aboutsummaryrefslogtreecommitdiffstats
path: root/package/uhttpd/src/uhttpd.c
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2010-08-11 00:05:34 +0000
committerJo-Philipp Wich <jow@openwrt.org>2010-08-11 00:05:34 +0000
commit3d99f030820877eb84835fb1be66a7db3f5b0c68 (patch)
treeab165f9195ca06e8c8b635f0edce60ce30c5a706 /package/uhttpd/src/uhttpd.c
parenta5371dfe3909f14d45803efcfa5a85446f7954ac (diff)
downloadupstream-3d99f030820877eb84835fb1be66a7db3f5b0c68.tar.gz
upstream-3d99f030820877eb84835fb1be66a7db3f5b0c68.tar.bz2
upstream-3d99f030820877eb84835fb1be66a7db3f5b0c68.zip
uhttpd: add option to reject requests from RFC1918 IPs to public server IPs (DNS rebinding countermeasure)
SVN-Revision: 22589
Diffstat (limited to 'package/uhttpd/src/uhttpd.c')
-rw-r--r--package/uhttpd/src/uhttpd.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/package/uhttpd/src/uhttpd.c b/package/uhttpd/src/uhttpd.c
index 82729627e0..be882470ad 100644
--- a/package/uhttpd/src/uhttpd.c
+++ b/package/uhttpd/src/uhttpd.c
@@ -524,7 +524,7 @@ int main (int argc, char **argv)
#endif
while( (opt = getopt(argc, argv,
- "fSDC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
+ "fSDRC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
) {
switch(opt)
{
@@ -648,6 +648,10 @@ int main (int argc, char **argv)
conf.no_dirlists = 1;
break;
+ case 'R':
+ conf.rfc1918_filter = 1;
+ break;
+
#ifdef HAVE_CGI
/* cgi prefix */
case 'x':
@@ -728,6 +732,7 @@ int main (int argc, char **argv)
" -I string Use given filename as index page for directories\n"
" -S Do not follow symbolic links outside of the docroot\n"
" -D Do not allow directory listings, send 403 instead\n"
+ " -R Enable RFC1918 filter\n"
#ifdef HAVE_LUA
" -l string URL prefix for Lua handler, default is '/lua'\n"
" -L file Lua handler script, omit to disable Lua\n"
@@ -932,6 +937,14 @@ int main (int argc, char **argv)
/* parse message header */
if( (req = uh_http_header_recv(cl)) != NULL )
{
+ /* RFC1918 filtering required? */
+ if( conf.rfc1918_filter && sa_rfc1918(&cl->peeraddr) &&
+ !sa_rfc1918(&cl->servaddr) )
+ {
+ uh_http_sendhf(cl, 403, "Forbidden",
+ "Rejected request from RFC1918 IP to public server address");
+ }
+ else
#ifdef HAVE_LUA
/* Lua request? */
if( L && uh_path_match(conf.lua_prefix, req->url) )