From 109c45bb959d89b7e70d933c0d4515fa4d0b39fc Mon Sep 17 00:00:00 2001 From: Chocobo1 Date: Wed, 7 Sep 2022 13:29:46 +0800 Subject: [PATCH] Allow to use subnet notation in reverse proxy list Closes #17475. --- src/webui/webapplication.cpp | 29 +++++++++++++++++++++-------- src/webui/webapplication.h | 4 +++- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp index a22002c45..d35a48c87 100644 --- a/src/webui/webapplication.cpp +++ b/src/webui/webapplication.cpp @@ -42,7 +42,6 @@ #include #include "base/algorithm.h" -#include "base/global.h" #include "base/http/httperror.h" #include "base/logger.h" #include "base/preferences.h" @@ -402,15 +401,29 @@ void WebApplication::configure() m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled(); if (m_isReverseProxySupportEnabled) { - m_trustedReverseProxyList.clear(); - const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts); - for (const QString &proxy : proxyList) + m_trustedReverseProxyList.clear(); + m_trustedReverseProxyList.reserve(proxyList.size()); + + for (QString proxy : proxyList) { - QHostAddress ip; - if (ip.setAddress(proxy)) - m_trustedReverseProxyList.push_back(ip); + if (!proxy.contains(u'/')) + { + const QAbstractSocket::NetworkLayerProtocol protocol = QHostAddress(proxy).protocol(); + if (protocol == QAbstractSocket::IPv4Protocol) + { + proxy.append(u"/32"); + } + else if (protocol == QAbstractSocket::IPv6Protocol) + { + proxy.append(u"/128"); + } + } + + const std::optional subnet = Utils::Net::parseSubnet(proxy); + if (subnet) + m_trustedReverseProxyList.push_back(subnet.value()); } if (m_trustedReverseProxyList.isEmpty()) 
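Review bot: Entries that `Utils::Net::parseSubnet` rejects are dropped without any message in the new loop in `configure()`, so a typo in the trusted-proxy setting quietly shrinks the list and the administrator gets no hint; since `base/logger.h` is already included, an `else LogMsg(tr("Ignoring invalid trusted reverse proxy entry: \"%1\"").arg(proxy), Log::WARNING);` after the `if (subnet)` would surface it. The loop also places no lower bound on the prefix length, while `resolveClientAddress()` (the next hunk) honours `X-Forwarded-For` from any peer inside these subnets. A very wide entry, if `parseSubnet` accepts it, would therefore let every such peer set the client address the WebUI acts on. A warning for unusually short prefixes, plus a comment stating that this list is a trust boundary, would help. The handling of an empty list continues outside the hunk.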
@@ -728,7 +741,7 @@ QHostAddress WebApplication::resolveClientAddress() const return m_env.clientAddress; // Only reverse proxy can overwrite client address - if (!m_trustedReverseProxyList.contains(m_env.clientAddress)) + if (!Utils::Net::isIPInSubnets(m_env.clientAddress, m_trustedReverseProxyList)) return m_env.clientAddress; const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR); diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h index 02a8d576b..f5b0034fd 100644 --- a/src/webui/webapplication.h +++ b/src/webui/webapplication.h @@ -34,11 +34,13 @@ #include #include #include +#include #include #include #include #include #include +#include #include "base/applicationcomponent.h" #include "base/global.h" @@ -233,7 +235,7 @@ private: // Reverse proxy bool m_isReverseProxySupportEnabled; - QVector m_trustedReverseProxyList; + QVector m_trustedReverseProxyList; QHostAddress m_clientAddress; QVector m_prebuiltHeaders;