oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Only allow UI requests from safe hosts

Browse source
This commit is contained in:
shortcutme 2017-06-13 14:19:23 +02:00
parent d55fbd1728
commit 42874038e2
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
2 changed files with 27 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
src/Ui/UiRequest.py
View file

@ -40,11 +40,35 @@ class UiRequest(object):
self.start_response = start_response # Start response function self.start_response = start_response # Start response function
self.user = None self.user = None
def isHostAllowed(self, host):
if host in self.server.allowed_hosts:
return True
if self.isProxyRequest(): # Support for chrome extension proxy
if self.server.site_manager.isDomain(host):
return True
else:
return False
if config.ui_ip != "127.0.0.1" and self.server.learn_allowed_host:
# Learn the first request's host as allowed one
self.server.learn_allowed_host = False
self.server.allowed_hosts.add(host)
self.server.log.info("Added %s as allowed host" % host)
return True
return False
# Call the request handler function base on path # Call the request handler function base on path
def route(self, path): def route(self, path):
if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict: # Restict Ui access by ip # Restict Ui access by ip
if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict:
return self.error403(details=False) return self.error403(details=False)
# Check if host allowed to do request
if not self.isHostAllowed(self.env.get("HTTP_HOST")):
return self.error403("Invalid host", details=False)
path = re.sub("^http://zero[/]+", "/", path) # Remove begining http://zero/ for chrome extension path = re.sub("^http://zero[/]+", "/", path) # Remove begining http://zero/ for chrome extension
path = re.sub("^http://", "/", path) # Remove begining http for chrome extension .bit access path = re.sub("^http://", "/", path) # Remove begining http for chrome extension .bit access

2
src/Ui/UiServer.py
View file

@ -58,6 +58,8 @@ class UiServer:
self.port = config.ui_port self.port = config.ui_port
if self.ip == "*": if self.ip == "*":
self.ip = "" # Bind all self.ip = "" # Bind all
self.allowed_hosts = set(["zero", "localhost:%s" % config.ui_port, "%s:%s" % (config.ui_ip, config.ui_port)])
self.learn_allowed_host = True
self.wrapper_nonces = [] self.wrapper_nonces = []
self.site_manager = SiteManager.site_manager self.site_manager = SiteManager.site_manager
self.sites = SiteManager.site_manager.list() self.sites = SiteManager.site_manager.list()