ouch/inspircd
2
0
Fork 0
mirror of https://github.com/inspircd/inspircd.git synced 2025-03-08 17:19:01 -05:00
Code Issues Packages Projects Releases Wiki Activity

Scope the container SSL enforcement a bit better.

Browse Source
This commit is contained in:
Sadie Powell 2025-03-02 13:06:35 +00:00
parent 42afdfd072
commit 9c15165021
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/modules/m_spanningtree/server.cpp
View File

@ -37,10 +37,18 @@
namespace
{
bool RunningInContainer()
bool IsContainerAddress(const irc::sockets::sockaddrs& sa)
{
std::error_code ec;
return std::filesystem::is_regular_file("/.dockerenv", ec);
if (std::filesystem::is_regular_file("/.dockerenv", ec))
{
// We are running in docker, check for internal addresses.
if (irc::sockets::cidr_mask("172.17.0.0/16").match(sa))
return true; // docker0
if (irc::sockets::cidr_mask("172.18.0.0/16").match(sa))
return true; // docker_gwbridge.
}
return false;
}
}
@ -150,7 +158,7 @@ std::shared_ptr<Link> TreeSocket::AuthRemote(const CommandBase::Params& params)
ssliohook->GetCiphersuite(ciphersuite);
ServerInstance->SNO.WriteToSnoMask('l', "Negotiated ciphersuite {} on link {}", ciphersuite, x->Name);
}
else if (!capab->remotesa.is_local() && !RunningInContainer())
else if (!capab->remotesa.is_local() && !IsContainerAddress(capab->remotesa))
{
this->SendError("Non-local server connections MUST be linked with SSL!");
return nullptr;