CGI-ACL
view release on metacpan or search on metacpan
Sets `$self->{deny_cloud}` to `1`.
### NOTES
IPv4 and IPv6 clients are both subject to the cloud check. A client with
no reverse DNS record, or whose forward confirmation fails, is treated as
a non-cloud host and allowed through the cloud check (though it may still
be denied by other rules).
DNS lookups are performed synchronously. On non-Windows platforms a
`$DNS_TIMEOUT`-second alarm is used to prevent indefinite blocking.
### API SPECIFICATION
#### Input
# No parameters accepted.
{}
#### Output
lib/CGI/ACL.pm view on Meta::CPAN
Sets C<< $self->{deny_cloud} >> to C<1>.
=head3 NOTES
IPv4 and IPv6 clients are both subject to the cloud check. A client with
no reverse DNS record, or whose forward confirmation fails, is treated as
a non-cloud host and allowed through the cloud check (though it may still
be denied by other rules).
DNS lookups are performed synchronously. On non-Windows platforms a
C<$DNS_TIMEOUT>-second alarm is used to prevent indefinite blocking.
=head3 API SPECIFICATION
=head4 Input
# No parameters accepted.
{}
=head4 Output
lib/CGI/ACL.pm view on Meta::CPAN
# Step 2: forward lookup (hostname -> IP list)
@forward_ips = _rdns_forward($hostname, $family);
}
# Cancel the alarm inside the eval to avoid a post-eval race
alarm(0);
};
# Belt-and-suspenders: ensure the alarm is always cancelled
alarm(0);
return if $@ || !$hostname;
} else {
# Windows: no alarm support; perform lookups synchronously
$hostname = gethostbyaddr($packed, $family) or return;
# Forward lookup to confirm the hostname maps back to the original IP
@forward_ips = _rdns_forward($hostname, $family);
}
# Step 3: the hostname is only trusted if a forward record confirms the IP
return (grep { $_ eq $canonical } @forward_ips) ? $hostname : undef;
}
t/extended_tests.t view on Meta::CPAN
# gethostbyaddr should return undef, exercising the !$hostname branch.
diag "calling _verified_rdns on no-PTR IP $config{RFC5737_IP}" if $ENV{TEST_VERBOSE};
my $result = CGI::ACL::_verified_rdns($config{RFC5737_IP});
is($result, undef, 'no-PTR address returns undef via !$hostname branch');
};
# âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
# WINDOWS PLATFORM PATH (unreachable on non-Windows)
# Lines 923-929 in lib/CGI/ACL.pm contain the Windows synchronous code path
# (no alarm, direct gethostbyaddr + _rdns_forward). These lines execute only
# when $^O eq 'MSWin32'. On macOS/Linux they are DEAD CODE and cannot be
# covered without mocking $^O itself, which is a Readonly built-in.
#
# COMMENTED OUT â shown here for review. Do not enable unless running on
# Windows where the coverage will naturally be collected by the normal DNS
# tests.
#
# subtest '_verified_rdns(): Windows synchronous path' => sub {
# plan skip_all => 'only on Windows' unless $^O eq 'MSWin32';
# # On Windows, $^O is 'MSWin32', so gethostbyaddr and _rdns_forward
# # are called without an alarm. Lines 925-928 execute here.
# my $guard = mock_scoped 'CGI::ACL::_rdns_forward'
# => sub { ($config{LOCAL_IP}) };
# my $result = CGI::ACL::_verified_rdns($config{LOCAL_IP});
# ok(defined $result, 'Windows path returns hostname');
# };
# âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
( run in 0.538 second using v1.01-cache-2.11-cpan-9581c071862 )