Validate IP addresses before passing to the firewall module.

Use the external Net::IP perl module to do a proper IPv4/IPv6 address or
network validation.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

diff --git a/modules/Base.pm b/modules/Base.pm
index 2f5e73773bc825d21c6000d54d33cd2daba5f130..96ea2562f8dc22f6f83229c290ced65633f42381 100644 (file)
--- a/modules/Base.pm
+++ b/modules/Base.pm
@@ -6,6 +6,8 @@ use Exporter qw(import);
 
 our @EXPORT_OK = qw(GenerateMonitoredFiles FilePositions);
 
+use Net::IP;
+
 #
 ## Function to generate a hash of monitored files and their file positions.
 #
@@ -116,6 +118,23 @@ sub FilePositions (\%\%) {
        return %new_file_positions;
 }
 
+#
+## Wrapper function for IP address and network validation.
+#
+## This wrapper function uses the external Net::IP perl module to
+## check if a given input is a valid IPv4/IPv6 address or network.
+#
+sub IsValidAddressOrNetwork ($) {
+       my $address = shift;
+
+       # Check if the address is a valid IPv4/IPv6 address or network.
+       # Return "undef" False if the address is not valid.
+       my $ip = new Net::IP ($address) || return undef;
+
+       # If we got here, the address is valid. Return True.
+       return 1;
+}
+
 #
 ## Function for fileposition initialization.
 #

diff --git a/modules/Events.pm b/modules/Events.pm
index 2f4b561a15d5bfd914620ddb8dcdcf63b015f868..b60a572b6a0431868d5ef3ff0676a05eab804427 100644 (file)
--- a/modules/Events.pm
+++ b/modules/Events.pm
@@ -77,8 +77,12 @@ sub CheckAction ($$) {
                 return;
         }
 
-       # XXX
        # Check if the given address is valid.
+       unless(&Guardian::Base::IsValidAddressOrNetwork($address)) {
+               # Log error message.
+               $logger->Log("err", "Invalid IP address: $address");
+               return;
+       }
 
        # Call required handler.
        my $error = $commands{$command}->($self, $address, $module, $message);