createUser(): fix check for localhost login when using local proxies

Testing the socket address for 127.0.0.1 isn't enough when the API is
accessible behind a local proxy (like a Tor onion service). By checking
the "Host" HTTP header field of the client, the access is further restricted.

This is still not bulletproof if an attacker fakes the "Host" field.
Likely we need more proof like a process PID which can be verified by deCONZ.
manup committed Sep 22, 2019
1 parent 7f9016a commit f780c3b69e01a0be084b1bdc89f13903bae9d34e
Showing with 7 additions and 1 deletion.
  1. +7 −1 rest_configuration.cpp
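The peer-address plus Host-header gate that the commit message describes, as an added stand-alone example (not deCONZ code, and written against the C++ standard library rather than Qt so it compiles without the project). The function names `hostWithoutPort`, `normalizeHost`, `hostHeaderIsLocal` and `localRequestAllowed` are hypothetical. It goes beyond the committed check in three places a practitioner would want covered: a bracketed IPv6 literal such as `[::1]:8080` is unwrapped instead of being split at the first colon, the host name comparison is case-insensitive, and a trailing dot (`localhost.`) is accepted. A malformed or empty Host value fails closed.

```cpp
// Added example, not deCONZ code: a stand-alone version of the
// "socket peer is loopback AND Host header says loopback" check.
// Standard library only; all function names are hypothetical.
#include <algorithm>
#include <cctype>
#include <string>

// Strip an optional ":port" from a Host header value. A bracketed IPv6
// literal ("[::1]:8080") is unwrapped rather than split at the first ':'.
static std::string hostWithoutPort(const std::string &host)
{
    if (!host.empty() && host[0] == '[') {
        auto close = host.find(']');
        if (close == std::string::npos) return ""; // malformed, fail closed
        return host.substr(1, close - 1);           // text inside the brackets
    }
    auto colon = host.find(':');
    return colon == std::string::npos ? host : host.substr(0, colon);
}

// Host names are case-insensitive; "localhost." is the FQDN form of "localhost".
static std::string normalizeHost(std::string h)
{
    std::transform(h.begin(), h.end(), h.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (!h.empty() && h.back() == '.') h.pop_back();
    return h;
}

// True if the Host header names the loopback interface.
bool hostHeaderIsLocal(const std::string &hostHeader)
{
    const std::string h = normalizeHost(hostWithoutPort(hostHeader));
    return h == "127.0.0.1" || h == "localhost" || h == "::1";
}

// The combined gate. The Host header is supplied by the client, so this only
// stops a proxy that forwards a foreign Host value (the onion-service case the
// commit message describes); it is not proof that a local process is calling.
bool localRequestAllowed(bool allowLocal, const std::string &peerAddress,
                         const std::string &hostHeader)
{
    const bool peerIsLocal = (peerAddress == "127.0.0.1" || peerAddress == "::1");
    return allowLocal && peerIsLocal && hostHeaderIsLocal(hostHeader);
}
```

`peerAddress` stands in for the socket's peer address that the real code compares against `localHost`; the Host header alone never grants access, it can only take it away.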
@@ -745,7 +745,13 @@ int DeRestPluginPrivate::createUser(const ApiRequest &req, ApiResponse &rsp)

if (!gwLinkButton)
{
if (gwAllowLocal && req.sock->peerAddress() == localHost)
QString host = req.hdr.value(QLatin1String("Host"));
if (host.indexOf(':') > 0)
{
host = host.split(':')[0];
}

if (gwAllowLocal && req.sock->peerAddress() == localHost && (host == QLatin1String("127.0.0.1") || host == QLatin1String("localhost")))
{
// proceed
}
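Review bot: the Host comparison on the new `if` line is case-sensitive, but host names are case-insensitive (RFC 3986 §3.2.2), so a request from a genuine loopback socket carrying `Host: Localhost` is now rejected while the check gains nothing against a deliberately forged value, which the commit message already concedes; suggest `host.compare(QLatin1String("localhost"), Qt::CaseInsensitive) == 0` (and the same for the IP literal is harmless). Two smaller points in the same hunk: the port strip (`if (host.indexOf(':') > 0)` / `host = host.split(':')[0];`) turns a bracketed IPv6 literal such as `[::1]:8080` into `[`, which fails closed here only because `::1` is not in the accepted list, and the block deserves a comment stating that `Host` is client-controlled and this is a defence against a naive local proxy forwarding a foreign Host, not an authentication boundary, so nobody later relaxes the `peerAddress() == localHost` half of the condition on the strength of the header.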

0 comments on commit f780c3b