-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/lib/access.c | 81 | ||||
-rw-r--r-- | source3/web/cgi.c | 81 |
3 files changed, 81 insertions, 82 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index a389966742..50309a931c 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -351,7 +351,6 @@ bool allow_access(const char **deny_list,
 const char **allow_list,
 const char *cname,
 const char *caddr);
-bool check_access(int sock, const char **allow_list, const char **deny_list);
 /* The following definitions come from passdb/account_pol.c */
diff --git a/source3/lib/access.c b/source3/lib/access.c
index 00cdd5cd13..1293dc024e 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -336,84 +336,3 @@ bool allow_access(const char **deny_list,
 SAFE_FREE(nc_caddr);
 return ret;
 }
-
-/* return true if the char* contains ip addrs only. Used to avoid
-name lookup calls */
-
-static bool only_ipaddrs_in_list(const char **list)
-{
- bool only_ip = true;
-
- if (!list) {
- return true;
- }
-
- for (; *list ; list++) {
- /* factor out the special strings */
- if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
- strequal(*list, "EXCEPT")) {
- continue;
- }
-
- if (!is_ipaddress(*list)) {
- /*
- * If we failed, make sure that it was not because
- * the token was a network/netmask pair. Only
- * network/netmask pairs have a '/' in them.
- */
- if ((strchr_m(*list, '/')) == NULL) {
- only_ip = false;
- DEBUG(3,("only_ipaddrs_in_list: list has "
- "non-ip address (%s)\n",
- *list));
- break;
- }
- }
- }
-
- return only_ip;
-}
-
-/* return true if access should be allowed to a service for a socket */
-bool check_access(int sock, const char **allow_list, const char **deny_list)
-{
- bool ret = false;
- bool only_ip = false;
- char addr[INET6_ADDRSTRLEN];
-
- if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
- return true;
- }
-
- /* Bypass name resolution calls if the lists
- * only contain IP addrs */
- if (only_ipaddrs_in_list(allow_list) &&
- only_ipaddrs_in_list(deny_list)) {
- only_ip = true;
- DEBUG (3, ("check_access: no hostnames "
- "in host allow/deny list.\n"));
- ret = allow_access(deny_list,
- allow_list,
- "",
- get_peer_addr(sock,addr,sizeof(addr)));
- } else {
- DEBUG (3, ("check_access: hostnames in "
- "host allow/deny list.\n"));
- ret = allow_access(deny_list,
- allow_list,
- get_peer_name(sock,true),
- get_peer_addr(sock,addr,sizeof(addr)));
- }
-
- if (ret) {
- DEBUG(2,("Allowed connection from %s (%s)\n",
- only_ip ? "" : get_peer_name(sock,true),
- get_peer_addr(sock,addr,sizeof(addr))));
- } else {
- DEBUG(0,("Denied connection from %s (%s)\n",
- only_ip ? "" : get_peer_name(sock,true),
- get_peer_addr(sock,addr,sizeof(addr))));
- }
-
- return(ret);
-}
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 3d7b32c293..9c9a365457 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -506,6 +506,87 @@ static void cgi_download(char *file)
+/* return true if the char* contains ip addrs only. Used to avoid
+name lookup calls */
+
+static bool only_ipaddrs_in_list(const char **list)
+{
+ bool only_ip = true;
+
+ if (!list) {
+ return true;
+ }
+
+ for (; *list ; list++) {
+ /* factor out the special strings */
+ if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
+ strequal(*list, "EXCEPT")) {
+ continue;
+ }
+
+ if (!is_ipaddress(*list)) {
+ /*
+ * If we failed, make sure that it was not because
+ * the token was a network/netmask pair. Only
+ * network/netmask pairs have a '/' in them.
+ */
+ if ((strchr_m(*list, '/')) == NULL) {
+ only_ip = false;
+ DEBUG(3,("only_ipaddrs_in_list: list has "
+ "non-ip address (%s)\n",
+ *list));
+ break;
+ }
+ }
+ }
+
+ return only_ip;
+}
+
+/* return true if access should be allowed to a service for a socket */
+static bool check_access(int sock, const char **allow_list,
+ const char **deny_list)
+{
+ bool ret = false;
+ bool only_ip = false;
+ char addr[INET6_ADDRSTRLEN];
+
+ if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
+ return true;
+ }
+
+ /* Bypass name resolution calls if the lists
+ * only contain IP addrs */
+ if (only_ipaddrs_in_list(allow_list) &&
+ only_ipaddrs_in_list(deny_list)) {
+ only_ip = true;
+ DEBUG (3, ("check_access: no hostnames "
+ "in host allow/deny list.\n"));
+ ret = allow_access(deny_list,
+ allow_list,
+ "",
+ get_peer_addr(sock,addr,sizeof(addr)));
+ } else {
+ DEBUG (3, ("check_access: hostnames in "
+ "host allow/deny list.\n"));
+ ret = allow_access(deny_list,
+ allow_list,
+ get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr)));
+ }
+
+ if (ret) {
+ DEBUG(2,("Allowed connection from %s (%s)\n",
+ only_ip ? "" : get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr))));
+ } else {
+ DEBUG(0,("Denied connection from %s (%s)\n",
+ only_ip ? "" : get_peer_name(sock,true),
+ get_peer_addr(sock,addr,sizeof(addr))));
+ }
+
+ return(ret);
+}
 /**
 * @brief Setup the CGI framework. |
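Review bot: In `only_ipaddrs_in_list()`, any token containing a `/` is treated as a network/netmask pair without checking that the part before the slash is an IP address, so a malformed or hostname-style entry with a slash leaves `only_ip` true. `check_access()` then skips name resolution and passes `""` as the client name to `allow_access()`, so a deny entry of that shape presumably never matches by name and the check fails open for it. Now that this copy is private to cgi.c, validate the address part before skipping the lookup, or at least record the assumption in the comment: `/* a token with '/' is assumed to be addr/mask; the address part is not validated here */`. The DEBUG lines also call `get_peer_name(sock,true)` and `get_peer_addr()` again after the decision; resolving each once into a local would guarantee the logged peer is the one that was evaluated.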