From: Sam S. <sa...@us...> - 2002-01-28 21:43:17
On Mon, 28 Jan 2002, Jonathan Stowe wrote:
> > The below seems to have got lost in the activity of the last few
> > days (not helped by my opaque comment).
> >
> > It allows 130.88.0.0/16 CIDR style masks in @referers .
> >
>
> It appears to:
>
> A) only allow those masks
It does only allow the a.b.c.d/e mask, since the raw IP is handled
by the if statement below. It adds to the current functionality,
rather than replacing anything.
> B) summon $5 out of thin air at some point
Oops. New patch below:
--- FormMail.pl Tue Jan 22 00:13:43 2002
+++ FormMail-sams.pl Mon Jan 28 21:29:59 2002
@@ -277,6 +277,19 @@
if ($referer =~ m|https?://([^/]*)\Q$test_ref\E|i) {
$check_referer = 1;
last;
+ }
+ elsif ( $secure && $test_ref =~ /(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})/ ) {
+ my $cidr=$5;
+ my $test_bits= unpack "N", pack "CCCC", $1, $2, $3, $4;
+ my $test_bit_mask= unpack "N", pack "B*", "1" x $cidr . "0" x (32 - $cidr );
+
+ $referer =~ /(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/;
+ my $ip_bits= unpack "N", pack "CCCC", $1, $2, $3, $4;
+
+ if (($test_bits & $test_bit_mask) == ($ip_bits & $test_bit_mask)) {
+ $check_referer = 1;
+ last;
+ }
}
elsif ( $secure && $test_ref =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ ) {
if ( $referer =~ m|https?://([^/]+)| ) {
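Review bot: the result of the `$referer =~ /(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/` match in the new elsif branch is never tested, and when a Perl match fails $1..$4 keep the values from the last successful match, which here is the one against $test_ref. For a referer that contains no dotted quad, $ip_bits is therefore built from the mask's own octets, the comparison is true, and $check_referer is set to 1. Wrap the second match in an `if` and only compare on success. The same pattern is also unanchored, so it accepts a dotted quad anywhere in the referer string rather than in the host part; anchoring it the way the first branch does with `m|https?://...|` would limit it to the host. It would also be worth rejecting a prefix length above 32 and octets above 255 before packing, since `\d{1,2}` and `\d{1,3}` admit both.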
Sam
--
Managing sysadmins is like leading a neighborhood gang of
neurotic pumas on jet-powered hoverbikes with nasty smack habits and
opposable thumbs. -- from www.monkeybagel.com