Protect Settings pages from being accessed remotely

Only allow access to the Settings pages to clients connecting from the local network, and not from the network's gateway.

# Conflicts:
#	Slim/Utils/OS/Linux.pm

Changelog7.html

@@ -18,6 +18,7 @@ <h2><a name="v7.9.1" id="v7.9.1"></a>Version 7.9.1</h2>
 
 	<li>Other:</li>
 	<ul>
+		<li>Block access to settings pages from outside the local network.</li>
 		<li>Make Playlists menu available to the SB Classic/Boom/Transporter's Home menu</li>
 		<li>Updated faad2 to latest code. Includes patches to increase maximum path length and fix some transcoding issues on Windows. Thanks <a href="https://github.com/ralph-irving/faad2">ralphy</a> and utgg.</li>
 		<li>Limit growth of the write-ahead log files for caches.</li>

Slim/Utils/OS.pm

@@ -295,6 +295,11 @@ sub getProxy {
 	return $proxy;
 }
 
+=head2 getDefaultGateway()
+	Get the network's default gateway address
+=cut
+sub getDefaultGateway { '' }
+
 sub ignoredItems {
 	return (
 		# Items we should ignore on a linux volume

Slim/Utils/OS/Linux.pm

@@ -81,4 +81,21 @@ sub signalUpdateReady {
 	}
 }
 
+my $gateway;
+sub getDefaultGateway {
+	if (!defined $gateway) {
+		$gateway = '';
+
+		my $route = `/sbin/route -n`;
+		while ( $route =~ /^(?:0\.0\.0\.0)\s*(\d+\.\d+\.\d+\.\d+)/mg ) {
+			if ( Slim::Utils::Network::ip_is_private($1) ) {
+				$gateway = $1;
+				last;
+			}
+		}
+	}
+
+	return $gateway;
+}
+
 1;

Slim/Utils/OS/OSX.pm

@@ -345,6 +345,20 @@ sub pathFromMacAlias {
 	return $path;
 }
 
+my $gateway;
+sub getDefaultGateway {
+	if (!defined $gateway) {
+		$gateway = '';
+
+		my $route = `route -n get default`;
+		if ($route =~ /gateway:\s*(\d+\.\d+\.\d+\.\d+)/s ) {
+			$gateway = $1 if Slim::Utils::Network::ip_is_private($1);
+		}
+	}
+
+	return $gateway;
+}
+
 my $updateCheckInitialized;
 my $plistLabel = "com.slimdevices.updatecheck";
 

Slim/Utils/OS/Win32.pm

@@ -396,6 +396,23 @@ sub getProxy {
 	return $proxy || $class->SUPER::getProxy();
 }
 
+my $gateway;
+sub getDefaultGateway {
+	if (!defined $gateway) {
+		$gateway = '';
+
+		my $route = `route print -4`;
+		while ( $route =~ /^\s*0\.0\.0\.0\s+\d+\.\d+\.\d+\.\d+\s+(\d+\.\d+\.\d+\.\d+)/mg ) {
+			if ( Slim::Utils::Network::ip_is_private($1) ) {
+				$gateway = $1;
+				last;
+			}
+		}
+	}
+
+	return $gateway;
+}
+
 sub ignoredItems {
 	return (
 		# Items we should ignore  on a Windows volume

Slim/Utils/Prefs.pm

@@ -221,6 +221,7 @@ sub init {
 			return join(',', Slim::Utils::Network::hostAddr());
 		},
 		'csrfProtectionLevel'   => 0,
+		'protectSettings'       => 1,
 		'authorize'             => 0,
 		'username'              => '',
 		'password'              => '',

Slim/Web/HTTP.pm

@@ -963,11 +963,38 @@ sub generateHTTPResponse {
 		);
 	}
 
-	main::INFOLOG && $log->is_info && $log->info("Generating response for ($type, $contentType) $path");
-
-	# some generally useful form details...
 	my $classOrCode = Slim::Web::Pages->getPageFunction($path);
 
+	# protect access to settings pages: only allow from local network
+	if ( main::WEBUI 
+		&& $peeraddr{$httpClient} ne '127.0.0.1'
+		&& $prefs->get('protectSettings') 
+		&& $classOrCode && !ref $classOrCode && $classOrCode->isa('Slim::Web::Settings') 
+	) {
+		my $gateway = Slim::Utils::OSDetect->getOS()->getDefaultGateway();
+
+		if ( 
+			( $gateway && Slim::Utils::Network::intip($peeraddr{$httpClient}) == Slim::Utils::Network::intip($gateway) )
+			|| !Slim::Utils::Network::ip_is_private($peeraddr{$httpClient} )
+		) {
+			$log->warn("Access to settings pages is restricted to the local network or localhost: $peeraddr{$httpClient}");
+
+			$response->code(RC_FORBIDDEN);
+
+			$body = filltemplatefile('html/errors/403.html', $params);
+
+			return prepareResponseForSending(
+				$client,
+				$params,
+				$body,
+				$httpClient,
+				$response,
+			);
+		}
+	}
+
+	main::INFOLOG && $log->is_info && $log->info("Generating response for ($type, $contentType) $path");
+
 	if (defined($client) && $classOrCode) {
 		$params->{'player'} = $client->id();
 		$params->{'myClientState'} = $client;