httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: ProxyBlock question
Date Tue, 24 Jul 2012 09:22:58 GMT
On Tue, Jul 24, 2012 at 10:46:12AM +0200, Rainer Jung wrote:
> IMHO if the admin explicitely configured an IP in the ProxyBlock
> list we should nevertheless check. For this case there's already a
> somewhat related warning in the docs which we could enhance for this
> new case.
> 
> It looks like we could check whether we have an explicit IP during
> set_proxy_exclude() by comparing new->name and apr_sockaddr_ip_get()
> of new->addr and later do the IP lookup for the target host only for
> those rules where we had an explicit IP.
> 
> Not sure whether apr_sockaddr_ip_get() applied to the result of
> apr_sockaddr_info_get() applied to an IP gives back the same IP,
> e.g. when there's IPv4 and v6 involved.

Right, with a v6 address there can be multiple representations of the 
same address so that wouldn't be reliable. 

This seems to pile caveat on top of caveat; is it really necessary? 
ProxyBlock is not even documented to take literal IP addresses, but 
rather "*|word|host|domain".  Adding a special case for a literal IP 
will add significant complexity here; is it useful?  If there is a 
forward proxy configured why can't that proxy block the IP address?

(But reading that code again, you also lead me to another bug; the use 
of apr_sockaddr_ip_get() against resolved addresses on the ->noproxies 
list looks to be leaky/unsafe, it will allocate memory out of pconf each 
time we check a resolved address!)

Regards, Joe

Mime
View raw message