dont check hostname if not bound to loopback in client api security
parent
45b691a06a
commit
98bdc96699
@ -3,6 +3,7 @@
|
|||||||
Process incoming requests to the client api server to validate
|
Process incoming requests to the client api server to validate
|
||||||
that they are legitimate and not DNSR/XSRF or other local adversary
|
that they are legitimate and not DNSR/XSRF or other local adversary
|
||||||
"""
|
"""
|
||||||
|
from ipaddress import ip_address
|
||||||
import hmac
|
import hmac
|
||||||
|
|
||||||
from flask import Blueprint, request, abort, g
|
from flask import Blueprint, request, abort, g
|
||||||
@ -53,8 +54,8 @@ class ClientAPISecurity:
|
|||||||
def validate_request():
|
def validate_request():
|
||||||
"""Validate request has set password & is the correct hostname."""
|
"""Validate request has set password & is the correct hostname."""
|
||||||
# For the purpose of preventing DNS rebinding attacks
|
# For the purpose of preventing DNS rebinding attacks
|
||||||
|
if ip_address(client_api.host).is_loopback:
|
||||||
localhost = True
|
localhost = True
|
||||||
if client_api.host != '0.0.0.0':
|
|
||||||
if request.host != '%s:%s' % \
|
if request.host != '%s:%s' % \
|
||||||
(client_api.host, client_api.bindPort):
|
(client_api.host, client_api.bindPort):
|
||||||
localhost = False
|
localhost = False
|
||||||
|
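Review bot: The Host-header comparison is now skipped for every non-loopback bind address, not just `'0.0.0.0'`, so a server bound to a LAN address such as 192.168.x.x gets no DNS-rebinding check at all even though a browser on that network can still be rebound to it; the docstring on the hunk's second line keeps promising "the correct hostname" is validated. An invariant that holds for any bind address is that a legitimate client reaches the server by IP literal, so the non-loopback branch could still reject a Host value that is a DNS name rather than an address, as sketched below (what `localhost = False` triggers is outside the hunk, so that part is assumed). Separately, `ip_address(client_api.host)` raises `ValueError` if the configured host is a name such as `localhost`, which the old plain string comparison tolerated, so the config should be constrained to IP literals or the call guarded. Also note `is_loopback` is true for `::1`, but the unchanged `'%s:%s'` format produces `::1:port` rather than the bracketed `[::1]:port` a browser sends, so an IPv6 loopback bind would fail the comparison on every request. validate_request continues past the end of the hunk.
```python
    # For the purpose of preventing DNS rebinding attacks
    localhost = True
    host_header = request.host
    if ip_address(client_api.host).is_loopback:
        if host_header != '%s:%s' % (client_api.host, client_api.bindPort):
            localhost = False
    else:
        # Non-loopback bind: a rebinding attack still needs the browser to
        # reach us through a DNS name, so refuse any Host that is not an
        # IP literal (strip an optional :port and IPv6 brackets first).
        try:
            ip_address(host_header.rsplit(':', 1)[0].strip('[]'))
        except ValueError:
            localhost = False
    # … unchanged: remainder of validate_request …
```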