I’ve fixed an issue of the mod_authz_host's Allow/Deny directives worki... #2

Open
vivanv wants to merge 1 commit into y-ken:master from vivanv:patch-1

Conversation

vivanv commented Sep 11, 2013


…king incorrectly on httpd 2.2.25.

The apr_ipsubnet_test function was changed in APR 1.4.7, as well as in 1.4.8, which is included in httpd 2.2.25.
The apr_ipsubnet_test function looks like this right now:
APR_DECLARE(int) apr_ipsubnet_test(apr_ipsubnet_t *ipsub, apr_sockaddr_t *sa)
{
#if APR_HAVE_IPV6
    /* XXX This line will segv on Win32 build with APR_HAVE_IPV6,
     * but without the IPV6 drivers installed.
     */
    if (sa->family == AF_INET) {
        if (ipsub->family == AF_INET &&
            ((sa->sa.sin.sin_addr.s_addr & ipsub->mask[0]) == ipsub->sub[0])) {
            return 1;
        } 
...
the previous version:
APR_DECLARE(int) apr_ipsubnet_test(apr_ipsubnet_t *ipsub, apr_sockaddr_t *sa)
{
#if APR_HAVE_IPV6
    /* XXX This line will segv on Win32 build with APR_HAVE_IPV6,
     * but without the IPV6 drivers installed.
     */
    if (sa->sa.sin.sin_family == AF_INET) {
        if (ipsub->family == AF_INET &&
            ((sa->sa.sin.sin_addr.s_addr & ipsub->mask[0]) == ipsub->sub[0])) {
            return 1;
        }

So IPv4 IP addresses do not match in Allow and Deny directives of mod_authz_host module.
My modifications resolve this issue.
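The mismatch the PR describes, as an added example that is not code from mod_rpaf or APR: both apr_ipsubnet_test variants quoted above are re-implemented over constructed stand-in structs, and a client address is rewritten the way a proxy-header module would, once filling only sin_family (the pre-patch behaviour assumed here from the description and the logged sin_family=2) and once keeping both family fields consistent. The names mock_sockaddr_t, mock_ipsubnet_t, rewrite_remote_addr and allow_matches are invented for this example.

```c
/* Added illustration, not mod_rpaf's or APR's code: constructed stand-ins for the
 * apr_sockaddr_t / apr_ipsubnet_t fields the two apr_ipsubnet_test versions quoted above read. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

typedef struct {
    int family;                            /* checked by APR >= 1.4.7 */
    union { struct sockaddr_in sin; } sa;  /* sin_family checked by older APR */
} mock_sockaddr_t;
typedef struct { int family; uint32_t sub[1]; uint32_t mask[1]; } mock_ipsubnet_t;

/* Old APR: IPv4 branch keyed off sa->sa.sin.sin_family. */
static int ipsubnet_test_old(const mock_ipsubnet_t *ipsub, const mock_sockaddr_t *sa)
{
    if (sa->sa.sin.sin_family != AF_INET) return 0;
    return ipsub->family == AF_INET &&
           (sa->sa.sin.sin_addr.s_addr & ipsub->mask[0]) == ipsub->sub[0];
}

/* APR 1.4.7+ (httpd 2.2.25): IPv4 branch keyed off sa->family instead. */
static int ipsubnet_test_new(const mock_ipsubnet_t *ipsub, const mock_sockaddr_t *sa)
{
    if (sa->family != AF_INET) return 0;
    return ipsub->family == AF_INET &&
           (sa->sa.sin.sin_addr.s_addr & ipsub->mask[0]) == ipsub->sub[0];
}

/* Models a proxy-header module overwriting remote_addr from X-Forwarded-For.
 * set_outer_family == 0: only sin_family is filled (assumed pre-patch behaviour);
 * set_outer_family == 1: both family fields kept consistent (the fix). */
static void rewrite_remote_addr(mock_sockaddr_t *sa, const char *dotted, int set_outer_family)
{
    memset(sa, 0, sizeof *sa);
    sa->sa.sin.sin_family = AF_INET;
    sa->sa.sin.sin_addr.s_addr = inet_addr(dotted);   /* 1.1.1.1 -> 16843009, as logged */
    sa->family = set_outer_family ? AF_INET : 0;
}

/* Returns 1 if "Allow from <allowed>" matches the rewritten client address;
 * use_new selects the APR 1.4.7+ test, 0 the older one. */
int allow_matches(const char *allowed, const char *client, int set_outer_family, int use_new)
{
    mock_ipsubnet_t ipsub = { AF_INET, { inet_addr(allowed) }, { 0xffffffffu } };  /* /32 host */
    mock_sockaddr_t sa;
    rewrite_remote_addr(&sa, client, set_outer_family);
    return use_new ? ipsubnet_test_new(&ipsub, &sa) : ipsubnet_test_old(&ipsub, &sa);
}
```

With only sin_family set, the older test admits 1.1.1.1 while the APR 1.4.7+ test does not, which is the 403 in the log below; setting both fields restores the match without admitting 1.1.1.2.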
y-ken (Owner) commented Sep 14, 2013

Thank you for your patch. I will check behavior in my environment.
Would you please give me a sample configuration to check the difference?

vivanv (Author) commented Sep 16, 2013

uname -a
SunOS srv2-m4000-01.net.billing.ru 5.10 Generic_147440-27 sun4u sparc SUNW,SPARC-Enterprise

./bin/apachectl -V
Server version: Apache/2.2.25 (Unix) mod_xslt_proxy v. 023.00 [(c) CJSC 'PETER-SERVICE' 2013] Platform = sparc_sun_solaris_2.10__64 Build = 001.105
Server built: Sep 9 2013 15:48:15
Server's Module Magic Number: 20051115:33
Server loaded: APR 1.4.8, APR-Util 1.5.2
Compiled using: APR 1.4.8, APR-Util 1.5.2
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/usr/local/apache2"
-D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"


Config files:

LogFormat "%h %{X-Forwarded-For}i %l %u %t "%m" "%r&" "%q&" %>s %b "%{Referer}i" "%{User-Agent}i" pid=%{pid}P tid=%{tid}P time_ms=%D" combined

CustomLog "|/import/home/ivan.voronin/tmp/solaris/023.00/apache2/bin/rotatelogs logs/access_log.%Y.%m.%d 86400" combined

LoadModule rpaf_module modules/mod_rpaf-2.0.so

RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 172.20.106.70
RPAFheader X-Forwarded-For

<Location /rpaf_test>
DefaultType text/html

Order deny,allow
Deny from all
Allow from 1.1.1.1 127.0.0.1 localhost
</Location>


Request:
GET http://srv2-m4000-01:1280/rpaf_test/1.xml

[no cookies]

Request Headers:
Connection: keep-alive
X-Forwarded-For: 1.1.1.1
Accept: */*
Host: srv2-m4000-01:1280
User-Agent: Apache-HttpClient/4.1.2 (java 1.5)

Response:
Response code: 403

LOGS:
access_log.2013.09.16:
ivoronin.net.billing.ru 1.1.1.1 - - [16/Sep/2013:10:52:09 +0400] "GET" "GET /rpaf_test/1.xml HTTP/1.1&" "&" 403 694 "-" "Apache-HttpClient/4.1.2 (java 1.5)" pid=13348 tid=27 time_ms=129185

error_log.2013.09.16:
[Mon Sep 16 10:51:12 2013] [debug] src/mod_rpaf-0.6.4/mod_rpaf-2.0.c(145): [client 172.20.106.70] mod_rpaf: starting change_remote_ip
[Mon Sep 16 10:51:12 2013] [debug] src/mod_rpaf-0.6.4/mod_rpaf-2.0.c(158): [client 172.20.106.70] mod_rpaf: change_remote_ip r->connection->remote_ip=172.20.106.70
[Mon Sep 16 10:51:12 2013] [debug] src/mod_rpaf-0.6.4/mod_rpaf-2.0.c(189): [client 1.1.1.1] mod_rpaf: change_remote_ip r->connection->remote_ip=1.1.1.1 r->connection->remote_addr=16843009 r->connection->remote_addr->sa.sin.sin_family=2
[Mon Sep 16 10:51:12 2013] [debug] src/mod_rpaf-0.6.4/mod_rpaf-2.0.c(230): [client 1.1.1.1] mod_rpaf: exit change_remote_ip DECLINED
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(308): [client 1.1.1.1] mod_authz_host: starting check_dir_access
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(222): [client 1.1.1.1] mod_authz_host: starting find_allowdeny method=0
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(236): [client 1.1.1.1] mod_authz_host: find_allowdeny ap[0].type=2
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(253): [client 1.1.1.1] mod_authz_host: exit find_allowdeny T_ALL retturn=1
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(222): [client 1.1.1.1] mod_authz_host: starting find_allowdeny method=0
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(236): [client 1.1.1.1] mod_authz_host: find_allowdeny ap[0].type=3
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(258): [client 1.1.1.1] mod_authz_host: find_allowdeny T_IP ap[0].x.ip(2;16843009;-1) retturn=1 r->connection->remote_addr(16843009;2)
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(236): [client 1.1.1.1] mod_authz_host: find_allowdeny ap[1].type=3
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(258): [client 1.1.1.1] mod_authz_host: find_allowdeny T_IP ap[1].x.ip(2;2130706433;-1) retturn=1 r->connection->remote_addr(16843009;2)
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(236): [client 1.1.1.1] mod_authz_host: find_allowdeny ap[2].type=4
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(297): [client 1.1.1.1] mod_authz_host: exit find_allowdeny retturn=0
[Mon Sep 16 10:51:12 2013] [error] [client 1.1.1.1] client denied by server configuration: /import/home/ivan.voronin/tmp/solaris/023.00/apache2/htdocs/rpaf_test
[Mon Sep 16 10:51:12 2013] [debug] mod_authz_host.c(349): [client 1.1.1.1] mod_authz_host: exit check_dir_access ret=403

vivanv (Author) commented Sep 16, 2013

with my patch:

GET http://srv2-m4000-01:1280/rpaf_test/1.xml

[no cookies]

Request Headers:
Connection: keep-alive
X-Forwarded-For: 1.1.1.1
Accept: */*
Host: srv2-m4000-01:1280
User-Agent: Apache-HttpClient/4.1.2 (java 1.5)

access_log.2013.09.16:
1.1.1.1 1.1.1.1 - - [16/Sep/2013:11:08:57 +0400] "GET" "GET /rpaf_test/1.xml HTTP/1.1&" "&" 200 63 "-" "Apache-HttpClient/4.1.2 (java 1.5)" pid=4531 tid=27 time_ms=106169


GET http://srv2-m4000-01:1280/rpaf_test/1.xml

[no cookies]

Request Headers:
Connection: keep-alive
X-Forwarded-For: 1.1.1.2
Accept: */*
Host: srv2-m4000-01:1280
User-Agent: Apache-HttpClient/4.1.2 (java 1.5)

Response code: 403

access_log.2013.09.16:
1.1.1.2 1.1.1.2 - - [16/Sep/2013:11:11:59 +0400] "GET" "GET /rpaf_test/1.xml HTTP/1.1&" "&" 403 694 "-" "Apache-HttpClient/4.1.2 (java 1.5)" pid=4531 tid=27 time_ms=95301
