From: Otto Moerbeek
Date: Tue, 30 Jun 2020 11:46:54 +0000 (+0200)
Subject: Backport of acl check to 4.1.x
X-Git-Tag: rec-4.1.17^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F9283%2Fhead;p=thirdparty%2Fpdns.git

Backport of acl check to 4.1.x
---
diff --git a/pdns/sstuff.hh b/pdns/sstuff.hh
index 707b1ad12b..5ae66854ee 100644
--- a/pdns/sstuff.hh
+++ b/pdns/sstuff.hh
@@ -111,7 +111,7 @@ public:
 }
 
 //! Check remote address against netmaskgroup ng
- bool acl(NetmaskGroup &ng)
+ bool acl(const NetmaskGroup &ng)
 {
 ComboAddress remote;
 if (getRemote(remote))
diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index f1a95f4e21..5a7054bd7f 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -344,16 +344,13 @@ void WebServer::go()
 if(!d_server)
 return;
 try {
- NetmaskGroup acl;
- acl.toMasks(::arg()["webserver-allow-from"]);
-
 while(true) {
 try {
 auto client = d_server->accept();
 if (!client) {
 continue;
 }
- if (client->acl(acl)) {
+ if (client->acl(d_acl)) {
 std::thread webHandler(WebServerConnectionThreadStart, this, client);
 webHandler.detach();
 } else {
diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index b3ede8925e..2de84fd258 100644
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -139,6 +139,11 @@ class WebServer : public boost::noncopyable
 public:
 WebServer(const string &listenaddress, int port);
 virtual ~WebServer() { };
+
+ void setACL(const NetmaskGroup &nmg) {
+ d_acl = nmg;
+ }
+
 void bind();
 void go();
@@ -160,6 +165,8 @@ protected:
 int d_port;
 string d_password;
 std::shared_ptr d_server;
+
+ NetmaskGroup d_acl;
 };
 #endif /* WEBSERVER_HH */
diff --git a/pdns/ws-recursor.cc b/pdns/ws-recursor.cc
index 0f71ee4f0b..2393d754b9 100644
--- a/pdns/ws-recursor.cc
+++ b/pdns/ws-recursor.cc
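Review bot: The accept loop now checks `client->acl(d_acl)`, and `d_acl` is only ever filled by `setACL()`, so any code that constructs a `WebServer` and calls `go()` without being updated alongside this commit runs against a default-constructed `NetmaskGroup` (the member declared in the webserver.hh hunk has no initializer); the only `setACL()` caller in this diff is the recursor constructor in ws-recursor.cc. If an empty group matches no address, that fails closed and every connection is refused, which is the safe direction but a silent regression for any other owner of a `WebServer`; I cannot see those construction sites from this diff, so this needs confirming against `NetmaskGroup::match` and the remaining callers. I'd record the assumption next to the check: `// d_acl must be installed via setACL() before go(); an empty group is expected to deny every peer`. `WebServer::go()` starts before this hunk and its `else` branch continues past it.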
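Review bot: `setACL()` assigns `d_acl` with no synchronization while `go()` (webserver.cc in this commit) reads it from the accept loop and `serveConnection()` (ws-recursor.cc) reads it from the FD-multiplexer path, so it is only safe to call before the server starts serving; the one caller in this diff does call it before `bind()`, but nothing in the header says so. I'd document the precondition on the method: `// Must be called before bind()/go(): d_acl is read unsynchronized by the accept and connection paths.` If a runtime reload of `webserver-allow-from` is ever wanted, plain assignment here would become a data race and the member would need a lock or an atomically swapped pointer instead. The second hunk in this file declares the member without a comment; a one-liner there, `// peer ACL for the webserver; empty until setACL() is called`, would help the next reader.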
@@ -450,6 +450,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
 registerAllStats();
 d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
+
+ NetmaskGroup acl;
+ acl.toMasks(::arg()["webserver-allow-from"]);
+ d_ws->setACL(acl);
+
 d_ws->bind();
 // legacy dispatch
@@ -610,6 +615,10 @@ void AsyncServer::newConnection()
 // This is an entry point from FDM, so it needs to catch everything.
 void AsyncWebServer::serveConnection(std::shared_ptr client) const
 try {
+ if (!client->acl(d_acl)) {
+ return;
+ }
+
 HttpRequest req;
 YaHTTP::AsyncRequestLoader yarl;
 yarl.initialize(&req);
diff --git a/pdns/ws-recursor.hh b/pdns/ws-recursor.hh
index 9df3a81c7e..13a3707a75 100644
--- a/pdns/ws-recursor.hh
+++ b/pdns/ws-recursor.hh
@@ -32,7 +32,10 @@ class HttpResponse;
 class AsyncServer : public Server {
 public:
- AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { };
+ AsyncServer(const string &localaddress, int port) : Server(localaddress, port)
+ {
+ d_server_socket.setNonBlocking();
+ };
 friend void AsyncServerNewConnectionMT(void *p);
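Review bot: A peer rejected by `client->acl(d_acl)` at the top of `serveConnection()` is dropped without any log line, so an operator gets no signal that something is reaching the API port from outside `webserver-allow-from` or that the setting itself is misconfigured; the denied `else` branch of `WebServer::go()` in webserver.cc (outside its hunk) should be checked for what it logs so both paths behave alike. Before the `return;` I'd obtain the peer with `client->getRemote(...)` (the `getRemote(ComboAddress&)` call visible in the sstuff.hh hunk) and emit one line at the level the surrounding code uses for operational warnings, along the lines of `"Webserver/API connection from <peer> denied by ACL"`, keeping it at a non-error level or rate-limited so that a burst of denied connections cannot fill the log on its own. Whether `acl()` returns false when the peer address cannot be read is decided in the part of sstuff.hh outside the diff and is worth confirming, since this check must fail closed. The `serveConnection` function-try-block continues past the hunk; the early return leaves the `client` handle to be released by its shared_ptr when the frame exits, which presumably closes the socket.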