dont check hostname if not bound to loopback in client api security

This commit is contained in:
Kevin Froman 2021-01-22 21:41:06 +00:00
parent 45b691a06a
commit 98bdc96699

View File

@ -3,6 +3,7 @@
Process incoming requests to the client api server to validate Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary that they are legitimate and not DNSR/XSRF or other local adversary
""" """
from ipaddress import ip_address
import hmac import hmac
from flask import Blueprint, request, abort, g from flask import Blueprint, request, abort, g
@ -53,8 +54,8 @@ class ClientAPISecurity:
def validate_request(): def validate_request():
"""Validate request has set password & is the correct hostname.""" """Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks # For the purpose of preventing DNS rebinding attacks
if ip_address(client_api.host).is_loopback:
localhost = True localhost = True
if client_api.host != '0.0.0.0':
if request.host != '%s:%s' % \ if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort): (client_api.host, client_api.bindPort):
localhost = False localhost = False