On Tue, Jul 24, 2012 at 10:46:12AM +0200, Rainer Jung wrote:
> IMHO if the admin explicitly configured an IP in the ProxyBlock
> list we should nevertheless check. For this case there's already a
> somewhat related warning in the docs which we could enhance for this
> new case.
> 
> It looks like we could check whether we have an explicit IP during
> set_proxy_exclude() by comparing new->name and apr_sockaddr_ip_get()
> of new->addr and later do the IP lookup for the target host only for
> those rules where we had an explicit IP.
> 
> Not sure whether apr_sockaddr_ip_get() applied to the result of
> apr_sockaddr_info_get() applied to an IP gives back the same IP,
> e.g. when there's IPv4 and v6 involved.

Right, with a v6 address there can be multiple representations of the 
same address so that wouldn't be reliable. 

This seems to pile caveat on top of caveat; is it really necessary? 
ProxyBlock is not even documented to take literal IP addresses, but 
rather "*|word|host|domain".  Adding a special case for a literal IP 
will add significant complexity here; is it useful?  If there is a 
forward proxy configured why can't that proxy block the IP address?

(But reading that code again, you also lead me to another bug; the use 
of apr_sockaddr_ip_get() against resolved addresses on the ->noproxies 
list looks to be leaky/unsafe, it will allocate memory out of pconf each 
time we check a resolved address!)

Regards, Joe
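
The point above about one v6 address having several textual forms, shown as an added example (not part of the original email and not httpd code). It uses POSIX `inet_pton()` rather than APR; the function names and the choice to treat an IPv4 address and its IPv4-mapped IPv6 form as equal are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Parse an IPv4 or IPv6 literal into a 16-byte key. IPv4 is stored in
 * IPv4-mapped form (::ffff:a.b.c.d), a choice made for this example.
 * Returns 1 for an IP literal, 0 for anything else (e.g. a hostname). */
static int ip_literal_key(const char *s, unsigned char key[16])
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, s, &v4) == 1) {
        memset(key, 0, 10);
        key[10] = key[11] = 0xff;
        memcpy(key + 12, &v4, 4);
        return 1;
    }
    if (inet_pton(AF_INET6, s, &v6) == 1) {
        memcpy(key, v6.s6_addr, 16);
        return 1;
    }
    return 0;
}

/* Textual comparison: unreliable, one address has many spellings. */
int same_ip_text(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* Binary comparison: both sides must be IP literals and parse equal. */
int same_ip_binary(const char *a, const char *b)
{
    unsigned char ka[16], kb[16];
    if (!ip_literal_key(a, ka) || !ip_literal_key(b, kb))
        return 0;
    return memcmp(ka, kb, sizeof ka) == 0;
}

int main(void)
{
    /* Constructed sample addresses from the documentation ranges. */
    const char *a = "2001:db8::1", *b = "2001:0db8:0:0:0:0:0:1";
    printf("text=%d binary=%d\n", same_ip_text(a, b), same_ip_binary(a, b));
    printf("v4 vs mapped=%d\n", same_ip_binary("192.0.2.10", "::ffff:192.0.2.10"));
    return 0;
}
```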
