| author | Dirk Engling <erdgeist@erdgeist.org> | 2024-03-31 13:36:26 +0200 |
|---|---|---|
| committer | Dirk Engling <erdgeist@erdgeist.org> | 2024-03-31 13:36:26 +0200 |
| commit | aca3ee0ac8cc6b389bcae2b767c0289ba21c8bf0 (patch) | |
| tree | 9e2e02513472996bad00384e00dc97e8babfb28c | |
| parent | 5b98dcf3a36f43bf335f6888d9515bdb614cbd6d (diff) | |
Prevent proxied ips of the wrong flavour to poison our clients
| -rw-r--r-- | ot_http.c | 12 |
1 files changed, 10 insertions, 2 deletions
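--- a/ot_http.c
+++ b/ot_http.c
@@ -420,9 +420,17 @@ static ssize_t http_handle_announce( const int64 sock, struct ot_workstruct *ws,
 if( accesslist_is_blessed( cookie->ip, OT_PERMISSION_MAY_PROXY ) ) {
 ot_ip6 proxied_ip;
 char *fwd = http_header( ws->request, ws->header_size, "x-forwarded-for" );
-if( fwd && scan_ip6( fwd, proxied_ip ) )
+if( fwd && scan_ip6( fwd, proxied_ip ) ) {
+/* If proxy reports an ipv6 address but we can only handle v4 (or vice versa), bail out */
+#ifndef WANT_V6
+if( !ip6_isv4mapped(proxied_ip) )
+#else
+if( ip6_isv4mapped(proxied_ip) )
+#endif
+HTTPERROR_400_PARAM;
+
 OT_SETIP( &ws->peer, proxied_ip );
-else
+} else
 OT_SETIP( &ws->peer, cookie->ip );
 } else
 #endif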
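Review bot: The new check in the `x-forwarded-for` branch rejects only a v4/v6 family mismatch, so an address of the right family that no client can use (unspecified, loopback) is still copied into `ws->peer` by `OT_SETIP` and is presumably handed out to other peers afterwards. `scan_ip6` appears to parse only the leading entry of the header, which is client-supplied if the blessed proxy appends to an existing header instead of overwriting it. A comment should state that requirement, for example `/* proxy must replace, not append to, X-Forwarded-For: only the leading address is parsed */`. The unbraced `if` split across `#ifndef WANT_V6` / `#else` also depends on `HTTPERROR_400_PARAM` expanding to a single statement; its definition is not visible here, so bracing the body as `{ HTTPERROR_400_PARAM; }` would keep the following `OT_SETIP` out of the conditional whatever the macro contains. `http_handle_announce` begins and ends outside this hunk.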
