Protect webserver::bans and webserver::allowances

fchevassu-antidot · etr · commit 81067eff8c53 · 2026-01-27T11:08:03.000-08:00
diff --git a/src/httpserver/webserver.hpp b/src/httpserver/webserver.hpp
@@ -184,6 +184,7 @@ class webserver {
      std::map<details::http_endpoint, http_resource*> registered_resources;
      std::map<std::string, http_resource*> registered_resources_str;
 
+     std::shared_mutex bans_and_allowances_mutex;
      std::set<http::ip_representation> bans;
      std::set<http::ip_representation> allowances;
 
diff --git a/src/webserver.cpp b/src/webserver.cpp
@@ -379,6 +379,7 @@ void webserver::unregister_resource(const string& resource) {
 }
 
 void webserver::ban_ip(const string& ip) {
+    std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);
     ip_representation t_ip(ip);
     set<ip_representation>::iterator it = bans.find(t_ip);
     if (it != bans.end() && (t_ip.weight() < (*it).weight())) {
@@ -390,6 +391,7 @@ void webserver::ban_ip(const string& ip) {
 }
 
 void webserver::allow_ip(const string& ip) {
+    std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);
     ip_representation t_ip(ip);
     set<ip_representation>::iterator it = allowances.find(t_ip);
     if (it != allowances.end() && (t_ip.weight() < (*it).weight())) {
@@ -401,10 +403,12 @@ void webserver::allow_ip(const string& ip) {
 }
 
 void webserver::unban_ip(const string& ip) {
+    std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);
     bans.erase(ip_representation(ip));
 }
 
 void webserver::disallow_ip(const string& ip) {
+    std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);
     allowances.erase(ip_representation(ip));
 }
 
@@ -451,6 +455,7 @@ MHD_Result policy_callback(void *cls, const struct sockaddr* addr, socklen_t add
 
     if (!(static_cast<webserver*>(cls))->ban_system_enabled) return MHD_YES;
 
+    std::shared_lock bans_and_allowances_lock((static_cast<webserver*>(cls))->bans_and_allowances_mutex);
     if ((((static_cast<webserver*>(cls))->default_policy == http_utils::ACCEPT) &&
                 ((static_cast<webserver*>(cls))->bans.count(ip_representation(addr))) &&
                 (!(static_cast<webserver*>(cls))->allowances.count(ip_representation(addr)))) ||

Original file line number	Diff line number	Diff line change
`@@ -379,6 +379,7 @@ void webserver::unregister_resource(const string& resource) {`
`379`	`379`	`}`
`380`	`380`
`381`	`381`	`void webserver::ban_ip(const string& ip) {`
	`382`	`+ std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);`
`382`	`383`	`ip_representation t_ip(ip);`
`383`	`384`	`set<ip_representation>::iterator it = bans.find(t_ip);`
`384`	`385`	`if (it != bans.end() && (t_ip.weight() < (*it).weight())) {`
`@@ -390,6 +391,7 @@ void webserver::ban_ip(const string& ip) {`
`390`	`391`	`}`
`391`	`392`
`392`	`393`	`void webserver::allow_ip(const string& ip) {`
	`394`	`+ std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);`
`393`	`395`	`ip_representation t_ip(ip);`
`394`	`396`	`set<ip_representation>::iterator it = allowances.find(t_ip);`
`395`	`397`	`if (it != allowances.end() && (t_ip.weight() < (*it).weight())) {`
`@@ -401,10 +403,12 @@ void webserver::allow_ip(const string& ip) {`
`401`	`403`	`}`
`402`	`404`
`403`	`405`	`void webserver::unban_ip(const string& ip) {`
	`406`	`+ std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);`
`404`	`407`	`bans.erase(ip_representation(ip));`
`405`	`408`	`}`
`406`	`409`
`407`	`410`	`void webserver::disallow_ip(const string& ip) {`
	`411`	`+ std::unique_lock bans_and_allowances_lock(bans_and_allowances_mutex);`
`408`	`412`	`allowances.erase(ip_representation(ip));`
`409`	`413`	`}`
`410`	`414`
`@@ -451,6 +455,7 @@ MHD_Result policy_callback(void cls, const struct sockaddr addr, socklen_t add`
`451`	`455`
`452`	`456`	`if (!(static_cast<webserver*>(cls))->ban_system_enabled) return MHD_YES;`
`453`	`457`
	`458`	`+ std::shared_lock bans_and_allowances_lock((static_cast<webserver*>(cls))->bans_and_allowances_mutex);`
`454`	`459`	`if ((((static_cast<webserver*>(cls))->default_policy == http_utils::ACCEPT) &&`
`455`	`460`	`((static_cast<webserver*>(cls))->bans.count(ip_representation(addr))) &&`
`456`	`461`	`(!(static_cast<webserver*>(cls))->allowances.count(ip_representation(addr)))) \|\|`