dont check hostname if not bound to loopback in client api security
This commit is contained in:
parent
45b691a06a
commit
98bdc96699
@ -3,6 +3,7 @@
|
|||||||
Process incoming requests to the client api server to validate
|
Process incoming requests to the client api server to validate
|
||||||
that they are legitimate and not DNSR/XSRF or other local adversary
|
that they are legitimate and not DNSR/XSRF or other local adversary
|
||||||
"""
|
"""
|
||||||
|
from ipaddress import ip_address
|
||||||
import hmac
|
import hmac
|
||||||
|
|
||||||
from flask import Blueprint, request, abort, g
|
from flask import Blueprint, request, abort, g
|
||||||
@ -53,22 +54,22 @@ class ClientAPISecurity:
|
|||||||
def validate_request():
|
def validate_request():
|
||||||
"""Validate request has set password & is the correct hostname."""
|
"""Validate request has set password & is the correct hostname."""
|
||||||
# For the purpose of preventing DNS rebinding attacks
|
# For the purpose of preventing DNS rebinding attacks
|
||||||
localhost = True
|
if ip_address(client_api.host).is_loopback:
|
||||||
if client_api.host != '0.0.0.0':
|
localhost = True
|
||||||
if request.host != '%s:%s' % \
|
if request.host != '%s:%s' % \
|
||||||
(client_api.host, client_api.bindPort):
|
(client_api.host, client_api.bindPort):
|
||||||
localhost = False
|
localhost = False
|
||||||
|
|
||||||
if not localhost and public_remote_enabled:
|
if not localhost and public_remote_enabled:
|
||||||
if request.host not in public_remote_hostnames:
|
if request.host not in public_remote_hostnames:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f'{request.host} not in {public_remote_hostnames}')
|
f'{request.host} not in {public_remote_hostnames}')
|
||||||
abort(403)
|
abort(403)
|
||||||
else:
|
else:
|
||||||
if not localhost:
|
if not localhost:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f'Possible DNS rebinding attack by {request.host}')
|
f'Possible DNS rebinding attack by {request.host}')
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
# Add shared objects
|
# Add shared objects
|
||||||
try:
|
try:
|
||||||
|
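Review bot: In the second hunk `localhost` is now only assigned inside the new `if ip_address(client_api.host).is_loopback:` branch, so when the server is bound to a non-loopback address the later `if not localhost and public_remote_enabled:` reads an unbound local and raises UnboundLocalError on every request (presumably surfacing as a 500 from Flask) instead of skipping the hostname check as the commit title intends. Initialise it before the branch: `localhost = False` keeps the existing `public_remote_hostnames` allow-list and the 403 in force for a non-loopback bind, while `localhost = True` reproduces the old `'0.0.0.0'` behaviour of accepting any Host header; which is intended is not decidable from the hunk, and the former is the safer default for a DNS-rebinding guard. Separately, `ip_address()` raises ValueError if `client_api.host` is a hostname such as `localhost` rather than an IP literal, so the setting's allowed values should be confirmed. `validate_request` continues past the end of the hunk; the first hunk only adds the import and needs no change.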