
Merge pull request #7669 from Chocobo1/portCheck

[WebAPI] Improve error messages
adaptive-webui-19844
Mike Tzou 7 years ago committed by GitHub
parent
commit
d821bdc9f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 23
      src/webui/abstractwebapplication.cpp
  2. 2
      src/webui/abstractwebapplication.h

23
src/webui/abstractwebapplication.cpp

@ -121,7 +121,7 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';"); header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
// block cross-site requests // block cross-site requests
if (isCrossSiteRequest(request_) || !validateHostHeader(request_, env, domainList)) { if (isCrossSiteRequest(request_) || !validateHostHeader(domainList)) {
status(401, "Unauthorized"); status(401, "Unauthorized");
return response(); return response();
} }
@ -433,23 +433,25 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co
return true; return true;
} }
bool AbstractWebApplication::validateHostHeader(const Http::Request &request, const Http::Environment &env, const QStringList &domains) const bool AbstractWebApplication::validateHostHeader(const QStringList &domains) const
{ {
const QUrl hostHeader = QUrl::fromUserInput(request.headers.value(Http::HEADER_HOST)); const QUrl hostHeader = QUrl::fromUserInput(request().headers[Http::HEADER_HOST]);
const QString requestHost = hostHeader.host(); const QString requestHost = hostHeader.host();
// (if present) try matching host header's port with local port // (if present) try matching host header's port with local port
const int requestPort = hostHeader.port(); const int requestPort = hostHeader.port();
if ((requestPort != -1) && (env.localPort != requestPort)) { if ((requestPort != -1) && (env().localPort != requestPort)) {
Logger::instance()->addMessage(tr("WebUI: Invalid Host header, port mismatch") + "\n" Logger::instance()->addMessage(tr("WebUI: Invalid Host header, port mismatch.") + "\n"
+ tr("Source IP: '%1'. Received Host header: '%2'").arg(env.clientAddress.toString()).arg(requestHost) + tr("Request source IP: '%1'. Server port: '%2'. Received Host header: '%3'")
.arg(env().clientAddress.toString()).arg(env().localPort)
.arg(request().headers[Http::HEADER_HOST])
, Log::WARNING); , Log::WARNING);
return false; return false;
} }
// try matching host header with local address // try matching host header with local address
#if (QT_VERSION >= QT_VERSION_CHECK(5, 8, 0)) #if (QT_VERSION >= QT_VERSION_CHECK(5, 8, 0))
const bool sameAddr = env.localAddress.isEqual(QHostAddress(requestHost)); const bool sameAddr = env().localAddress.isEqual(QHostAddress(requestHost));
#else #else
const auto equal = [](const Q_IPV6ADDR &l, const Q_IPV6ADDR &r) -> bool { const auto equal = [](const Q_IPV6ADDR &l, const Q_IPV6ADDR &r) -> bool {
for (int i = 0; i < 16; ++i) { for (int i = 0; i < 16; ++i) {
@ -458,7 +460,7 @@ bool AbstractWebApplication::validateHostHeader(const Http::Request &request, co
} }
return true; return true;
}; };
const bool sameAddr = equal(env.localAddress.toIPv6Address(), QHostAddress(requestHost).toIPv6Address()); const bool sameAddr = equal(env().localAddress.toIPv6Address(), QHostAddress(requestHost).toIPv6Address());
#endif #endif
if (sameAddr) if (sameAddr)
@ -471,8 +473,9 @@ bool AbstractWebApplication::validateHostHeader(const Http::Request &request, co
return true; return true;
} }
Logger::instance()->addMessage(tr("WebUI: Invalid Host header") + "\n" Logger::instance()->addMessage(tr("WebUI: Invalid Host header.") + "\n"
+ tr("Source IP: '%1'. Received Host header: '%2'").arg(env.clientAddress.toString()).arg(requestHost) + tr("Request source IP: '%1'. Received Host header: '%2'")
.arg(env().clientAddress.toString()).arg(request().headers[Http::HEADER_HOST])
, Log::WARNING); , Log::WARNING);
return false; return false;
} }
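Review bot: Both rewritten warnings in validateHostHeader() now log `request().headers[Http::HEADER_HOST]` verbatim, where the old code logged only the parsed `hostHeader.host()`. That string comes from the client before any authentication, so I would bound and normalise it once at the top of the function and reuse it in both messages, for example `const QString rawHost = request().headers[Http::HEADER_HOST].left(255).simplified();`. If the log is ever rendered as HTML (not visible on this page), it also needs escaping where it is displayed. Keeping the header as the last `.arg()` in each chain is right, because a `%N` sequence inside it is then never re-expanded. The old `.value()` lookup would be the safer read here should `request()` ever return a non-const reference, since `operator[]` would then insert an empty entry.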

2
src/webui/abstractwebapplication.h

@ -106,7 +106,7 @@ private:
QStringMap parseCookie(const Http::Request &request) const; QStringMap parseCookie(const Http::Request &request) const;
bool isCrossSiteRequest(const Http::Request &request) const; bool isCrossSiteRequest(const Http::Request &request) const;
bool validateHostHeader(const Http::Request &request, const Http::Environment &env, const QStringList &domains) const; bool validateHostHeader(const QStringList &domains) const;
static void translateDocument(QString &data); static void translateDocument(QString &data);
