DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=36987>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=36987

           Summary: mod_proxy: ProxyBlock is not checked for all IP addresses found in the DNS
           Product: Apache httpd-2.0
           Version: 2.0.54
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

Sites listed in the ProxyBlock list should be blocked based on all IP addresses found in the DNS. Now they are blocked only based on the first IP address found in the DNS. For example, site:

Name:      x.com
Addresses: 64.4.241.33, 216.113.188.33, 216.113.188.64, 64.4.241.16

should be blocked if an attempt is made to access it with any one of the above IPs. Currently, it is only blocked with 64.4.241.33.

The problem is easy to see in the code in function proxy_util.c:ap_proxy_checkproxyblock():

--------------------BEGIN CODE-------------------
968:    while (conf_addr) {
969:        while (uri_addr) {
970:            char *conf_ip;
971:            char *uri_ip;
972:            apr_sockaddr_ip_get(&conf_ip, conf_addr);
973:            apr_sockaddr_ip_get(&uri_ip, uri_addr);
974:            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
975:                         "proxy: ProxyBlock comparing %s and %s", conf_ip, uri_ip);
976:            if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
977:                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
978:                             "proxy: connect to remote machine %s blocked: IP %s matched", uri_addr->hostname, conf_ip);
979:                return HTTP_FORBIDDEN;
980:            }
981:            uri_addr = uri_addr->next;
982:        }
983:        conf_addr = conf_addr->next;
984:    }
--------------------END CODE-------------------

The inner loop is exited when uri_addr == NULL. However, uri_addr is not reset after the loop is exited for the first time, so it is not entered again on the next runs of the outer loop.

The following patch will solve the problem:

--------------------BEGIN PATCH-------------------
--- proxy_util_ORIG.c	Mon Aug 22 12:22:53 2005
+++ proxy_util.c	Mon Oct 10 14:18:12 2005
@@ -966,6 +966,7 @@ return HTTP_FORBIDDEN; } while (conf_addr) { + uri_addr = src_uri_addr; while (uri_addr) { char *conf_ip; char *uri_ip;
--------------------END PATCH-------------------

To demonstrate the error behaviour, here's a clip of error.log when ProxyBlock has been set to "x.com" and someone tries to access it with IP address 216.113.188.64:

-----------BEGIN ORIGINAL ERROR.LOG------------
[Mon Oct 10 13:46:14 2005] [debug] proxy_util.c(975): proxy: checking remote machine [216.113.188.64] against [x.com]
[Mon Oct 10 13:46:14 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 64.4.241.33 and 216.113.188.64
-----------END ORIGINAL ERROR.LOG--------------

And here's how it looks after the patch has been applied:

-----------BEGIN PATCHED ERROR.LOG------------
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(975): proxy: checking remote machine [216.113.188.64] against [x.com]
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 64.4.241.33 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 216.113.188.33 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 216.113.188.64 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [warn] proxy: connect to remote machine 216.113.188.64 blocked: IP 216.113.188.64 matched
-----------END PATCHED ERROR.LOG--------------

--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
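Review bot: the added line `uri_addr = src_uri_addr;` refers to `src_uri_addr`, which does not appear anywhere in the hunk's context; unless the function already declares it and saves the original head of the `uri_addr` chain before the outer `while (conf_addr)` loop, the patch needs a second hunk adding something like `apr_sockaddr_t *src_uri_addr = uri_addr;` at the top of the function, or it will not compile. With that in place the reset is the right fix: it restarts the inner walk from the first resolved address of the request for every ProxyBlock address, which is exactly what the original code stops doing once the first inner loop has run `uri_addr` to NULL, and the patched error.log above shows all four addresses being compared as a result.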
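An added stand-alone C example (not code from the bug report or from httpd) that models the two nested address walks of ap_proxy_checkproxyblock() with a constructed linked list in place of apr_sockaddr_t, and shows why the reporter's request to 216.113.188.64 passes the original loop but is caught once the inner pointer is reset; addr_t, check_block_buggy, check_block_fixed and the sample chains are names and data invented for this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the apr_sockaddr_t chain: one node per resolved IP. */
typedef struct addr {
    const char *ip;
    const struct addr *next;
} addr_t;

/* Original loop shape: the first inner loop walks uri_addr to NULL and nothing
 * resets it, so every later conf_addr node is compared against an empty chain. */
int check_block_buggy(const addr_t *conf_addr, const addr_t *uri_addr) {
    while (conf_addr) {
        while (uri_addr) {
            if (strcmp(conf_addr->ip, uri_addr->ip) == 0)
                return 1;          /* blocked (HTTP_FORBIDDEN in httpd) */
            uri_addr = uri_addr->next;
        }
        conf_addr = conf_addr->next;
    }
    return 0;                      /* request allowed through */
}
/* Patched loop shape: restart the inner walk from the saved head for each conf_addr. */
int check_block_fixed(const addr_t *conf_addr, const addr_t *src_uri_addr) {
    while (conf_addr) {
        const addr_t *uri_addr = src_uri_addr;
        while (uri_addr) {
            if (strcmp(conf_addr->ip, uri_addr->ip) == 0)
                return 1;
            uri_addr = uri_addr->next;
        }
        conf_addr = conf_addr->next;
    }
    return 0;
}
/* Constructed from the report: ProxyBlock "x.com" resolves to four addresses,
 * and the request targets one IP directly, so its chain has a single node. */
static const addr_t xcom4 = { "64.4.241.16",    NULL   };
static const addr_t xcom3 = { "216.113.188.64", &xcom4 };
static const addr_t xcom2 = { "216.113.188.33", &xcom3 };
static const addr_t xcom1 = { "64.4.241.33",    &xcom2 };
static const addr_t req_third = { "216.113.188.64", NULL };
static const addr_t req_first = { "64.4.241.33",    NULL };
int buggy_blocks_third_ip(void) { return check_block_buggy(&xcom1, &req_third); } /* 0: slips through */
int buggy_blocks_first_ip(void) { return check_block_buggy(&xcom1, &req_first); } /* 1 */
int fixed_blocks_third_ip(void) { return check_block_fixed(&xcom1, &req_third); } /* 1 */
int main(void) {
    printf("buggy: third=%d first=%d, fixed: third=%d\n", buggy_blocks_third_ip(),
           buggy_blocks_first_ip(), fixed_blocks_third_ip());
    return 0;
}
```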
