dont check hostname if not bound to loopback in client api security

This commit is contained in:
Kevin Froman 2021-01-22 21:41:06 +00:00
parent 7303cf041e
commit 9306143e4c
2 changed files with 15 additions and 14 deletions

View File

@ -3,6 +3,7 @@
Process incoming requests to the client api server to validate Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary that they are legitimate and not DNSR/XSRF or other local adversary
""" """
from ipaddress import ip_address
import hmac import hmac
from flask import Blueprint, request, abort, g from flask import Blueprint, request, abort, g
@ -53,22 +54,22 @@ class ClientAPISecurity:
def validate_request(): def validate_request():
"""Validate request has set password & is the correct hostname.""" """Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks # For the purpose of preventing DNS rebinding attacks
localhost = True if ip_address(client_api.host).is_loopback:
if client_api.host != '0.0.0.0': localhost = True
if request.host != '%s:%s' % \ if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort): (client_api.host, client_api.bindPort):
localhost = False localhost = False
if not localhost and public_remote_enabled: if not localhost and public_remote_enabled:
if request.host not in public_remote_hostnames: if request.host not in public_remote_hostnames:
logger.warn( logger.warn(
f'{request.host} not in {public_remote_hostnames}') f'{request.host} not in {public_remote_hostnames}')
abort(403) abort(403)
else: else:
if not localhost: if not localhost:
logger.warn( logger.warn(
f'Possible DNS rebinding attack by {request.host}') f'Possible DNS rebinding attack by {request.host}')
abort(403) abort(403)
# Add shared objects # Add shared objects
try: try:

View File

@ -121,8 +121,8 @@ class NetController:
with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file: with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
tor_pid_file.write(str(tor.pid)) tor_pid_file.write(str(tor.pid))
multiprocessing.Process(target=watchdog.watchdog, #multiprocessing.Process(target=watchdog.watchdog,
args=[os.getpid(), tor.pid], daemon=True).start() # args=[os.getpid(), tor.pid], daemon=True).start()
logger.info('Finished starting Tor.', terminal=True) logger.info('Finished starting Tor.', terminal=True)