httpd-dev mailing list archives

From Martin Kraemer <Martin.Krae...@Fujitsu-Siemens.com>
Subject [Patch,Security] Invalid hostnames in log file
Date Thu, 14 Feb 2002 20:57:38 GMT

I came across this problem while I tried to debug an IPv6 version of
Apache...

If Apache performs a double-reverse lookup, for instance because a
resource was protected by
  Allow from .my.domain
then it is possible that an initial reverse lookup for the client IP
returns a host name, but the subsequent forward lookup fails (because
many SPAM servers provide either correct reverse DNS service, or
forward, but seldom both).

So what happens?

a) access to the requested resource is denied. Good.
b) in the access_log file, I see the result of the initial
   reverse lookup, which is not invalidated when the double reverse
   lookup fails. Bad bad bad.

That means that, from looking at the access_log, I cannot see
why on earth host "badhost.my.domain" was denied access to a
resource which _should have_ been accessible for every host in
.my.domain!

Just as a hack (untested), I tried to add the following line to
http_core.c, to invalidate a remote_host when double_reverse fails
for it.

What is your opinion about this?

   Martin
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany
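
Added example, not part of the original message and not Apache code: a C model of the logging behaviour described above, with the reverse-lookup name either kept (the reported behaviour) or cleared (the proposed change) when the forward lookup does not confirm it. The DNS tables, `struct conn` and all function names are constructed for illustration; only the field names `remote_host` and `double_reverse` echo the message.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for DNS (documentation addresses, made-up names). */
struct rec { const char *key, *val; };
static const struct rec PTR[] = {             /* reverse zone: IP -> name */
    { "192.0.2.10",  "goodhost.my.domain" },
    { "203.0.113.7", "badhost.my.domain"  },  /* claimed, never confirmed */
};
/* Forward zone (name -> IP): no entry for badhost.my.domain. */
static const struct rec FWD[] = { { "goodhost.my.domain", "192.0.2.10" } };

static const char *find(const struct rec *t, size_t n, const char *key) {
    for (size_t i = 0; key && i < n; i++)
        if (strcmp(t[i].key, key) == 0) return t[i].val;
    return NULL;
}

/* Simplified stand-in for per-connection state, not Apache's own struct. */
struct conn { const char *remote_ip, *remote_host; int double_reverse; };
/* invalidate=0: behaviour the message reports; 1: the proposed change. */
static void do_double_reverse(struct conn *c, int invalidate) {
    const char *name = find(PTR, sizeof PTR / sizeof PTR[0], c->remote_ip);
    const char *fwd  = find(FWD, sizeof FWD / sizeof FWD[0], name);
    c->double_reverse = (fwd && strcmp(fwd, c->remote_ip) == 0) ? 1 : -1;
    c->remote_host = (c->double_reverse == 1 || !invalidate) ? name : NULL;
}

/* Host field a log line would carry: the name if one is set, else the IP. */
const char *logged_host(const char *ip, int invalidate) {
    struct conn c = { ip, NULL, 0 };
    do_double_reverse(&c, invalidate);
    return c.remote_host ? c.remote_host : c.remote_ip;
}

/* "Allow from <suffix>": only a forward-confirmed name may match. */
int access_allowed(const char *ip, const char *suffix) {
    struct conn c = { ip, NULL, 0 };
    size_t hl, sl = strlen(suffix);
    do_double_reverse(&c, 0);
    if (c.double_reverse != 1) return 0;
    hl = strlen(c.remote_host);
    return hl > sl && strcmp(c.remote_host + hl - sl, suffix) == 0;
}

int main(void) {
    printf("before: %s\nafter:  %s\n",
           logged_host("203.0.113.7", 0), logged_host("203.0.113.7", 1));
    return 0;
}
```

With the name cleared, the denied request is logged under its IP address, so the log line no longer contradicts the `Allow from .my.domain` rule.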
