sec: disallow global IPs from proxying

Peter Šurda 2021-03-01 10:33:19 +01:00
parent 534b33fa52
commit ce70c7144c
Signed by untrusted user: PeterSurda
GPG Key ID: 0C5F50C0B5F37D87

26
main.py

@ -19,17 +19,29 @@ redirect_filename = config["app"].get("redirect", "redirect")
class MainApp: class MainApp:
def _can_ip_be_proxy(self):
self.remoteip = cherrypy.request.remote.ip
try:
ipobj = IPv4Address(self.remoteip)
except AddressValueError:
try:
ipobj = IPv6Address(self.remoteip)
except AddressValueError:
return False
return not ipobj.is_global
def _init_ip(self): def _init_ip(self):
""" """
Get remote IP Get remote IP
""" """
try: if self._can_ip_be_proxy():
self.remoteip = cherrypy.request.headers.get( try:
'X-Real-Ip', self.remoteip = cherrypy.request.headers.get(
cherrypy.request.remote.ip 'X-Real-Ip',
) cherrypy.request.remote.ip
except BaseException: )
self.remoteip = cherrypy.request.remote.ip except KeyError:
pass
try: try:
self.hostinfo = socket.gethostbyaddr(self.remoteip) self.hostinfo = socket.gethostbyaddr(self.remoteip)
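Review bot: `return not ipobj.is_global` in `_can_ip_be_proxy` treats every non-global peer as a trusted proxy, which covers loopback, link-local and any host on the private network rather than only the reverse proxy; matching against an explicit list of proxy addresses from the config (for example `return self.remoteip in TRUSTED_PROXIES`, a placeholder name) would be tighter. If the listener is dual-stack, a public IPv4 client may arrive as an IPv4-mapped IPv6 address, and on Python versions where `is_global` is not evaluated on the embedded IPv4 address it would pass this test, so the IPv6 branch should normalise first with `ipobj = ipobj.ipv4_mapped or ipobj`. The `X-Real-Ip` value is still stored unparsed and later handed to `socket.gethostbyaddr`, so it should be parsed as an IP address and rejected otherwise before it replaces `self.remoteip`. `headers.get` with a default does not raise `KeyError`, so the new `try`/`except KeyError: pass` never fires and can be dropped. `_init_ip` continues past the end of the hunk.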