Include 0.0.0.0/8 in DNS rebind checks.

2025-12-19 18:28:25 +00:00 · 2015-08-03 21:52:12 +01:00
parent 63ec5d1264
commit d2aa7dfbb6
2 changed files with 9 additions and 1 deletions
--- a/7
+++ b/7
@@ -1,3 +1,10 @@
+version 2.76
+            Include 0.0.0.0/8 in DNS rebind checks. This range 
+	    translates to hosts on  the local network, or, at 
+	    least, 0.0.0.0 accesses the local host, so could
+	    be targets for DNS rebinding. See RFC 5735 section 3 
+	    for details. Thanks to Stephen Röttger for the bug report.
+	    
 version 2.75
            Fix reversion on 2.74 which caused 100% CPU use when a 
 	    dhcp-script is configured. Thanks to Adrian Davey for
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
  in_addr_t ip_addr = ntohl(addr.s_addr);

  return
-    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ || 
+    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
+    ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
    ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
    ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||