sec: disallow global IPs from proxying

Peter Šurda 2021-03-01 10:33:19 +01:00
parent 534b33fa52
commit ce70c7144c
Signed by untrusted user: PeterSurda
GPG Key ID: 0C5F50C0B5F37D87

26
main.py

@ -19,17 +19,29 @@ redirect_filename = config["app"].get("redirect", "redirect")
class MainApp:
def _can_ip_be_proxy(self):
self.remoteip = cherrypy.request.remote.ip
try:
ipobj = IPv4Address(self.remoteip)
except AddressValueError:
try:
ipobj = IPv6Address(self.remoteip)
except AddressValueError:
return False
return not ipobj.is_global
def _init_ip(self):
"""
Get remote IP
"""
try:
self.remoteip = cherrypy.request.headers.get(
'X-Real-Ip',
cherrypy.request.remote.ip
)
except BaseException:
self.remoteip = cherrypy.request.remote.ip
if self._can_ip_be_proxy():
try:
self.remoteip = cherrypy.request.headers.get(
'X-Real-Ip',
cherrypy.request.remote.ip
)
except KeyError:
pass
try:
self.hostinfo = socket.gethostbyaddr(self.remoteip)