authorDirk Engling <erdgeist@erdgeist.org>2024-03-31 13:36:26 +0200
committerDirk Engling <erdgeist@erdgeist.org>2024-03-31 13:36:26 +0200
commitaca3ee0ac8cc6b389bcae2b767c0289ba21c8bf0 (patch)
tree9e2e02513472996bad00384e00dc97e8babfb28c
parent5b98dcf3a36f43bf335f6888d9515bdb614cbd6d (diff)
Prevent proxied ips of the wrong flavour to poison our clients
-rw-r--r--ot_http.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/ot_http.c b/ot_http.c
index 35f88b1..88b4261 100644
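--- a/ot_http.c
+++ b/ot_http.c
@@ -420,9 +420,17 @@ static ssize_t http_handle_announce( const int64 sock, struct ot_workstruct *ws,
 if( accesslist_is_blessed( cookie->ip, OT_PERMISSION_MAY_PROXY ) ) {
 ot_ip6 proxied_ip;
 char *fwd = http_header( ws->request, ws->header_size, "x-forwarded-for" );
-if( fwd && scan_ip6( fwd, proxied_ip ) )
+if( fwd && scan_ip6( fwd, proxied_ip ) ) {
+/* If proxy reports an ipv6 address but we can only handle v4 (or vice versa), bail out */
+#ifndef WANT_V6
+if( !ip6_isv4mapped(proxied_ip) )
+#else
+if( ip6_isv4mapped(proxied_ip) )
+#endif
+HTTPERROR_400_PARAM;
+
 OT_SETIP( &ws->peer, proxied_ip );
-else
+} else
 OT_SETIP( &ws->peer, cookie->ip );
 } else
 #endif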
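Review bot: The added `ip6_isv4mapped` check validates only the address that `scan_ip6` parsed from the start of the `x-forwarded-for` value, and nothing in the hunk looks at what follows it. If the blessed proxy appends to an existing header instead of replacing it, the first entry is whatever the client sent, so the address stored by `OT_SETIP( &ws->peer, proxied_ip )` would be client-chosen while still passing the v4/v6 test. I would state that requirement next to the check, e.g. `/* the blessed proxy must overwrite x-forwarded-for, not append to it; only the first address is used */`, and consider answering 400 when data trails the parsed address. The `} else` branch still records the proxy's own `cookie->ip` when the header is missing or unparsable, which puts the proxy address into the peer list and may deserve the same 400 treatment if that is not intended. `http_handle_announce` starts and ends outside the hunk, so any handling elsewhere in the function is not visible here.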