Please sign in to comment.
createUser(): fix check for localhost login when using local proxies
Testing the socket address for 127.0.0.1 isn't enough when the API is accessible behind a local proxy (like a Tor onion service). By checking the "Host" HTTP header field the client the access is further restricted. This is still not bullet proof if an attacker fakes the "Host" field. Likely we need more proof like a process PID which can be verified by deCONZ.
- Loading branch information