diff options
| author | Volker Lendecke <vl@samba.org> | 2010-08-18 16:50:26 +0200 |
|---|---|---|
| committer | Volker Lendecke <vl@samba.org> | 2010-08-22 14:28:34 +0200 |
| commit | de951249356a3705fc2a3c51575134415ac0ea05 (patch) | |
| tree | 5e90f978ef201ea50584bf0c1c8d7dcf8f72bd5c /source3/web | |
| parent | 70c5bed4b2ca4660e8a06cee6d4e813744cc7be8 (diff) | |
| download | samba-de951249356a3705fc2a3c51575134415ac0ea05.tar.gz samba-de951249356a3705fc2a3c51575134415ac0ea05.tar.bz2 samba-de951249356a3705fc2a3c51575134415ac0ea05.zip | |
s3: Move check_access to cgi.c, its only user
Diffstat (limited to 'source3/web')
| -rw-r--r-- | source3/web/cgi.c | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/source3/web/cgi.c b/source3/web/cgi.c index 3d7b32c293..9c9a365457 100644 --- a/source3/web/cgi.c +++ b/source3/web/cgi.c @@ -506,6 +506,87 @@ static void cgi_download(char *file) +/* return true if the char* contains ip addrs only. Used to avoid +name lookup calls */ + +static bool only_ipaddrs_in_list(const char **list) +{ + bool only_ip = true; + + if (!list) { + return true; + } + + for (; *list ; list++) { + /* factor out the special strings */ + if (strequal(*list, "ALL") || strequal(*list, "FAIL") || + strequal(*list, "EXCEPT")) { + continue; + } + + if (!is_ipaddress(*list)) { + /* + * If we failed, make sure that it was not because + * the token was a network/netmask pair. Only + * network/netmask pairs have a '/' in them. + */ + if ((strchr_m(*list, '/')) == NULL) { + only_ip = false; + DEBUG(3,("only_ipaddrs_in_list: list has " + "non-ip address (%s)\n", + *list)); + break; + } + } + } + + return only_ip; +} + +/* return true if access should be allowed to a service for a socket */ +static bool check_access(int sock, const char **allow_list, + const char **deny_list) +{ + bool ret = false; + bool only_ip = false; + char addr[INET6_ADDRSTRLEN]; + + if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) { + return true; + } + + /* Bypass name resolution calls if the lists + * only contain IP addrs */ + if (only_ipaddrs_in_list(allow_list) && + only_ipaddrs_in_list(deny_list)) { + only_ip = true; + DEBUG (3, ("check_access: no hostnames " + "in host allow/deny list.\n")); + ret = allow_access(deny_list, + allow_list, + "", + get_peer_addr(sock,addr,sizeof(addr))); + } else { + DEBUG (3, ("check_access: hostnames in " + "host allow/deny list.\n")); + ret = allow_access(deny_list, + allow_list, + get_peer_name(sock,true), + get_peer_addr(sock,addr,sizeof(addr))); + } + + if (ret) { + DEBUG(2,("Allowed connection from %s (%s)\n", + only_ip ? "" : get_peer_name(sock,true), + get_peer_addr(sock,addr,sizeof(addr)))); + } else { + DEBUG(0,("Denied connection from %s (%s)\n", + only_ip ? "" : get_peer_name(sock,true), + get_peer_addr(sock,addr,sizeof(addr)))); + } + + return(ret); +} /** * @brief Setup the CGI framework. |