File CVE-2013-1841.patch of Package perl-Net-Server

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2013-1841.patch of Package perl-Net-Server

From dd7c587d44b40a225ad90f7559ebf00967f4e5fc Mon Sep 17 00:00:00 2001
From: Paul Seamons <paul.seamons@newfold.com>
Date: Wed, 30 Nov 2022 22:37:35 -0700
Subject: [PATCH] Add double_reverse_lookups capability

---
 lib/Net/Server.pm  | 57 ++++++++++++++++++++++++++++++++------
 lib/Net/Server.pod | 68 +++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 115 insertions(+), 10 deletions(-)

diff --git a/lib/Net/Server.pm b/lib/Net/Server.pm
index d899cd5..613dcac 100644
--- a/lib/Net/Server.pm
+++ b/lib/Net/Server.pm
@@ -180,6 +180,10 @@ sub post_configure {
 
     # make sure that allow and deny look like array refs
     $prop->{$_} = [] for grep {! ref $prop->{$_}} qw(allow deny cidr_allow cidr_deny);
+
+    $prop->{'reverse_lookups'} ||= 1 if $prop->{'double_reverse_lookups'};
+    $prop->{'double_reverse_lookups'} = $1 || $prop->{'double_reverse_lookups'} || 1
+        if $prop->{'reverse_lookups'} && $prop->{'reverse_lookups'} =~ /^(?:double|2)(.*)$/i;
 }
 
 sub initialize_logging {
@@ -541,18 +545,25 @@ sub get_client_info {
         @{ $prop }{qw(peeraddr peerhost peerport)} = ('0.0.0.0', 'inet.test', 0); # commandline
     }
 
-    if ($addr && defined $prop->{'reverse_lookups'}) {
+    if ($addr && $prop->{'reverse_lookups'}) {
         if ($INC{'Socket6.pm'} && Socket6->can('getnameinfo')) {
             my @res = Socket6::getnameinfo($addr, 0);
-            $prop->{'peerhost'} = $res[0] if @res > 1;
-        }else{
+            if (@res > 1) {
+                $prop->{'peerhost'} = $res[0];
+            } elsif ($prop->{'peeraddr'} =~ /^(?:::ffff:)?(\d+(?:\.\d+){3})$/) {
+                $prop->{'peerhost'} = gethostbyaddr(Socket::inet_aton($1), AF_INET);
+            }
+        } else {
             $prop->{'peerhost'} = gethostbyaddr($addr, AF_INET);
         }
+        if ($prop->{'peerhost'} && $prop->{'double_reverse_lookups'}) {
+            $prop->{'peerhost_rev'} = {map {$_->[0] => 1} Net::Server::Proto->get_addr_info($prop->{'peerhost'})};
+        }
     }
 
     $self->log(3, $self->log_time
                ." CONNECT ".$client->NS_proto
-               ." Peer: \"[$prop->{'peeraddr'}]:$prop->{'peerport'}\""
+               ." Peer: \"[$prop->{'peeraddr'}]:$prop->{'peerport'}\"".($prop->{'peerhost'} ? " ($prop->{'peerhost'}) " : '')
                ." Local: \"[$prop->{'sockaddr'}]:$prop->{'sockport'}\"") if $prop->{'log_level'} && 3 <= $prop->{'log_level'};
 }
 
@@ -566,16 +577,20 @@ sub allow_deny {
     # unix sockets are immune to this check
     return 1 if $sock && $sock->NS_proto =~ /^UNIX/;
 
+    # work around Net::CIDR::cidrlookup() croaking,
+    # if first parameter is an IPv4 address in IPv6 notation.
+    my $peeraddr = ($prop->{'peeraddr'} =~ /^\s*::ffff:([0-9.]+\s*)$/) ? $1 : $prop->{'peeraddr'};
+
+    if ($prop->{'double_reverse_lookups'}) {
+        return 0 if ! $self->double_reverse_lookup($peeraddr, $prop->{'peerhost'}, $prop->{'peerhost_rev'}, $prop->{'peeraddr'})
+    }
+
     # if no allow or deny parameters are set, allow all
     return 1 if ! @{ $prop->{'allow'} }
              && ! @{ $prop->{'deny'} }
              && ! @{ $prop->{'cidr_allow'} }
              && ! @{ $prop->{'cidr_deny'} };
 
-    # work around Net::CIDR::cidrlookup() croaking,
-    # if first parameter is an IPv4 address in IPv6 notation.
-    my $peeraddr = ($prop->{'peeraddr'} =~ /^\s*::ffff:([0-9.]+\s*)$/) ? $1 : $prop->{'peeraddr'};
-
     # if the addr or host matches a deny, reject it immediately
     foreach (@{ $prop->{'deny'} }) {
         return 0 if $prop->{'reverse_lookups'}
@@ -601,6 +616,30 @@ sub allow_deny {
     return 0;
 }
 
+sub double_reverse_lookup {
+    my ($self, $addr, $host, $rev_addrs, $orig_addr) = @_;
+    my $cfg = $self->{'server'}->{'double_reverse_lookups'} || '';
+    if (! $host) {
+        $self->log(3, $self->log_time ." Double reverse missing host from addr $addr");
+        return 0;
+    } elsif (! $rev_addrs) {
+        $self->log(3, $self->log_time ." Double reverse missing reverse addrs from host $host ($addr)");
+        return 0;
+    }
+    my $extra = ($orig_addr && $orig_addr ne $addr) ? ",  orig_addr: $orig_addr" : '';
+    if (! $rev_addrs->{$addr} && ! $rev_addrs->{$orig_addr}) {
+        $self->log(3, $self->log_time ." Double reverse did not match:  addr: $addr,  host: $host"
+            .($cfg =~ /detail/i ? ",  addrs: (".join(' ', sort keys %$rev_addrs).")$extra" : ''));
+        return 0;
+    } elsif ($cfg =~ /autofail/i) {
+        $self->log(3, $self->log_time ." Double reverse autofail:  addr: $addr,  host: $host,  addrs: (".join(' ', sort keys %$rev_addrs).")$extra");
+        return 0;
+    } elsif ($cfg =~ /debug/) {
+        $self->log(3, $self->log_time ." Double reverse debug:  addr: $addr,  host: $host,  addrs: (".join(' ', sort keys %$rev_addrs).")$extra");
+    }
+    return 1;
+}
+
 sub allow_deny_hook { 1 } # false to deny request
 
 sub request_denied_hook {}
@@ -960,7 +999,7 @@ sub options {
     foreach (qw(conf_file
                 user group chroot log_level
                 log_file pid_file background setsid
-                listen reverse_lookups
+                listen ipv6_package reverse_lookups double_reverse_lookups
                 no_close_by_child
                 no_client_stdout tie_client_stdout tied_stdout_callback tied_stdin_callback
                 leave_children_open_on_hup
diff --git a/lib/Net/Server.pod b/lib/Net/Server.pod
index 781982a..41cb2c0 100644
--- a/lib/Net/Server.pod
+++ b/lib/Net/Server.pod
@@ -439,6 +439,8 @@ base class.)
     ipv               (4|6|*)                  *
     proto             (tcp|udp|unix)           "tcp"
     listen            \d+                      SOMAXCONN
+    ipv6_package      (IO::Socket::INET6       IO::Socket::IP
+                       |IO::Socket::IP)
 
     ## syslog parameters (if log_file eq Sys::Syslog)
     syslog_logsock    (native|unix|inet|udp
@@ -447,7 +449,8 @@ base class.)
     syslog_logopt     (cons|ndelay|nowait|pid) pid
     syslog_facility   \w+                      daemon
 
-    reverse_lookups   1                        undef
+    reverse_lookups   (1|double|double-debug)  undef
+    double_reverse_lookups  (1|debug|autofail) undef
     allow             /regex/                  none
     deny              /regex/                  none
     cidr_allow        CIDR                     none
@@ -819,12 +822,65 @@ Socket6::AF_INET6 or Socket::AF_UNSPEC, and it is short.
 
 See L<IO::Socket>.  Not used with udp protocol (or UNIX SOCK_DGRAM).
 
+=item ipv6_package
+
+Net::Server::Proto will try to determine the appropriate socket
+class to use if a v6 socket is needed.  It will default to
+trying IO::Socket::IP first, and then IO::Socket::INET6.  Specifying
+this package allows for a specific package to be used (note that
+IO::Socket::SSL used by Proto::SSL does its own ipv6 socket package
+determination).
+
 =item reverse_lookups
 
 Specify whether to lookup the hostname of the connected IP.
 Information is cached in server object under C<peerhost> property.
 Default is to not use reverse_lookups (undef).
 
+Can be set to the values "double", "double-detail", "double-autofail",
+or "double-debug" to set double_reverse_lookups.
+
+=item double_reverse_lookups
+
+If set, also sets reverse_lookups.
+
+Same as setting reverse_lookups to "double".  Looks up the IPs
+that the hostname resolves to to make sure the connection ip is one
+of those ips.
+
+Sets peerhost_rev as a hashref of ip addresses the name resolved to
+during get_client_info.
+
+If double_reverse_lookups is set, the double_reverse_lookup method
+is called during the allow_deny method.  The
+double_reverse_lookup method is passed:
+
+    addr  - the IPv4 or IPv6 address
+    host  - the hostname the addr resolved to
+    addrs - the hashref of ip addresses the host resolved to
+    orig  - the original unfiltered addr
+
+Makes allow_deny return false if there is no hostname, no reverse ips,
+or if one of the ip addrs does not match the connection ip addr.
+Sends a log level 3 message.
+
+Can set double_reverse_lookups to one of the following to adjust logging:
+
+    detail   - add addrs to the failure messages
+    autofail - fail on every connection and log
+    debug    - log address information (but not fail) for successful connections
+
+The following one liners can help with debugging:
+
+    net-server HTTP --reverse_lookups=double-debug --log_level=3
+    # curl localhost:8080 in other window
+
+    2022/11/30-22:16:45 CONNECT TCP Peer: "[::ffff:127.0.0.1]:44766" (localhost)  Local: "[::ffff:127.0.0.1]:8080"
+    2022/11/30-22:16:45 Double reverse debug:  addr: 127.0.0.1,  host: localhost,  addrs: (127.0.0.1),  orig_addr: ::ffff:127.0.0.1
+
+The double_reverse_lookup is called before running any allow/deny
+rules.
+
 =item allow/deny
 
 May be specified multiple times.  Contains regex to compare to
@@ -1096,6 +1152,9 @@ represents the program flow:
 
     $self->post_client_connection_hook;
 
+The allow_deny method calls $self->double_reverse_lookup if
+double_reverse_lookups are enabled.
+
 The process then loops and waits for the next connection.  For a more
 in depth discussion, please read the code.
 
@@ -1253,6 +1312,13 @@ ip address, socket type, and hostname (as needed).
 This method uses the rules defined in the allow and deny configuration
 parameters to determine if the ip address should be accepted.
 
+=item C<$self-E<gt>double_reverse_lookup>
+
+Called if the double_reverse_lookups value is set or reverse_lookups
+is set to "double".  Uses peerhost_rev hashref ips to verify that the
+connection ip is valid for the hostname.  See the
+double_reverse_lookups configuration.
+
 =item C<$self-E<gt>process_request>
 
 This method is intended to handle all of the client communication.  At

Places

File CVE-2013-1841.patch of Package perl-Net-Server

Places