From f120c9fbd132e5d183a66245b0a36919ae5b44ae Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Fri, 10 Jun 2022 13:15:23 +0200
Subject: [PATCH] block_acl(): Ignore ACL matches when we don't have a destination yet ... but the ACL requires it. Fixes SF bug #913 reported by Peter Geelhoed.
---
 filters.c | 10 ++++++++++
 loadcfg.c | 2 --
 project.h | 2 --
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/filters.c b/filters.c
index 107c5042..78fe0fa6 100644
--- a/filters.c
+++ b/filters.c
@@ -261,6 +261,16 @@ int block_acl(const struct access_control_addr *dst, const struct client_state *
 {
 if (dst == NULL)
 {
+ if (!acl->wildcard_dst)
+ {
+ /*
+ * While the client address matches, the ACL also
+ * has a destination address which we can't check
+ * yet so we have to continue with the next ACL.
+ */
+ acl = acl->next;
+ continue;
+ }
 /* Just want to check if they have any access */
 if (acl->action == ACL_PERMIT)
 {
diff --git a/loadcfg.c b/loadcfg.c
index 447a84bf..d1b945b1 100644
--- a/loadcfg.c
+++ b/loadcfg.c
@@ -1025,12 +1025,10 @@ struct configuration_spec * load_config(void)
 break;
 }
 }
-#ifdef HAVE_RFC2553
 else
 {
 cur_acl->wildcard_dst = 1;
 }
-#endif /* def HAVE_RFC2553 */
 /*
 * Add it to the list. Note we reverse the list to get the
diff --git a/project.h b/project.h
index 6ee1a269..8ff5694c 100644
--- a/project.h
+++ b/project.h
@@ -1379,9 +1379,7 @@ struct access_control_list
 {
 struct access_control_addr src[1]; /**< Client IP address */
 struct access_control_addr dst[1]; /**< Website or parent proxy IP address */
-#ifdef HAVE_RFC2553
 short wildcard_dst; /** < dst address is wildcard */
-#endif
 short action; /**< ACL_PERMIT or ACL_DENY */
 struct access_control_list *next; /**< The next entry in the ACL. */
--
2.35.2
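Review bot: In filters.c, the new `if (!acl->wildcard_dst)` skip in block_acl() applies to permit and deny entries alike, so during the early `dst == NULL` check a destination-scoped ACL_PERMIT entry can no longer grant the client initial access. What a client gets when its only matching entry is such a permit depends on the loop's fall-through return, which is outside this hunk (block_acl() starts and ends beyond it); if that path denies, those clients are now rejected before any destination is known. If that is not intended, the skip could be limited to entries that would otherwise deny, e.g. `if (!acl->wildcard_dst && acl->action != ACL_PERMIT)`, leaving the permit to be enforced by the later call that has a destination (implied by the comment's "can't check yet"). Either way the new comment should state which behaviour is intended, and a test config with only a destination-scoped permit would pin it down.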
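Review bot: In project.h, `wildcard_dst` becomes an unconditional member, but its comment `/** < dst address is wildcard */` has a space between `/**` and `<`, unlike the `/**<` form on the neighbouring members, so a documentation generator may not attach it to this field. Since the filters.c hunk now reads the flag on the `dst == NULL` path in every build, I would change the line to `short wildcard_dst; /**< Non-zero if dst is a wildcard (set by load_config()) */`. The struct definition continues beyond the hunk.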