0001-Only-allow-a-CIDR-mask-of-zero-if-the-IP-contains-only-zeroes.patch

application/x-patch

Filename: 0001-Only-allow-a-CIDR-mask-of-zero-if-the-IP-contains-only-zeroes.patch
Type: application/x-patch
Part: 0
Message: PATCH: Disallow a netmask of zero unless the IP is also all zeroes

Patch

Same data as JSON: GET /api/v1/attachments/:id/patch the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes. API reference →
Format: format-patch
Series: patch 0001
Subject: Only allow a CIDR mask of zero if the IP contains only zeroes.
File+
src/backend/libpq/hba.c 20 0
From 9ba3d75999da4c2dfe258516cefa6343851d8955 Mon Sep 17 00:00:00 2001
From: Greg Sabino Mullane <greg@turnstep.com>
Date: Tue, 11 Feb 2025 11:16:11 -0500
Subject: [PATCH] Only allow a CIDR mask of zero if the IP contains only
 zeroes.

Prevents a common error of not realizing the security implications of 1.2.3.4/0
---
 src/backend/libpq/hba.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 510c9ffc6d7..95ff890d461 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1600,6 +1600,26 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
 										token->string);
 					return NULL;
 				}
+
+				/*
+				 * Throw an error if we are putting a /0 on a non-zero IP
+				 * address
+				 */
+				if (strspn(cidr_slash + 1, "0") == strlen(cidr_slash + 1)
+					&& strcspn(token->string, "123456789abcdefABCDEF") != strlen(token->string))
+				{
+					ereport(elevel,
+							(errcode(ERRCODE_CONFIG_FILE_ERROR),
+							 errmsg("invalid CIDR mask in address \"%s\"",
+									token->string),
+							 errhint("A mask of 0 will allow ALL IP addresses."),
+							 errcontext("line %d of configuration file \"%s\"",
+										line_num, file_name)));
+					*err_msg = psprintf("invalid CIDR mask in address \"%s\"",
+										token->string);
+					return NULL;
+				}
+
 				parsedline->masklen = parsedline->addrlen;
 				pfree(str);
 			}
-- 
2.30.2