PATCH: Disallow a netmask of zero unless the IP is also all zeroes
Greg Sabino Mullane <htamfids@gmail.com>
From: Greg Sabino Mullane <htamfids@gmail.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-02-11T20:05:33Z
Lists: pgsql-hackers
Attachments
- 0001-Only-allow-a-CIDR-mask-of-zero-if-the-IP-contains-only-zeroes.patch (application/x-patch) patch 0001
I ran into this alarming mistake again the other day. Luckily it was on a dev system. Someone sees an entry in a pg_hba.conf that looks like this: host all all 0.0.0.0/0 md5 They are gobsmacked when they learn this means to let everyone in. So they fix it by adding new entries that look like this: host all all 10.2.55.4/0 md5 host all all 10.2.55.5/0 md5 host all all 10.2.55.6/0 md5 It should, of course, be: host all all 10.2.55.4/32 md5 I say "of course" but few people (even tech ones) know the distinction. (Nor should they have to! But that's for a nearby thread). This patch aims to prevent this very bad footgun by only allowing a /0 if the IP consists of only zeroes. It works for ipv4 and ipv6. Cheers, Greg -- Crunchy Data - https://www.crunchydata.com Enterprise Postgres Software Products & Tech Support