MINOR: acl: add new matches for header/path/url length
This patch introduces hdr_len, path_len and url_len for matching these
respective parts lengths against integers. This can be used to detect
abuse or empty headers.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index c6785c2..9bcc16e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7717,6 +7717,13 @@
X-Client-IP. See "hdr" for more information on header matching. Use the
shdr_ip() variant for response headers sent by the server.
+hdr_len <integer>
+hdr_len(<header>) <integer>
+ Returns true when at least one of the headers has a length which matches the
+ values or ranges specified. This may be used to detect empty or too large
+ headers. See "hdr" for more information on header matching. Use the
+ shdr_len() variant for response headers sent by the server.
+
hdr_reg <regex>
hdr_reg(<header>) <regex>
Returns true when one of the headers matches of the regular expressions. It
@@ -7781,6 +7788,10 @@
Returns true when the path ends with one of the strings. This may be used to
control file name extension.
+path_len <integer>
+ Returns true when the path length matches the values or ranges specified.
+ This may be used to detect abusive requests for instance.
+
path_reg <regex>
Returns true when the path matches one of the regular expressions. It can be
used any time, but it is important to remember that regex matching is slower
@@ -7828,6 +7839,10 @@
It can be used to prevent access to certain resources such as local network.
It is useful with option "http_proxy".
+url_len <integer>
+ Returns true when the url length matches the values or ranges specified. This
+ may be used to detect abusive requests for instance.
+
url_port <integer>
Applies to the port specified in the absolute URI in an HTTP request. It can
be used to prevent access to certain resources. It is useful with option
diff --git a/include/proto/acl.h b/include/proto/acl.h
index c35cee9..b3ae181 100644
--- a/include/proto/acl.h
+++ b/include/proto/acl.h
@@ -2,7 +2,7 @@
* include/proto/acl.h
* This file provides interface definitions for ACL manipulation.
*
- * Copyright (C) 2000-2010 Willy Tarreau - w@1wt.eu
+ * Copyright (C) 2000-2011 Willy Tarreau - w@1wt.eu
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -136,6 +136,9 @@
/* NB: For two strings to be identical, it is required that their lengths match */
int acl_match_str(struct acl_test *test, struct acl_pattern *pattern);
+/* Checks that the length of the pattern in <test> is included between min and max */
+int acl_match_len(struct acl_test *test, struct acl_pattern *pattern);
+
/* Checks that the integer in <test> is included between min and max */
int acl_match_int(struct acl_test *test, struct acl_pattern *pattern);
diff --git a/src/acl.c b/src/acl.c
index 33f00ed..3546ef7 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -1,7 +1,7 @@
/*
* ACL management functions.
*
- * Copyright 2000-2010 Willy Tarreau <w@1wt.eu>
+ * Copyright 2000-2011 Willy Tarreau <w@1wt.eu>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -650,6 +650,15 @@
return ACL_PAT_FAIL;
}
+/* Checks that the length of the pattern in <test> is included between min and max */
+int acl_match_len(struct acl_test *test, struct acl_pattern *pattern)
+{
+ if ((!pattern->val.range.min_set || pattern->val.range.min <= test->len) &&
+ (!pattern->val.range.max_set || test->len <= pattern->val.range.max))
+ return ACL_PAT_PASS;
+ return ACL_PAT_FAIL;
+}
+
int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
{
struct in_addr *s;
diff --git a/src/proto_http.c b/src/proto_http.c
index 2cd58d2..c39fb94 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8371,6 +8371,7 @@
{ "url_dir", acl_parse_str, acl_fetch_url, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "url_dom", acl_parse_str, acl_fetch_url, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "url_reg", acl_parse_reg, acl_fetch_url, acl_match_reg, ACL_USE_L7REQ_VOLATILE },
+ { "url_len", acl_parse_int, acl_fetch_url, acl_match_len, ACL_USE_L7REQ_VOLATILE },
{ "url_ip", acl_parse_ip, acl_fetch_url_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
{ "url_port", acl_parse_int, acl_fetch_url_port, acl_match_int, ACL_USE_L7REQ_VOLATILE },
@@ -8383,6 +8384,7 @@
{ "hdr_dir", acl_parse_str, acl_fetch_chdr, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "hdr_dom", acl_parse_str, acl_fetch_chdr, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
{ "hdr_cnt", acl_parse_int, acl_fetch_chdr_cnt,acl_match_int, ACL_USE_L7REQ_VOLATILE },
+ { "hdr_len", acl_parse_int, acl_fetch_chdr, acl_match_len, ACL_USE_L7REQ_VOLATILE },
{ "hdr_val", acl_parse_int, acl_fetch_chdr_val,acl_match_int, ACL_USE_L7REQ_VOLATILE },
{ "hdr_ip", acl_parse_ip, acl_fetch_chdr_ip, acl_match_ip, ACL_USE_L7REQ_VOLATILE|ACL_MAY_LOOKUP },
@@ -8394,6 +8396,7 @@
{ "shdr_dir", acl_parse_str, acl_fetch_shdr, acl_match_dir, ACL_USE_L7RTR_VOLATILE },
{ "shdr_dom", acl_parse_str, acl_fetch_shdr, acl_match_dom, ACL_USE_L7RTR_VOLATILE },
{ "shdr_cnt", acl_parse_int, acl_fetch_shdr_cnt,acl_match_int, ACL_USE_L7RTR_VOLATILE },
+ { "shdr_len", acl_parse_int, acl_fetch_shdr, acl_match_len, ACL_USE_L7RTR_VOLATILE },
{ "shdr_val", acl_parse_int, acl_fetch_shdr_val,acl_match_int, ACL_USE_L7RTR_VOLATILE },
{ "shdr_ip", acl_parse_ip, acl_fetch_shdr_ip, acl_match_ip, ACL_USE_L7RTR_VOLATILE|ACL_MAY_LOOKUP },
@@ -8404,6 +8407,7 @@
{ "path_sub", acl_parse_str, acl_fetch_path, acl_match_sub, ACL_USE_L7REQ_VOLATILE },
{ "path_dir", acl_parse_str, acl_fetch_path, acl_match_dir, ACL_USE_L7REQ_VOLATILE },
{ "path_dom", acl_parse_str, acl_fetch_path, acl_match_dom, ACL_USE_L7REQ_VOLATILE },
+ { "path_len", acl_parse_int, acl_fetch_path, acl_match_len, ACL_USE_L7REQ_VOLATILE },
#if 0
{ "line", acl_parse_str, acl_fetch_line, acl_match_str },