dont check hostname if not bound to loopback in client api security

src/httpapi/security/client.py

@@ -3,6 +3,7 @@
 Process incoming requests to the client api server to validate
 that they are legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac
 
 from flask import Blueprint, request, abort, g
@@ -53,8 +54,8 @@ class ClientAPISecurity:
         def validate_request():
             """Validate request has set password & is the correct hostname."""
             # For the purpose of preventing DNS rebinding attacks
+            if ip_address(client_api.host).is_loopback:
                 localhost = True
-            if client_api.host != '0.0.0.0':
                 if request.host != '%s:%s' % \
                         (client_api.host, client_api.bindPort):
                     localhost = False

src/netcontroller/torcontrol/__init__.py

@@ -121,8 +121,8 @@ class NetController:
         with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
             tor_pid_file.write(str(tor.pid))
 
-        multiprocessing.Process(target=watchdog.watchdog,
+        #multiprocessing.Process(target=watchdog.watchdog,
-                                args=[os.getpid(), tor.pid], daemon=True).start()
+        #                        args=[os.getpid(), tor.pid], daemon=True).start()
 
         logger.info('Finished starting Tor.', terminal=True)