MINOR: acl: add new matches for header/path/url length

This patch introduces hdr_len, path_len and url_len for matching the
lengths of these respective parts against integers. This can be used to
detect abuse or empty headers.
Willy Tarreau 2011-09-16 08:32:32 +02:00
parent 275600b6c7
commit 0e69854ed4
4 changed files with 33 additions and 2 deletions


@ -7717,6 +7717,13 @@ hdr_ip(<header>) <ip_address>
X-Client-IP. See "hdr" for more information on header matching. Use the
shdr_ip() variant for response headers sent by the server.
hdr_len <integer>
hdr_len(<header>) <integer>
Returns true when at least one of the headers has a length which matches the
values or ranges specified. This may be used to detect empty or too large
headers. See "hdr" for more information on header matching. Use the
shdr_len() variant for response headers sent by the server.
hdr_reg <regex>
hdr_reg(<header>) <regex>
Returns true when one of the headers matches of the regular expressions. It
@ -7781,6 +7788,10 @@ path_end <string>
Returns true when the path ends with one of the strings. This may be used to
control file name extension.
path_len <integer>
Returns true when the path length matches the values or ranges specified.
This may be used to detect abusive requests for instance.
path_reg <regex>
Returns true when the path matches one of the regular expressions. It can be
used any time, but it is important to remember that regex matching is slower
@ -7828,6 +7839,10 @@ url_ip <ip_address>
It can be used to prevent access to certain resources such as local network.
It is useful with option "http_proxy".
url_len <integer>
Returns true when the url length matches the values or ranges specified. This
may be used to detect abusive requests for instance.
url_port <integer>
Applies to the port specified in the absolute URI in an HTTP request. It can
be used to prevent access to certain resources. It is useful with option


@ -2,7 +2,7 @@
* include/proto/acl.h
* This file provides interface definitions for ACL manipulation.
*
* Copyright (C) 2000-2010 Willy Tarreau - w@1wt.eu
* Copyright (C) 2000-2011 Willy Tarreau - w@1wt.eu
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -136,6 +136,9 @@ int acl_parse_nothing(const char **text, struct acl_pattern *pattern, int *opaqu
/* NB: For two strings to be identical, it is required that their lengths match */
int acl_match_str(struct acl_test *test, struct acl_pattern *pattern);
/* Checks that the length of the pattern in <test> is included between min and max */
int acl_match_len(struct acl_test *test, struct acl_pattern *pattern);
/* Checks that the integer in <test> is included between min and max */
int acl_match_int(struct acl_test *test, struct acl_pattern *pattern);
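Review bot: The new comment above the acl_match_len prototype names the wrong operand: the function compares the length of the fetched sample (test->len) against the bounds carried by the pattern, so "the length of the pattern in <test>" misdescribes what is checked. Suggest `/* Checks that the length of the sample in <test> (test->len) lies within the [min,max] range carried by <pattern> */`. The same wording is repeated above the definition added in src/acl.c in this commit and should be fixed there as well.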


@ -1,7 +1,7 @@
/*
* ACL management functions.
*
* Copyright 2000-2010 Willy Tarreau <w@1wt.eu>
* Copyright 2000-2011 Willy Tarreau <w@1wt.eu>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@ -650,6 +650,15 @@ int acl_match_int(struct acl_test *test, struct acl_pattern *pattern)
return ACL_PAT_FAIL;
}
/* Checks that the length of the pattern in <test> is included between min and max */
int acl_match_len(struct acl_test *test, struct acl_pattern *pattern)
{
if ((!pattern->val.range.min_set || pattern->val.range.min <= test->len) &&
(!pattern->val.range.max_set || test->len <= pattern->val.range.max))
return ACL_PAT_PASS;
return ACL_PAT_FAIL;
}
int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
{
struct in_addr *s;
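Review bot: acl_match_len duplicates the range test of acl_match_int above it line for line, differing only in reading test->len instead of the integer field; as a point of style the shared comparison could live in one static helper, e.g. `static int acl_match_range(long long v, const struct acl_pattern *p)`, with both matchers reduced to a one-line call so the min_set/max_set handling cannot drift between them. The comparison mixes test->len with pattern->val.range.min/max, whose declarations are outside this hunk; presumably both are signed integers of the same width, but if test->len were unsigned or narrower the implicit conversions would change the result for out-of-range bounds, so this is worth confirming against the struct definitions.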


@ -8371,6 +8371,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "url_dir", acl_parse_str, acl_fetch_url, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "url_dom", acl_parse_str, acl_fetch_url, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "url_reg", acl_parse_reg, acl_fetch_url, acl_match_reg, ACL_USE_L7REQ_VOLATILE },
{ "url_len", acl_parse_int, acl_fetch_url, acl_match_len, ACL_USE_L7REQ_VOLATILE },
{ "url_ip", acl_parse_ip, acl_fetch_url_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
{ "url_port", acl_parse_int, acl_fetch_url_port, acl_match_int, ACL_USE_L7REQ_VOLATILE },
@ -8383,6 +8384,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "hdr_dir", acl_parse_str, acl_fetch_chdr, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "hdr_dom", acl_parse_str, acl_fetch_chdr, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "hdr_cnt", acl_parse_int, acl_fetch_chdr_cnt,acl_match_int, ACL_USE_L7REQ_VOLATILE },
{ "hdr_len", acl_parse_int, acl_fetch_chdr, acl_match_len, ACL_USE_L7REQ_VOLATILE },
{ "hdr_val", acl_parse_int, acl_fetch_chdr_val,acl_match_int, ACL_USE_L7REQ_VOLATILE },
{ "hdr_ip", acl_parse_ip, acl_fetch_chdr_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
@ -8394,6 +8396,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "shdr_dir", acl_parse_str, acl_fetch_shdr, acl_match_dir, ACL_USE_L7RTR_VOLATILE },
{ "shdr_dom", acl_parse_str, acl_fetch_shdr, acl_match_dom, ACL_USE_L7RTR_VOLATILE },
{ "shdr_cnt", acl_parse_int, acl_fetch_shdr_cnt,acl_match_int, ACL_USE_L7RTR_VOLATILE },
{ "shdr_len", acl_parse_int, acl_fetch_shdr, acl_match_len, ACL_USE_L7RTR_VOLATILE },
{ "shdr_val", acl_parse_int, acl_fetch_shdr_val,acl_match_int, ACL_USE_L7RTR_VOLATILE },
{ "shdr_ip", acl_parse_ip, acl_fetch_shdr_ip, acl_match_ip, ACL_USE_L7RTR_VOLATILE|ACL_MAY_LOOKUP },
@ -8404,6 +8407,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "path_sub", acl_parse_str, acl_fetch_path, acl_match_sub, ACL_USE_L7REQ_VOLATILE },
{ "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "path_len", acl_parse_int, acl_fetch_path, acl_match_len, ACL_USE_L7REQ_VOLATILE },
#if 0
{ "line", acl_parse_str, acl_fetch_line, acl_match_str },