GitHub/Anki
1
0
Fork 0
mirror of https://github.com/ankitects/anki.git synced 2025-09-18 22:12:21 -04:00
Code Issues Projects Releases Packages 1 Wiki Activity Actions

Ensure webpages in browser can't access local webserver

Browse source 
Thanks to Daniel for the report.
This commit is contained in:
Damien Elmes 2023-11-08 09:22:14 +10:00
parent 6ebe726670
commit 454ca6ce2c
1 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
qt/aqt/mediasrv.py
View file

@ -18,7 +18,7 @@ from typing import Callable
import flask import flask
import flask_cors import flask_cors
import stringcase import stringcase
from flask import Response, request from flask import Response, abort, request
from waitress.server import create_server from waitress.server import create_server
import aqt import aqt
@ -38,7 +38,7 @@ from aqt.qt import *
from aqt.utils import aqt_data_path from aqt.utils import aqt_data_path
app = flask.Flask(__name__, root_path="/fake") app = flask.Flask(__name__, root_path="/fake")
flask_cors.CORS(app) flask_cors.CORS(app, resources={r"/*": {"origins": "127.0.0.1"}})
@dataclass @dataclass
@ -256,6 +256,14 @@ def _handle_builtin_file_request(request: BundledFileRequest) -> Response:
@app.route("/<path:pathin>", methods=["GET", "POST"]) @app.route("/<path:pathin>", methods=["GET", "POST"])
def handle_request(pathin: str) -> Response: def handle_request(pathin: str) -> Response:
host = request.headers.get("Host", "").lower()
allowed_prefixes = ("127.0.0.1:", "localhost:", "[::1]:")
if not any(host.startswith(prefix) for prefix in allowed_prefixes):
# while we only bind to localhost, this request may have come from a local browser
# via a DNS rebinding attack
print("deny non-local host", host)
abort(403)
req = _extract_request(pathin) req = _extract_request(pathin)
if dev_mode: if dev_mode:
print(f"{time.time():.3f} {flask.request.method} /{pathin}") print(f"{time.time():.3f} {flask.request.method} /{pathin}")