From 3a8103ae4738824ebb27a9a739e253740580ed36 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Mon, 17 Nov 2014 09:22:13 +0100
Subject: [PATCH] Fixed bug #68428 allowed_client is IPv4 only

---
 sapi/fpm/fpm/fastcgi.c | 72 +++++++++++++++++++++++++++++++++++---------------
 1 file changed, 50 insertions(+), 22 deletions(-)

diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index d1db0ec..36e37b7 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars;
 
 static int is_initialized = 0;
 static int in_shutdown = 0;
-static in_addr_t *allowed_clients = NULL;
+static sa_t *allowed_clients = NULL;
 
 static sa_t client_sa;
 
@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip)
 				*end = 0;
 				end++;
 			}
-			allowed_clients[n] = inet_addr(cur);
-			if (allowed_clients[n] == INADDR_NONE) {
+			if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) {
+				allowed_clients[n].sa.sa_family = AF_INET;
+				n++;
+			} else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) {
+				allowed_clients[n].sa.sa_family = AF_INET6;
+				n++;
+			} else {
 				zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur);
 			}
-			n++;
 			cur = end;
 		}
-		allowed_clients[n] = INADDR_NONE;
+		allowed_clients[n].sa.sa_family = 0;
 		free(ip);
 	}
 }
@@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy)
 	}
 }
 
+static int fcgi_is_allowed() {
+	int i;
+
+	if (client_sa.sa.sa_family == AF_UNIX) {
+		return 1;
+	}
+	if (!allowed_clients) {
+		return 1;
+	}
+	if (client_sa.sa.sa_family == AF_INET) {
+		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
+			if (allowed_clients[i].sa.sa_family == AF_INET
+				&& !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) {
+				return 1;
+			}
+		}
+	}
+	if (client_sa.sa.sa_family == AF_INET6) {
+		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
+			if (allowed_clients[i].sa.sa_family == AF_INET6
+				&& !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) {
+				return 1;
+			}
+#ifdef IN6_IS_ADDR_V4MAPPED
+			if (allowed_clients[i].sa.sa_family == AF_INET
+			    && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)
+				&& !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) {
+				return 1;
+			}
+#endif
+		}
+	}
+
+	zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip());
+	return 0;
+}
+
 int fcgi_accept_request(fcgi_request *req)
 {
 #ifdef _WIN32
@@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req)
 					FCGI_UNLOCK(req->listen_socket);
 
 					client_sa = sa;
-					if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) {
-						int n = 0;
-						int allowed = 0;
-
-						while (allowed_clients[n] != INADDR_NONE) {
-							if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
-								allowed = 1;
-								break;
-							}
-							n++;
-						}
-						if (!allowed) {
-							zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr));
-							closesocket(req->fd);
-							req->fd = -1;
-							continue;
-						}
+					if (req->fd >= 0 && !fcgi_is_allowed()) {
+						closesocket(req->fd);
+						req->fd = -1;
+						continue;
 					}
 				}
 
-- 
2.1.0