author | Maximilian Hils <git@maximilianhils.com> | 2018-07-12 10:40:50 +0800 |
---|---|---|
committer | Maximilian Hils <git@maximilianhils.com> | 2018-07-12 10:40:50 +0800 |
commit | 48ff616cefe899eb4de6d64957a1e291a7c022f5 (patch) | |
tree | a1ba49da1b77bffe4dd5cacfbd3e0ad919fc0364 /mitmproxy | |
parent | ae9177922911bd9d39b4fead45e196b51b2b9a84 (diff) | |
download | mitmproxy-48ff616cefe899eb4de6d64957a1e291a7c022f5.tar.gz mitmproxy-48ff616cefe899eb4de6d64957a1e291a7c022f5.tar.bz2 mitmproxy-48ff616cefe899eb4de6d64957a1e291a7c022f5.zip |
mitmweb: improve dns rebinding protection, support ipv6
Diffstat (limited to 'mitmproxy')
-rw-r--r-- | mitmproxy/tools/web/app.py | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/mitmproxy/tools/web/app.py b/mitmproxy/tools/web/app.py
index 9c13690a..b72e0d77 100644
--- a/mitmproxy/tools/web/app.py
+++ b/mitmproxy/tools/web/app.py
@@ -463,10 +463,20 @@ class SaveOptions(RequestHandler):
 pass
+class DnsRebind(RequestHandler):
+ def get(self):
+ raise tornado.web.HTTPError(
+ 403,
+ reason="To protect against DNS rebinding, mitmweb can only be accessed by IP at the moment. "
+ "(https://github.com/mitmproxy/mitmproxy/issues/3234)"
+ )
+
+
 class Application(tornado.web.Application):
 def __init__(self, master, debug):
 self.master = master
 super().__init__(
+ default_host="dns-rebind-protection",
 template_path=os.path.join(os.path.dirname(__file__), "templates"),
 static_path=os.path.join(os.path.dirname(__file__), "static"),
 xsrf_cookies=True,
@@ -475,9 +485,10 @@ class Application(tornado.web.Application):
 autoreload=False,
 )
+ self.add_handlers("dns-rebind-protection", [(r"/.*", DnsRebind)])
 self.add_handlers(
 # make mitmweb accessible by IP only to prevent DNS rebinding.
- r'(localhost|\d+\.\d+\.\d+\.\d+)',
+ r'^(localhost|[0-9.:\[\]]+)$',
 [
 (r"/", IndexHandler),
 (r"/filter-help(?:\.json)?", FilterHelp), |
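Review bot: `DnsRebind` overrides only `get`, so the explanatory 403 is produced for GET requests alone; other methods sent with a non-matching Host header fall through to whatever the `RequestHandler` base class (defined outside this hunk) and Tornado do by default, most likely a 405 or an XSRF failure. Those requests still appear to be refused, but the refusal then rests on unrelated defaults rather than on this handler. Moving the raise into `def prepare(self):` would let the handler reject every method itself, and a one-line docstring such as `"""Reject requests whose Host header is neither localhost nor an IP literal."""` would record why the class exists.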
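Review bot: The new host pattern `[0-9.:\[\]]+` accepts any string built from digits, dots, colons and brackets, not only well-formed IPv4 or IPv6 literals, so the protection rests on the unstated assumption that no name resolvable through DNS consists solely of those characters. The comment above it still says "by IP only" although `localhost` is accepted as well. I would spell the assumption out, for example `# allow localhost and hosts made only of digits, '.', ':', '[' and ']' (assumed to be IP literals, never DNS names)`, or parse the host with `ipaddress.ip_address()` after stripping the brackets if stricter matching is wanted. The `add_handlers` call continues past the end of the hunk.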