fixed broken dns rebinding mitigation and secured peer adding
parent
c35242be1a
commit
64b14720c1
|
@ -176,7 +176,7 @@ class API:
|
|||
# Validate host header, to protect against DNS rebinding attacks
|
||||
host = self.host
|
||||
if hostType == 'private':
|
||||
if not request.host.startswith('127'):
|
||||
if not request.host.startswith('127') and not self._utils.checkIsIP(request.host):
|
||||
abort(403)
|
||||
elif hostType == 'public':
|
||||
if not request.host.endswith('onion') and not request.host.endswith('i2p'):
|
||||
|
|
|
@ -69,6 +69,13 @@ class OnionrUtils:
|
|||
finally:
|
||||
sock.close()
|
||||
return retVal
|
||||
def checkIsIP(self, ip):
|
||||
try:
|
||||
socket.inet_aton(ip)
|
||||
except:
|
||||
return False
|
||||
else:
|
||||
return True
|
||||
def exportMyPubkey(self):
|
||||
'''Export our PGP key if it exists'''
|
||||
if not os.path.exists(self.fingerprintFile):
|
||||
|
@ -107,26 +114,38 @@ class OnionrUtils:
|
|||
idLength = len(id)
|
||||
retVal = True
|
||||
idNoDomain = ''
|
||||
#if idLength != 60 and idLength != 22 and idLength != 62:
|
||||
peerType = ''
|
||||
# i2p b32 addresses are 60 characters long (including .b32.i2p)
|
||||
if idLength == 60:
|
||||
if not id.endsWith('.b32.i2p'):
|
||||
peerType = 'i2p'
|
||||
if not id.endswith('.b32.i2p'):
|
||||
retVal = False
|
||||
else:
|
||||
idNoDomain = id.split('.b32.i2p')[0]
|
||||
# Onion v2's are 22 (including .onion), v3's are 62 with .onion
|
||||
elif idLength == 22 or idLength == 62:
|
||||
if not id.endsWith('.onion'):
|
||||
peerType = 'onion'
|
||||
if not id.endswith('.onion'):
|
||||
retVal = False
|
||||
else:
|
||||
idNoDomain = id.split('.onion')[0]
|
||||
else:
|
||||
retVal = False
|
||||
if retVal:
|
||||
if id.endsWith('.onion'):
|
||||
if peerType == 'i2p':
|
||||
try:
|
||||
int(idNoDomain, 16)
|
||||
except ValueError:
|
||||
id.split('.b32.i2p')[2]
|
||||
except:
|
||||
pass
|
||||
else:
|
||||
retVal = False
|
||||
elif peerType == 'onion':
|
||||
try:
|
||||
id.split('.onion')[2]
|
||||
except:
|
||||
pass
|
||||
else:
|
||||
retVal = False
|
||||
elif id.endsWith('.b32.i2p'):
|
||||
if not idNoDomain.isalnum():
|
||||
retVal = False
|
||||
return retVal
|
||||
|
|
|
@ -51,7 +51,7 @@ class OnionrTests(unittest.TestCase):
|
|||
myCore = core.Core()
|
||||
if not os.path.exists('data/peers.db'):
|
||||
myCore.createPeerDB()
|
||||
if myCore.addPeer('test'):
|
||||
if myCore.addPeer('facebookcorewwwi.onion') and not myCore.addPeer('invalidpeer.onion'):
|
||||
self.assertTrue(True)
|
||||
else:
|
||||
self.assertTrue(False)
|
||||
|
|
Loading…
Reference in New Issue