0001-Only-allow-a-CIDR-mask-of-zero-if-the-IP-contains-only-zeroes.patch
application/x-patch
Filename: 0001-Only-allow-a-CIDR-mask-of-zero-if-the-IP-contains-only-zeroes.patch
Type: application/x-patch
Part: 0
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: format-patch
Series: patch 0001
Subject: Only allow a CIDR mask of zero if the IP contains only zeroes.
| File | + | − |
|---|---|---|
| src/backend/libpq/hba.c | 20 | 0 |
From 9ba3d75999da4c2dfe258516cefa6343851d8955 Mon Sep 17 00:00:00 2001
From: Greg Sabino Mullane <greg@turnstep.com>
Date: Tue, 11 Feb 2025 11:16:11 -0500
Subject: [PATCH] Only allow a CIDR mask of zero if the IP contains only
zeroes.
Prevents a common error of not realizing the security implications of 1.2.3.4/0
---
src/backend/libpq/hba.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 510c9ffc6d7..95ff890d461 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1600,6 +1600,26 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
token->string);
return NULL;
}
+
+ /*
+ * Throw an error if we are putting a /0 on a non-zero IP
+ * address
+ */
+ if (strspn(cidr_slash + 1, "0") == strlen(cidr_slash + 1)
+ && strcspn(token->string, "123456789abcdefABCDEF") != strlen(token->string))
+ {
+ ereport(elevel,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("invalid CIDR mask in address \"%s\"",
+ token->string),
+ errhint("A mask of 0 will allow ALL IP addresses."),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, file_name)));
+ *err_msg = psprintf("invalid CIDR mask in address \"%s\"",
+ token->string);
+ return NULL;
+ }
+
parsedline->masklen = parsedline->addrlen;
pfree(str);
}
--
2.30.2