lists. apr_fnmatch is not smart enough to grok this pattern, so we have
to have mod_admserv pre-digest it. The strdup is because strtok
modifies its argument. apr_pstrdup allocates memory out of a
per-request pool, and automatically frees it at the end of the request, so
we don't have to free it here.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Checking in mod_admserv.c;
/cvs/dirsec/mod_admserv/mod_admserv.c,v <-- mod_admserv.c
new revision: 1.20; previous revision: 1.19
done
*** mod_admserv.c.~1.19.~ 2006-01-17 12:25:07.000000000 -0700
--- mod_admserv.c 2006-02-23 16:40:14.000000000 -0700
***************
*** 1822,1829 ****
return 1;
}
! /* Check if the caller hostname or ip address is disallowed */
static int
admserv_host_ip_check(request_rec *r)
{
--- 1822,1850 ----
return 1;
}
! /* pattern is (pat1|pat2|...|patN) where patN is a simple apr_fnmatch
pattern
! if we get a match, just return immediately with success, otherwise,
loop
! through all the patterns and return a failure code if no match
! */
! static apr_status_t
! admserv_match_list(char *patterns, const char *string, int flags)
! {
! apr_status_t rc = APR_SUCCESS;
! char *last = NULL;
! char *pattern = apr_strtok(patterns, "()|", &last);
!
! while (pattern) {
! rc = apr_fnmatch(pattern, string, flags);
! if (rc == APR_SUCCESS) {
! return rc;
! }
! pattern = apr_strtok(NULL, "()|", &last);
! }
+ return rc;
+ }
+
+ /* Check if the caller hostname or ip address is disallowed */
static int
admserv_host_ip_check(request_rec *r)
{
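Review bot: In admserv_match_list, `rc` is initialised to `APR_SUCCESS`, so if `patterns` produces no tokens (for example a value made up only of `(`, `)` and `|` characters) the loop body never runs and the function reports a match. For an access allow-list that is a fail-open default; start from `apr_status_t rc = APR_FNM_NOMATCH;` so that an empty list denies. The header comment could also state that `patterns` is modified in place by apr_strtok and must therefore be a writable copy.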
***************
*** 1845,1851 ****
const char *maxdns = ap_get_remote_host(r->connection,
r->per_dir_config,
REMOTE_HOST, NULL);
if (maxdns) {
! apr_status_t rc = apr_fnmatch(accessHosts, maxdns,
matchflags);
if (rc != APR_SUCCESS) {
} else {
return DECLINED;
--- 1866,1872 ----
const char *maxdns = ap_get_remote_host(r->connection,
r->per_dir_config,
REMOTE_HOST, NULL);
if (maxdns) {
! apr_status_t rc = admserv_match_list(apr_pstrdup(r->pool,
accessHosts), maxdns, matchflags);
if (rc != APR_SUCCESS) {
} else {
return DECLINED;
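Review bot: The name matched here, `maxdns`, comes from `ap_get_remote_host(..., REMOTE_HOST, ...)`, that is, from a reverse-DNS answer, and with this change it is compared against every entry in the host list. Unless the server is configured for double-reverse lookups, that name is presumably whatever the owner of the client's reverse zone publishes, so a host-name allow-list is a weaker control than the address list. Consider requesting `REMOTE_DOUBLE_REV` here, or documenting that nsAdminAccessHosts should be paired with nsAdminAccessAddresses. The same applies to the `PR_GetHostByAddr` name and aliases in the next hunk; admserv_host_ip_check starts and ends outside this hunk.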
***************
*** 1858,1870 ****
char buf[PR_NETDB_BUF_SIZE];
PRHostEnt hEntry;
if (PR_SUCCESS == PR_GetHostByAddr(&addr, buf,
sizeof(buf), &hEntry)) {
! if (APR_SUCCESS != apr_fnmatch(accessHosts,
hEntry.h_name, matchflags)) {
char ** x;
ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
"admserv_host_ip_check: host
[%s] did not match pattern [%s] -"
"will scan aliases",
hEntry.h_name, accessHosts);
for (x = hEntry.h_aliases; x && *x; x++) {
! if (APR_SUCCESS !=
apr_fnmatch(accessHosts, *x, matchflags)) {
ap_log_rerror(APLOG_MARK,
APLOG_NOTICE, 0, r,
"admserv_host_ip_check:
host alias [%s] did not match pattern [%s]",
*x, accessHosts);
--- 1879,1893 ----
char buf[PR_NETDB_BUF_SIZE];
PRHostEnt hEntry;
if (PR_SUCCESS == PR_GetHostByAddr(&addr, buf,
sizeof(buf), &hEntry)) {
! if (APR_SUCCESS !=
admserv_match_list(apr_pstrdup(r->pool, accessHosts),
!
hEntry.h_name, matchflags)) {
char ** x;
ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
"admserv_host_ip_check: host
[%s] did not match pattern [%s] -"
"will scan aliases",
hEntry.h_name, accessHosts);
for (x = hEntry.h_aliases; x && *x; x++) {
! if (APR_SUCCESS !=
admserv_match_list(apr_pstrdup(r->pool, accessHosts),
! *x,
matchflags)) {
ap_log_rerror(APLOG_MARK,
APLOG_NOTICE, 0, r,
"admserv_host_ip_check:
host alias [%s] did not match pattern [%s]",
*x, accessHosts);
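Review bot: Every call site has to remember `apr_pstrdup(r->pool, accessHosts)` because admserv_match_list tokenises its first argument destructively; this hunk does it twice, once per alias inside the loop. If `accessHosts` points at configuration shared across requests, a later caller that passes it directly would cut the list at the first separator and silently change the access list for subsequent requests. Having the helper take the pool and a const string removes that hazard: `admserv_match_list(apr_pool_t *pool, const char *patterns, const char *string, int flags)` with `char *copy = apr_pstrdup(pool, patterns);` as its first statement.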
***************
*** 1889,1895 ****
if (accessAddresses && *accessAddresses) {
int matchflags = APR_FNM_PERIOD;
! apr_status_t rc = apr_fnmatch(accessAddresses, clientIP,
matchflags);
if (rc == APR_SUCCESS) {
} else {
return DECLINED;
--- 1912,1918 ----
if (accessAddresses && *accessAddresses) {
int matchflags = APR_FNM_PERIOD;
! apr_status_t rc = admserv_match_list(apr_pstrdup(r->pool,
accessAddresses), clientIP, matchflags);
if (rc == APR_SUCCESS) {
} else {
return DECLINED;
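Review bot: As the context lines read, a successful match on `clientIP` falls into an empty branch and a non-match reaches `return DECLINED;`, which is the opposite polarity of the host check in the second hunk (`rc != APR_SUCCESS` with `return DECLINED;` in the `else`). The rest of admserv_host_ip_check is outside the hunk, so this may be correct, but it is worth confirming which branch is the allow path now that the helper's result feeds both checks. A one-line comment on each empty branch stating whether it is the allow or the deny path would make the intent reviewable.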
Seems to work for me. Verified against: 1195517861 redhat-ds-base-8.0.0-11.el5dsrv Mon Nov 19 2007 1195517864 redhat-ds-admin-8.0.0-1.15.el5dsrv Mon Nov 19 2007 1195517865 redhat-ds-console-8.0.0-8.el5dsrv Mon Nov 19 2007 1195517866 redhat-admin-console-8.0.0-9.el5dsrv Mon Nov 19 2007 Created attachment 513753 [details] SS Tested based on comment#0, Hence marking as VERIFIED.