Posted to apache-bugdb@apache.org by laurent Mazier <la...@esf.ericsson.se> on 2000/02/03 10:06:33 UTC
mod_access/5690: Access control based on an IP range
>Number: 5690
>Category: mod_access
>Synopsis: Access control based on an IP range
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Thu Feb 03 01:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: laurent.mazier@esf.ericsson.se
>Release: 1.3.6
>Organization:
apache
>Environment:
Solaris 2.7, gcc 2.95.2
>Description:
Access controls based on IP/subnet mask/domain are not enough in some cases.
The following patch allows access control based on an IP range.
Syntax is:
allow|deny from xxx.xxx.xxx.xxx<yyy.yyy.yyy.yyy
>How-To-Repeat:
>Fix:
diff -u --recursive apache_1.3.6/src/modules/standard/mod_access.c apache_1.3.6.patch/src/modules/standard/mod_access.c
--- apache_1.3.6/src/modules/standard/mod_access.c Fri Jan 1 20:05:06 1999
+++ apache_1.3.6.patch/src/modules/standard/mod_access.c Fri Jul 23 13:49:22 1999
@@ -72,6 +72,7 @@
T_ENV,
T_ALL,
T_IP,
+ T_RANGE,
T_HOST,
T_FAIL
};
@@ -165,6 +166,21 @@
a->type = T_ALL;
}
+ else if ((s = strchr(where, '<'))) {
+ a->type = T_RANGE;
+ *s++ = '\0';
+
+ if (!is_ip(where)
+ || (a->x.ip.net = ap_inet_addr(where)) == INADDR_NONE) {
+ a->type = T_FAIL;
+ return "syntax error in low IP range";
+ }
+ if (!is_ip(s)
+ || (a->x.ip.mask = ap_inet_addr(s)) == INADDR_NONE) {
+ a->type = T_FAIL;
+ return "syntax error in high IP range";
+ }
+ }
else if ((s = strchr(where, '/'))) {
unsigned long mask;
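Review bot: The T_RANGE branch never checks that the low address is not above the high one, so a reversed range parses cleanly and then matches no client; for a deny rule that means the rule silently blocks nothing. After both ap_inet_addr() calls succeed, compare the two bounds in host byte order and return a syntax error when the low bound exceeds the high bound. Two smaller points in the same branch: the upper bound is stored in a->x.ip.mask, which is not a mask here and deserves a comment or its own field, and because INADDR_NONE is used as the failure value, 255.255.255.255 can never be given as the upper bound.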
@@ -312,6 +328,12 @@
case T_ALL:
return 1;
+
+ case T_RANGE:
+ if ((r->connection->remote_addr.sin_addr.s_addr >= ap[i].x.ip.net)
+ && (r->connection->remote_addr.sin_addr.s_addr <= ap[i].x.ip.mask))
+ return 1;
+ break;
case T_IP:
if (ap[i].x.ip.net != INADDR_NONE
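Review bot: The T_RANGE case orders sin_addr.s_addr with >= and <=, but s_addr and the values returned by ap_inet_addr() are in network byte order, so on a little-endian host the comparison weighs the last octet most heavily and the rule matches a different set of addresses than the range written in the configuration. An ordered comparison needs ntohl() applied to the remote address and to both bounds, or the bounds converted once at parse time and only the remote address converted here. As written, the check behaves as intended only where host and network byte order coincide, and elsewhere an allow rule can admit clients outside the range.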
>Release-Note:
>Audit-Trail:
>Unformatted: