Re-check remote IP if trusted, fixes #168

The fix for #168 was not complete, as the last suggested change was never pulled. This fixes the problem that IP checks are done before $acptip is updated with the remote IP, by re-checking when set. Another possible fix would be to only check IP's after reading the headers, but imo it is best to deny access as soon as possible.
2026-05-04 22:30:33 +01:00 · 2018-11-12 18:12:09 +00:00
parent 9c736481d7
commit c084ebc0d4
1 changed files with 18 additions and 0 deletions
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1458,6 +1458,24 @@ if ($config{'trust_real_ip'}) {
 		# If a remote IP was given, use it for all access control checks
 		# from now on.
 		$acptip = $headerhost;
+		
+		# re-check remote address against access list
+		if (@deny && &ip_match($acptip, $localip, @deny) ||
+		    @allow && !&ip_match($acptip, $localip, @allow)) {
+			&http_error(403, "Access denied for ".&html_strip($acptip));
+			return 0;
+			}
+		
+		if ($use_libwrap) {
+			# Check address with TCP-wrappers
+			if (!hosts_ctl($config{'pam'}, STRING_UNKNOWN,
+				       $acptip, STRING_UNKNOWN)) {
+				&http_error(403, "Access denied for ".&html_strip($acptip).
+						 " by TCP wrappers");
+				return 0;
+				}
+			}
+		print DEBUG "handle_request: passed Remote IP checks\n";
 		}
 	$loghost = $acpthost;
 	}