CGI-ACL

 view release on metacpan or  search on metacpan

README.md  view on Meta::CPAN


Sets `$self->{deny_cloud}` to `1`.

### NOTES

IPv4 and IPv6 clients are both subject to the cloud check.  A client with
no reverse DNS record, or whose forward confirmation fails, is treated as
a non-cloud host and allowed through the cloud check (though it may still
be denied by other rules).

DNS lookups are performed synchronously.  On non-Windows platforms a
`$DNS_TIMEOUT`-second alarm is used to prevent indefinite blocking.

### API SPECIFICATION

#### Input

    # No parameters accepted.
    {}

#### Output

lib/CGI/ACL.pm  view on Meta::CPAN


Sets C<< $self->{deny_cloud} >> to C<1>.

=head3 NOTES

IPv4 and IPv6 clients are both subject to the cloud check.  A client with
no reverse DNS record, or whose forward confirmation fails, is treated as
a non-cloud host and allowed through the cloud check (though it may still
be denied by other rules).

DNS lookups are performed synchronously.  On non-Windows platforms a
C<$DNS_TIMEOUT>-second alarm is used to prevent indefinite blocking.

=head3 API SPECIFICATION

=head4 Input

    # No parameters accepted.
    {}

=head4 Output

lib/CGI/ACL.pm  view on Meta::CPAN

				# Step 2: forward lookup (hostname -> IP list)
				@forward_ips = _rdns_forward($hostname, $family);
			}
			# Cancel the alarm inside the eval to avoid a post-eval race
			alarm(0);
		};
		# Belt-and-suspenders: ensure the alarm is always cancelled
		alarm(0);
		return if $@ || !$hostname;
	} else {
		# Windows: no alarm support; perform lookups synchronously
		$hostname = gethostbyaddr($packed, $family) or return;

		# Forward lookup to confirm the hostname maps back to the original IP
		@forward_ips = _rdns_forward($hostname, $family);
	}

	# Step 3: the hostname is only trusted if a forward record confirms the IP
	return (grep { $_ eq $canonical } @forward_ips) ? $hostname : undef;
}

t/extended_tests.t  view on Meta::CPAN

	# gethostbyaddr should return undef, exercising the !$hostname branch.
	diag "calling _verified_rdns on no-PTR IP $config{RFC5737_IP}" if $ENV{TEST_VERBOSE};

	my $result = CGI::ACL::_verified_rdns($config{RFC5737_IP});

	is($result, undef, 'no-PTR address returns undef via !$hostname branch');
};

# ─────────────────────────────────────────────────────────────────────────────
# WINDOWS PLATFORM PATH (unreachable on non-Windows)
# Lines 923-929 in lib/CGI/ACL.pm contain the Windows synchronous code path
# (no alarm, direct gethostbyaddr + _rdns_forward).  These lines execute only
# when $^O eq 'MSWin32'.  On macOS/Linux they are DEAD CODE and cannot be
# covered without mocking $^O itself, which is a Readonly built-in.
#
# COMMENTED OUT — shown here for review.  Do not enable unless running on
# Windows where the coverage will naturally be collected by the normal DNS
# tests.
#
# subtest '_verified_rdns(): Windows synchronous path' => sub {
#     plan skip_all => 'only on Windows' unless $^O eq 'MSWin32';
#     # On Windows, $^O is 'MSWin32', so gethostbyaddr and _rdns_forward
#     # are called without an alarm.  Lines 925-928 execute here.
#     my $guard = mock_scoped 'CGI::ACL::_rdns_forward'
#         => sub { ($config{LOCAL_IP}) };
#     my $result = CGI::ACL::_verified_rdns($config{LOCAL_IP});
#     ok(defined $result, 'Windows path returns hostname');
# };
# ─────────────────────────────────────────────────────────────────────────────



( run in 0.665 second using v1.01-cache-2.11-cpan-9581c071862 )