security improvement proposal: pg_hba.conf and CIDR mask wrote:
> The following bug has been logged online:
>
> Bug reference: 4433
> Logged by: security improvement proposal: pg_hba.conf and CIDR
> mask
> Email address: marc@intershop.de
> PostgreSQL version: 8.2.4
> Operating system: Linux
> Description: entries like "host all all 10.0.50.31/0 ..."
> should not be allowed or trigger a warning
> Details:
>
> Hello,
>
> not really a bug, but a possible security issue for wrongly configured
> installations.
>
> A CIDR mask length of 0 will allow to connect from any location. I did this
> mistake as I didn't read the documentation carefully enough.
>
> Checking the mask against the IP address would prevent such errors:
>
> /0 : disallow ?
0.0.0.0/0 should continue to be accepted.
> /24 : IP must ends with .0
> /16 : IP must ends with .0.0
If you're going to do that, you might as well enforce it for any CIDR
subnet and say that the address given must be the network address, not a
host address within the network. That way it works for non-multiple-of-8
CIDR subnets too.
--
Craig Ringer