dxs
/
onionr
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Added ui.public_remote_enabled and ui.public_remote_hosts

master
Kevin Froman 2020-09-08 08:39:18 +00:00
parent 17ef138c21
commit 2ce5f48c90
3 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/httpapi/security/client.py
View File

@ -4,9 +4,13 @@ Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary that they are legitimate and not DNSR/XSRF or other local adversary
""" """
import hmac import hmac
from flask import Blueprint, request, abort, g from flask import Blueprint, request, abort, g
from onionrservices import httpheaders from onionrservices import httpheaders
from . import pluginwhitelist from . import pluginwhitelist
import config
import logger
""" """
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -31,6 +35,11 @@ whitelist_endpoints = [
'siteapi.siteFile', 'staticfiles.onionrhome', 'siteapi.siteFile', 'staticfiles.onionrhome',
'themes.getTheme', 'staticfiles.onboarding', 'staticfiles.onboardingIndex'] 'themes.getTheme', 'staticfiles.onboarding', 'staticfiles.onboardingIndex']
remote_safe_whitelist = ['www', 'staticfiles']
public_remote_enabled = config.get('ui.public_remote_enabled', False)
public_remote_hostnames = config.get('ui.public_remote_hosts', [])
class ClientAPISecurity: class ClientAPISecurity:
def __init__(self, client_api): def __init__(self, client_api):
@ -42,10 +51,23 @@ class ClientAPISecurity:
@client_api_security_bp.before_app_request @client_api_security_bp.before_app_request
def validate_request(): def validate_request():
"""Validate request has set password and is the correct hostname""" """Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks # For the purpose of preventing DNS rebinding attacks
if request.host != '%s:%s' % (client_api.host, client_api.bindPort): localhost = True
abort(403) if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort):
localhost = False
if not localhost and public_remote_enabled:
if request.host not in public_remote_hostnames:
logger.warn(
f'{request.host} not in {public_remote_hostnames}')
abort(403)
else:
if not localhost:
logger.warn(
f'Possible DNS rebinding attack by {request.host}')
abort(403)
# Add shared objects # Add shared objects
try: try:
@ -53,11 +75,13 @@ class ClientAPISecurity:
except KeyError: except KeyError:
g.too_many = None g.too_many = None
if request.endpoint in whitelist_endpoints: # Static files for Onionr sites
return
if request.path.startswith('/site/'): if request.path.startswith('/site/'):
return return
if request.endpoint in whitelist_endpoints:
return
try: try:
if not hmac.compare_digest( if not hmac.compare_digest(
request.headers['token'], client_api.clientToken): request.headers['token'], client_api.clientToken):

2
static-data/default_config.json
View File

@ -73,6 +73,8 @@
}, },
"ui": { "ui": {
"animated_background": true, "animated_background": true,
"public_remote_enabled": false,
"public_remote_hosts": [],
"theme": "dark" "theme": "dark"
} }
} }