Allow to use subnet notation in reverse proxy list

Closes #17475.
2025-01-14 00:37:58 +00:00 · 2022-09-07 13:29:46 +08:00 · 2022-09-07 13:29:46 +08:00 · 109c45bb95
commit 109c45bb95
parent 851374e517
2 changed files with 24 additions and 9 deletions
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -42,7 +42,6 @@
 #include <QUrl>

 #include "base/algorithm.h"
-#include "base/global.h"
 #include "base/http/httperror.h"
 #include "base/logger.h"
 #include "base/preferences.h"
@ -402,15 +401,29 @@ void WebApplication::configure()
    m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled();
    if (m_isReverseProxySupportEnabled)
    {
-        m_trustedReverseProxyList.clear();
-
        const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts);

-        for (const QString &proxy : proxyList)
+        m_trustedReverseProxyList.clear();
+        m_trustedReverseProxyList.reserve(proxyList.size());
+
+        for (QString proxy : proxyList)
        {
-            QHostAddress ip;
-            if (ip.setAddress(proxy))
-                m_trustedReverseProxyList.push_back(ip);
+            if (!proxy.contains(u'/'))
+            {
+                const QAbstractSocket::NetworkLayerProtocol protocol = QHostAddress(proxy).protocol();
+                if (protocol == QAbstractSocket::IPv4Protocol)
+                {
+                    proxy.append(u"/32");
+                }
+                else if (protocol == QAbstractSocket::IPv6Protocol)
+                {
+                    proxy.append(u"/128");
+                }
+            }
+
+            const std::optional<Utils::Net::Subnet> subnet = Utils::Net::parseSubnet(proxy);
+            if (subnet)
+                m_trustedReverseProxyList.push_back(subnet.value());
        }

        if (m_trustedReverseProxyList.isEmpty())
@ -728,7 +741,7 @@ QHostAddress WebApplication::resolveClientAddress() const
        return m_env.clientAddress;

    // Only reverse proxy can overwrite client address
-    if (!m_trustedReverseProxyList.contains(m_env.clientAddress))
+    if (!Utils::Net::isIPInSubnets(m_env.clientAddress, m_trustedReverseProxyList))
        return m_env.clientAddress;

    const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR);
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@ -34,11 +34,13 @@
 #include <QDateTime>
 #include <QElapsedTimer>
 #include <QHash>
+#include <QHostAddress>
 #include <QMap>
 #include <QObject>
 #include <QRegularExpression>
 #include <QSet>
 #include <QTranslator>
+#include <QVector>

 #include "base/applicationcomponent.h"
 #include "base/global.h"
@ -233,7 +235,7 @@ private:

    // Reverse proxy
    bool m_isReverseProxySupportEnabled;
-    QVector<QHostAddress> m_trustedReverseProxyList;
+    QVector<Utils::Net::Subnet> m_trustedReverseProxyList;
    QHostAddress m_clientAddress;

    QVector<Http::Header> m_prebuiltHeaders;