author | pav <pav@FreeBSD.org> | 2011-04-08 15:28:10 +0800 |
---|---|---|
committer | pav <pav@FreeBSD.org> | 2011-04-08 15:28:10 +0800 |
commit | 59c9d56facc1b8aa3fdb03a7c8d274613d97c054 (patch) | |
tree | a3af695876ef0d4f39742a38e9295436179f8b9b /www | |
parent | 09dffdb193118570c08b8cc2d2eb639009ebb0d5 (diff) | |
- Fix security vulnerability: ACL lists allow all clients to connect when an IP
range is configured
PR: ports/156264
Submitted by: Roger Marquis <marquis@roble.com> (maintainer)
Security: yes!
Diffstat (limited to 'www')
-rw-r--r-- | www/tinyproxy/Makefile | 2 | ||||
-rw-r--r-- | www/tinyproxy/files/patch-src__acl.c | 55 |
2 files changed, 56 insertions, 1 deletions
diff --git a/www/tinyproxy/Makefile b/www/tinyproxy/Makefile
index 30171b4fc50e..8e07a6fd49b1 100644
--- a/www/tinyproxy/Makefile
+++ b/www/tinyproxy/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= tinyproxy
 PORTVERSION= 1.8.2
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 1
 CATEGORIES= www
 MASTER_SITES= https://banu.com/pub/tinyproxy/1.8/
diff --git a/www/tinyproxy/files/patch-src__acl.c b/www/tinyproxy/files/patch-src__acl.c
new file mode 100644
index 000000000000..02ea0f3c21bb
--- /dev/null
+++ b/www/tinyproxy/files/patch-src__acl.c
@@ -0,0 +1,55 @@
+--- src/acl.c.orig
++++ src/acl.c
+@@ -66,8 +66,8 @@ struct acl_s {
+ *
+ */
+ static int
+-fill_netmask_array (char *bitmask_string, unsigned char array[],
+- size_t len)
++fill_netmask_array (char *bitmask_string, int v6,
++ unsigned char array[], size_t len)
+ {
+ unsigned int i;
+ unsigned long int mask;
+@@ -81,7 +81,14 @@ fill_netmask_array (char *bitmask_string, unsigned char array[],
+ || (errno != 0 && mask == 0) || (endptr == bitmask_string))
+ return -1;
+
+- /* valid range for a bit mask */
++ if (v6 == 0) {
++ /* The mask comparison is done as an IPv6 address, so
++ * convert to a longer mask in the case of IPv4
++ * addresses. */
++ mask += 12 * 8;
++ }
++
++ /* check valid range for a bit mask */
+ if (mask > (8 * len))
+ return -1;
+
+@@ -163,6 +170,9 @@ insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
+ */
+ p = strchr (location, '/');
+ if (p != NULL) {
++ char dst[sizeof(struct in6_addr)];
++ int v6;
++
+ /*
+ * We have a slash, so it's intended to be an
+ * IP address with mask
+@@ -173,8 +183,15 @@ insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
+
+ acl.type = ACL_NUMERIC;
+
++ /* Check if the IP address before the netmask is
++ * an IPv6 address */
++ if (inet_pton(AF_INET6, location, dst) > 0)
++ v6 = 1;
++ else
++ v6 = 0;
++
+ if (fill_netmask_array
+- (p + 1, &(acl.address.ip.mask[0]), IPV6_LEN)
++ (p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
+ < 0)
+ return -1; |
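Review bot: The IPv4 widening `mask += 12 * 8;` in fill_netmask_array runs before the range check, so an `unsigned long` value close to ULONG_MAX wraps around and can then pass `mask > (8 * len)` as a short prefix, leaving the ACL entry matching far more addresses than the configuration states. Bounding the IPv4 prefix before widening closes this: add `if (mask > 32) return -1;` as the first statement inside the `if (v6 == 0)` block, ahead of `mask += 12 * 8;`. The call that parses `mask` is outside the hunk; the visible errno/endptr test suggests strtoul, which also accepts a leading minus sign and negates the result, so that case should be confirmed as rejected too. The v6 test in insert_acl appears to rely on `location` already being terminated at the slash by code between the two insert_acl hunks, which is not shown; if it is not, inet_pton would fail for every entry and IPv6 prefixes would be lengthened by 96 bits or rejected.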