From e982aded09ae6c78c594c472e5937d500193bf26 Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Mon, 30 Dec 2019 11:23:17 +0000
Subject: [PATCH] add some protections to ACLs and an error log, following #686
---
 lib/App/Netdisco/Util/Permission.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/App/Netdisco/Util/Permission.pm b/lib/App/Netdisco/Util/Permission.pm
index 1ef33d40..39a3d357 100644
--- a/lib/App/Netdisco/Util/Permission.pm
+++ b/lib/App/Netdisco/Util/Permission.pm
@@ -101,7 +101,11 @@ sub check_acl {
 return 0 if !defined $real_ip or blessed $real_ip; # class we do not understand
- $config = [$config] if ref [] ne ref $config;
+ $config = [$config] if ref '' eq ref $config;
+ if (ref [] ne ref $config) {
+ error "error: acl is not a single item or list (cannot compare to $real_ip)";
+ return 0;
+ }
 my $all = (scalar grep {$_ eq 'op:and'} @$config);
 # common case of using plain IP in ACL, so string compare for speed
@@ -201,6 +205,9 @@ sub check_acl {
 next INLIST;
 }
+ # could be something in error, and IP/host is only option left
+ next INLIST if ref $item;
+
 my $ip = NetAddr::IP::Lite->new($item) or next INLIST;
 next INLIST if $ip->bits != $addr->bits and not $all;
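Review bot: The new guard in check_acl returns 0 for an ACL that is neither a plain scalar nor an array ref, which is the same value as "no match", so a caller cannot tell a malformed ACL from a clean miss. If any caller uses this function for deny-style lists (callers are not visible in this hunk), a misconfigured list would silently stop blocking, with only the log line as a signal. The log line would be easier to act on if it named the type that was found, e.g. `error sprintf 'acl is a %s, not a single item or list (cannot compare to %s)', ref($config), $real_ip;`, which also drops the redundant `error:` prefix. A bare reference passed as the whole ACL was previously wrapped into a one-element list and is now rejected, so it is worth confirming that no caller passes one. The body of check_acl starts and ends outside the hunk.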
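Review bot: `next INLIST if ref $item;` drops a reference item without logging, unlike the malformed-ACL case earlier in this commit, which writes to the error log, so a bad entry inside a list goes unnoticed. It also skips the item even when `$all` is set, whereas the following context line skips on a bits mismatch only when `not $all`. If `op:and` is meant to require every item to match, an unusable item should probably fail the ACL rather than be ignored, e.g. `if (ref $item) { error "acl item is a reference, not an IP or host"; return 0 if $all; next INLIST; }`. The loop and its other branches lie outside the hunk, so the `$all` handling there should be checked before adopting this.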