@ipMatch misses IP with multiple values #2893

Open
@marcstern

v2 master in httpd.
The following rule works correctly (matches 192.168.59.1 with 192.168.0.0/16):
SecRule "REMOTE_ADDR" "@ipMatch 192.168.0.0/16" ...
However, when the IP is mixed with several other ones, it doesn't perform the matching correctly (it should match 192.168.59.1 with 192.168.0.0/16).

Example from the debug log (with a huge number of IPs, I agree):

  • Rule 22a21f63bd0: SecRule "REMOTE_ADDR" "@ipMatch 212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,127.0.0.1,127.0.0.1,127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,81.243.240.179,104.40.205.115,212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,10.201.11.231/28,10.201.21.231/28,185.248.206.0/22,176.124.43.192/26,10.201.10.203/29,10.201.10.41,151.216.16.0/20,185.161.121.0/24,193.101.184.0/24,149.36.6.0/24,195.190.82.0/24,194.51.35.0/24,185.194.166.0/24,185.194.167.0/24,47.91.28.27,47.245.0.176,47.245.4.189,8.209.115.195,212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,176.124.43.192/26,10.201.10.203/29,10.201.10.41,127.0.0.1,127.0.0.1,10.201.11.231/28,10.201.21.231/28,127.0.0.1,127.0.0.1,81.243.240.179,104.40.205.115,212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,10.201.11.231/28,10.201.21.231/28,185.248.206.0/22,176.124.43.192/26,10.201.10.203/29,10.201.10.41,151.216.16.0/20,185.161.121.0/24,193.101.184.0/24,149.36.6.0/24,195.190.82.0/24,194.51.35.0/24,185.194.166.0/24,185.194.167.0/24,47.91.28.27,47.245.0.176,47.245.4.189,8.209.115.195,127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1,127.0.0.1,10.190.10.0/24,81.243.240.179,104.40.205.115" "phase:1,t:none,nolog,noauditlog,pass"
  • Transformation completed in 0 usec.
  • Executing operator "ipMatch" with param "212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,127.0.0.1,127.0.0.1,127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,81.243.240.179,104.40.205.115,212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,10.201.11.231/28,10.201.21.231/28,185.248.206.0/22,176.124.43.192/26,10.201.10.203/29,10.201.10.41,151.216.16.0/20,185.161.121.0/24,193.101.184.0/24,149.36.6.0/24,195.190.82.0/24,194.51.35.0/24,185.194.166.0/24,185.194.167.0/24,47.91.28.27,47.245.0.176,47.245.4.189,8.209.115.195,212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,176.124.43.192/26,10.201.10.203/29,10.201.10.41,127.0.0.1,127.0.0.1,10.201.11.231/28,10.201.21.231/28,127.0.0.1,127.0.0.1,81.243.240.179,104.40.205.115,212.222.125.64/26,10.128.2.0/24,10.128.5.0/24,10.128.26.0/24,10.135.40.0/23,10.135.45.0/24,10.201.11.231/28,10.201.21.231/28,185.248.206.0/22,176.124.43.192/26,10.201.10.203/29,10.201.10.41,151.216.16.0/20,185.161.121.0/24,193.101.184.0/24,149.36.6.0/24,195.190.82.0/24,194.51.35.0/24,185.194.166.0/24,185.194.167.0/24,47.91.28.27,47.245.0.176,47.245.4.189,8.209.115.195,127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1,127.0.0.1,10.190.10.0/24,81.243.240.179,104.40.205.115" against REMOTE_ADDR.
  • Target value: "192.168.59.1"
  • Operator completed in 0 usec.
  • Rule returned 0.
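
An independent cross-check of what a comma-separated `@ipMatch` list should return for a given address, as an added example that is not part of the issue or of ModSecurity's code. The function names and the shortened `SAMPLE` list (built from entries in the rule above) are assumptions, and the matching follows Python's `ipaddress` semantics, not ModSecurity's parser.

```python
import ipaddress
from collections import Counter

# Constructed sample: a shortened subset of the entries in the rule above.
SAMPLE = ("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1,127.0.0.1,"
          "10.201.11.231/28,10.201.10.203/29,192.168.0.0/16")


def parse_ipmatch_param(param):
    """Split an @ipMatch parameter into (raw entry, network) pairs."""
    entries = []
    for raw in param.split(","):
        raw = raw.strip()
        if not raw:
            continue
        # strict=False accepts entries whose host bits are set,
        # e.g. 10.201.11.231/28 is read as 10.201.11.224/28.
        entries.append((raw, ipaddress.ip_network(raw, strict=False)))
    return entries


def expected_matches(param, target):
    """Return the distinct list entries that contain target, in list order."""
    addr = ipaddress.ip_address(target)
    hits = [raw for raw, net in parse_ipmatch_param(param)
            if addr.version == net.version and addr in net]
    return list(dict.fromkeys(hits))


def lint(param):
    """Describe the list: repeated entries and CIDRs with host bits set.

    This only reports properties of the list; it does not identify the
    cause of the miss reported in the issue.
    """
    entries = parse_ipmatch_param(param)
    counts = Counter(raw for raw, _ in entries)
    duplicates = sorted(r for r, n in counts.items() if n > 1)
    host_bits = sorted({raw for raw, net in entries
                        if "/" in raw and raw != str(net)})
    return {"duplicates": duplicates, "host_bits_set": host_bits}


if __name__ == "__main__":
    print(expected_matches(SAMPLE, "192.168.59.1"))
    print(lint(SAMPLE))
```

Passing the full parameter string from the debug log in place of `SAMPLE` gives the expected result to compare against the `Rule returned 0` line.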

Labels: 2.x (Related to ModSecurity version 2.x), Platform - Apache, bug (It is a confirmed bug)