-rw-r--r--source3/include/proto.h1
-rw-r--r--source3/lib/access.c81
-rw-r--r--source3/web/cgi.c81
3 files changed, 81 insertions, 82 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index a389966742..50309a931c 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -351,7 +351,6 @@ bool allow_access(const char **deny_list,
const char **allow_list,
const char *cname,
const char *caddr);
-bool check_access(int sock, const char **allow_list, const char **deny_list);
/* The following definitions come from passdb/account_pol.c */
diff --git a/source3/lib/access.c b/source3/lib/access.c
index 00cdd5cd13..1293dc024e 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -336,84 +336,3 @@ bool allow_access(const char **deny_list,
SAFE_FREE(nc_caddr);
return ret;
}
-
-/* return true if the char* contains ip addrs only. Used to avoid
-name lookup calls */
-
-static bool only_ipaddrs_in_list(const char **list)
-{
- bool only_ip = true;
-
- if (!list) {
- return true;
- }
-
- for (; *list ; list++) {
- /* factor out the special strings */
- if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
- strequal(*list, "EXCEPT")) {
- continue;
- }
-
- if (!is_ipaddress(*list)) {
- /*
- * If we failed, make sure that it was not because
- * the token was a network/netmask pair. Only
- * network/netmask pairs have a '/' in them.
- */
- if ((strchr_m(*list, '/')) == NULL) {
- only_ip = false;
- DEBUG(3,("only_ipaddrs_in_list: list has "
- "non-ip address (%s)\n",
- *list));
- break;
- }
- }
- }
-
- return only_ip;
-}
-
-/* return true if access should be allowed to a service for a socket */
-bool check_access(int sock, const char **allow_list, const char **deny_list)
-{
- bool ret = false;
- bool only_ip = false;
- char addr[INET6_ADDRSTRLEN];
-
- if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
- return true;
- }
-
- /* Bypass name resolution calls if the lists
- * only contain IP addrs */
- if (only_ipaddrs_in_list(allow_list) &&
- only_ipaddrs_in_list(deny_list)) {
- only_ip = true;
- DEBUG (3, ("check_access: no hostnames "
- "in host allow/deny list.\n"));
- ret = allow_access(deny_list,
- allow_list,
- "",
- get_peer_addr(sock,addr,sizeof(addr)));
- } else {
- DEBUG (3, ("check_access: hostnames in "
- "host allow/deny list.\n"));
- ret = allow_access(deny_list,
- allow_list,
- get_peer_name(sock,true),
- get_peer_addr(sock,addr,sizeof(addr)));
- }
-
- if (ret) {
- DEBUG(2,("Allowed connection from %s (%s)\n",
- only_ip ? "" : get_peer_name(sock,true),
- get_peer_addr(sock,addr,sizeof(addr))));
- } else {
- DEBUG(0,("Denied connection from %s (%s)\n",
- only_ip ? "" : get_peer_name(sock,true),
- get_peer_addr(sock,addr,sizeof(addr))));
- }
-
- return(ret);
-}
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 3d7b32c293..9c9a365457 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -506,6 +506,87 @@ static void cgi_download(char *file)
+/* return true if the char* contains ip addrs only. Used to avoid
+name lookup calls */
+
+static bool only_ipaddrs_in_list(const char **list)
+{
+ bool only_ip = true;
+
+ if (!list) {
+ return true;
+ }
+
+ for (; *list ; list++) {
+ /* factor out the special strings */
+ if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
+ strequal(*list, "EXCEPT")) {
+ continue;
+ }
+
+ if (!is_ipaddress(*list)) {
+ /*
+ * If we failed, make sure that it was not because
+ * the token was a network/netmask pair. Only
+ * network/netmask pairs have a '/' in them.
+ */
+ if ((strchr_m(*list, '/')) == NULL) {
+ only_ip = false;
+ DEBUG(3,("only_ipaddrs_in_list: list has "
+ "non-ip address (%s)\n",
+ *list));
+ break;
+ }
+ }
+ }
+
+ return only_ip;
+}
+
+/* return true if access should be allowed to a service for a socket */
+static bool check_access(int sock, const char **allow_list,
+ const char **deny_list)
+{
+ bool ret = false;
+ bool only_ip = false;
+ char addr[INET6_ADDRSTRLEN];
+
+ if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
+ return true;
+ }
+
+ /* Bypass name resolution calls if the lists
+ * only contain IP addrs */
+ if (only_ipaddrs_in_list(allow_list) &&
+ only_ipaddrs_in_list(deny_list)) {
+ only_ip = true;
+ DEBUG (3, ("check_access: no hostnames "
+ "in host allow/deny list.\n"));
+ ret = allow_access(deny_list,
+ allow_list,
+ "",
+ get_peer_addr(sock,addr,sizeof(addr)));
+ } else {
+ DEBUG (3, ("check_access: hostnames in "
+ "host allow/deny list.\n"));
+ ret = allow_access(deny_list,
+ allow_list,
+ get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr)));
+ }
+
+ if (ret) {
+ DEBUG(2,("Allowed connection from %s (%s)\n",
+ only_ip ? "" : get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr))));
+ } else {
+ DEBUG(0,("Denied connection from %s (%s)\n",
+ only_ip ? "" : get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr))));
+ }
+
+ return(ret);
+}
/**
* @brief Setup the CGI framework.
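Review bot: In check_access() as added to source3/web/cgi.c, the hostname branch calls get_peer_name(sock,true) for the allow_access() decision and again inside the DEBUG line, so the logged name is not guaranteed to be the value the decision was made on, and the lookup is repeated per connection. Resolve once and reuse it, e.g. `const char *cname = only_ip ? "" : get_peer_name(sock, true);` and `const char *caddr = get_peer_addr(sock, addr, sizeof(addr));`, passing cname/caddr to allow_access() and to both DEBUG calls. Because this access decision can rest on a resolved name, the header comment should also state whether get_peer_name() forward-confirms the reverse lookup; that is not visible in this hunk. A one-line comment such as `/* note: allow_list precedes deny_list here, the reverse of allow_access() */` would help callers avoid swapping the two lists.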