diff -Nru hylafax-4.2.0.orig/hfaxd/InetFaxServer.c++ hylafax-4.2.0/hfaxd/InetFaxServer.c++
--- hylafax-4.2.0.orig/hfaxd/InetFaxServer.c++ Mon Dec 27 14:10:09 2004
+++ hylafax-4.2.0/hfaxd/InetFaxServer.c++ Tue Dec 28 10:49:52 2004
@@ -177,16 +177,14 @@
/*
* Check host identity returned by gethostbyaddr to
* weed out clients trying to spoof us (this is mostly
- * a sanity check; it's still trivial to spoof).
- * If the name returned by gethostbyaddr is in our domain,
- * look up the name and check that the peer's address
+ * a sanity check; if they have full control of DNS
+ * they can still spoof)
+ * Look up the name and check that the peer's address
* corresponds to the host name.
*/
bool
InetFaxServer::checkHostIdentity(hostent*& hp)
{
- if (!isLocalDomain(hp->h_name)) // not local, don't check
- return (true);
fxStr name(hp->h_name); // must copy static value
hp = Socket::gethostbyname(name);
if (hp) {
diff -Nru hylafax-4.2.0.orig/hfaxd/User.c++ hylafax-4.2.0/hfaxd/User.c++
--- hylafax-4.2.0.orig/hfaxd/User.c++ Mon Dec 27 14:10:21 2004
+++ hylafax-4.2.0/hfaxd/User.c++ Tue Dec 28 11:00:32 2004
@@ -136,16 +136,26 @@
* must supply. The next field is the password that
* must be presented to gain administrative privileges.
*
+ * If the regex is a single word (no @ sign), we take it
+ * as a host only short form for (^[^@]*@
+ *
* If the first character of the is a ``!''
* then the line specifies user(s) to disallow; a match
* causes the user to be rejected w/o a password prompt.
* This facility is mainly for backwards compatibility.
*/
char* cp;
+ bool userandhost = false;
for (cp = line; *cp && *cp != ':'; cp++)
- ;
+ if (*cp == '@') userandhost = true;
+
const char* base = &line[line[0] == '!'];
- RE pat(base, cp-base);
+ fxStr pattern(base, cp-base);
+ if (! userandhost) {
+ pattern.insert("^.*@");
+ pattern.append("$");
+ }
+ RE pat(pattern);
if (line[0] == '!') { // disallow access on match
if (pat.Find(dotform) || pat.Find(hostform))
return (false);