dont check hostname if not bound to loopback in client api security

This commit is contained in:
Kevin Froman 2021-01-22 21:41:06 +00:00
parent 7303cf041e
commit 9306143e4c
2 changed files with 15 additions and 14 deletions

View File

@ -3,6 +3,7 @@
Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary
"""
from ipaddress import ip_address
import hmac
from flask import Blueprint, request, abort, g
@ -53,22 +54,22 @@ class ClientAPISecurity:
def validate_request():
"""Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks
localhost = True
if client_api.host != '0.0.0.0':
if ip_address(client_api.host).is_loopback:
localhost = True
if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort):
localhost = False
if not localhost and public_remote_enabled:
if request.host not in public_remote_hostnames:
logger.warn(
f'{request.host} not in {public_remote_hostnames}')
abort(403)
else:
if not localhost:
logger.warn(
f'Possible DNS rebinding attack by {request.host}')
abort(403)
if not localhost and public_remote_enabled:
if request.host not in public_remote_hostnames:
logger.warn(
f'{request.host} not in {public_remote_hostnames}')
abort(403)
else:
if not localhost:
logger.warn(
f'Possible DNS rebinding attack by {request.host}')
abort(403)
# Add shared objects
try:

View File

@ -121,8 +121,8 @@ class NetController:
with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
tor_pid_file.write(str(tor.pid))
multiprocessing.Process(target=watchdog.watchdog,
args=[os.getpid(), tor.pid], daemon=True).start()
#multiprocessing.Process(target=watchdog.watchdog,
# args=[os.getpid(), tor.pid], daemon=True).start()
logger.info('Finished starting Tor.', terminal=True)