dont check hostname if not bound to loopback in client api security

src/httpapi/security/client.py

@@ -3,6 +3,7 @@
 Process incoming requests to the client api server to validate
 that they are legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac
 
 from flask import Blueprint, request, abort, g
@@ -53,22 +54,22 @@ class ClientAPISecurity:
         def validate_request():
             """Validate request has set password & is the correct hostname."""
             # For the purpose of preventing DNS rebinding attacks
-            localhost = True
+            if ip_address(client_api.host).is_loopback:
-            if client_api.host != '0.0.0.0':
+                localhost = True
                 if request.host != '%s:%s' % \
                         (client_api.host, client_api.bindPort):
                     localhost = False
 
-            if not localhost and public_remote_enabled:
+                if not localhost and public_remote_enabled:
-                if request.host not in public_remote_hostnames:
+                    if request.host not in public_remote_hostnames:
-                    logger.warn(
+                        logger.warn(
-                        f'{request.host} not in {public_remote_hostnames}')
+                            f'{request.host} not in {public_remote_hostnames}')
-                    abort(403)
+                        abort(403)
-            else:
+                else:
-                if not localhost:
+                    if not localhost:
-                    logger.warn(
+                        logger.warn(
-                        f'Possible DNS rebinding attack by {request.host}')
+                            f'Possible DNS rebinding attack by {request.host}')
-                    abort(403)
+                        abort(403)
 
             # Add shared objects
             try: