Add option for WebUI Host header validation

Closes #9743.
6 years ago · 344e47dcfb
8 changed files with 67 additions and 23 deletions
--- a/src/base/preferences.cpp
+++ b/src/base/preferences.cpp
@ -626,6 +626,16 @@ void Preferences::setWebUiCSRFProtectionEnabled(bool enabled)
				@@ -626,6 +626,16 @@ void Preferences::setWebUiCSRFProtectionEnabled(bool enabled)
    setValue("Preferences/WebUI/CSRFProtection", enabled);
 }

+bool Preferences::isWebUIHostHeaderValidationEnabled() const
+{
+    return value("Preferences/WebUI/HostHeaderValidation", true).toBool();
+}
+
+void Preferences::setWebUIHostHeaderValidationEnabled(const bool enabled)
+{
+    setValue("Preferences/WebUI/HostHeaderValidation", enabled);
+}
+
 bool Preferences::isWebUiHttpsEnabled() const
 {
    return value("Preferences/WebUI/HTTPS/Enabled", false).toBool();
--- a/src/base/preferences.h
+++ b/src/base/preferences.h
@ -201,6 +201,8 @@ public:
				@@ -201,6 +201,8 @@ public:
    void setWebUiClickjackingProtectionEnabled(bool enabled);
    bool isWebUiCSRFProtectionEnabled() const;
    void setWebUiCSRFProtectionEnabled(bool enabled);
+    bool isWebUIHostHeaderValidationEnabled() const;
+    void setWebUIHostHeaderValidationEnabled(bool enabled);

    // HTTPS
    bool isWebUiHttpsEnabled() const;
--- a/src/gui/optionsdialog.cpp
+++ b/src/gui/optionsdialog.cpp
@ -390,6 +390,7 @@ OptionsDialog::OptionsDialog(QWidget *parent)
				@@ -390,6 +390,7 @@ OptionsDialog::OptionsDialog(QWidget *parent)
    connect(m_ui->checkBypassAuthSubnetWhitelist, &QAbstractButton::toggled, m_ui->IPSubnetWhitelistButton, &QPushButton::setEnabled);
    connect(m_ui->checkClickjacking, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->checkCSRFProtection, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
+    connect(m_ui->groupHostHeaderValidation, &QGroupBox::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->checkDynDNS, &QGroupBox::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->comboDNSService, qComboBoxCurrentIndexChanged, this, &ThisType::enableApplyButton);
    connect(m_ui->domainNameTxt, &QLineEdit::textChanged, this, &ThisType::enableApplyButton);
@ -719,6 +720,7 @@ void OptionsDialog::saveOptions()
				@@ -719,6 +720,7 @@ void OptionsDialog::saveOptions()
        // Security
        pref->setWebUiClickjackingProtectionEnabled(m_ui->checkClickjacking->isChecked());
        pref->setWebUiCSRFProtectionEnabled(m_ui->checkCSRFProtection->isChecked());
+        pref->setWebUIHostHeaderValidationEnabled(m_ui->groupHostHeaderValidation->isChecked());
        // DynDNS
        pref->setDynDNSEnabled(m_ui->checkDynDNS->isChecked());
        pref->setDynDNSService(m_ui->comboDNSService->currentIndex());
@ -1082,6 +1084,7 @@ void OptionsDialog::loadOptions()
				@@ -1082,6 +1084,7 @@ void OptionsDialog::loadOptions()
    // Security
    m_ui->checkClickjacking->setChecked(pref->isWebUiClickjackingProtectionEnabled());
    m_ui->checkCSRFProtection->setChecked(pref->isWebUiCSRFProtectionEnabled());
+    m_ui->groupHostHeaderValidation->setChecked(pref->isWebUIHostHeaderValidationEnabled());

    m_ui->checkDynDNS->setChecked(pref->isDynDNSEnabled());
    m_ui->comboDNSService->setCurrentIndex(static_cast<int>(pref->getDynDNSService()));
--- a/src/gui/optionsdialog.ui
+++ b/src/gui/optionsdialog.ui
@ -2944,28 +2944,6 @@ Specify an IPv4 or IPv6 address. You can specify &quot;0.0.0.0&quot; for any IPv
				@@ -2944,28 +2944,6 @@ Specify an IPv4 or IPv6 address. You can specify &quot;0.0.0.0&quot; for any IPv
                 </item>
                </layout>
               </item>
-               <item>
-                <layout class="QHBoxLayout" name="horizontalLayout_10">
-                 <item>
-                  <widget class="QLabel" name="labelServerDomains">
-                   <property name="text">
-                    <string>Server domains:</string>
-                   </property>
-                  </widget>
-                 </item>
-                 <item>
-                  <widget class="QLineEdit" name="textServerDomains">
-                   <property name="toolTip">
-                    <string>Whitelist for filtering HTTP Host header values.
-In order to defend against DNS rebinding attack,
-you should put in domain names used by WebUI server.
-
-Use ';' to split multiple entries. Can use wildcard '*'.</string>
-                   </property>
-                  </widget>
-                 </item>
-                </layout>
-               </item>
               <item>
                <widget class="QCheckBox" name="checkWebUIUPnP">
                 <property name="text">
@ -3190,6 +3168,40 @@ Use ';' to split multiple entries. Can use wildcard '*'.</string>
				@@ -3190,6 +3168,40 @@ Use ';' to split multiple entries. Can use wildcard '*'.</string>
                 </property>
                </widget>
               </item>
+               <item>
+                <widget class="QGroupBox" name="groupHostHeaderValidation">
+                 <property name="title">
+                  <string>Enable Host header validation</string>
+                 </property>
+                 <property name="checkable">
+                  <bool>true</bool>
+                 </property>
+                 <layout class="QVBoxLayout" name="verticalLayout_32">
+                  <item>
+                   <layout class="QHBoxLayout" name="horizontalLayout_10">
+                    <item>
+                     <widget class="QLabel" name="labelServerDomains">
+                      <property name="text">
+                       <string>Server domains:</string>
+                      </property>
+                     </widget>
+                    </item>
+                    <item>
+                     <widget class="QLineEdit" name="textServerDomains">
+                      <property name="toolTip">
+                       <string>Whitelist for filtering HTTP Host header values.
+In order to defend against DNS rebinding attack,
+you should put in domain names used by WebUI server.
+
+Use ';' to split multiple entries. Can use wildcard '*'.</string>
+                      </property>
+                     </widget>
+                    </item>
+                   </layout>
+                  </item>
+                 </layout>
+                </widget>
+               </item>
               <item>
                <widget class="QGroupBox" name="checkDynDNS">
                 <property name="title">
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@ -208,6 +208,7 @@ void AppController::preferencesAction()
				@@ -208,6 +208,7 @@ void AppController::preferencesAction()
    // Security
    data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
    data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
+    data["web_ui_host_header_validation_enabled"] = pref->isWebUIHostHeaderValidationEnabled();
    // Update my dynamic domain name
    data["dyndns_enabled"] = pref->isDynDNSEnabled();
    data["dyndns_service"] = pref->getDynDNSService();
@ -487,6 +488,8 @@ void AppController::setPreferencesAction()
				@@ -487,6 +488,8 @@ void AppController::setPreferencesAction()
        pref->setWebUiClickjackingProtectionEnabled(m["web_ui_clickjacking_protection_enabled"].toBool());
    if (m.contains("web_ui_csrf_protection_enabled"))
        pref->setWebUiCSRFProtectionEnabled(m["web_ui_csrf_protection_enabled"].toBool());
+    if (m.contains("web_ui_host_header_validation_enabled"))
+        pref->setWebUIHostHeaderValidationEnabled(m["web_ui_host_header_validation_enabled"].toBool());
    // Update my dynamic domain name
    if (m.contains("dyndns_enabled"))
        pref->setDynDNSEnabled(m["dyndns_enabled"].toBool());
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -452,6 +452,7 @@ void WebApplication::configure()
				@@ -452,6 +452,7 @@ void WebApplication::configure()

    m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
    m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }

@ -542,7 +543,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
				@@ -542,7 +543,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
    try {
        // block suspicious requests
        if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
-            || !validateHostHeader(m_domainList)) {
+            || (m_isHostHeaderValidationEnabled && !validateHostHeader(m_domainList))) {
            throw UnauthorizedHTTPError();
        }

--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@ -155,5 +155,6 @@ private:
				@@ -155,5 +155,6 @@ private:
    QStringList m_domainList;
    bool m_isClickjackingProtectionEnabled;
    bool m_isCSRFProtectionEnabled;
+    bool m_isHostHeaderValidationEnabled;
    bool m_isHttpsEnabled;
 };
--- a/src/webui/www/private/preferences_content.html
+++ b/src/webui/www/private/preferences_content.html
@ -457,6 +457,10 @@
				@@ -457,6 +457,10 @@
            <input type="checkbox" id="csrf_protection_checkbox" />
            <label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
        </div>
+        <div class="formRow">
+            <input type="checkbox" id="host_header_validation_checkbox" />
+            <label for="host_header_validation_checkbox">QBT_TR(Enable Host header validation)QBT_TR[CONTEXT=OptionsDialog]</label>
+        </div>
    </fieldset>

    <fieldset class="settings">
@ -712,6 +716,11 @@
				@@ -712,6 +716,11 @@
        $('bypass_auth_subnet_whitelist_textarea').setProperty('disabled', !isBypassAuthSubnetWhitelistEnabled);
    };

+    updateHostHeaderValidationSettings = function() {
+        var isHostHeaderValidationEnabled = $('host_header_validation_checkbox').getProperty('checked');
+        $('webui_domain_textarea').setProperty('disabled', !isHostHeaderValidationEnabled);
+    };
+
    updateDynDnsSettings = function() {
        var isDynDnsEnabled = $('use_dyndns_checkbox').getProperty('checked');
        $('dyndns_select').setProperty('disabled', !isDynDnsEnabled);
@ -971,6 +980,8 @@
				@@ -971,6 +980,8 @@
                    // Security
                    $('clickjacking_protection_checkbox').setProperty('checked', pref.web_ui_clickjacking_protection_enabled);
                    $('csrf_protection_checkbox').setProperty('checked', pref.web_ui_csrf_protection_enabled);
+                    $('host_header_validation_checkbox').setProperty('checked', pref.web_ui_host_header_validation_enabled);
+                    updateHostHeaderValidationSettings();

                    // Update my dynamic domain name
                    $('use_dyndns_checkbox').setProperty('checked', pref.dyndns_enabled);
@ -1256,6 +1267,7 @@
				@@ -1256,6 +1267,7 @@

        settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
        settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
+        settings.set('web_ui_host_header_validation_enabled', $('host_header_validation_checkbox').getProperty('checked'));

        // Update my dynamic domain name
        settings.set('dyndns_enabled', $('use_dyndns_checkbox').getProperty('checked'));