dont check hostname if not bound to loopback in client api security
This commit is contained in:
Kevin Froman
parent
7303cf041e
commit
9306143e4c
|
|
@ -3,6 +3,7 @@
|
||||||
Process incoming requests to the client api server to validate
|
Process incoming requests to the client api server to validate
|
||||||
that they are legitimate and not DNSR/XSRF or other local adversary
|
that they are legitimate and not DNSR/XSRF or other local adversary
|
||||||
"""
|
"""
|
||||||
|
from ipaddress import ip_address
|
||||||
import hmac
|
import hmac
|
||||||
|
|
||||||
from flask import Blueprint, request, abort, g
|
from flask import Blueprint, request, abort, g
|
||||||
|
|
@ -53,22 +54,22 @@ class ClientAPISecurity:
|
||||||
def validate_request():
|
def validate_request():
|
||||||
"""Validate request has set password & is the correct hostname."""
|
"""Validate request has set password & is the correct hostname."""
|
||||||
# For the purpose of preventing DNS rebinding attacks
|
# For the purpose of preventing DNS rebinding attacks
|
||||||
localhost = True
|
if ip_address(client_api.host).is_loopback:
|
||||||
if client_api.host != '0.0.0.0':
|
localhost = True
|
||||||
if request.host != '%s:%s' % \
|
if request.host != '%s:%s' % \
|
||||||
(client_api.host, client_api.bindPort):
|
(client_api.host, client_api.bindPort):
|
||||||
localhost = False
|
localhost = False
|
||||||
|
|
||||||
if not localhost and public_remote_enabled:
|
if not localhost and public_remote_enabled:
|
||||||
if request.host not in public_remote_hostnames:
|
if request.host not in public_remote_hostnames:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f'{request.host} not in {public_remote_hostnames}')
|
f'{request.host} not in {public_remote_hostnames}')
|
||||||
abort(403)
|
abort(403)
|
||||||
else:
|
else:
|
||||||
if not localhost:
|
if not localhost:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f'Possible DNS rebinding attack by {request.host}')
|
f'Possible DNS rebinding attack by {request.host}')
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
# Add shared objects
|
# Add shared objects
|
||||||
try:
|
try:
|
||||||
|
|
|
||||||
|
|
@ -121,8 +121,8 @@ class NetController:
|
||||||
with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
|
with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
|
||||||
tor_pid_file.write(str(tor.pid))
|
tor_pid_file.write(str(tor.pid))
|
||||||
|
|
||||||
multiprocessing.Process(target=watchdog.watchdog,
|
#multiprocessing.Process(target=watchdog.watchdog,
|
||||||
args=[os.getpid(), tor.pid], daemon=True).start()
|
# args=[os.getpid(), tor.pid], daemon=True).start()
|
||||||
|
|
||||||
logger.info('Finished starting Tor.', terminal=True)
|
logger.info('Finished starting Tor.', terminal=True)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue