Merge branch 'PHP-5.6'

* PHP-5.6: NEWS NEWS Fixed bug #68428 allowed_client is IPv4 only
2026-04-29 11:13:36 +02:00 · 2014-11-17 09:23:59 +01:00
parent 2b1f90af2b 82c71158c1
commit 2c816d0c9b
1 changed files with 50 additions and 22 deletions
@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars;

 static int is_initialized = 0;
 static int in_shutdown = 0;
-static in_addr_t *allowed_clients = NULL;
+static sa_t *allowed_clients = NULL;

 static sa_t client_sa;

@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip)
 				*end = 0;
 				end++;
 			}
-			allowed_clients[n] = inet_addr(cur);
-			if (allowed_clients[n] == INADDR_NONE) {
+			if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) {
+				allowed_clients[n].sa.sa_family = AF_INET;
+				n++;
+			} else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) {
+				allowed_clients[n].sa.sa_family = AF_INET6;
+				n++;
+			} else {
 				zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur);
 			}
-			n++;
 			cur = end;
 		}
-		allowed_clients[n] = INADDR_NONE;
+		allowed_clients[n].sa.sa_family = 0;
 		free(ip);
 	}
 }
@@ -750,6 +754,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy)
 	}
 }

+static int fcgi_is_allowed() {
+	int i;
+
+	if (client_sa.sa.sa_family == AF_UNIX) {
+		return 1;
+	}
+	if (!allowed_clients) {
+		return 1;
+	}
+	if (client_sa.sa.sa_family == AF_INET) {
+		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
+			if (allowed_clients[i].sa.sa_family == AF_INET
+				&& !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) {
+				return 1;
+			}
+		}
+	}
+	if (client_sa.sa.sa_family == AF_INET6) {
+		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
+			if (allowed_clients[i].sa.sa_family == AF_INET6
+				&& !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) {
+				return 1;
+			}
+#ifdef IN6_IS_ADDR_V4MAPPED
+			if (allowed_clients[i].sa.sa_family == AF_INET
+			    && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)
+				&& !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) {
+				return 1;
+			}
+#endif
+		}
+	}
+
+	zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip());
+	return 0;
+}
+
 int fcgi_accept_request(fcgi_request *req)
 {
 #ifdef _WIN32
@@ -800,23 +841,10 @@ int fcgi_accept_request(fcgi_request *req)
 					FCGI_UNLOCK(req->listen_socket);

 					client_sa = sa;
-					if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) {
-						int n = 0;
-						int allowed = 0;
-
-						while (allowed_clients[n] != INADDR_NONE) {
-							if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
-								allowed = 1;
-								break;
-							}
-							n++;
-						}
-						if (!allowed) {
-							zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr));
-							closesocket(req->fd);
-							req->fd = -1;
-							continue;
-						}
+					if (req->fd >= 0 && !fcgi_is_allowed()) {
+						closesocket(req->fd);
+						req->fd = -1;
+						continue;
 					}
 				}