author | Dirk Engling <erdgeist@erdgeist.org> | 2024-03-31 13:36:26 +0200 |
---|---|---|
committer | Dirk Engling <erdgeist@erdgeist.org> | 2024-03-31 13:36:26 +0200 |
commit | aca3ee0ac8cc6b389bcae2b767c0289ba21c8bf0 (patch) | |
tree | 9e2e02513472996bad00384e00dc97e8babfb28c | |
parent | 5b98dcf3a36f43bf335f6888d9515bdb614cbd6d (diff) |
Prevent proxied ips of the wrong flavour to poison our clients
-rw-r--r-- | ot_http.c | 12 |
1 files changed, 10 insertions, 2 deletions
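--- a/ot_http.c
+++ b/ot_http.c
@@ -420,9 +420,17 @@ static ssize_t http_handle_announce( const int64 sock, struct ot_workstruct *ws,
 if( accesslist_is_blessed( cookie->ip, OT_PERMISSION_MAY_PROXY ) ) {
 ot_ip6 proxied_ip;
 char *fwd = http_header( ws->request, ws->header_size, "x-forwarded-for" );
-if( fwd && scan_ip6( fwd, proxied_ip ) )
+if( fwd && scan_ip6( fwd, proxied_ip ) ) {
+/* If proxy reports an ipv6 address but we can only handle v4 (or vice versa), bail out */
+#ifndef WANT_V6
+if( !ip6_isv4mapped(proxied_ip) )
+#else
+if( ip6_isv4mapped(proxied_ip) )
+#endif
+HTTPERROR_400_PARAM;
+
 OT_SETIP( &ws->peer, proxied_ip );
-else
+} else
 OT_SETIP( &ws->peer, cookie->ip );
 } else
 #endif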
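Review bot: The new family check only inspects the address that `scan_ip6( fwd, proxied_ip )` parsed from the start of the `x-forwarded-for` value; nothing in the hunk looks at how much of the header was consumed or at what follows. If a blessed proxy appends to an existing header instead of replacing it, the leading entry is presumably whatever the client sent, so an arbitrary address of the right flavour would still reach `OT_SETIP( &ws->peer, proxied_ip )`. I would state that trust assumption next to the check, e.g. `/* Blessed proxies must overwrite X-Forwarded-For: only the leading address is parsed and it is taken as the peer */`. Separately, the rejection relies on `HTTPERROR_400_PARAM` being a single returning statement under an unbraced `if` that is split across `#ifndef`/`#else`; wrapping it as `{ HTTPERROR_400_PARAM; }` would keep it safe if the macro ever changes. The body of `http_handle_announce` starts and ends outside this hunk, so the macro definition and the fallback path are not visible here.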