-
-
Notifications
You must be signed in to change notification settings - Fork 660
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: don't allow invalid entries in the relay_acl_allow
file
#3396
Comments
relay_acl_allow
file
Renamed the issue, because I think the (2) item on the above list should really be implemented; it's too easy otherwise to shoot oneself in the feet by writing an incorrect configuration line, and thus allowing spammers to use the software. |
Minimal repro showing the issue (arguably it's in ipaddr.js): const ipaddr = require('ipaddr.js');
let cidr = "8.8.8.8/32 # This machine";
cidr = cidr.split('/');
let c_net = cidr[0];
let c_mask = cidr[1] || 32;
let cnetip = ipaddr.parse(c_net);
console.log('c net ip =', cnetip);
let ip = ipaddr.parse("13.37.42.42");
console.log('ip=', ip);
console.log('accepted?', ip.match(cnetip, c_mask)); This will show |
|
Thanks for your answer, but I disagree with your assessment of 1: the input must be mistrusted, or errors must be signaled explicitly, or invalid lines must be explicitly ruled out. Anything else will lead an administrator of such an instance to shoot themselves in the feet, as I did in a particularly catastrophic way. |
We look forward to you contributing a Pull Request to brings the file parsing up to your expectations. |
I was using an inline comment with the following format, in
relay_acl_allow
(not this exact IP, but shown here as an example):Unfortunately, the code later reads this line as a single entry, and is fine parsing the entire line, including what I thought was a comment after
#
, as an IP. Theipaddr
npm module then seems to understand this as8.8.8.8/0
, allowing any IP to pass the relay ACL test.As a result, my machine was sending spam all over the world, because I've inappropriately assumed that the ACL worked fine, thus didn't impose any restriction in the firewall for that port. I fixed those two mistakes (misconfiguration of the comment + added some firewall rules), but I think it'd be super great to:
The text was updated successfully, but these errors were encountered: