X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/7da9a16d10eecddf695d00fbbf948e9b70bd7706..25ff04417e4b4fa0aeb44e0b1576a01021aa1650:/access.c diff --git a/access.c b/access.c index bd07567a..f8dd593f 100644 --- a/access.c +++ b/access.c @@ -26,24 +26,25 @@ static int match_hostname(char *host, char *tok) { - if (!host || !*host) return 0; - return (fnmatch(tok, host, 0) == 0); + if (!host || !*host) + return 0; + return wildmatch(tok, host); } static int match_binary(char *b1, char *b2, char *mask, int addrlen) { int i; - for (i=0; i> 3; @@ -66,7 +67,7 @@ static int match_address(char *addr, char *tok) int gai; int ret = 0; int addrlen = 0; -#ifdef HAVE_STRTOL +#if HAVE_STRTOL long int bits; #else int bits; @@ -75,22 +76,26 @@ static int match_address(char *addr, char *tok) char *a = NULL, *t = NULL; unsigned int len; - if (!addr || !*addr) return 0; + if (!addr || !*addr) + return 0; p = strchr(tok,'/'); if (p) { *p = '\0'; len = p - tok; - } - else + } else len = strlen(tok); /* Fail quietly if tok is a hostname (not an address) */ - if (strspn(tok, "./0123456789") != len -#ifdef INET6 - && !strchr(tok, ':') + if (strspn(tok, ".0123456789") != len +#if INET6 + && strchr(tok, ':') == NULL #endif - ) return 0; + ) { + if (p) + *p = '/'; + return 0; + } memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; @@ -99,17 +104,18 @@ static int match_address(char *addr, char *tok) hints.ai_flags = AI_NUMERICHOST; #endif - gai = getaddrinfo(addr, NULL, &hints, &resa); - if (gai) return 0; + if (getaddrinfo(addr, NULL, &hints, &resa) != 0) { + if (p) + *p = '/'; + return 0; + } gai = getaddrinfo(tok, NULL, &hints, &rest); if (p) *p++ = '/'; - if (gai) { - rprintf(FERROR, - "error matching address %s: %s\n", - tok, - gai_strerror(gai)); + if (gai != 0) { + rprintf(FLOG, "error matching address %s: %s\n", + tok, gai_strerror(gai)); freeaddrinfo(resa); return 0; } @@ -127,7 +133,7 @@ static int match_address(char *addr, char *tok) break; -#ifdef INET6 +#if INET6 case PF_INET6: { struct sockaddr_in6 *sin6a, *sin6t; @@ -140,7 +146,7 @@ static int match_address(char *addr, char *tok) addrlen = 16; -#ifdef HAVE_SOCKADDR_IN6_SCOPE_ID +#if HAVE_SOCKADDR_IN6_SCOPE_ID if (sin6t->sin6_scope_id && sin6a->sin6_scope_id != sin6t->sin6_scope_id) { ret = 0; @@ -152,7 +158,7 @@ static int match_address(char *addr, char *tok) } #endif default: - rprintf(FERROR,"unknown family %u\n", rest->ai_family); + rprintf(FLOG, "unknown family %u\n", rest->ai_family); ret = 0; goto out; } @@ -160,23 +166,23 @@ static int match_address(char *addr, char *tok) bits = -1; if (p) { if (inet_pton(resa->ai_addr->sa_family, p, mask) <= 0) { -#ifdef HAVE_STRTOL +#if HAVE_STRTOL char *ep = NULL; #else unsigned char *pp; #endif -#ifdef HAVE_STRTOL +#if HAVE_STRTOL bits = strtol(p, &ep, 10); if (!*p || *ep) { - rprintf(FERROR,"malformed mask in %s\n", tok); + rprintf(FLOG, "malformed mask in %s\n", tok); ret = 0; goto out; } #else for (pp = (unsigned char *)p; *pp; pp++) { if (!isascii(*pp) || !isdigit(*pp)) { - rprintf(FERROR,"malformed mask in %s\n", tok); + rprintf(FLOG, "malformed mask in %s\n", tok); ret = 0; goto out; } @@ -188,7 +194,7 @@ static int match_address(char *addr, char *tok) goto out; } if (bits < 0 || bits > (addrlen << 3)) { - rprintf(FERROR,"malformed mask in %s\n", tok); + rprintf(FLOG, "malformed mask in %s\n", tok); ret = 0; goto out; } @@ -213,12 +219,14 @@ static int access_match(char *list, char *addr, char *host) char *tok; char *list2 = strdup(list); - if (!list2) out_of_memory("access_match"); + if (!list2) + out_of_memory("access_match"); strlower(list2); - if (host) strlower(host); + if (host) + strlower(host); - for (tok=strtok(list2," ,\t"); tok; tok=strtok(NULL," ,\t")) { + for (tok = strtok(list2, " ,\t"); tok; tok = strtok(NULL, " ,\t")) { if (match_hostname(host, tok) || match_address(addr, tok)) { free(list2); return 1; @@ -231,29 +239,25 @@ static int access_match(char *list, char *addr, char *host) int allow_access(char *addr, char *host, char *allow_list, char *deny_list) { - /* if theres no deny list and no allow list then allow access */ - if ((!deny_list || !*deny_list) && (!allow_list || !*allow_list)) - return 1; - - /* if there is an allow list but no deny list then allow only hosts - on the allow list */ - if (!deny_list || !*deny_list) - return(access_match(allow_list, addr, host)); - - /* if theres a deny list but no allow list then allow - all hosts not on the deny list */ - if (!allow_list || !*allow_list) - return(!access_match(deny_list,addr,host)); - - /* if there are both type of list then allow all hosts on the - allow list */ - if (access_match(allow_list,addr,host)) - return 1; - - /* if there are both type of list and it's not on the allow then - allow it if its not on the deny */ - if (access_match(deny_list,addr,host)) + if (allow_list && !*allow_list) + allow_list = NULL; + if (deny_list && !*deny_list) + deny_list = NULL; + + /* If we match an allow-list item, we always allow access. */ + if (allow_list) { + if (access_match(allow_list, addr, host)) + return 1; + /* For an allow-list w/o a deny-list, disallow non-matches. */ + if (!deny_list) + return 0; + } + + /* If we match a deny-list item (and got past any allow-list + * items), we always disallow access. */ + if (deny_list && access_match(deny_list, addr, host)) return 0; + /* Allow all other access. */ return 1; }