Posted to dev@httpd.apache.org by Justin Erenkrantz <je...@apache.org> on 2002/10/04 06:49:23 UTC
[PATCH] Deny when reverse lookup fails
This patch fixes the problem I mentioned in my reply to Jeff - namely that
any deny host directive should deny access when a double reverse lookup
fails.
I'm out of town this weekend, so I don't have a lot of time to test this.
Other eyes appreciated. (Feel free to commit.) -- justin
Index: mod_authz_host.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authz_host.c,v
retrieving revision 1.1
diff -u -r1.1 mod_authz_host.c
--- mod_authz_host.c 10 Sep 2002 00:15:39 -0000 1.1
+++ mod_authz_host.c 4 Oct 2002 04:37:07 -0000
@@ -240,7 +240,8 @@
}
}
-static int find_allowdeny(request_rec *r, apr_array_header_t *a, int
method)
+static int find_allowdeny(request_rec *r, apr_array_header_t *a, int
method,
+ int deny)
{
allowdeny *ap = (allowdeny *) a->elts;
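Review bot: the new `deny` parameter on `find_allowdeny` is undocumented; a one-line comment on the definition saying that a non-zero value marks `a` as a Deny list, and that a client whose double reverse lookup fails is then treated as matching every hostname entry in it, would save readers tracing the call sites. Since every caller passes a literal 0 or 1, named constants (or an enum) would make those calls self-explaining.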
@@ -280,6 +281,12 @@
&remotehost_is_ip);
if ((remotehost == NULL) || remotehost_is_ip) {
+ if (deny) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "client denied due to reverse lookup
"
+ "failure: %s", r->filename);
+ return 1;
+ }
gothost = 1;
}
else {
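Review bot: the log message reports `r->filename` but not who was denied; the client address (`r->connection->remote_ip` in the 2.0 conn_rec) is what an operator needs to correlate this entry with the access log, so consider logging both. APLOG_ERR is also severe for an expected per-request policy decision: clients without reverse mappings are common, so every such request to an area protected by `Deny from <hostname>` would write an error-level entry, which is a log-flooding concern; APLOG_INFO or APLOG_DEBUG would fit better. Note too that the branch returns 1 before the remaining entries are examined, which is the intended fail-closed semantic but is the behaviour change questioned later in the thread; the configuration option floated there would let it be opt-in.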
@@ -310,24 +317,24 @@
if (a->order[method] == ALLOW_THEN_DENY) {
ret = HTTP_FORBIDDEN;
- if (find_allowdeny(r, a->allows, method)) {
+ if (find_allowdeny(r, a->allows, method, 0)) {
ret = OK;
}
- if (find_allowdeny(r, a->denys, method)) {
+ if (find_allowdeny(r, a->denys, method, 1)) {
ret = HTTP_FORBIDDEN;
}
}
else if (a->order[method] == DENY_THEN_ALLOW) {
- if (find_allowdeny(r, a->denys, method)) {
+ if (find_allowdeny(r, a->denys, method, 1)) {
ret = HTTP_FORBIDDEN;
}
- if (find_allowdeny(r, a->allows, method)) {
+ if (find_allowdeny(r, a->allows, method, 0)) {
ret = OK;
}
}
else {
- if (find_allowdeny(r, a->allows, method)
- && !find_allowdeny(r, a->denys, method)) {
+ if (find_allowdeny(r, a->allows, method, 0)
+ && !find_allowdeny(r, a->denys, method, 1)) {
ret = OK;
}
else {
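Review bot: the three Order branches now hard-code 0 and 1 for the Allow and Deny lists; naming those values would keep the call sites readable. More importantly, this changes the documented meaning of `Deny from <hostname>` (a client with no usable reverse mapping now matches every hostname Deny entry in all three orderings), so the mod_authz_host documentation for Allow/Deny should be updated in the same commit and the change noted in the changelog.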
Re: [PATCH] Deny when reverse lookup fails
Posted by Justin Erenkrantz <je...@apache.org>.
--On Friday, October 4, 2002 10:13 AM -0400 Joshua Slive <jo...@slive.ca> wrote:
> If I understand you correctly, that would be a major change to current
> behavior. I believe that people expect a configuration like
>
> deny from .badguy.com
>
> to allow access from unknown IP addresses (IP addresses that have no
> reverse lookup). Obviously, this is not at all secure, but that is how
> it has always been, and it is the way I would expect it to work.
Yes and no. If I control badguy.com and know that you're denying me based
on that, I could remove the reverse mapping from my domain and then I can
get in. So, yes, host-based denial is insecure and has almost no hope of
true success.
Perhaps we could create a config option that allows for double reverse
failures on denials to proceed. But, I think it is worth it to reevaluate
what we're doing now... -- justin
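To make the trade-off under discussion concrete, here is an added Python model of the Order/Allow/Deny evaluation with a double reverse lookup over constructed DNS records. It is not httpd code, and the addresses, hostnames and records are made up. `compare_policies` evaluates `Order deny,allow` with `Deny from .badguy.com` once with the pre-patch semantics (an unresolvable client simply skips hostname rules) and once with the patch's fail-closed rule (an unresolvable client matches the Deny list).

```python
"""
Constructed model of httpd 2.0's Order / Allow / Deny evaluation, added to
illustrate the fail-open versus fail-closed choice argued in this thread.
Not httpd code; the addresses, names and DNS records below are made up.
"""
import ipaddress

# Constructed DNS data. PTR: reverse records, A: forward records.
PTR = {
    "192.0.2.10": "evil.badguy.com",      # consistent: A record points back here
    "192.0.2.12": "good.example.org",     # PTR names a host whose A record disagrees
    "198.51.100.5": "good.example.org",   # consistent
    # 192.0.2.11 deliberately has no PTR record
}
A = {
    "evil.badguy.com": ["192.0.2.10"],
    "good.example.org": ["198.51.100.5"],
}


def double_reverse_lookup(ip):
    """Apache's REMOTE_DOUBLE_REV idea: accept PTR(ip) -> name only if
    A(name) contains ip. Return None when either lookup fails or disagrees."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return None
    return name


def rule_matches(rule, ip, hostname):
    """rule is ("ip", network) or ("host", domain). Returns True/False, or
    None when a host rule cannot be evaluated because no hostname is known."""
    kind, value = rule
    if kind == "ip":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value)
    if hostname is None:
        return None
    if value.startswith("."):           # "deny from .badguy.com": any host under it
        return hostname.endswith(value)
    return hostname == value or hostname.endswith("." + value)


def list_matches(rules, ip, hostname, unresolvable_matches):
    """True if any rule matches. A host rule that cannot be evaluated counts
    as a match only when unresolvable_matches is set (the patch's rule for
    Deny lists); otherwise it is skipped (the pre-patch behaviour)."""
    for rule in rules:
        m = rule_matches(rule, ip, hostname)
        if m is None:
            if unresolvable_matches:
                return True
            continue
        if m:
            return True
    return False


def check_access(order, allows, denys, ip, deny_on_lookup_failure):
    """Mirror check_dir_access: the default result depends on Order."""
    hostname = double_reverse_lookup(ip)
    allowed = list_matches(allows, ip, hostname, False)
    denied = list_matches(denys, ip, hostname, deny_on_lookup_failure)
    if order == "allow,deny":
        ret = "OK" if allowed else "FORBIDDEN"
        if denied:
            ret = "FORBIDDEN"
    elif order == "deny,allow":
        ret = "FORBIDDEN" if denied else "OK"
        if allowed:
            ret = "OK"
    elif order == "mutual-failure":
        ret = "OK" if allowed and not denied else "FORBIDDEN"
    else:
        raise ValueError(order)
    return ret


def compare_policies(ip):
    """'Order deny,allow / Deny from .badguy.com' for one client, as httpd
    behaved before the patch and with its fail-closed rule."""
    denys = [("host", ".badguy.com")]
    return (check_access("deny,allow", [], denys, ip, False),
            check_access("deny,allow", [], denys, ip, True))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "192.0.2.11", "192.0.2.12"):
        before, after = compare_policies(ip)
        print(f"{ip:14} host={str(double_reverse_lookup(ip)):18} "
              f"pre-patch={before:9} fail-closed={after}")
```

Only the two clients whose double reverse lookup yields nothing (no PTR record, or a PTR record the forward zone does not confirm) change outcome between the two policies; resolvable clients are treated identically, which is the point both sides of the thread agree on.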
Re: [PATCH] Deny when reverse lookup fails
Posted by Joshua Slive <jo...@slive.ca>.
Justin Erenkrantz wrote:
> This patch fixes the problem I mentioned in my reply to Jeff - namely
> that any deny host directive should deny access when a double reverse
> lookup fails.
If I understand you correctly, that would be a major change to current
behavior. I believe that people expect a configuration like
deny from .badguy.com
to allow access from unknown IP addresses (IP addresses that have no
reverse lookup). Obviously, this is not at all secure, but that is how
it has always been, and it is the way I would expect it to work.
Joshua.