Re: mod_lua and subprocess_env

On Wed, Mar 22, 2017 at 2:53 PM, Andrei Ivanov <andrei.ivanov@xxxxxxxxx> wrote:
>
> Welcome back :-)

Thanks ;)

>
> These expressions don't work anymore: Can't parse value expression :
> Function 'PeerExtList' does not exist
>
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in %{PeerExtList:2.5.29.17}"

This is not what I proposed (according to the new patch), the above
works only with the first/initial (now obsolete) patch.

For the "Client-SAN" header, it fails because
"%{PeerExtList:2.5.29.17}" is a list and it can't be evaluated in a
string context (like mod_headers' expr= context).

A string context is what's allowed between the quotes in a full
expression context (like an <If>'s condition), but omitting/without
the quotes...

So same for the second, "'IP Address:'.%{REMOTE_ADDR}" is not valid in
a string context, you'd have to use expr="IP Address:%{REMOTE_ADDR}"
directly, but still the following "-in %{PeerExtList:2.5.29.17}" isn't
valid either (no condition evaluated in a string context...).

That's why my latest patch introduces "%{: <any expression> :}" (note
the leading and trailing colons), so you should be able to:
 Header set Expr1 "expr=%{: 'IP Address:%{REMOTE_ADDR}' -in PeerExtList('2.5.29.17') :}"

but still the above is "false" (my patch also evaluates the conditions
into the strings "true"/"false").
This is because 'IP Address:%{REMOTE_ADDR}' is only a part of the
first entry of PeerExtList('2.5.29.17') (which could be expressed
literally as {'email:<redacted1>, email:<redacted2>, IP
Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
Address:159.107.78.131, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44'}),
not an entry on its own (like in {'email:<redacted1>',
'email:<redacted2>', 'IP Address:127.0.0.1', 'IP
Address:0:0:0:0:0:0:0:1', 'IP Address:159.107.78.131', 'IP
Address:FE80:0:0:0:6D03:4CE1:C15F:5A44'}).

So we need to be able to split a list by applying a regular
expression on all of its entries and creating a new list with the
capture(s).

That's the new "split/<match>/<substitute>/" operator, which will walk
all the list's entries (actually the first and only one in the
PeerExtList('2.5.29.17') case) and split them into a new list where
<match>ed, i.e. keep only what's before (hence also after by progress
on the next <match>) and <substitute>d if not empty.

All in one, this gives:
 Header set Expr1 "expr=%{: %{REMOTE_ADDR} -in (PeerExtList('subjectAltName') =~ split/.*?IP Address:([^,]+)/$1/) :}"
Where we create an %{: expression :} context where we can search for
%{REMOTE_ADDR} -in PeerExtList('subjectAltName') split on ".*?IP
Address:([^,]+)" (i.e. skip anything before and including 'IP
Address:' to keep only what follows until the next comma: the IP!).
This one should return "true"...


>
> I've modified this one to use the "normal" method syntax, hoping that would
> work:
>
> <If "%{PeerExtList('2.5.29.17') =~ /%{REMOTE_ADDR}/">
>     Header set matched-dynamic true
> </If>

Likewise, %{REMOTE_ADDR} cannot be evaluated at init time (when the
regular expression is compiled), thus the failure.

But:
 <If "%{REMOTE_ADDR} -in (PeerExtList('subjectAltName') =~ split/.*?IP Address:([^,]+)/$1/)">
    Header set matched-dynamic true
 </If>
should work...


Regards,
Yann.
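
Added example, not part of the original message and not httpd code: a Python model of the list handling described above, showing why `-in` is false against the single comma-joined subjectAltName entry and true once that entry is split on `.*?IP Address:([^,]+)`. The function names and the modelling of `-in` as exact string equality against whole entries are assumptions; the sample entry is the one quoted in the message.

```python
import re

# The single list entry quoted in the message (e-mail values are redacted there).
SAN_ENTRY = ("email:<redacted1>, email:<redacted2>, IP Address:127.0.0.1, "
             "IP Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, "
             "IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44")

# The <match> part of the split operator used in the message.
IP_RE = re.compile(r".*?IP Address:([^,]+)")


def split_list(entries, pattern=IP_RE):
    """Model of split/<match>/$1/: walk every entry and collect capture
    group 1 of each successive match into a new list."""
    out = []
    for entry in entries:
        out.extend(m.group(1) for m in pattern.finditer(entry))
    return out


def in_list(needle, entries):
    """Model of -in (assumption): exact equality with a whole entry."""
    return any(needle == entry for entry in entries)


def substring_hit(needle, entries):
    """Loose containment check, shown only to contrast with in_list()."""
    return any(needle in entry for entry in entries)


if __name__ == "__main__":
    raw = [SAN_ENTRY]
    ips = split_list(raw)
    print("split list:", ips)
    # The unsplit list has one entry, so an "IP Address:<addr>" needle never equals it.
    print("unsplit -in:", in_list("IP Address:127.0.0.1", raw))
    # After the split each address is its own entry and membership is exact.
    print("split -in:  ", in_list("127.0.0.1", ips))
    # A different address that is a substring of a listed one: a loose
    # containment test accepts it, exact membership does not.
    print("substring:  ", substring_hit("59.107.78.13", raw),
          "exact:", in_list("59.107.78.13", ips))
```

Exact membership on the split list is also the stricter check when the header or `<If>` result feeds an access decision, since a containment or unescaped regex match would accept any address that happens to be part of a listed one.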
