allow_remote=false does not prevent remote access

[vfaronov]

Steps to reproduce the problem:

1. Run mitmproxy on a publicly routable host, with default configuration including listen_host="", listen_port=8080, and allow_remote=false.
2. From a host on a different network, send a request through that instance of mitmproxy, e.g. with curl --proxy http://your-host.example:8080

The default allow_remote=false should prevent this request from succeeding. However, it is served by mitmproxy just fine.

Any other comments? What have you tried so far?

I have a laptop sitting in the “DMZ” of a home router, which is globally IPv4 routable. I also have a VPS which is globally IPv4 routable. Both the laptop and the VPS are running Ubuntu 16.04 “Xenial Xerus”. I can reproduce the problem with mitmproxy running on the VPS and curl on the laptop, as well as vice-versa.

Both tcpdump and mitmproxy’s own Details pane show the request as originating from a remote network.

I only noticed this because I saw strange flows in a mitmproxy instance that I spun up on the laptop.

System information

Mitmproxy: 3.0.3 binary
Python: 3.5.2
OpenSSL: OpenSSL 1.1.0g 2 Nov 2017
Platform: Linux-4.4.0-116-generic-x86_64-with-debian-stretch-sid

[Kriechi]

Thanks - I can verify it!
Not sure why yet, but the tests and the implementation are not that complex... let me look into that!

[Kriechi]

Looks like the check fails because IPv4 source addresses get mapped into IPv6 address with ::ffff:<IPv4>, and then it apparently becomes a private address range in https://github.com/python/cpython/blob/10b134a07c898c2fbc5fd3582503680a54ed80a2/Lib/ipaddress.py#L2258.