diff options
| author | Remi Collet <remi@php.net> | 2014-11-17 09:22:13 +0100 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2014-11-17 09:22:13 +0100 |
| commit | 3a8103ae4738824ebb27a9a739e253740580ed36 (patch) | |
| tree | 57b2f8a06496e9dec1e3dba3dfbd484033ccd32f | |
| parent | 4475cbdc8577ec704bf7d6a6c753e5e4066fec19 (diff) | |
| download | php-git-3a8103ae4738824ebb27a9a739e253740580ed36.tar.gz | |
Fixed bug #68428 allowed_client is IPv4 only
| -rw-r--r-- | sapi/fpm/fpm/fastcgi.c | 72 |
1 files changed, 50 insertions, 22 deletions
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c index d1db0ec293..36e37b79d3 100644 --- a/sapi/fpm/fpm/fastcgi.c +++ b/sapi/fpm/fpm/fastcgi.c @@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars; static int is_initialized = 0; static int in_shutdown = 0; -static in_addr_t *allowed_clients = NULL; +static sa_t *allowed_clients = NULL; static sa_t client_sa; @@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip) *end = 0; end++; } - allowed_clients[n] = inet_addr(cur); - if (allowed_clients[n] == INADDR_NONE) { + if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) { + allowed_clients[n].sa.sa_family = AF_INET; + n++; + } else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) { + allowed_clients[n].sa.sa_family = AF_INET6; + n++; + } else { zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur); } - n++; cur = end; } - allowed_clients[n] = INADDR_NONE; + allowed_clients[n].sa.sa_family = 0; free(ip); } } @@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy) } } +static int fcgi_is_allowed() { + int i; + + if (client_sa.sa.sa_family == AF_UNIX) { + return 1; + } + if (!allowed_clients) { + return 1; + } + if (client_sa.sa.sa_family == AF_INET) { + for (i=0 ; allowed_clients[i].sa.sa_family ; i++) { + if (allowed_clients[i].sa.sa_family == AF_INET + && !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) { + return 1; + } + } + } + if (client_sa.sa.sa_family == AF_INET6) { + for (i=0 ; allowed_clients[i].sa.sa_family ; i++) { + if (allowed_clients[i].sa.sa_family == AF_INET6 + && !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) { + return 1; + } +#ifdef IN6_IS_ADDR_V4MAPPED + if (allowed_clients[i].sa.sa_family == AF_INET + && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr) + && !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) { + return 1; + } +#endif + } + } + + zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip()); + return 0; +} + int fcgi_accept_request(fcgi_request *req) { #ifdef _WIN32 @@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req) FCGI_UNLOCK(req->listen_socket); client_sa = sa; - if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) { - int n = 0; - int allowed = 0; - - while (allowed_clients[n] != INADDR_NONE) { - if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) { - allowed = 1; - break; - } - n++; - } - if (!allowed) { - zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr)); - closesocket(req->fd); - req->fd = -1; - continue; - } + if (req->fd >= 0 && !fcgi_is_allowed()) { + closesocket(req->fd); + req->fd = -1; + continue; } } |