dont check hostname if not bound to loopback in client api security

2021-01-22 21:41:06 +00:00 · 2021-01-22 21:41:06 +00:00 · 9306143e4c
parent 7303cf041e
commit 9306143e4c
2 changed files with 15 additions and 14 deletions
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@ -3,6 +3,7 @@
 Process incoming requests to the client api server to validate
 that they are legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac

 from flask import Blueprint, request, abort, g
@ -53,22 +54,22 @@ class ClientAPISecurity:
        def validate_request():
            """Validate request has set password & is the correct hostname."""
            # For the purpose of preventing DNS rebinding attacks
-            localhost = True
-            if client_api.host != '0.0.0.0':
+            if ip_address(client_api.host).is_loopback:
+                localhost = True
                if request.host != '%s:%s' % \
                        (client_api.host, client_api.bindPort):
                    localhost = False

-            if not localhost and public_remote_enabled:
-                if request.host not in public_remote_hostnames:
-                    logger.warn(
-                        f'{request.host} not in {public_remote_hostnames}')
-                    abort(403)
-            else:
-                if not localhost:
-                    logger.warn(
-                        f'Possible DNS rebinding attack by {request.host}')
-                    abort(403)
+                if not localhost and public_remote_enabled:
+                    if request.host not in public_remote_hostnames:
+                        logger.warn(
+                            f'{request.host} not in {public_remote_hostnames}')
+                        abort(403)
+                else:
+                    if not localhost:
+                        logger.warn(
+                            f'Possible DNS rebinding attack by {request.host}')
+                        abort(403)

            # Add shared objects
            try:
--- a/src/netcontroller/torcontrol/init.py
+++ b/src/netcontroller/torcontrol/init.py
@ -121,8 +121,8 @@ class NetController:
        with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
            tor_pid_file.write(str(tor.pid))

-        multiprocessing.Process(target=watchdog.watchdog,
-                                args=[os.getpid(), tor.pid], daemon=True).start()
+        #multiprocessing.Process(target=watchdog.watchdog,
+        #                        args=[os.getpid(), tor.pid], daemon=True).start()

        logger.info('Finished starting Tor.', terminal=True)