From 30d1dcee45dfc68d63ae954485642ff306fb4ac2 Mon Sep 17 00:00:00 2001
From: doktornotor
Date: Wed, 18 Nov 2015 02:56:53 +0100
Subject: Squid3 - do not add invalid subnets for 'Allow Users on Interface' to ACL (Bug #4331, Bug #4526)
---
 config/squid3/34/squid.inc | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index aee85bcd..b7eb9889 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -41,12 +41,6 @@ require_once('service-utils.inc');
 if (!function_exists("filter_configure")) {
 require_once("filter.inc");
 }
-/* Squid reverse proxy */
-require_once('/usr/local/pkg/squid_reverse.inc');
-/* Squid javascript helpers */
-require_once('/usr/local/pkg/squid_js.inc');
-/* Squid antivirus intergration features helpers */
-require_once('/usr/local/pkg/squid_antivirus.inc');
 $shortcut_section = "squid";
@@ -77,6 +71,13 @@ if ($uname['machine'] == 'amd64') {
 ini_set('memory_limit', '250M');
 }
+/* Squid reverse proxy */
+require_once('/usr/local/pkg/squid_reverse.inc');
+/* Squid javascript helpers */
+require_once('/usr/local/pkg/squid_js.inc');
+/* Squid antivirus intergration features helpers */
+require_once('/usr/local/pkg/squid_antivirus.inc');
+
 /*
 * Utility functions
 */
@@ -1222,9 +1223,14 @@ EOD;
 foreach ($real_ifaces as $iface) {
 list($ip, $mask) = $iface;
 $ip = long2ip(ip2long($ip) & ip2long($mask));
- $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
+ $mask = 32 - log((ip2long($mask) ^ ip2long('255.255.255.255')) +1, 2);
 if (!preg_match("@$ip/$mask@", $src)) {
- $src .= " $ip/$mask";
+ // XXX: Do not add invalid subnets (Bug #4331, Bug #4526)
+ if (is_subnet("{$ip}/{$mask}")) {
+ $src .= " $ip/$mask";
+ } else {
+ log_error("[squid] 'Allow Users on Interface' ACL skipped for '{$ip}/{$mask}' since it is not a valid subnet.");
+ }
 }
 }
 $conf .= "# Allow local network(s) on interface(s)\n";
--
cgit v1.2.3
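Review bot: The new `is_subnet()` check in the `foreach ($real_ifaces as $iface)` loop runs only after the arithmetic on unchecked `ip2long()` results. `ip2long()` returns `false` for a missing or non-IPv4 address or mask, and `&` and `^` silently treat that as 0, so such an interface appears to produce the candidate `0.0.0.0/0`. Whether that candidate stays out of the allowed-source list then depends entirely on how `is_subnet()` handles a zero prefix, which is not visible in this hunk; if it were accepted, the ACL would admit any client to the proxy. I would reject the interface before the math, right after the `list()` line, with `if (ip2long($ip) === false || ip2long($mask) === false) { continue; }`, preceded by the same `log_error()` message. The enclosing function starts and ends outside the hunk, so how `$real_ifaces` is populated cannot be confirmed from here.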