dovecot-2.0: config: Added some nesting requirements to remote_i...

[dovecot at dovecot.org]

details:   http://hg.dovecot.org/dovecot-2.0/rev/d3d8ba13faa6
changeset: 9860:d3d8ba13faa6
user:      Timo Sirainen <tss at iki.fi>
date:      Thu Sep 03 17:12:16 2009 -0400
description:
config: Added some nesting requirements to remote_ip, local_ip and protocol.

diffstat:

1 file changed, 27 insertions(+), 5 deletions(-)
src/config/config-parser.c |   32 +++++++++++++++++++++++++++-----

diffs (49 lines):

diff -r f9ca1a1ebcf8 -r d3d8ba13faa6 src/config/config-parser.c
--- a/src/config/config-parser.c	Thu Sep 03 16:36:38 2009 -0400
+++ b/src/config/config-parser.c	Thu Sep 03 17:12:16 2009 -0400
@@ -206,18 +206,40 @@ config_filter_add_new_filter(struct pars
 			     const char **error_r)
 {
 	struct config_filter *filter = &ctx->cur_section->filter;
+	struct config_filter *parent = &ctx->cur_section->prev->filter;
 	struct config_filter_parser *parser;
 
 	if (strcmp(key, "protocol") == 0) {
-		filter->service = p_strdup(ctx->pool, value);
+		if (parent->service != NULL)
+			*error_r = "protocol must not be under protocol";
+		else
+			filter->service = p_strdup(ctx->pool, value);
 	} else if (strcmp(key, "local_ip") == 0) {
-		if (net_parse_range(value, &filter->local_net,
-				    &filter->local_bits) < 0)
+		if (parent->remote_bits > 0)
+			*error_r = "local_ip must not be under remote_ip";
+		else if (parent->service != NULL)
+			*error_r = "local_ip must not be under protocol";
+		else if (net_parse_range(value, &filter->local_net,
+					 &filter->local_bits) < 0)
 			*error_r = "Invalid network mask";
+		else if (parent->local_bits > filter->local_bits ||
+			 (parent->local_bits > 0 &&
+			  !net_is_in_network(&filter->local_net,
+					     &parent->local_net,
+					     parent->local_bits)))
+			*error_r = "local_ip not a subset of parent local_ip";
 	} else if (strcmp(key, "remote_ip") == 0) {
-		if (net_parse_range(value, &filter->remote_net,
-				    &filter->remote_bits) < 0)
+		if (parent->service != NULL)
+			*error_r = "remote_ip must not be under protocol";
+		else if (net_parse_range(value, &filter->remote_net,
+					 &filter->remote_bits) < 0)
 			*error_r = "Invalid network mask";
+		else if (parent->remote_bits > filter->remote_bits ||
+			 (parent->remote_bits > 0 &&
+			  !net_is_in_network(&filter->remote_net,
+					     &parent->remote_net,
+					     parent->remote_bits)))
+			*error_r = "remote_ip not a subset of parent remote_ip";
 	} else {
 		return FALSE;
 	}