Skip to content

Commit

Permalink
createUser(): fix check for localhost login when using local proxies
Browse files Browse the repository at this point in the history
Testing the socket address for 127.0.0.1 isn't enough when the API is
accessible behind a local proxy (like a Tor onion service). By checking
the "Host" HTTP header field the client the access is further restricted.

This is still not bullet proof if an attacker fakes the "Host" field.
Likely we need more proof like a process PID which can be verified by deCONZ.
  • Loading branch information
manup committed Sep 22, 2019
1 parent 7f9016a commit f780c3b
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion rest_configuration.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -745,7 +745,13 @@ int DeRestPluginPrivate::createUser(const ApiRequest &req, ApiResponse &rsp)

if (!gwLinkButton)
{
if (gwAllowLocal && req.sock->peerAddress() == localHost)
QString host = req.hdr.value(QLatin1String("Host"));
if (host.indexOf(':') > 0)
{
host = host.split(':')[0];
}

if (gwAllowLocal && req.sock->peerAddress() == localHost && (host == QLatin1String("127.0.0.1") || host == QLatin1String("localhost")))
{
// proceed
}
Expand Down

0 comments on commit f780c3b

Please sign in to comment.