httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject svn commit: r763708 - in /httpd/sandbox/mod_remoteip: README mod_remoteip.c
Date Thu, 09 Apr 2009 15:54:33 GMT
Author: wrowe
Date: Thu Apr  9 15:54:33 2009
New Revision: 763708

URL: http://svn.apache.org/viewvc?rev=763708&view=rev
Log:
Address a few of Colm's concerns; 

  The ->internal designations were not initialized properly; fixed.

  If no explicit servers are defined, apply absolute (intranet) 
  trust to the contents of the designated RemoteIPHeader
  (e.g. a load balancer originated header).

  Collect all of the applicable IP host addresses for each hostname
  (e.g. A and AAAA) and disallow hostname/subnet syntax.

Modified:
    httpd/sandbox/mod_remoteip/README
    httpd/sandbox/mod_remoteip/mod_remoteip.c

Modified: httpd/sandbox/mod_remoteip/README
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/README?rev=763708&r1=763707&r2=763708&view=diff
==============================================================================
--- httpd/sandbox/mod_remoteip/README (original)
+++ httpd/sandbox/mod_remoteip/README Thu Apr  9 15:54:33 2009
@@ -66,7 +66,7 @@
 trusted internal proxies, specify one or more IP's (or IP prefixes such as
 the pattern "10.", or IP with /subnet bits) using any combination of;
 
-  RemoteIPInternalProxy [IP|IP/subnet|hostname]...
+  RemoteIPInternalProxy [hostname|IP|IP/subnet]...
   RemoteIPInternalProxyList filename
 
 where the filename contains entries, one or more per line, of IP, IP/subnet
@@ -78,18 +78,21 @@
 
  * http://meta.wikimedia.org/wiki/XFF_project
 
-  RemoteIPTrustedProxy [IP|IP/subnet|hostname]...
+  RemoteIPTrustedProxy [hostname|IP|IP/subnet]...
   RemoteIPTrustedProxyList filename
 
 The Proxy/ProxyList directives should accept hostnames, although these then
-must be translated to IP when added to the table.
+must be translated to IP when added to the table which can be an agonizingly
+slow process for a long proxy list.  An inverted flavor of logresolve would
+be very useful here.  
 
 There is a second tier of issues.  We will only recognize private IP
 addresses when presented by a specific internal proxy or chain of internal 
 proxies.  On balance, most private addresses from external trusted proxies
 are not useful.  RFC 1918 defines these as 10./8, 172.16./12 and 192.168./16, 
-and even 127./8 may be of interest for purposes of testing or remoting one 
-particular box.  Other non-extranet patterns are similarly disallowed.
+and even 169.254./16 or 127./8 may be of interest for purposes of testing or 
+remoting one particular box.  Similarly all IPv6 addresses outside of the 
+public 2000::/3 block are handled as private addresses.
 
 If a given proxy is trusted, but not one of our private proxies, and indicates
 that its immediate X-Forwarded-For pointer is within a private subnet, that

Modified: httpd/sandbox/mod_remoteip/mod_remoteip.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/mod_remoteip.c?rev=763708&r1=763707&r2=763708&view=diff
==============================================================================
--- httpd/sandbox/mod_remoteip/mod_remoteip.c (original)
+++ httpd/sandbox/mod_remoteip/mod_remoteip.c Thu Apr  9 15:54:33 2009
@@ -141,20 +141,36 @@
     if (!config->proxymatch_ip)
         config->proxymatch_ip = apr_array_make(cmd->pool, 1, sizeof(*match));
     match = (remoteip_proxymatch_t *) apr_array_push(config->proxymatch_ip);
+    match->internal = (int)internal;
 
-    if (!looks_like_ip(ip)) {
+    if (looks_like_ip(ip)) {
+        /* Note s may be null, that's fine (explicit host) */
+        rv = apr_ipsubnet_create(&match->ip, ip, s, cmd->pool);
+    }
+    else
+    {
         apr_sockaddr_t *temp_sa;
+
+        if (s) {
+            return apr_pstrcat(cmd->pool, "RemoteIP: Error parsing IP ", arg, 
+                               " the subnet /", s, " is invalid for ", 
+                               cmd->cmd->name, NULL);
+        }
+
         rv = apr_sockaddr_info_get(&temp_sa,  ip, APR_UNSPEC, 0,
                                    APR_IPV4_ADDR_OK, cmd->temp_pool);
-        if (rv == APR_SUCCESS) 
+        while (rv == APR_SUCCESS)
+        {
             apr_sockaddr_ip_get(&ip, temp_sa);
+            rv = apr_ipsubnet_create(&match->ip, ip, NULL, cmd->pool);
+            if (!(temp_sa = temp_sa->next))
+                break;
+            match = (remoteip_proxymatch_t *) 
+                    apr_array_push(config->proxymatch_ip);
+            match->internal = (int)internal;
+        }
     }
 
-    if (s)
-        rv = apr_ipsubnet_create(&match->ip, ip, s, cmd->pool);
-    else
-        rv = apr_ipsubnet_create(&match->ip, ip, NULL, cmd->pool);
-
     if (rv != APR_SUCCESS) {
         char msgbuf[128];
         apr_strerror(rv, msgbuf, sizeof(msgbuf));
@@ -325,26 +341,27 @@
         }
 
         addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
+
+        /* For intranet (Internal proxies) ignore all restrictions below */
         if (!internal
               && ((temp_sa->family == APR_INET
-                         /* denying 127. loopback, 10., 172.240..., 192.168. 
-                          * private subnets, and Class D and E special subnets
-                          */
-                      && (addrbyte[0] == 127
-                       || addrbyte[0] == 10
-                       || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 0xf0)
-                       || (addrbyte[0] == 192 && addrbyte[1] == 168)
+                   /* For internet (non-Internal proxies) deny all
+                    * RFC3330 designated local/private subnets:
+                    * 10.0.0.0/8   169.254.0.0/16  192.168.0.0/16 
+                    * 127.0.0.0/8  172.16.0.0/12
+                    */
+                      && (addrbyte[0] == 10
+                       || addrbyte[0] == 127
                        || (addrbyte[0] == 169 && addrbyte[1] == 254)
-                       || (addrbyte[0] & 0xe0) == 0xe0))
+                       || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16)
+                       || (addrbyte[0] == 192 && addrbyte[1] == 168)))
 #if APR_HAVE_IPV6
                || (temp_sa->family == APR_INET6
-                         /* we translated IPv4-over-IPv6-mapped addresses 
-                          * as IPv4 above, all that is left to deny are 
-                          * multicast, special subnets, etc etc, where the
-                          * high nibble of the address is 0 or f
-                          */
-                      && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xf0) ==
0x00
-                       || (temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xf0) == 0xf0))
+                   /* For internet (non-Internal proxies) we translated 
+                    * IPv4-over-IPv6-mapped addresses as IPv4, above.
+                    * Accept only Global Unicast 2000::/3 defined by RFC4291
+                    */
+                      && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) !=
0x20))
 #endif
         )) {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG,  rv, r,



Mime
View raw message