Backport of acl check to 4.1.x 9283/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 30 Jun 2020 11:46:54 +0000 (13:46 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 30 Jun 2020 11:46:54 +0000 (13:46 +0200)
pdns/sstuff.hh
pdns/webserver.cc
pdns/webserver.hh
pdns/ws-recursor.cc
pdns/ws-recursor.hh

index 707b1ad12b2b23da3ebe03a482e4dab49ff8de1c..5ae66854ee74a48c6fb3e1d9981bb1bf4849b98c 100644 (file)
@@ -111,7 +111,7 @@ public:
   }
 
   //! Check remote address against netmaskgroup ng
-  bool acl(NetmaskGroup &ng)
+  bool acl(const NetmaskGroup &ng)
   {
     ComboAddress remote;
     if (getRemote(remote))
index f1a95f4e219e564c3d1dcfe7b22fa8e67e5ee9ea..5a7054bd7f0ddf0dcf36426eab51cdf86283f267 100644 (file)
@@ -344,16 +344,13 @@ void WebServer::go()
   if(!d_server)
     return;
   try {
-    NetmaskGroup acl;
-    acl.toMasks(::arg()["webserver-allow-from"]);
-
     while(true) {
       try {
         auto client = d_server->accept();
         if (!client) {
           continue;
         }
-        if (client->acl(acl)) {
+        if (client->acl(d_acl)) {
           std::thread webHandler(WebServerConnectionThreadStart, this, client);
           webHandler.detach();
         } else {
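Review bot: WebServer::go now takes the allow-list from d_acl, which is only filled by setACL(), and the only setACL() caller in this commit is RecursorWebServer in ws-recursor.cc; no other webserver setup file is in the diffstat. Any other WebServer user that still relied on go() parsing `webserver-allow-from` itself now matches every connection against a default-constructed NetmaskGroup, and whether that rejects everything or admits everything depends on NetmaskGroup::match's handling of an empty group, which is not visible here — confirm it fails closed. The loop also reads d_acl with no synchronisation visible, so the ordering contract deserves a comment above the `while(true)`, e.g. `// d_acl is filled by setACL(); it must be called before go(), as this loop reads it unlocked.` The `else` branch at the end of the hunk continues outside it, so I cannot tell whether rejected connections are logged there.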
index b3ede8925ea67a863be5eaafa940bd0d81888dab..2de84fd2581cea557a840b9c58c7b757a1d9ecb1 100644 (file)
@@ -139,6 +139,11 @@ class WebServer : public boost::noncopyable
 public:
   WebServer(const string &listenaddress, int port);
   virtual ~WebServer() { };
+
+  void setACL(const NetmaskGroup &nmg) {
+    d_acl = nmg;
+  }
+
   void bind();
   void go();
 
@@ -160,6 +165,8 @@ protected:
   int d_port;
   string d_password;
   std::shared_ptr<Server> d_server;
+
+  NetmaskGroup d_acl;
 };
 
 #endif /* WEBSERVER_HH */
index 0f71ee4f0b33c2f7b379a7302d320a38d19bf9f2..2393d754b91fbc26f45b7de58afa15086729b2eb 100644 (file)
@@ -450,6 +450,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
   registerAllStats();
 
   d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
+
+  NetmaskGroup acl;
+  acl.toMasks(::arg()["webserver-allow-from"]);
+  d_ws->setACL(acl);
+
   d_ws->bind();
 
   // legacy dispatch
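Review bot: Parsing `webserver-allow-from` now happens in the RecursorWebServer constructor instead of inside the `try` in WebServer::go, so a malformed entry — assuming toMasks() throws on one, which this diff does not show — surfaces at startup rather than in the accept path. That is the better failure mode for an ACL (a bad allow-list should stop the service, not be handled by whatever the old catch did), but it is a behaviour change the commit message does not mention and the constructor's caller must be prepared for the exception. A one-line comment would make the intent explicit: `// Parse the ACL up front so a malformed webserver-allow-from fails at startup rather than in the accept path.`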
@@ -610,6 +615,10 @@ void AsyncServer::newConnection()
 // This is an entry point from FDM, so it needs to catch everything.
 void AsyncWebServer::serveConnection(std::shared_ptr<Socket> client) const
 try {
+  if (!client->acl(d_acl)) {
+    return;
+  }
+
   HttpRequest req;
   YaHTTP::AsyncRequestLoader yarl;
   yarl.initialize(&req);
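Review bot: A connection rejected by the new ACL check at the top of serveConnection is dropped silently — no log line at all — so an operator gets no trace of who was reaching the recursor's webserver from outside the allow-list, and it diverges from WebServer::go, where rejection goes to a separate `else` branch (its body is outside this diff, so I cannot confirm that one logs either). Because acl() resolves the remote address internally, a log needs it again, e.g. `ComboAddress remote; if (client->getRemote(remote)) { /* log: webserver connection from <remote> rejected by webserver-allow-from */ }` before the `return;`, using the recursor's logger at a level that tolerates scanner noise. The early return relies on the shared_ptr<Socket> going out of scope to close the accepted socket, which looks right but is not shown; serveConnection continues past the hunk.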
index 9df3a81c7e260e97495fdd8312edc28fac1ec3df..13a3707a75bd529b23ee535199e18ebbc1491775 100644 (file)
@@ -32,7 +32,10 @@ class HttpResponse;
 
 class AsyncServer : public Server {
 public:
-  AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { };
+  AsyncServer(const string &localaddress, int port) : Server(localaddress, port)
+  {
+    d_server_socket.setNonBlocking();
+  };
 
   friend void AsyncServerNewConnectionMT(void *p);
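Review bot: The new `d_server_socket.setNonBlocking()` in the AsyncServer constructor is a behaviour change the commit message ("Backport of acl check") does not cover, and it matters for the accept path: on a non-blocking listening socket, accept() can return with no client on a readiness wakeup that carries no pending connection. WebServer::go already tolerates a null result (`if (!client) continue;`), but AsyncServer::newConnection, which presumably drives accept() from the FD multiplexer, starts outside this diff, so I cannot confirm it does. Suggest a why-comment on the call, e.g. `// accept() is driven from the FD multiplexer; keep the listening socket non-blocking so a spurious readiness wakeup cannot stall the event loop` — adjust if the actual motivation differs. The trailing `;` after the constructor body (`};`) is a pre-existing stray empty declaration that could be dropped while the line is being rewritten.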