httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Patch to tighten up access control
Date Wed, 08 Nov 1995 18:30:02 GMT
I was going through loose ends.  This seems to be the only serious one
left that I can find --- it keeps "allow from good.com" from letting
in clients from nogood.com (because the terminal substring matches);
it also cures a similar problem with IP address authentication, albeit
one which is harder to exploit.

rst

*** mod_access.c~	Tue Oct 10 18:01:50 1995
--- mod_access.c	Wed Nov  8 12:59:14 1995
***************
*** 141,154 ****
      int dl=strlen(domain);
      int wl=strlen(what);
  
!     if((wl-dl) >= 0)
!         return(!strcmp(domain,&what[wl-dl]));
!     else
          return 0;
  }
  
  int in_ip(char *domain, char *what) {
!     return(!strncmp(domain,what,strlen(domain)));
  }
  
  int find_allowdeny (conn_rec *c, array_header *a, int method)
--- 141,170 ----
      int dl=strlen(domain);
      int wl=strlen(what);
  
!     if((wl-dl) >= 0) {
!         if (strcmp(domain,&what[wl-dl]) != 0) return 0;
! 
! 	/* Make sure we matched an *entire* subdomain --- if the user
! 	 * said 'allow from good.com', we don't want people from nogood.com
! 	 * to be able to get in.
! 	 */
! 	
! 	if (wl == dl) return 1;	/* matched whole thing */
! 	else return (domain[0] == '.' || what[wl - dl - 1] == '.');
!     } else
          return 0;
  }
  
  int in_ip(char *domain, char *what) {
! 
!     /* Check a similar screw case to the one checked above ---
!      * "allow from 204.26.2" shouldn't let in people from 204.26.23
!      */
!     
!     int l = strlen(domain);
!     if (strncmp(domain,what,l) != 0) return 0;
!     if (domain[l - 1] == '.') return 1;
!     return (what[l] == '\0' || what[l] == '.');
  }
  
  int find_allowdeny (conn_rec *c, array_header *a, int method)
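Review bot: In the new `in_ip`, `domain[l - 1]` reads one byte before the start of the string when `domain` is empty, because `strncmp(domain,what,0)` returns 0 and execution falls through to that line. Whether the directive parser can pass an empty pattern is not visible in this hunk, so a guard such as `if (l == 0) return 0;` right after the `strlen` call would make the function safe on its own. Separately, the domain check above still uses case-sensitive `strcmp`, while host names are case-insensitive. Unless both strings are lower-cased before this point (not shown), a `deny from` entry can fail to match a differently-cased resolved name, so a case-insensitive compare such as `strcasecmp`, or a comment stating the lower-casing precondition, would help. The domain-matching function starts outside the hunk, so its signature and callers are inferred.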

