dont check hostname if not bound to loopback in client api security

2021-01-22 21:41:06 +00:00 · 2021-01-22 21:41:06 +00:00 · 98bdc96699
parent 45b691a06a
commit 98bdc96699
1 changed files with 13 additions and 12 deletions
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@ -3,6 +3,7 @@
 Process incoming requests to the client api server to validate
 that they are legitimate and not DNSR/XSRF or other local adversary
 """
+from ipaddress import ip_address
 import hmac

 from flask import Blueprint, request, abort, g
@ -53,8 +54,8 @@ class ClientAPISecurity:
        def validate_request():
            """Validate request has set password & is the correct hostname."""
            # For the purpose of preventing DNS rebinding attacks
+            if ip_address(client_api.host).is_loopback:
                localhost = True
-            if client_api.host != '0.0.0.0':
                if request.host != '%s:%s' % \
                        (client_api.host, client_api.bindPort):
                    localhost = False