On 04.08.2016 at 17:46, Yann Ylavic wrote:
On Thu, Aug 4, 2016 at 3:30 PM, Rainer Jung <rainer.j...@kippdata.de> wrote:

- apr_ipsubnet_create() has some logic that, for instance, accepts "192.168"
as input with NULL mask_or_numbits and returns sub 192.168.0.0 and mask
255.255.0.0.

Hmm, indeed, but this looks buggy to me.
Shouldn't apr_ipsubnet_create() be fixed with:

-    rv = parse_ip(*ipsub, ipstr, mask_or_numbits == NULL);
+    rv = parse_ip(*ipsub, ipstr, mask_or_numbits != NULL);
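
Review bot: Inverting the flag passed to parse_ip() changes the result for callers that pass a NULL mask_or_numbits together with an abbreviated IPv4 network. Per the thread, "192.168" with a NULL mask currently yields sub 192.168.0.0 and mask 255.255.0.0, and ACLs written as "Allow from 192.168" may depend on that. Before changing `mask_or_numbits == NULL`, add a test that covers abbreviated input with a NULL mask and confirm what such ACL entries resolve to afterwards; if the current behaviour is intended, document it at this call rather than flipping the condition.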

?

At least code archaeology shows this condition goes back a very long way. It seems to me NULL was used as a marker for an abbreviated IPv4 network address, like 192.168 meaning 192.168/16. Simply switching the test could break stuff like simple IP ACLs ("Allow from 192.168"). Not tested with httpd though, I was just doing some tests by calling apr_ipsubnet_create() directly from a small standalone program to confirm its behavior.

Regards,

Rainer
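
The abbreviated-network behaviour discussed in this thread, as an added example that is not part of the original messages and is not APR's source: a simplified C model in which each octet supplied contributes eight mask bits, so "192.168" behaves as 192.168/16 in an ACL-style match. The function names and the extension to one, three and four octets are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (NOT APR source; names are hypothetical) of the
 * abbreviated-IPv4 handling described in the thread: every octet given
 * sets 8 mask bits, so "192.168" -> sub 192.168.0.0, mask 255.255.0.0.
 * Returns 0 on success, -1 on malformed input. */
static int abbrev_net_parse(const char *s, uint32_t *sub, uint32_t *mask)
{
    int shift = 24;
    *sub = *mask = 0;
    if (*s == '\0')
        return -1;
    while (*s) {
        char *end;
        unsigned long octet;
        if (!isdigit((unsigned char)*s) || shift < 0)
            return -1;              /* non-digit, or more than 4 octets */
        octet = strtoul(s, &end, 10);
        if (octet > 255 || (*end != '.' && *end != '\0'))
            return -1;
        *sub  |= (uint32_t)octet << shift;
        *mask |= (uint32_t)0xFF << shift;
        shift -= 8;
        s = (*end == '.') ? end + 1 : end;
    }
    return 0;
}

/* ACL-style check: 1 if host-order addr is inside the network named by
 * spec, 0 if outside, -1 if spec is malformed. */
static int acl_allows(const char *spec, uint32_t addr)
{
    uint32_t sub, mask;
    if (abbrev_net_parse(spec, &sub, &mask) != 0)
        return -1;
    return (addr & mask) == sub;
}

int main(void)
{
    /* Constructed sample addresses: 192.168.5.7 and 192.169.0.1 */
    printf("192.168 vs 192.168.5.7: %d\n", acl_allows("192.168", 0xC0A80507u));
    printf("192.168 vs 192.169.0.1: %d\n", acl_allows("192.168", 0xC0A90001u));
    return 0;
}
```

A check of this shape, run against the real apr_ipsubnet_create() before and after any change to the condition, shows whether abbreviated ACL entries still resolve to the same network.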




