View Issue Details

ID: 0002240
Project: unrealircd
Category:
View Status: public
Last Update: 2004-12-26 19:28
Reporter: aquanight
Assigned To: codemastr
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: X86
OS: Windows
OS Version: XP Pro SP2
Product Version: 3.2.2
Fixed in Version: 3.2.3
Summary: 0002240: CIDR notation circumvents "Too broad mask" protection
Description: The /?line commands all check if a mask is too broad and thus prevent opers from adding an insanely wide ?line (like *@*). However, CIDR notation allows an oper to ban a very large IP range, thus getting around this mechanism. For example, the mask *@0.0.0.0/1 is accepted as valid, and would end up banning about half the internet from the network!

I'm thinking a simple check for CIDR masks should be done to avoid setting extremely wide CIDR bans, just as extremely wide wildcard bans aren't allowed. I think a good rule would be to require no less than /8 without uline intervention (eg, minimum 8 bits in the mask, so 0.0.0.0/1 isn't valid, but 39.0.0.0/8 is).
Steps To Reproduce:
- Attempt to add a gline for something really broad using only wildcards. For example: *@*.com. Get "too broad mask" error.
- Attempt to add a gline for something really broad using CIDR. For example, *@0.0.0.0/1. It works.

(Recommend using a low (5s?) timeout (or an except tkl *@*) if you test this on a real network!)
Tags: No tags attached.
3rd party modules

Activities

codemastr

2004-12-26 19:28

reporter   ~0008675

As of .212, it now requires 16 bits. 8 seemed too low (banning 1.0.0.0-1.255.255.255 is rather broad).
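
The minimum-prefix check discussed in this issue, as an added example in C; it is not UnrealIRCd's code. The names check_cidr_mask, cidr_address_count and MIN_CIDR_BITS are hypothetical, only IPv4 is handled, and the 16-bit threshold is the one from the resolution note above (the report proposed 8).

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN_CIDR_BITS 16 /* assumed default: the value from the resolution note */
enum mask_verdict { MASK_NOT_CIDR = -1, MASK_OK = 0, MASK_TOO_BROAD = 1 };

/* Number of IPv4 addresses covered by a prefix of `bits` bits (0..32). */
unsigned long long cidr_address_count(int bits) { return 1ULL << (32 - bits); }

/* Classify the host part of a user@host ban mask (hypothetical helper).
 * Anything that is not a well-formed IPv4 CIDR is left to the wildcard check. */
enum mask_verdict check_cidr_mask(const char *mask, int min_bits)
{
    const char *at = strrchr(mask, '@');
    const char *host = at ? at + 1 : mask;
    const char *slash = strchr(host, '/');
    size_t iplen = slash ? (size_t)(slash - host) : 0;
    char ip[INET_ADDRSTRLEN];
    struct in_addr addr;
    char *end;

    if (!slash || iplen == 0 || iplen >= sizeof(ip))
        return MASK_NOT_CIDR;
    memcpy(ip, host, iplen);
    ip[iplen] = '\0';
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return MASK_NOT_CIDR;

    /* The prefix length must be plain decimal digits in 0..32 (no sign, no spaces). */
    if (!isdigit((unsigned char)slash[1]))
        return MASK_NOT_CIDR;
    long bits = strtol(slash + 1, &end, 10);
    if (*end != '\0' || bits > 32)
        return MASK_NOT_CIDR;
    return bits < min_bits ? MASK_TOO_BROAD : MASK_OK;
}

int main(void)
{
    /* Masks from the report, plus one constructed /16 sample. */
    const char *samples[] = { "*@0.0.0.0/1", "*@39.0.0.0/8", "*@10.20.0.0/16", "*@*.com" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %d\n", samples[i], (int)check_cidr_mask(samples[i], MIN_CIDR_BITS));
    printf("/1=%llu /8=%llu addresses\n", cidr_address_count(1), cidr_address_count(8));
    return 0;
}
```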

Issue History

Date Modified Username Field Change
2004-12-15 13:02 aquanight New Issue
2004-12-15 14:13 syzop Status new => acknowledged
2004-12-26 19:28 codemastr Status acknowledged => resolved
2004-12-26 19:28 codemastr Fixed in Version => 3.2.3
2004-12-26 19:28 codemastr Resolution open => fixed
2004-12-26 19:28 codemastr Assigned To => codemastr
2004-12-26 19:28 codemastr Note Added: 0008675