From 98bdc9669922a1821fc41da9f2259375ad758f22 Mon Sep 17 00:00:00 2001
From: Kevin Froman
Date: Fri, 22 Jan 2021 21:41:06 +0000
Subject: [PATCH] dont check hostname if not bound to loopback in client api security
---
 src/httpapi/security/client.py | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/httpapi/security/client.py b/src/httpapi/security/client.py
index 71393dec..716e9295 100644
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@@ -3,6 +3,7 @@ Process incoming requests to the client api server to validate that they are legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac
 from flask import Blueprint, request, abort, g
@@ -53,22 +54,22 @@ class ClientAPISecurity:
         def validate_request():
             """Validate request has set password & is the correct hostname."""
             # For the purpose of preventing DNS rebinding attacks
-            localhost = True
-            if client_api.host != '0.0.0.0':
+            if ip_address(client_api.host).is_loopback:
+                localhost = True
                 if request.host != '%s:%s' % \
                         (client_api.host, client_api.bindPort):
                     localhost = False
-            if not localhost and public_remote_enabled:
-                if request.host not in public_remote_hostnames:
-                    logger.warn(
-                        f'{request.host} not in {public_remote_hostnames}')
-                    abort(403)
-            else:
-                if not localhost:
-                    logger.warn(
-                        f'Possible DNS rebinding attack by {request.host}')
-                    abort(403)
+                if not localhost and public_remote_enabled:
+                    if request.host not in public_remote_hostnames:
+                        logger.warn(
+                            f'{request.host} not in {public_remote_hostnames}')
+                        abort(403)
+                else:
+                    if not localhost:
+                        logger.warn(
+                            f'Possible DNS rebinding attack by {request.host}')
+                        abort(403)
             # Add shared objects
             try:
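Review bot: `ip_address(client_api.host)` on the new `if` line raises `ValueError` whenever `client_api.host` is not an IP literal (a name such as `localhost`), and since `validate_request` runs before every request that turns every call into a 500, where the removed string comparison accepted any value; the call should be wrapped and, because this is the DNS-rebinding guard, fall closed by still applying the host check (see below). Separately, re-indenting the `public_remote_enabled` / `public_remote_hostnames` block under the loopback branch means the allowlist is no longer consulted at all when the API is bound to a non-loopback address, which is presumably the case it exists for — if the intent was only to stop comparing against the bound address, that block should stay at its original indentation and `localhost` should be initialised before the branch so it is bound on every path. `validate_request` continues past the hunk.
```python
            # ip_address() raises ValueError for a hostname such as
            # 'localhost'; fail closed by still applying the host check
            try:
                bound_to_loopback = ip_address(client_api.host).is_loopback
            except ValueError:
                bound_to_loopback = True
            localhost = True
            if bound_to_loopback and request.host != '%s:%s' % \
                    (client_api.host, client_api.bindPort):
                localhost = False
            # … unchanged: public_remote_enabled / public_remote_hostnames checks …
```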