From ce70c7144cacd0e246711e9b200362b8804e902f Mon Sep 17 00:00:00 2001
From: Peter Surda
Date: Mon, 1 Mar 2021 10:33:19 +0100
Subject: [PATCH] sec: disallow global IPs from proxying
---
 main.py | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/main.py b/main.py
index e57b3d2..da63005 100644
--- a/main.py
+++ b/main.py
@@ -19,17 +19,29 @@ redirect_filename = config["app"].get("redirect", "redirect")
 class MainApp:
+ def _can_ip_be_proxy(self):
+ self.remoteip = cherrypy.request.remote.ip
+ try:
+ ipobj = IPv4Address(self.remoteip)
+ except AddressValueError:
+ try:
+ ipobj = IPv6Address(self.remoteip)
+ except AddressValueError:
+ return False
+ return not ipobj.is_global
+
 def _init_ip(self):
 """ Get remote IP """
- try:
- self.remoteip = cherrypy.request.headers.get(
- 'X-Real-Ip',
- cherrypy.request.remote.ip
- )
- except BaseException:
- self.remoteip = cherrypy.request.remote.ip
+ if self._can_ip_be_proxy():
+ try:
+ self.remoteip = cherrypy.request.headers.get(
+ 'X-Real-Ip',
+ cherrypy.request.remote.ip
+ )
+ except KeyError:
+ pass
 try:
 self.hostinfo = socket.gethostbyaddr(self.remoteip)