dont check hostname if not bound to loopback in client api security

This commit is contained in:
Kevin Froman 2021-01-22 21:41:06 +00:00
parent 45b691a06a
commit 98bdc96699

View File

@ -3,6 +3,7 @@
Process incoming requests to the client api server to validate Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary that they are legitimate and not DNSR/XSRF or other local adversary
""" """
from ipaddress import ip_address
import hmac import hmac
from flask import Blueprint, request, abort, g from flask import Blueprint, request, abort, g
@ -53,22 +54,22 @@ class ClientAPISecurity:
def validate_request(): def validate_request():
"""Validate request has set password & is the correct hostname.""" """Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks # For the purpose of preventing DNS rebinding attacks
localhost = True if ip_address(client_api.host).is_loopback:
if client_api.host != '0.0.0.0': localhost = True
if request.host != '%s:%s' % \ if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort): (client_api.host, client_api.bindPort):
localhost = False localhost = False
if not localhost and public_remote_enabled: if not localhost and public_remote_enabled:
if request.host not in public_remote_hostnames: if request.host not in public_remote_hostnames:
logger.warn( logger.warn(
f'{request.host} not in {public_remote_hostnames}') f'{request.host} not in {public_remote_hostnames}')
abort(403) abort(403)
else: else:
if not localhost: if not localhost:
logger.warn( logger.warn(
f'Possible DNS rebinding attack by {request.host}') f'Possible DNS rebinding attack by {request.host}')
abort(403) abort(403)
# Add shared objects # Add shared objects
try: try: