dont check hostname if not bound to loopback in client api security
This commit is contained in:
parent
45b691a06a
commit
98bdc96699
@ -3,6 +3,7 @@
|
||||
Process incoming requests to the client api server to validate
|
||||
that they are legitimate and not DNSR/XSRF or other local adversary
|
||||
"""
|
||||
from ipaddress import ip_address
|
||||
import hmac
|
||||
|
||||
from flask import Blueprint, request, abort, g
|
||||
@ -53,8 +54,8 @@ class ClientAPISecurity:
|
||||
def validate_request():
|
||||
"""Validate request has set password & is the correct hostname."""
|
||||
# For the purpose of preventing DNS rebinding attacks
|
||||
if ip_address(client_api.host).is_loopback:
|
||||
localhost = True
|
||||
if client_api.host != '0.0.0.0':
|
||||
if request.host != '%s:%s' % \
|
||||
(client_api.host, client_api.bindPort):
|
||||
localhost = False
|
||||
|
Loading…
Reference in New Issue
Block a user