Skip to content
Browse files
createUser(): fix check for localhost login when using local proxies
Testing the socket address for isn't enough when the API is
accessible behind a local proxy (like a Tor onion service). By checking
the "Host" HTTP header field the client the access is further restricted.

This is still not bullet proof if an attacker fakes the "Host" field.
Likely we need more proof like a process PID which can be verified by deCONZ.
  • Loading branch information
manup committed Sep 22, 2019
1 parent 7f9016a commit f780c3b69e01a0be084b1bdc89f13903bae9d34e
Showing 1 changed file with 7 additions and 1 deletion.
@@ -745,7 +745,13 @@ int DeRestPluginPrivate::createUser(const ApiRequest &req, ApiResponse &rsp)

if (!gwLinkButton)
if (gwAllowLocal && req.sock->peerAddress() == localHost)
QString host = req.hdr.value(QLatin1String("Host"));
if (host.indexOf(':') > 0)
host = host.split(':')[0];

if (gwAllowLocal && req.sock->peerAddress() == localHost && (host == QLatin1String("") || host == QLatin1String("localhost")))
// proceed

0 comments on commit f780c3b

Please sign in to comment.