This patch fixes the problem I mentioned in my reply to Jeff - namely that
any host-based Deny directive should deny access when the double reverse lookup
fails.
I'm out of town this weekend, so I don't have a lot of time to test this.
Other eyes appreciated. (Feel free to commit.) -- justin
Index: mod_authz_host.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authz_host.c,v
retrieving revision 1.1
diff -u -r1.1 mod_authz_host.c
--- mod_authz_host.c 10 Sep 2002 00:15:39 -0000 1.1
+++ mod_authz_host.c 4 Oct 2002 04:37:07 -0000
@@ -240,7 +240,8 @@
}
}
-static int find_allowdeny(request_rec *r, apr_array_header_t *a, int
method)
+static int find_allowdeny(request_rec *r, apr_array_header_t *a, int
method,
+ int deny)
{
allowdeny *ap = (allowdeny *) a->elts;
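Review bot: The new `deny` parameter carries a security-relevant meaning (in the second hunk a failed or unverified double-reverse lookup counts as a match only while scanning the deny list), but nothing at the signature says so, and the body of `find_allowdeny` lies outside this hunk. Callers pass bare literals 0 and 1, so the parameter name is the only hint a future maintainer gets. A one-line comment above the definition would keep the fail-closed intent from being lost when the lists are next reworked, e.g. `/* deny != 0: scanning a Deny list, so a client whose double-reverse lookup fails is treated as matching (fail closed) */`.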
@@ -280,6 +281,12 @@
&remotehost_is_ip);
if ((remotehost == NULL) || remotehost_is_ip) {
+ if (deny) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "client denied due to reverse lookup
"
+ "failure: %s", r->filename);
+ return 1;
+ }
gothost = 1;
}
else {
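Review bot: The new denial branch logs at APLOG_ERR a condition the remote client controls: any peer with no PTR record, or whose forward and reverse records disagree, can now produce an ERR-level line on every request to a resource protected by a hostname Deny, which is a cheap way to flood the error log and bury real server errors. Since the outcome is an ordinary access denial, consider logging at whatever level the module's existing denial path uses (that code is outside this hunk; APLOG_INFO if it does not log at all), i.e. `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,`. The message also identifies only `r->filename`, so an admin cannot tell which client was refused; include the client address in the log line, and add `/* lookup failed or did not verify: fail closed for Deny directives */` above the `if (deny)` so the asymmetry with the allow path is deliberate on its face. The fail-closed choice itself is right, but it is a visible behaviour change for existing `Deny from <host>` configurations and deserves a CHANGES entry. The enclosing switch and the ap_get_remote_host call begin before this hunk.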
@@ -310,24 +317,24 @@
if (a->order[method] == ALLOW_THEN_DENY) {
ret = HTTP_FORBIDDEN;
- if (find_allowdeny(r, a->allows, method)) {
+ if (find_allowdeny(r, a->allows, method, 0)) {
ret = OK;
}
- if (find_allowdeny(r, a->denys, method)) {
+ if (find_allowdeny(r, a->denys, method, 1)) {
ret = HTTP_FORBIDDEN;
}
}
else if (a->order[method] == DENY_THEN_ALLOW) {
- if (find_allowdeny(r, a->denys, method)) {
+ if (find_allowdeny(r, a->denys, method, 1)) {
ret = HTTP_FORBIDDEN;
}
- if (find_allowdeny(r, a->allows, method)) {
+ if (find_allowdeny(r, a->allows, method, 0)) {
ret = OK;
}
}
else {
- if (find_allowdeny(r, a->allows, method)
- && !find_allowdeny(r, a->denys, method)) {
+ if (find_allowdeny(r, a->allows, method, 0)
+ && !find_allowdeny(r, a->denys, method, 1)) {
ret = OK;
}
else {