Bug 186659 - Hostnames with e.g. underscores are cut by webalizer - e.g. the domain part vanishes
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: webalizer
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Joe Orton
Reported: 2006-03-24 21:52 EST by Jarkko
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 2.01_10-30
Doc Type: Bug Fix
Last Closed: 2006-06-16 10:04:14 EDT

Attachments
The first patch (now obsolete!) (458 bytes, patch), 2006-03-24 21:52 EST, Jarkko
The second patch (now obsolete!) (1.67 KB, patch), 2006-03-27 16:42 EST, Jarkko
Fixed patch which is ANSI C compatible (2.14 KB, patch), 2006-03-27 17:46 EST, Jarkko
Corrected usage of strcmp (2.14 KB, patch), 2006-03-30 01:18 EST, Jarkko

Description Jarkko 2006-03-24 21:52:19 EST
I've already fixed this. Just add the patch to the spec and rebuild. :)

I hope at least fc5 and fc4 get this fix. Perhaps the fedoralegacy.org guys
could release a fix for fc3 etc. as well, as without this fix webalizer produces
inaccurate reports.
Comment 1 Jarkko 2006-03-24 21:52:20 EST
Created attachment 126688
The first patch (now obsolete!)
Comment 2 Jarkko 2006-03-24 21:54:22 EST
Oh, and before you ask; *yes* I tested the fix and it worked. :)
Comment 3 Jarkko 2006-03-25 02:21:05 EST
I just heard that hostnames should not contain underscores according to the RFC.
But, this bug is still a bug as webalizer was modifying values from DNS in
a way that the result was misinformation.
Comment 4 Jarkko 2006-03-27 16:27:23 EST
Ok, the RFCs aren't actually so clear about this (whether underscores are
allowed or not). Apparently underscores are allowed in hostnames which are never
used for services like web or email. So they *are* allowed in web server
*client* hostnames.

The line I removed contained a check for a valid hostname syntax. It was just in
a wrong place (or implemented in a wrong way as it cut the hostname). So, to
block possible cross site scripting attacks using reverse DNS... I added checks
for valid hostnames.

BUT, I also made Webalizer revert back to the IP whenever possible so that we
will get correct data in such cases instead of a cut hostname or a string
"Invalid" (I added that to be printed when no IP is available).

This patch fixes this bug + adds more checks for hostname validity to prevent
abuse. And, the main feature is that webalizer will fall back to the original IP
if the hostname is not valid.

I've already tested this patch in FC5 and FC3 (added it to the spec files and
rebuilt rpms). Everything worked ok.
Comment 5 Jarkko 2006-03-27 16:30:52 EST
Comment on attachment 126688
The first patch (now obsolete!)

--- webalizer-2.01-10/webalizer.c.hostname	2002-04-17 01:11:31.000000000
+0300
+++ webalizer-2.01-10/webalizer.c	2006-03-27 21:59:20.000000000 +0300
@@ -987,6 +987,9 @@
	     f_day=l_day=rec_day;
	  }

+	  /* Save IP address for later checks */
+	  char *ip = log_rec.hostname;
+
 #ifdef USE_DNS
	  /* Resolve IP address if needed */
	  if (dns_db)
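Review bot: the added line char *ip = log_rec.hostname; saves the address of the hostname buffer, not a copy of the address string, so if the USE_DNS block that follows writes the resolved name into log_rec.hostname, ip then points at the resolved name and no original IP is left to fall back to. Copy the string into a separate buffer before resolution instead. The declaration also comes after statements in the enclosing block, which C89 compilers reject; move it to the top of the block.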
@@ -996,13 +999,33 @@
	  }
 #endif

-	  /* lowercase hostname */
+	  /* lowercase hostname - and validity check */
	  cp1 = log_rec.hostname;
-	  while (*cp1 != '\0')
+	  int dot = 0;
+	  if (!isalnum((int)*cp1)) strncpy(log_rec.hostname,"Invalid",8);
+	  else
	  {
-	     if ( (*cp1>='A') && (*cp1<='Z') ) *cp1 += 'a'-'A';
-	     if ( (isalnum((int)*cp1))||(*cp1=='.')||(*cp1=='-') ) cp1++;
-	     else *cp1='\0';
+	     int invalid = 0;
+	     while (*cp1 != '\0')
+	     {
+		if ( (*cp1>='A') && (*cp1<='Z') ) *cp1 += 'a'-'A';
+		if (*cp1=='.') dot = 1;
+		if ( (isalnum((int)*cp1))||(*cp1=='.')||(*cp1=='-') ||
+		   (*cp1=='_' && dot==0) ) cp1++;
+		else
+		{
+		   if (!strcmp(log_rec.hostname,ip))
+		      strcpy(log_rec.hostname,ip);
+		   else
+		      strncpy(log_rec.hostname,"Invalid",8);
+		   invalid = 1; break;
+		}
+	     }
+	     if (!invalid)
+	     {
+		cp1--;
+		if (!isalnum((int)*cp1)) strncpy(log_rec.hostname,"Invalid",8);
+	     }
	  }

	  /* Catch blank hostnames here */
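Review bot: the fallback test in the else branch is inverted: if (!strcmp(log_rec.hostname,ip)) is true only when the two strings are already equal, so the strcpy changes nothing and every invalid name that differs from the IP is replaced by "Invalid"; the copy should run when strcmp returns non-zero. The source and destination of that strcpy can also be the same buffer, which strcpy does not allow. Separately, isalnum((int)*cp1) passes a plain char, which may be negative for bytes above 0x7f; cast through unsigned char before calling isalnum.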
Comment 6 Jarkko 2006-03-27 16:42:44 EST
Created attachment 126853
The second patch (now obsolete!)

Allow '_' in the first part of the hostname. Don't cut the hostname if invalid.
Revert to the original IP instead when possible. If not possible, set hostname
to string "Invalid".
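
The behaviour described in comments 4 and 6 (accept '_' only before the first dot, fall back to the logged IP, otherwise print "Invalid"), as an added C example that is not part of the bug report or of webalizer's source. The names hostname_ok and report_host are hypothetical, the IP is assumed to be in IPv4 dotted form, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not webalizer's code: returns 1 if name may be shown. */
static int hostname_ok(const char *name)
{
    size_t i, len = strlen(name);
    int seen_dot = 0;
    /* Must start and end with a letter or digit (this also rejects ""). */
    if (len == 0 || !isalnum((unsigned char)name[0]) ||
        !isalnum((unsigned char)name[len - 1]))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.')
            seen_dot = 1;
        else if (!isalnum(c) && c != '-' && !(c == '_' && !seen_dot))
            return 0;   /* '<', '"', spaces, '_' after the first dot, ... */
    }
    return 1;
}

/* Picks the name to print: the resolved name if valid, else the logged IP
   (assumed IPv4 dotted form, may be NULL), else the string "Invalid". */
const char *report_host(const char *resolved, const char *ip,
                        char *out, size_t outlen)
{
    const char *pick = "Invalid";
    size_t i;
    if (hostname_ok(resolved))
        pick = resolved;
    else if (ip != NULL && hostname_ok(ip))
        pick = ip;
    snprintf(out, outlen, "%s", pick);
    if (pick == resolved)               /* lowercase real hostnames only */
        for (i = 0; out[i] != '\0'; i++)
            out[i] = (char)tolower((unsigned char)out[i]);
    return out;
}

int main(void)
{
    char buf[64];   /* constructed sample inputs */
    puts(report_host("My_Host.Example.ORG", "192.0.2.7", buf, sizeof buf));
    puts(report_host("<script>.example.org", "192.0.2.7", buf, sizeof buf));
    puts(report_host("bad\"name", NULL, buf, sizeof buf));
    return 0;
}
```

Because the invalid name is replaced as a whole rather than cut at the first bad character, the report never shows a truncated hostname that looks like a different, valid one.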
Comment 7 Jarkko 2006-03-27 16:52:19 EST
Ok, *now* I'm just waiting for you to add this patch to the spec - waiting for
webalizer to appear in fc5/4/3 updates... Thanx. ;)
Comment 8 Jarkko 2006-03-27 17:46:35 EST
Created attachment 126860
Fixed patch which is ANSI C compatible

Sorry! The patch was not ANSI C compatible as the declarations were in the wrong
place. I moved them to the beginning. Should be ok now.
Comment 9 Jarkko 2006-03-30 01:18:58 EST
Created attachment 127042
Corrected usage of strcmp

Ouch, I was using strcmp the wrong way there. We need to revert to the IP when
the hostname is different than the IP - not when they are the same.
Comment 10 Joe Orton 2006-06-16 10:04:14 EDT
Thanks a lot for the patches, Jarkko (and sorry for the delay!) - I've committed
all of these; should hit Raw Hide once the test1 freeze is over.
