Mercurial > hg > nginx
view src/http/modules/ngx_http_access_module.c @ 8102:49e7db44b57c
SSI: handling of subrequests from other modules (ticket #1263).
As the SSI parser always uses the context from the main request for storing
variables and blocks, that context should always exist for subrequests using
SSI, even though the main request does not necessarily have SSI enabled.
However, `ngx_http_get_module_ctx(r->main, ...)` is getting NULL in such cases,
resulting in the worker crashing SIGSEGV when accessing its attributes.
This patch links the first initialized context to the main request, and
upgrades it only when main context is initialized.
author | Ciel Zhao <i@ciel.dev> |
---|---|
date | Mon, 21 Nov 2022 17:01:34 +0300 |
parents | 72188d1bcab5 |
children |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_http.h> typedef struct { in_addr_t mask; in_addr_t addr; ngx_uint_t deny; /* unsigned deny:1; */ } ngx_http_access_rule_t; #if (NGX_HAVE_INET6) typedef struct { struct in6_addr addr; struct in6_addr mask; ngx_uint_t deny; /* unsigned deny:1; */ } ngx_http_access_rule6_t; #endif #if (NGX_HAVE_UNIX_DOMAIN) typedef struct { ngx_uint_t deny; /* unsigned deny:1; */ } ngx_http_access_rule_un_t; #endif typedef struct { ngx_array_t *rules; /* array of ngx_http_access_rule_t */ #if (NGX_HAVE_INET6) ngx_array_t *rules6; /* array of ngx_http_access_rule6_t */ #endif #if (NGX_HAVE_UNIX_DOMAIN) ngx_array_t *rules_un; /* array of ngx_http_access_rule_un_t */ #endif } ngx_http_access_loc_conf_t; static ngx_int_t ngx_http_access_handler(ngx_http_request_t *r); static ngx_int_t ngx_http_access_inet(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, in_addr_t addr); #if (NGX_HAVE_INET6) static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, u_char *p); #endif #if (NGX_HAVE_UNIX_DOMAIN) static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf); #endif static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny); static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static void *ngx_http_access_create_loc_conf(ngx_conf_t *cf); static char *ngx_http_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t ngx_http_access_init(ngx_conf_t *cf); static ngx_command_t ngx_http_access_commands[] = { { ngx_string("allow"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF |NGX_CONF_TAKE1, ngx_http_access_rule, NGX_HTTP_LOC_CONF_OFFSET, 0, NULL }, { ngx_string("deny"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF |NGX_CONF_TAKE1, ngx_http_access_rule, NGX_HTTP_LOC_CONF_OFFSET, 0, NULL }, ngx_null_command }; static ngx_http_module_t ngx_http_access_module_ctx = { NULL, /* preconfiguration */ ngx_http_access_init, /* postconfiguration */ NULL, /* create main configuration */ NULL, /* init main configuration */ NULL, /* create server configuration */ NULL, /* merge server configuration */ ngx_http_access_create_loc_conf, /* create location configuration */ ngx_http_access_merge_loc_conf /* merge location configuration */ }; ngx_module_t ngx_http_access_module = { NGX_MODULE_V1, &ngx_http_access_module_ctx, /* module context */ ngx_http_access_commands, /* module directives */ NGX_HTTP_MODULE, /* module type */ NULL, /* init master */ NULL, /* init module */ NULL, /* init process */ NULL, /* init thread */ NULL, /* exit thread */ NULL, /* exit process */ NULL, /* exit master */ NGX_MODULE_V1_PADDING }; static ngx_int_t ngx_http_access_handler(ngx_http_request_t *r) { struct sockaddr_in *sin; ngx_http_access_loc_conf_t *alcf; #if (NGX_HAVE_INET6) u_char *p; in_addr_t addr; struct sockaddr_in6 *sin6; #endif alcf = ngx_http_get_module_loc_conf(r, ngx_http_access_module); switch (r->connection->sockaddr->sa_family) { case AF_INET: if (alcf->rules) { sin = (struct sockaddr_in *) r->connection->sockaddr; return ngx_http_access_inet(r, alcf, sin->sin_addr.s_addr); } break; #if (NGX_HAVE_INET6) case AF_INET6: sin6 = (struct sockaddr_in6 *) r->connection->sockaddr; p = sin6->sin6_addr.s6_addr; if (alcf->rules && IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { addr = p[12] << 24; addr += p[13] << 16; addr += p[14] << 8; addr += p[15]; return ngx_http_access_inet(r, alcf, htonl(addr)); } if (alcf->rules6) { return ngx_http_access_inet6(r, alcf, p); } break; #endif #if (NGX_HAVE_UNIX_DOMAIN) case AF_UNIX: if (alcf->rules_un) { return ngx_http_access_unix(r, alcf); } break; #endif } return NGX_DECLINED; } static ngx_int_t ngx_http_access_inet(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, in_addr_t addr) { ngx_uint_t i; ngx_http_access_rule_t *rule; rule = alcf->rules->elts; for (i = 0; i < alcf->rules->nelts; i++) { ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "access: %08XD %08XD %08XD", addr, rule[i].mask, rule[i].addr); if ((addr & rule[i].mask) == rule[i].addr) { return ngx_http_access_found(r, rule[i].deny); } } return NGX_DECLINED; } #if (NGX_HAVE_INET6) static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, u_char *p) { ngx_uint_t n; ngx_uint_t i; ngx_http_access_rule6_t *rule6; rule6 = alcf->rules6->elts; for (i = 0; i < alcf->rules6->nelts; i++) { #if (NGX_DEBUG) { size_t cl, ml, al; u_char ct[NGX_INET6_ADDRSTRLEN]; u_char mt[NGX_INET6_ADDRSTRLEN]; u_char at[NGX_INET6_ADDRSTRLEN]; cl = ngx_inet6_ntop(p, ct, NGX_INET6_ADDRSTRLEN); ml = ngx_inet6_ntop(rule6[i].mask.s6_addr, mt, NGX_INET6_ADDRSTRLEN); al = ngx_inet6_ntop(rule6[i].addr.s6_addr, at, NGX_INET6_ADDRSTRLEN); ngx_log_debug6(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "access: %*s %*s %*s", cl, ct, ml, mt, al, at); } #endif for (n = 0; n < 16; n++) { if ((p[n] & rule6[i].mask.s6_addr[n]) != rule6[i].addr.s6_addr[n]) { goto next; } } return ngx_http_access_found(r, rule6[i].deny); next: continue; } return NGX_DECLINED; } #endif #if (NGX_HAVE_UNIX_DOMAIN) static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf) { ngx_uint_t i; ngx_http_access_rule_un_t *rule_un; rule_un = alcf->rules_un->elts; for (i = 0; i < alcf->rules_un->nelts; i++) { /* TODO: check path */ if (1) { return ngx_http_access_found(r, rule_un[i].deny); } } return NGX_DECLINED; } #endif static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny) { ngx_http_core_loc_conf_t *clcf; if (deny) { clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); if (clcf->satisfy == NGX_HTTP_SATISFY_ALL) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "access forbidden by rule"); } return NGX_HTTP_FORBIDDEN; } return NGX_OK; } static char * ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_access_loc_conf_t *alcf = conf; ngx_int_t rc; ngx_uint_t all; ngx_str_t *value; ngx_cidr_t cidr; ngx_http_access_rule_t *rule; #if (NGX_HAVE_INET6) ngx_http_access_rule6_t *rule6; #endif #if (NGX_HAVE_UNIX_DOMAIN) ngx_http_access_rule_un_t *rule_un; #endif all = 0; ngx_memzero(&cidr, sizeof(ngx_cidr_t)); value = cf->args->elts; if (value[1].len == 3 && ngx_strcmp(value[1].data, "all") == 0) { all = 1; #if (NGX_HAVE_UNIX_DOMAIN) } else if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) { cidr.family = AF_UNIX; #endif } else { rc = ngx_ptocidr(&value[1], &cidr); if (rc == NGX_ERROR) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid parameter \"%V\"", &value[1]); return NGX_CONF_ERROR; } if (rc == NGX_DONE) { ngx_conf_log_error(NGX_LOG_WARN, cf, 0, "low address bits of %V are meaningless", &value[1]); } } if (cidr.family == AF_INET || all) { if (alcf->rules == NULL) { alcf->rules = ngx_array_create(cf->pool, 4, sizeof(ngx_http_access_rule_t)); if (alcf->rules == NULL) { return NGX_CONF_ERROR; } } rule = ngx_array_push(alcf->rules); if (rule == NULL) { return NGX_CONF_ERROR; } rule->mask = cidr.u.in.mask; rule->addr = cidr.u.in.addr; rule->deny = (value[0].data[0] == 'd') ? 1 : 0; } #if (NGX_HAVE_INET6) if (cidr.family == AF_INET6 || all) { if (alcf->rules6 == NULL) { alcf->rules6 = ngx_array_create(cf->pool, 4, sizeof(ngx_http_access_rule6_t)); if (alcf->rules6 == NULL) { return NGX_CONF_ERROR; } } rule6 = ngx_array_push(alcf->rules6); if (rule6 == NULL) { return NGX_CONF_ERROR; } rule6->mask = cidr.u.in6.mask; rule6->addr = cidr.u.in6.addr; rule6->deny = (value[0].data[0] == 'd') ? 1 : 0; } #endif #if (NGX_HAVE_UNIX_DOMAIN) if (cidr.family == AF_UNIX || all) { if (alcf->rules_un == NULL) { alcf->rules_un = ngx_array_create(cf->pool, 1, sizeof(ngx_http_access_rule_un_t)); if (alcf->rules_un == NULL) { return NGX_CONF_ERROR; } } rule_un = ngx_array_push(alcf->rules_un); if (rule_un == NULL) { return NGX_CONF_ERROR; } rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0; } #endif return NGX_CONF_OK; } static void * ngx_http_access_create_loc_conf(ngx_conf_t *cf) { ngx_http_access_loc_conf_t *conf; conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_access_loc_conf_t)); if (conf == NULL) { return NULL; } return conf; } static char * ngx_http_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) { ngx_http_access_loc_conf_t *prev = parent; ngx_http_access_loc_conf_t *conf = child; if (conf->rules == NULL #if (NGX_HAVE_INET6) && conf->rules6 == NULL #endif #if (NGX_HAVE_UNIX_DOMAIN) && conf->rules_un == NULL #endif ) { conf->rules = prev->rules; #if (NGX_HAVE_INET6) conf->rules6 = prev->rules6; #endif #if (NGX_HAVE_UNIX_DOMAIN) conf->rules_un = prev->rules_un; #endif } return NGX_CONF_OK; } static ngx_int_t ngx_http_access_init(ngx_conf_t *cf) { ngx_http_handler_pt *h; ngx_http_core_main_conf_t *cmcf; cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); if (h == NULL) { return NGX_ERROR; } *h = ngx_http_access_handler; return NGX_OK; }