diff --git a/varnish/blockinator.vcl b/varnish/blockinator.vcl
index 0430bf0..ef86696 100644
--- a/varnish/blockinator.vcl
+++ b/varnish/blockinator.vcl
@@ -40,10 +40,16 @@ C{
 {
 char *sqlite3_error;
- if (atoi(argv[0]) > 0) {
+ /*
+ argv[0] - number of matches
+ argv[1] - remote_ip from SQL statement
+
+ Check that we have valid results and double check IP before blocking
+ */
+ if (argc > 0 && atoi(argv[0]) > 0 && strcmp(argv[1], remote_ip) == 0) {
 /* Any results indicate a block */
- syslog(LOG_INFO, "Blocklist match found for %s. (Forwarded_IP: %s, User-Agent: %s, Cookie: %s)", remote_ip, forwarded_ip, useragent, cookie);
- VRT_SetHdr(sp, HDR_REQ, "\010X-Block:", "1", vrt_magic_string_end);
+ syslog(LOG_INFO, "Blocklist match found for %s/%s. (Forwarded_IP: %s, User-Agent: %s, Cookie: %s)", remote_ip, argv[1], forwarded_ip, useragent, cookie);
+ VRT_SetHdr(sp, HDR_REQ, "\010X-Block:", remote_ip, vrt_magic_string_end);
 }
 return 0;
diff --git a/varnish/blocklist-check.vcl b/varnish/blocklist-check.vcl
index e1e6778..8fb2ac6 100644
--- a/varnish/blocklist-check.vcl
+++ b/varnish/blocklist-check.vcl
@@ -9,7 +9,7 @@ C{
 char *safecookie = str_replace(cookie, "'", "''");
- snprintf(statement, BUFSIZ, "SELECT COUNT(*) FROM blocklist WHERE remote_ip = '%s' AND (forwarded_ip = 'ANY' OR forwarded_ip = '%s') AND (useragent = 'ANY' OR useragent = '%s') AND (cookie = 'ANY' OR instr('%s', cookie))", remote_ip, forwarded_ip, useragent, safecookie);
+ snprintf(statement, BUFSIZ, "SELECT COUNT(*), remote_ip FROM blocklist WHERE remote_ip = '%s' AND (forwarded_ip = 'ANY' OR forwarded_ip = '%s') AND (useragent = 'ANY' OR useragent = '%s')", remote_ip, forwarded_ip, useragent);
 sqlite3_init();
 if (sqlite3_exec(db, statement, resultHandler, sp, &sqlite3_error) != SQLITE_OK) {
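Review bot: The new guard in resultHandler reads argv[1] but only checks `argc > 0`, which proves argv[0] exists and nothing more; the condition should be `if (argc > 1 && atoi(argv[0]) > 0 && strcmp(argv[1], remote_ip) == 0) {`. Keep the count test ahead of the strcmp: with `SELECT COUNT(*), remote_ip` a row is still delivered when nothing matched, and argv[1] is then a NULL pointer (sqlite3_exec passes NULL column values as NULL), which strcmp must never see. VRT_SetHdr now writes remote_ip into X-Block instead of the literal "1", so any VCL that compares the header against "1" (not visible in this diff) would silently stop matching; a comment on that line such as `/* X-Block carries the blocked client IP; consumers must test for presence, not for "1" */` would make the new contract explicit. The signature and closing brace of resultHandler lie outside the hunk.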
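Review bot: The rewritten statement still splices remote_ip, forwarded_ip and useragent into the SQL text through bare `'%s'`, and unlike the cookie clause this commit drops, none of them passes through str_replace for quote escaping, so a header value containing a single quote is not treated as data and can alter the WHERE clause. The robust fix is to stop formatting the query with snprintf and use sqlite3_prepare_v2 with `?` placeholders plus sqlite3_bind_text; that also removes the unchecked snprintf return, where a statement longer than BUFSIZ is silently truncated before it reaches sqlite3_exec. The new line also leaves `safecookie` computed but unused; if str_replace allocates, the call should go or its result be freed. The sketch below keeps the sqlite3_exec error path in place only as a marker, since resultHandler (in blockinator.vcl) would need to be folded in or adapted to the stepped statement, and the enclosing C{ block starts before and ends after the hunk.
```c
sqlite3_stmt *stmt = NULL;
const char *sql = "SELECT COUNT(*), remote_ip FROM blocklist WHERE remote_ip = ? "
                  "AND (forwarded_ip = 'ANY' OR forwarded_ip = ?) "
                  "AND (useragent = 'ANY' OR useragent = ?)";
sqlite3_init();
if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) != SQLITE_OK) {
    /* … unchanged: existing sqlite3_error handling, using sqlite3_errmsg(db) … */
}
/* bound parameters are sent as data, never parsed as SQL */
sqlite3_bind_text(stmt, 1, remote_ip, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 2, forwarded_ip, -1, SQLITE_STATIC);
sqlite3_bind_text(stmt, 3, useragent, -1, SQLITE_STATIC);
if (sqlite3_step(stmt) == SQLITE_ROW && sqlite3_column_int(stmt, 0) > 0) {
    /* … block decision: same syslog/VRT_SetHdr as resultHandler … */
}
sqlite3_finalize(stmt);
```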