httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 36987] New: - mod_proxy: ProxyBlock is not checked for all IP addresses found in the DNS
Date Mon, 10 Oct 2005 11:42:03 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36987>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=36987

           Summary: mod_proxy: ProxyBlock is not checked for all IP
                    addresses found in the DNS
           Product: Apache httpd-2.0
           Version: 2.0.54
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: timo.viipuri@f-secure.com


Sites listed in the ProxyBlock list should be blocked based on all IP addresses
found in the DNS. Now they are blocked only based on the first IP address found
in the DNS. For example, site:

Name:    x.com
Addresses:  64.4.241.33, 216.113.188.33, 216.113.188.64, 64.4.241.16

should be blocked if it is accessed via any one of the above IPs.
Currently, it is only blocked for 64.4.241.33.

The problem is easy to see in the code in function
proxy_util.c:ap_proxy_checkproxyblock():

--------------------BEGIN CODE-------------------
968:   while (conf_addr) {
969:        while (uri_addr) {
970:            char *conf_ip;
971:            char *uri_ip;
972:            apr_sockaddr_ip_get(&conf_ip, conf_addr);
973:            apr_sockaddr_ip_get(&uri_ip, uri_addr);
974:            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
975:                         "proxy: ProxyBlock comparing %s and %s", conf_ip, uri_ip);
976:            if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
977:                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
978:                    "proxy: connect to remote machine %s blocked: IP %s matched", uri_addr->hostname, conf_ip);
979:                return HTTP_FORBIDDEN;
980:            }
981:            uri_addr = uri_addr->next;
982:        }
983:        conf_addr = conf_addr->next;
984:    }
--------------------END CODE-------------------

The inner loop is exited when uri_addr == NULL. However, uri_addr is not reset
after the loop is exited for the first time, so it is not entered again on the
subsequent runs of the outer loop.

The following patch will solve the problem:

--------------------BEGIN PATCH-------------------
--- proxy_util_ORIG.c   Mon Aug 22 12:22:53 2005
+++ proxy_util.c        Mon Oct 10 14:18:12 2005
@@ -966,6 +966,7 @@
             return HTTP_FORBIDDEN;
         }
         while (conf_addr) {
+            uri_addr = src_uri_addr;
             while (uri_addr) {
                 char *conf_ip;
                 char *uri_ip;
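Review bot: the added `uri_addr = src_uri_addr;` only works if `src_uri_addr` holds the unmodified head of the resolved address list, and its declaration and assignment lie outside this hunk; confirm that it is initialized before the outer `while (conf_addr)` loop and is never advanced itself, otherwise the reset is a no-op and the second and later ProxyBlock addresses are still skipped. A short comment above the new line noting that the inner list is rewound for each ProxyBlock address would make the intent obvious to the next reader, since the unmodified loop gives no hint that `uri_addr` is consumed on the first pass.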
--------------------END PATCH-------------------

To demonstrate the error behaviour, here's a clip of error.log when ProxyBlock
has been set to "x.com" and someone tries to access it with IP address
216.113.188.64:

-----------BEGIN ORIGINAL ERROR.LOG------------
[Mon Oct 10 13:46:14 2005] [debug] proxy_util.c(975): proxy: checking remote
machine [216.113.188.64] against [x.com]
[Mon Oct 10 13:46:14 2005] [debug] proxy_util.c(991): proxy: ProxyBlock
comparing 64.4.241.33 and 216.113.188.64
-----------END ORIGINAL ERROR.LOG--------------

And here's how it looks after the patch has been applied:

-----------BEGIN PATCHED ERROR.LOG------------
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(975): proxy: checking remote
machine [216.113.188.64] against [x.com]
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock
comparing 64.4.241.33 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock
comparing 216.113.188.33 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock
comparing 216.113.188.64 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [warn] proxy: connect to remote machine
216.113.188.64 blocked: IP 216.113.188.64 matched
-----------END PATCHED ERROR.LOG--------------

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
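The following stand-alone C program is an added illustration of the loop defect described in this report; it is not httpd code. It models the two apr_sockaddr_t chains with simple linked lists, runs the comparison once with the inner cursor left unreset (as in the quoted code) and once with the rewind from the patch, and counts comparisons so the result can be set against the two error.log excerpts above. The list contents are constructed from the addresses given in the report.

```c
/* Added illustration of the loop defect in Bug 36987; not httpd code. Two
 * singly-linked lists stand in for the apr_sockaddr_t chains: one with every
 * IP a ProxyBlock entry resolved to, one with the IPs of the requested host. */
#include <stdio.h>
#include <string.h>
struct addr {
    const char *ip;      /* dotted quad, as apr_sockaddr_ip_get() would yield */
    struct addr *next;
};
static int comparisons;  /* IP pairs compared by the last call */
int last_comparisons(void) { return comparisons; }

/* rewind == 0 mirrors the loop quoted in the report: the inner cursor is
 * left at NULL after the first ProxyBlock address, so later addresses are
 * never compared. rewind == 1 is the patch: restart from src_uri_addr. */
static int blocked(struct addr *conf_addr, struct addr *src_uri_addr, int rewind)
{
    struct addr *uri_addr = src_uri_addr;
    comparisons = 0;
    while (conf_addr) {
        if (rewind)
            uri_addr = src_uri_addr;
        while (uri_addr) {
            comparisons++;
            if (strcmp(conf_addr->ip, uri_addr->ip) == 0)
                return 1;            /* HTTP_FORBIDDEN in httpd */
            uri_addr = uri_addr->next;
        }
        conf_addr = conf_addr->next;
    }
    return 0;
}
int blocked_buggy(struct addr *c, struct addr *u) { return blocked(c, u, 0); }
int blocked_fixed(struct addr *c, struct addr *u) { return blocked(c, u, 1); }

/* Constructed from the report: x.com resolves to four addresses and the
 * client asks for 216.113.188.64, the third of them. */
static struct addr a4 = { "64.4.241.16", NULL };
static struct addr a3 = { "216.113.188.64", &a4 };
static struct addr a2 = { "216.113.188.33", &a3 };
struct addr x_com_addrs = { "64.4.241.33", &a2 };
struct addr request_addrs = { "216.113.188.64", NULL };

int main(void)
{
    int b = blocked_buggy(&x_com_addrs, &request_addrs);
    printf("buggy: blocked=%d after %d comparisons\n", b, last_comparisons());
    b = blocked_fixed(&x_com_addrs, &request_addrs);
    printf("fixed: blocked=%d after %d comparisons\n", b, last_comparisons());
    return 0;
}
```

The unreset loop stops after a single comparison and lets the request through, while the rewound loop makes three comparisons and blocks it, matching the one-line and four-line log excerpts respectively.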

