You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by laurent Mazier <la...@esf.ericsson.se> on 2000/02/03 10:06:33 UTC

mod_access/5690: Access control based on an IP range

>Number:         5690
>Category:       mod_access
>Synopsis:       Access control based on an IP range
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Feb 03 01:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     laurent.mazier@esf.ericsson.se
>Release:        1.3.6
>Organization:
apache
>Environment:
Solaris 2.7, gcc 2.95.2
>Description:
Access controls based on IP/subnet mask/domain are not enough in some cases.

The following patch allows access control based on an IP range.

Syntax is :
allow|deny from xxx.xxx.xxx.xxx<yyy.yyy.yyy.yyy
>How-To-Repeat:

>Fix:
diff -u --recursive apache_1.3.6/src/modules/standard/mod_access.c apache_1.3.6.patch/src/modules/standard/mod_access.c
--- apache_1.3.6/src/modules/standard/mod_access.c	Fri Jan  1 20:05:06 1999
+++ apache_1.3.6.patch/src/modules/standard/mod_access.c	Fri Jul 23 13:49:22 1999
@@ -72,6 +72,7 @@
     T_ENV,
     T_ALL,
     T_IP,
+    T_RANGE,
     T_HOST,
     T_FAIL
 };
@@ -165,6 +166,21 @@
 	a->type = T_ALL;

     }
+    else if ((s = strchr(where, '<'))) {
+        a->type = T_RANGE;
+        *s++ = '\0';
+
+        if (!is_ip(where)
+            || (a->x.ip.net = ap_inet_addr(where)) == INADDR_NONE) {
+            a->type = T_FAIL;
+            return "syntax error in low IP range";
+        }
+        if (!is_ip(s)
+            || (a->x.ip.mask = ap_inet_addr(s)) == INADDR_NONE) {
+            a->type = T_FAIL;
+            return "syntax error in high IP range";
+        }
+    }
     else if ((s = strchr(where, '/'))) {
 	unsigned long mask;

@@ -312,6 +328,12 @@

 	case T_ALL:
 	    return 1;
+
+        case T_RANGE:
+            if ((r->connection->remote_addr.sin_addr.s_addr >= ap[i].x.ip.net)
+             && (r->connection->remote_addr.sin_addr.s_addr <= ap[i].x.ip.mask))
+                return 1;
+            break;

 	case T_IP:
 	    if (ap[i].x.ip.net != INADDR_NONE
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]