sec: disallow global IPs from proxying

2021-03-01 10:33:19 +01:00 · 2021-03-01 10:33:19 +01:00 · ce70c7144c
commit ce70c7144c
parent 534b33fa52
1 changed files with 19 additions and 7 deletions
--- a/main.py
+++ b/main.py
@ -19,17 +19,29 @@ redirect_filename = config["app"].get("redirect", "redirect")


 class MainApp:
+    def _can_ip_be_proxy(self):
+        self.remoteip = cherrypy.request.remote.ip
+        try:
+            ipobj = IPv4Address(self.remoteip)
+        except AddressValueError:
+            try:
+                ipobj = IPv6Address(self.remoteip)
+            except AddressValueError:
+                return False
+        return not ipobj.is_global
+
    def _init_ip(self):
        """
        Get remote IP
        """
-        try:
-            self.remoteip = cherrypy.request.headers.get(
-                'X-Real-Ip',
-                cherrypy.request.remote.ip
-            )
-        except BaseException:
-            self.remoteip = cherrypy.request.remote.ip
+        if self._can_ip_be_proxy():
+            try:
+                self.remoteip = cherrypy.request.headers.get(
+                    'X-Real-Ip',
+                    cherrypy.request.remote.ip
+                )
+            except KeyError:
+                pass

        try:
            self.hostinfo = socket.gethostbyaddr(self.remoteip)