bughz/tinyproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(acl_string_processing): Moved the string processing code out of check_acl() and into it's own function because it now does two (2) tests. If the ACL string is a complete host name, in other words doesn't start with a period, than a reverse DNS look-up is done on the host name and compared to the IP address of the client; otherwise, the normal text string comparison is done.

Browse Source 
(check_acl): Moved the string text out of the function and removed some logging code by jumping to the "Deny" code at the end of the function.
This commit is contained in:
Robert James Kaes 2002-06-05 16:59:21 +00:00
parent 5e74b6e011
commit b697ebf16b
1 changed files with 88 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
src/acl.c
View File

@ -1,10 +1,10 @@
/* $Id: acl.c,v 1.15 2002-05-23 18:20:27 rjkaes Exp $ /* $Id: acl.c,v 1.16 2002-06-05 16:59:21 rjkaes Exp $
* *
* This system handles Access Control for use of this daemon. A list of * This system handles Access Control for use of this daemon. A list of
* domains, or IP addresses (including IP blocks) are stored in a list * domains, or IP addresses (including IP blocks) are stored in a list
* which is then used to compare incoming connections. * which is then used to compare incoming connections.
* *
* Copyright (C) 2000 Robert James Kaes (rjkaes@flarenet.com) * Copyright (C) 2000,2002 Robert James Kaes (rjkaes@flarenet.com)
* *
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the * under the terms of the GNU General Public License as published by the
@ -132,18 +132,88 @@ insert_acl(char *location, acl_access_t access_type)
return 0; return 0;
} }
/*
* This function is called whenever a "string" access control is found in
* the ACL. From here we do both a text based string comparison, along with
* a reverse name lookup comparison of the IP addresses.
*
* Return: 0 if host is denied
* 1 if host is allowed
* -1 if no tests match, so skip
*/
static inline int
acl_string_processing(struct acl_s* aclptr,
const char* ip_address,
const char* string_address)
{
int i;
struct hostent* result;
size_t test_length, match_length;
/*
* If the first character of the ACL string is a period, we need to
* do a string based test only; otherwise, we can do a reverse
* lookup test as well.
*/
if (aclptr->location[0] != '.') {
/* It is not a partial domain, so do a reverse lookup. */
result = gethostbyname(aclptr->location);
if (!result)
goto STRING_TEST;
for (i = 0; result->h_addr_list[i]; ++i) {
if (strcmp(ip_address,
inet_ntoa(*((struct in_addr*)result->h_addr_list[i]))) == 0) {
/* We have a match */
if (aclptr->acl_access == ACL_DENY) {
return 0;
} else {
DEBUG2("Matched using reverse domain lookup: %s", ip_address);
return 1;
}
}
}
/*
* If we got this far, the reverse didn't match, so drop down
* to a standard string test.
*/
}
STRING_TEST:
test_length = strlen(string_address);
match_length = strlen(aclptr->location);
/*
* If the string length is shorter than AC string, return a -1 so
* that the "driver" will skip onto the next control in the list.
*/
if (test_length < match_length)
return -1;
if (strcasecmp(string_address + (test_length - match_length), aclptr->location) == 0) {
if (aclptr->acl_access == ACL_DENY)
return 0;
else
return 1;
}
/* Indicate that no tests succeeded, so skip to next control. */
return -1;
}
/* /*
* Checks whether file descriptor is allowed. * Checks whether file descriptor is allowed.
* *
* Returns: * Returns:
* 1 if allowed * 1 if allowed
* 0 if denied * 0 if denied
* -1 if error
*/ */
int int
check_acl(int fd, const char* ip_address, const char* string_address) check_acl(int fd, const char* ip_address, const char* string_address)
{ {
struct acl_s *aclptr; struct acl_s* aclptr;
int ret;
assert(fd >= 0); assert(fd >= 0);
assert(ip_address != NULL); assert(ip_address != NULL);
@ -158,26 +228,16 @@ check_acl(int fd, const char* ip_address, const char* string_address)
while (aclptr) { while (aclptr) {
if (aclptr->type == ACL_STRING) { if (aclptr->type == ACL_STRING) {
size_t test_length = strlen(string_address); ret = acl_string_processing(aclptr,
size_t match_length = strlen(aclptr->location); ip_address,
string_address);
if (ret == 0)
goto UNAUTHORIZED;
else if (ret == 1)
return 1;
if (test_length < match_length) {
aclptr = aclptr->next; aclptr = aclptr->next;
continue; continue;
}
if (strcasecmp
(string_address + (test_length - match_length),
aclptr->location) == 0) {
if (aclptr->acl_access == ACL_DENY) {
log_message(LOG_NOTICE,
"Unauthorized access from \"%s\"",
string_address);
return 0;
} else {
return 1;
}
}
} else { } else {
struct in_addr test_addr, match_addr; struct in_addr test_addr, match_addr;
in_addr_t netmask_addr; in_addr_t netmask_addr;
@ -194,16 +254,12 @@ check_acl(int fd, const char* ip_address, const char* string_address)
if ((test_addr.s_addr & netmask_addr) == if ((test_addr.s_addr & netmask_addr) ==
(match_addr.s_addr & netmask_addr)) { (match_addr.s_addr & netmask_addr)) {
if (aclptr->acl_access == ACL_DENY) { if (aclptr->acl_access == ACL_DENY)
log_message(LOG_NOTICE, goto UNAUTHORIZED;
"Unauthorized access from [%s].", else
ip_address);
return 0;
} else {
return 1; return 1;
} }
} }
}
/* /*
* Dropped through... go on to the next one. * Dropped through... go on to the next one.
@ -214,6 +270,7 @@ check_acl(int fd, const char* ip_address, const char* string_address)
/* /*
* Deny all connections by default. * Deny all connections by default.
*/ */
UNAUTHORIZED:
log_message(LOG_NOTICE, "Unauthorized connection from \"%s\" [%s].", log_message(LOG_NOTICE, "Unauthorized connection from \"%s\" [%s].",
string_address, ip_address); string_address, ip_address);
return 0; return 0;