summaryrefslogtreecommitdiff
path: root/source3/web
diff options
context:
space:
mode:
authorVolker Lendecke <vl@samba.org>2010-08-18 16:50:26 +0200
committerVolker Lendecke <vl@samba.org>2010-08-22 14:28:34 +0200
commitde951249356a3705fc2a3c51575134415ac0ea05 (patch)
tree5e90f978ef201ea50584bf0c1c8d7dcf8f72bd5c /source3/web
parent70c5bed4b2ca4660e8a06cee6d4e813744cc7be8 (diff)
downloadsamba-de951249356a3705fc2a3c51575134415ac0ea05.tar.gz
samba-de951249356a3705fc2a3c51575134415ac0ea05.tar.bz2
samba-de951249356a3705fc2a3c51575134415ac0ea05.zip
s3: Move check_access to cgi.c, its only user
Diffstat (limited to 'source3/web')
-rw-r--r--source3/web/cgi.c81
1 files changed, 81 insertions, 0 deletions
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 3d7b32c293..9c9a365457 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -506,6 +506,87 @@ static void cgi_download(char *file)
+/* return true if the char* contains ip addrs only. Used to avoid
+name lookup calls */
+
+static bool only_ipaddrs_in_list(const char **list)
+{
+ bool only_ip = true;
+
+ if (!list) {
+ return true;
+ }
+
+ for (; *list ; list++) {
+ /* factor out the special strings */
+ if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
+ strequal(*list, "EXCEPT")) {
+ continue;
+ }
+
+ if (!is_ipaddress(*list)) {
+ /*
+ * If we failed, make sure that it was not because
+ * the token was a network/netmask pair. Only
+ * network/netmask pairs have a '/' in them.
+ */
+ if ((strchr_m(*list, '/')) == NULL) {
+ only_ip = false;
+ DEBUG(3,("only_ipaddrs_in_list: list has "
+ "non-ip address (%s)\n",
+ *list));
+ break;
+ }
+ }
+ }
+
+ return only_ip;
+}
+
+/* return true if access should be allowed to a service for a socket */
+static bool check_access(int sock, const char **allow_list,
+ const char **deny_list)
+{
+ bool ret = false;
+ bool only_ip = false;
+ char addr[INET6_ADDRSTRLEN];
+
+ if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
+ return true;
+ }
+
+ /* Bypass name resolution calls if the lists
+ * only contain IP addrs */
+ if (only_ipaddrs_in_list(allow_list) &&
+ only_ipaddrs_in_list(deny_list)) {
+ only_ip = true;
+ DEBUG (3, ("check_access: no hostnames "
+ "in host allow/deny list.\n"));
+ ret = allow_access(deny_list,
+ allow_list,
+ "",
+ get_peer_addr(sock,addr,sizeof(addr)));
+ } else {
+ DEBUG (3, ("check_access: hostnames in "
+ "host allow/deny list.\n"));
+ ret = allow_access(deny_list,
+ allow_list,
+ get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr)));
+ }
+
+ if (ret) {
+ DEBUG(2,("Allowed connection from %s (%s)\n",
+ only_ip ? "" : get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr))));
+ } else {
+ DEBUG(0,("Denied connection from %s (%s)\n",
+ only_ip ? "" : get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr))));
+ }
+
+ return(ret);
+}
/**
* @brief Setup the CGI framework.