From 9306143e4c567758e56828cbf5fefb93ddbee4b4 Mon Sep 17 00:00:00 2001
From: Kevin Froman
Date: Fri, 22 Jan 2021 21:41:06 +0000
Subject: [PATCH] dont check hostname if not bound to loopback in client api security

---
 src/httpapi/security/client.py | 25 ++++++++++++------------
 src/netcontroller/torcontrol/__init__.py | 4 ++--
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/src/httpapi/security/client.py b/src/httpapi/security/client.py
index 71393dec..716e9295 100644
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@@ -3,6 +3,7 @@ Process incoming requests to the client api server to validate that they are
 legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac
 from flask import Blueprint, request, abort, g
@@ -53,22 +54,22 @@ class ClientAPISecurity:
         def validate_request():
             """Validate request has set password & is the correct hostname."""
             # For the purpose of preventing DNS rebinding attacks
-            localhost = True
-            if client_api.host != '0.0.0.0':
+            if ip_address(client_api.host).is_loopback:
+                localhost = True
                 if request.host != '%s:%s' % \
                         (client_api.host, client_api.bindPort):
                     localhost = False
-            if not localhost and public_remote_enabled:
-                if request.host not in public_remote_hostnames:
-                    logger.warn(
-                        f'{request.host} not in {public_remote_hostnames}')
-                    abort(403)
-            else:
-                if not localhost:
-                    logger.warn(
-                        f'Possible DNS rebinding attack by {request.host}')
-                    abort(403)
+                if not localhost and public_remote_enabled:
+                    if request.host not in public_remote_hostnames:
+                        logger.warn(
+                            f'{request.host} not in {public_remote_hostnames}')
+                        abort(403)
+                else:
+                    if not localhost:
+                        logger.warn(
+                            f'Possible DNS rebinding attack by {request.host}')
+                        abort(403)
             # Add shared objects
             try:
diff --git a/src/netcontroller/torcontrol/__init__.py b/src/netcontroller/torcontrol/__init__.py
index 2e861e6c..a5e57495 100644
--- a/src/netcontroller/torcontrol/__init__.py
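Review bot: With the new `if ip_address(client_api.host).is_loopback:` guard, a server bound to any non-loopback address — a LAN or public IP, not only `0.0.0.0` as the old `!= '0.0.0.0'` condition allowed — skips the Host-header comparison entirely, so neither the `public_remote_hostnames` allowlist nor the rebinding `abort(403)` nested beneath it can run for such binds; the Host header is the only signal this hook has, and the bind address by itself does not make a rebound request distinguishable. Separately, `ip_address()` raises ValueError for a host given as a name rather than an IP literal (e.g. `localhost`), which in a before-request hook would turn every request into a 500; whether `client_api.host` can be a name is not visible here. I would treat only the wildcard bind as unchecked (`is_unspecified`) and guard the parse, as sketched below; validate_request continues outside the hunk.
```python
            # For the purpose of preventing DNS rebinding attacks
            try:
                explicit_bind = not ip_address(client_api.host).is_unspecified
            except ValueError:  # host is a name such as 'localhost', not an IP literal
                explicit_bind = True
            if explicit_bind:
                localhost = request.host == '%s:%s' % \
                    (client_api.host, client_api.bindPort)
                # … unchanged: public_remote_enabled allowlist / abort(403) branches …
```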
+++ b/src/netcontroller/torcontrol/__init__.py
@@ -121,8 +121,8 @@ class NetController:
         with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
             tor_pid_file.write(str(tor.pid))
-        multiprocessing.Process(target=watchdog.watchdog,
-                                args=[os.getpid(), tor.pid], daemon=True).start()
+        #multiprocessing.Process(target=watchdog.watchdog,
+        #                        args=[os.getpid(), tor.pid], daemon=True).start()
         logger.info('Finished starting Tor.', terminal=True)
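Review bot: The two `multiprocessing.Process(target=watchdog.watchdog, ...)` lines are commented out rather than deleted, and the commit message (about the client-api hostname check) gives no reason for disabling the Tor watchdog, so a later reader cannot tell whether this is a temporary debugging toggle or a deliberate removal. Either delete the dead lines and check whether the `multiprocessing`, `watchdog` and `os` imports are now unused, or replace them with a comment stating the reason, e.g. `# NOTE: Tor watchdog disabled — <reason>` rather than the commented-out call. If `watchdog.watchdog` is what stops Tor when this process dies (not visible in the hunk), this change can leave a Tor daemon running after a crash, which deserves its own commit and message. The enclosing method starts and ends outside the hunk.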