Fix @rbl false-negative when getaddrinfo returns IPv6 first#116

Open

Easton97-Jens wants to merge 1 commit into

codex/propose-fix-for-rbl-false-negative

Owner

Easton97-Jens commented May 28, 2026

Motivation

Fix a security-regression in Rbl::evaluate() where getaddrinfo() could return an AF_INET6 entry before a valid AF_INET RBL response and the code returned false after inspecting only the first addrinfo, causing possible fail-open behavior for @rbl rules.

Description

Iterate the entire addrinfo linked list returned by getaddrinfo() and select the first AF_INET entry to populate the sockaddr_in and call furtherInfo(); only return false after scanning all results and finding no IPv4 entry (changes in src/operators/rbl.cc).

Testing

Ran test -d build, attempted cmake --build build -j2 --target modsecurity (failed with Error: could not load cache due to local build cache/config state), and verified the source diff and affected lines with git diff and nl -ba src/operators/rbl.cc to confirm the intended change.


          Fix RBL lookup to handle IPv6-first addrinfo results

c67db08

Easton97-Jens added aardvark codex labels

— with

ChatGPT Codex Connector

sonarqubecloud Bot commented May 28, 2026

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels