You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I was using an inline comment with the following format, in relay_acl_allow (not this exact IP, but shown here as an example):
8.8.8.8/32 # My safe machine IP
Unfortunately, the code later reads this line as a single entry, and is fine parsing the entire line, including what I thought was a comment after #, as an IP. The ipaddr npm module then seems to understand this as 8.8.8.8/0, allowing any IP to pass the relay ACL test.
As a result, my machine was sending spam all over the world, because I've inappropriately assumed that the ACL worked fine, thus didn't impose any restriction in the firewall for that port. I fixed those two mistakes (misconfiguration of the comment + added some firewall rules), but I think it'd be super great to:
make it super explicit what is fine or not for a plugin configuration to accept
optionally, for the relay plugin, not take into account any line that doesn't look like an IP address, based on testing it with a regular expression or something like this
The text was updated successfully, but these errors were encountered:
bnjbvr
changed the title
Make it clear in configuration that inline comments aren't supported
bug: don't allow invalid entries in the relay_acl_allow file
Aug 28, 2024
Renamed the issue, because I think the (2) item on the above list should really be implemented; it's too easy otherwise to shoot oneself in the feet by writing an incorrect configuration line, and thus allowing spammers to use the software.
Minimal repro showing the issue (arguably it's in ipaddr.js):
constipaddr=require('ipaddr.js');letcidr="8.8.8.8/32 # This machine";cidr=cidr.split('/');letc_net=cidr[0];letc_mask=cidr[1]||32;letcnetip=ipaddr.parse(c_net);console.log('c net ip =',cnetip);letip=ipaddr.parse("13.37.42.42");console.log('ip=',ip);console.log('accepted?',ip.match(cnetip,c_mask));
This will show accepted? true for any value of ip.
I was using an inline comment with the following format, in
relay_acl_allow
(not this exact IP, but shown here as an example):Unfortunately, the code later reads this line as a single entry, and is fine parsing the entire line, including what I thought was a comment after
#
, as an IP. Theipaddr
npm module then seems to understand this as8.8.8.8/0
, allowing any IP to pass the relay ACL test.As a result, my machine was sending spam all over the world, because I've inappropriately assumed that the ACL worked fine, thus didn't impose any restriction in the firewall for that port. I fixed those two mistakes (misconfiguration of the comment + added some firewall rules), but I think it'd be super great to:
The text was updated successfully, but these errors were encountered: