Bug 54047 - applies ipv4 filters to ipv6 rules
Summary: applies ipv4 filters to ipv6 rules
Status: CLOSED FIXED
Alias: None
Product: APR
Classification: Unclassified
Component: APR (show other bugs)
Version: HEAD
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache Portable Runtime bugs mailinglist
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2012-10-24 00:09 UTC by alan
Modified: 2014-01-21 12:58 UTC (History)
0 users



Attachments
proposed patch (1.59 KB, patch)
2012-11-05 21:59 UTC, Joe Orton
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description alan 2012-10-24 00:09:51 UTC
We have a web server at www.peakinternet.com that is dual stacked:

ipv4: 207.55.16.224
ipv6: 2607:f678::16:224

A recent redesign of the web site moved it to Wordpress, which included as part of the .htaccess a block of ip addresses known for attacks, including:

# PSI network
deny from 38.0.0.0/8

When this rule is enabled and we try to access the site from our ipv6 enabled clients, we get "permission denied" errors.  When it's disabled, the site works fine.  We notice that 38 decimal is 26 hex, which matches the first 8 bits of our ipv6 block.  In looking in the logs, we see that all the ipv6 denials were 26xx addresses:

2600:1002:b016:321f:51ca:e30f:4b1c:fc22]
2600:1008:b002:30f2::103]
2600:1008:b002:adfd:0:41:9772:1301]
2600:1008:b109:5639::103]
2600:1008:b111:8c5::103]
2600:100c:b203:e466:40ae:f7a6:58af:3e2e]
2600:100c:b210:ba5e:53e:ae29:66be:8af2]
2600:100e:b00c:ef2:e90a:88d8:b94a:847e]

etc...

It appears that the ipv4 mask 38/8 is being applied to ipv6 addresses inappropriately - this is only a guess, but it's the only thing we can think of that matches the symptoms...
Comment 1 Joe Orton 2012-11-05 21:59:38 UTC
Created attachment 29555 [details]
proposed patch

How bizarre that such a bug can go undiscovered for so long.  Thanks for the report.

Can you test this APR patch?
Comment 2 Joe Orton 2012-11-05 22:09:16 UTC
Committed in r1405985.
Comment 3 alan 2012-11-06 00:36:40 UTC
I applied that patch to the httpd 2.2.15 code I had handy and verified that the problem exists without the patch and does not exist with the patch.
Comment 4 Stefan Fritsch 2013-04-21 21:43:54 UTC
1.5 commit: r1420111
1.4 commit: r1420116
will be fixed in 1.4.7 / 1.5.0
Comment 5 Jeff Trawick 2014-01-21 12:57:49 UTC
fixed in 1.4.7 and later releases