author | Jo-Philipp Wich <jow@openwrt.org> | 2010-08-11 00:05:34 +0000 |
committer | Jo-Philipp Wich <jow@openwrt.org> | 2010-08-11 00:05:34 +0000 |
commit | 3d99f030820877eb84835fb1be66a7db3f5b0c68 (patch) | |
tree | ab165f9195ca06e8c8b635f0edce60ce30c5a706 /package/uhttpd/src/uhttpd.c | |
parent | a5371dfe3909f14d45803efcfa5a85446f7954ac (diff) | |
uhttpd: add option to reject requests from RFC1918 IPs to public server IPs (DNS rebinding countermeasure)
SVN-Revision: 22589
Diffstat (limited to 'package/uhttpd/src/uhttpd.c')
-rw-r--r-- | package/uhttpd/src/uhttpd.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/package/uhttpd/src/uhttpd.c b/package/uhttpd/src/uhttpd.c
index 82729627e0..be882470ad 100644
--- a/package/uhttpd/src/uhttpd.c
+++ b/package/uhttpd/src/uhttpd.c
@@ -524,7 +524,7 @@ int main (int argc, char **argv)
 #endif
 while( (opt = getopt(argc, argv,
- "fSDC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
+ "fSDRC:K:E:I:p:s:h:c:l:L:d:r:m:x:t:T:")) > 0
 ) {
 switch(opt)
 {
@@ -648,6 +648,10 @@ int main (int argc, char **argv)
 conf.no_dirlists = 1;
 break;
 
+ case 'R':
+ conf.rfc1918_filter = 1;
+ break;
+
 #ifdef HAVE_CGI
 /* cgi prefix */
 case 'x':
@@ -728,6 +732,7 @@ int main (int argc, char **argv)
 " -I string Use given filename as index page for directories\n"
 " -S Do not follow symbolic links outside of the docroot\n"
 " -D Do not allow directory listings, send 403 instead\n"
+ " -R Enable RFC1918 filter\n"
 #ifdef HAVE_LUA
 " -l string URL prefix for Lua handler, default is '/lua'\n"
 " -L file Lua handler script, omit to disable Lua\n"
@@ -932,6 +937,14 @@ int main (int argc, char **argv)
 /* parse message header */
 if( (req = uh_http_header_recv(cl)) != NULL )
 {
+ /* RFC1918 filtering required? */
+ if( conf.rfc1918_filter && sa_rfc1918(&cl->peeraddr) &&
+ !sa_rfc1918(&cl->servaddr) )
+ {
+ uh_http_sendhf(cl, 403, "Forbidden",
+ "Rejected request from RFC1918 IP to public server address");
+ }
+ else
 #ifdef HAVE_LUA
 /* Lua request? */
 if( L && uh_path_match(conf.lua_prefix, req->url) )
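Review bot: The new check in the last hunk decides purely on whether each address is in an RFC1918 range, so it gives no protection when the server-side address that the attacker's name resolves to is itself private (an upstream behind double NAT or carrier-grade NAT) and, as far as this hunk shows, says nothing about non-IPv4 sockets, since sa_rfc1918 is defined elsewhere and its behaviour on other address families is not visible here. That limitation belongs in the help text and in the comment guarding the branch rather than the bare "RFC1918 filtering required?"; suggested help line `" -R Reject requests from RFC1918 peers to public server IPs (DNS rebinding countermeasure)\n"` and comment `/* DNS rebinding countermeasure: a private-range peer may only reach a private-range server address */`. The `else` that closes the new branch binds to whichever `if` the preprocessor leaves after `#ifdef HAVE_LUA`, so a one-line comment noting that the chain continues into the Lua/CGI dispatch would help the next reader; main() begins and ends outside these hunks.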