dont check hostname if not bound to loopback in client api security

2021-01-22 21:41:06 +00:00 · 2021-01-22 21:41:06 +00:00 · 9306143e4c
parent 7303cf041e
commit 9306143e4c
2 changed files with 15 additions and 14 deletions
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@ -3,6 +3,7 @@
 Process incoming requests to the client api server to validate
 that they are legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac

 from flask import Blueprint, request, abort, g
@ -53,8 +54,8 @@ class ClientAPISecurity:
        def validate_request():
            """Validate request has set password & is the correct hostname."""
            # For the purpose of preventing DNS rebinding attacks
+            if ip_address(client_api.host).is_loopback:
                localhost = True
-            if client_api.host != '0.0.0.0':
                if request.host != '%s:%s' % \
                        (client_api.host, client_api.bindPort):
                    localhost = False
--- a/src/netcontroller/torcontrol/init.py
+++ b/src/netcontroller/torcontrol/init.py
@ -121,8 +121,8 @@ class NetController:
        with open(self.dataDir + 'torPid.txt', 'w') as tor_pid_file:
            tor_pid_file.write(str(tor.pid))

-        multiprocessing.Process(target=watchdog.watchdog,
-                                args=[os.getpid(), tor.pid], daemon=True).start()
+        #multiprocessing.Process(target=watchdog.watchdog,
+        #                        args=[os.getpid(), tor.pid], daemon=True).start()

        logger.info('Finished starting Tor.', terminal=True)