Disallow /ui when any Forwarded header is detected

This commit is contained in:
Marcel Märtens 2024-03-17 13:41:56 +01:00
parent a35cc5b9c0
commit dc419e28c0


@ -1,6 +1,6 @@
use axum::{ use axum::{
extract::{ConnectInfo, State}, extract::{ConnectInfo, State},
http::{header::SET_COOKIE, HeaderValue}, http::{header::SET_COOKIE, HeaderMap, HeaderValue},
response::{Html, IntoResponse}, response::{Html, IntoResponse},
routing::get, routing::get,
Router, Router,
@ -22,14 +22,19 @@ pub fn router(secret_token: String) -> Router {
async fn ui( async fn ui(
ConnectInfo(addr): ConnectInfo<SocketAddr>, ConnectInfo(addr): ConnectInfo<SocketAddr>,
headers: HeaderMap,
State(token): State<UiApiToken>, State(token): State<UiApiToken>,
) -> impl IntoResponse { ) -> impl IntoResponse {
if !addr.ip().is_loopback() { const X_FORWARDED_FOR: &'_ str = "X-Forwarded-For";
if !addr.ip().is_loopback()
|| headers.contains_key(axum::http::header::FORWARDED)
|| headers.contains_key(X_FORWARDED_FOR)
{
return Html( return Html(
r#"<!DOCTYPE html> r#"<!DOCTYPE html>
<html> <html>
<body> <body>
Ui is only accessible from 127.0.0.1 Ui is only accessible from 127.0.0.1. Usage of proxies is forbidden.
</body> </body>
</html> </html>
"# "#