From e81271189216dbf2850c6d4461dfc3f37c731ac8 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Tue, 30 Jun 2020 13:46:54 +0200
Subject: [PATCH] Backport of acl check to 4.1.x

---
 pdns/sstuff.hh | 2 +-
 pdns/webserver.cc | 5 +----
 pdns/webserver.hh | 7 +++++++
 pdns/ws-recursor.cc | 9 +++++++++
 pdns/ws-recursor.hh | 5 ++++-
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/pdns/sstuff.hh b/pdns/sstuff.hh
index 707b1ad12b..5ae66854ee 100644
--- a/pdns/sstuff.hh
+++ b/pdns/sstuff.hh
@@ -111,7 +111,7 @@ public:
 }
 //! Check remote address against netmaskgroup ng
- bool acl(NetmaskGroup &ng)
+ bool acl(const NetmaskGroup &ng)
 {
 ComboAddress remote;
 if (getRemote(remote))
diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index f1a95f4e21..5a7054bd7f 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -344,16 +344,13 @@ void WebServer::go()
 if(!d_server)
 return;
 try {
- NetmaskGroup acl;
- acl.toMasks(::arg()["webserver-allow-from"]);
-
 while(true) {
 try {
 auto client = d_server->accept();
 if (!client) {
 continue;
 }
- if (client->acl(acl)) {
+ if (client->acl(d_acl)) {
 std::thread webHandler(WebServerConnectionThreadStart, this, client);
 webHandler.detach();
 } else {
diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index b3ede8925e..2de84fd258 100644
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -139,6 +139,11 @@ class WebServer : public boost::noncopyable
 public:
 WebServer(const string &listenaddress, int port);
 virtual ~WebServer() { };
+
+ void setACL(const NetmaskGroup &nmg) {
+ d_acl = nmg;
+ }
+
 void bind();
 void go();
@@ -160,6 +165,8 @@ protected:
 int d_port;
 string d_password;
 std::shared_ptr d_server;
+
+ NetmaskGroup d_acl;
 };
 #endif /* WEBSERVER_HH */
diff --git a/pdns/ws-recursor.cc b/pdns/ws-recursor.cc
index 0f71ee4f0b..2393d754b9 100644
--- a/pdns/ws-recursor.cc
+++ b/pdns/ws-recursor.cc
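Review bot: The accept loop in `WebServer::go()` now enforces whatever `d_acl` holds, but nothing in this patch calls `setACL()` on the synchronous `WebServer` — the only `setACL()` call added is in `RecursorWebServer`'s constructor, on the `AsyncWebServer`. Any other instantiation that reaches `go()` (for example the authoritative server's webserver, which is not part of this diff) would therefore run against a default-constructed `NetmaskGroup`; whether that denies or admits every client depends on how `NetmaskGroup::match` treats an empty group, which is not visible here, so please confirm it fails closed and that every `go()` caller installs an ACL first. A one-line note above the loop would make the new precondition explicit: `// d_acl must be populated via setACL() before go(); an empty group is applied as-is.` The `else` branch for rejected clients and the remainder of `go()` lie outside the hunk.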
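Review bot: `setACL()` assigns `d_acl` with no synchronization, while `WebServer::go()` (in this same patch) reads `d_acl` from its accept loop and `AsyncWebServer::serveConnection` reads it from the FDM callback; the only caller added invokes it from a constructor before `bind()`, so this is safe as written, but the ordering is an unstated invariant that a future "reload ACL at runtime" change would silently break. Document it on the declaration, for example: `/// Install the remote-address allow list applied to every accepted connection. Call before bind()/go(); d_acl is read unlocked by the accept paths, so it must not change once the server is running.` The member itself in the second hunk could carry the short form of the same note.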
@@ -450,6 +450,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
 registerAllStats();
 d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
+
+ NetmaskGroup acl;
+ acl.toMasks(::arg()["webserver-allow-from"]);
+ d_ws->setACL(acl);
+
 d_ws->bind();
 // legacy dispatch
@@ -610,6 +615,10 @@ void AsyncServer::newConnection()
 // This is an entry point from FDM, so it needs to catch everything.
 void AsyncWebServer::serveConnection(std::shared_ptr client) const
 try {
+ if (!client->acl(d_acl)) {
+ return;
+ }
+
 HttpRequest req;
 YaHTTP::AsyncRequestLoader yarl;
 yarl.initialize(&req);
diff --git a/pdns/ws-recursor.hh b/pdns/ws-recursor.hh
index 9df3a81c7e..13a3707a75 100644
--- a/pdns/ws-recursor.hh
+++ b/pdns/ws-recursor.hh
@@ -32,7 +32,10 @@ class HttpResponse;
 class AsyncServer : public Server {
 public:
- AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { };
+ AsyncServer(const string &localaddress, int port) : Server(localaddress, port)
+ {
+ d_server_socket.setNonBlocking();
+ };
 friend void AsyncServerNewConnectionMT(void *p);
-- 
2.47.2
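Review bot: The `setACL()`-before-`bind()` ordering in `RecursorWebServer`'s constructor is what guarantees the listening socket never exists without an allow list behind it, and it is worth stating so the next edit does not move `d_ws->bind()` up: `// Install the allow list before bind(): serveConnection() consults d_acl and must never see it unset.` Note also that `webserver-allow-from` is now parsed once here and never re-read, so if the 4.1 recursor can reload that setting at runtime (not visible in this diff) the change would not take effect; if `toMasks` rejects a malformed entry by throwing (presumed, not shown), that now surfaces at construction rather than in the accept loop, which is the better place to fail. Minor style point: the new line uses `::arg()` while the adjacent `d_ws = new AsyncWebServer(...)` line uses `arg()`; pick one form. The constructor continues outside the hunk.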
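Review bot: The early `return` in `AsyncWebServer::serveConnection` rejects the client silently, whereas the synchronous path in `WebServer::go()` has a dedicated `else` branch for the same decision; denied API-access attempts are exactly the events an operator wants in the log to spot probing or a misconfigured `webserver-allow-from`. Obtain the peer via `client->getRemote(remote)` and log it at the same logger/level the synchronous path uses before returning. Placing the check ahead of `yarl.initialize(&req)` is the right order — no attacker-supplied bytes are parsed before the ACL decision — but the return also hands the rejected socket's lifetime entirely to the `shared_ptr`; please confirm nothing else (for instance the FDM registration that called this entry point) still holds `client`, or the refused connection lingers until that owner drops it. The function body continues past the hunk.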
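Review bot: Making the listening socket non-blocking in `AsyncServer`'s constructor is unexplained in an ACL fix and changes `accept()`'s failure modes: a readiness wakeup whose pending client has already gone away now yields `EAGAIN`/`EWOULDBLOCK` instead of stalling the FDM loop, so this is only safe if `Server::accept()` and `AsyncServer::newConnection()` (neither visible here) treat that as a benign retry rather than an error or exception. Please add the rationale so it is not reverted as unrelated: `// Non-blocking: accept() runs from the FDM callback and must never block the event loop if the pending client vanished.` Style nit: the `};` after the constructor body should be `}`.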