• Murray (unregistered)

    These wildcards don't make sense. There is no special significance to the division of IP addresses into bytes. The size of a subnet doesn't need to be divisible by 8.

  • (nodebb)

    Also note that permutations will not double any items – so 10.1.. will never go over 10.1.5.5, and ... will never produce 90.1.90.2 nor 106.106.106.106.

    Addendum 2019-07-16 06:46: dammit markdown, stripping my asterisks. 10.1.*.* and *.*.*.* respectively.

  • Feeling lucky (unregistered)

    The real WTF is that it's IPv4 only.

  • TheCuriousOne (unregistered)

    I'm curious as to the built-in methods used.

    On a side note, what's the purpose of expanding the possibles IP for the rule['host']: would it be enough to check the non wildcarded field ? as in if rule['host'] is '192.168..', you only have to check that your ip starts with 192.168. and you don't care what the rest is, right ?

  • Kuli (unregistered)

    I love the comments. They tell you so much what you wouldn't know otherwise.

    Oh, wait...

  • Argle (unregistered)

    I dunno. I'd like to know the experience level of the person who concocted this. An experienced programmer would ask "what if someone enters X?" I have gained experience from mistakes like this. In the early 90s I built a successful product where the member search used a simple binary tree. I did not foresee the problem when member lists shot over about 5000 on those old WFW machines. I see the mistake clearly now and at the time jumped at a hash method that cured the problem. Same thing again 10 years later when a friend an I put together a system we knew could handle folders with a few thousand files. We didn't anticipate someone having close to a million. I'm in some physical pain right now, so brain isn't working right to remember the big-name fax software of the 90s, but a friend of mine killed it. He ran his entire loan business out of the fax software and he far exceeded anything the designers ever thought anyone would do. EVERY document of his was a fax and the fax software was his database. It was a bit like using a toothpick for a crowbar: principle was right; scope was wrong.

  • (nodebb) in reply to TheCuriousOne

    Which is basically what the rewrite would do.

    split
    it into 4 strings at the dots and check each string in order. If the string is "*", then skip that. If it is a number, compare it. If anything does not match, return False. Otherwise return True.

  • tbo (unregistered) in reply to Feeling lucky

    That's not really a wtf if this code is from before the introduction of IPv6.

  • ooOOooGa (unregistered)

    This looks like a job for regular expressions. Which, I know, sounds like an odd thing to say.

    But turning 10.1.7.* into 10.1.7.* would be a trivial string replacement. Then doing a regex match would do the job just fine.

    And this is all assuming that we actually do need to reinvent the wheel because the language doesn't already have a library for testing that a string is a valid IP address and to check that it matches a particular address range.

  • ray10k (unregistered) in reply to tbo

    Don't feed the spambot.

  • Shannon (unregistered)

    The idea of a "wildcard" for an IP has been around since netmasks, surely? And it's all done with boolean operations on integers.

  • Decius (unregistered)

    You have a 32-bit number. You want to check if certain bits of that number match certain bits of a different 32 bit number.

    Surely, the only thing to do is convert it into a string and then perform a regex on that string.

  • I dunno LOL ¯\(°_o)/¯ (unregistered) in reply to Murray

    But we NEED to be able to wildcard the first byte to look for *.2.3.4! Because it's important to find that same address in all Class-A blocks! Or even better, *.*.36.*, now that's a wildcard!

    But yes, the real WTF is not lack of support for IPv6, it's the lack of support for CIDR, which in 1993 was a thing five years before IPv6, and adopted much more rapidly.

  • Nobody (unregistered)

    Yet another codebase that has been made dysfunctional & unreadable by the dreaded "single point of return" rule...

  • sizer99 (google)

    The easy builtin way to do this in Python:

    import ipaddress def ip_check( ip, rule ): return ipaddress.ip_address( ip ) in ipaddress.ip_network( rule )

    This assumes that 'rule' is really a CIDR address, like '192.168.1.0/24', but there's no reason for it not to be (and it's more functional). If you insist on using 192.168.1.* then a simple split('.') and '*' check can routine can easily convert wildcard to CIDR.

  • sizer99 (google)

    FFS: Where is the markup for this misbegotten comment system documented?

  • Free Bird (unregistered) in reply to Feeling lucky

    No it isn't. IPv6 is for terrorists.

  • löchlein deluxe (unregistered)

    Noooo, this is perfectly fine, it is just hardened against timing attacks. ;-)

  • (nodebb) in reply to sizer99

    FFS: Where is the markup for this misbegotten comment system documented?

    It's Märkdöwn.

  • Herr Otto Flick (unregistered) in reply to ooOOooGa

    Regular expressions? For handling IP addresses? Are you high?

    Turn it in to an integer, or if it is a wildcard, two integers, and compare numerically with the input.

  • PenguinF` (unregistered)

    And this is why we need to give aspiring programmers some solid math education with Big-O notation, instead of relying on script kiddies who have typed a lot of javascript but are essentially only doing cargo cult programming. Stuff like this isn't funny. It's painful and it makes me angry. And no, adding 10k unit tests and benchmarks is not going to prevent this. That's like putting a teenager without a license in a Ferrari, detecting he's driving too unsafely, and then punishing him for it. Ugh.

Leave a comment on “Brütäl Glöbs”

Log In or post as a guest

Replying to comment #:

« Return to Article