dont check hostname if not bound to loopback in client api security

This commit is contained in:
Kevin Froman 2021-01-22 21:41:06 +00:00
parent 7303cf041e
commit 9306143e4c
2 changed files with 15 additions and 14 deletions

View File

@ -3,6 +3,7 @@
Process incoming requests to the client api server to validate Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary that they are legitimate and not DNSR/XSRF or other local adversary
""" """
from ipaddress import ip_address
import hmac import hmac
from flask import Blueprint, request, abort, g from flask import Blueprint, request, abort, g
@ -53,8 +54,8 @@ class ClientAPISecurity:
def validate_request(): def validate_request():
"""Validate request has set password & is the correct hostname.""" """Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks # For the purpose of preventing DNS rebinding attacks
if ip_address(client_api.host).is_loopback:
localhost = True localhost = True
if client_api.host != '0.0.0.0':
if request.host != '%s:%s' % \ if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort): (client_api.host, client_api.bindPort):
localhost = False localhost = False

View File

@ -121,8 +121,8 @@ class NetController:
with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file: with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
tor_pid_file.write(str(tor.pid)) tor_pid_file.write(str(tor.pid))
multiprocessing.Process(target=watchdog.watchdog, #multiprocessing.Process(target=watchdog.watchdog,
args=[os.getpid(), tor.pid], daemon=True).start() # args=[os.getpid(), tor.pid], daemon=True).start()
logger.info('Finished starting Tor.', terminal=True) logger.info('Finished starting Tor.', terminal=True)