Disallow /ui when any Forwarded header is detected

This commit is contained in:
Marcel Märtens 2024-03-17 13:41:56 +01:00
parent a35cc5b9c0
commit dc419e28c0


@ -1,6 +1,6 @@
use axum::{
extract::{ConnectInfo, State},
http::{header::SET_COOKIE, HeaderValue},
http::{header::SET_COOKIE, HeaderMap, HeaderValue},
response::{Html, IntoResponse},
routing::get,
Router,
@ -22,14 +22,19 @@ pub fn router(secret_token: String) -> Router {
async fn ui(
ConnectInfo(addr): ConnectInfo<SocketAddr>,
headers: HeaderMap,
State(token): State<UiApiToken>,
) -> impl IntoResponse {
if !addr.ip().is_loopback() {
const X_FORWARDED_FOR: &'_ str = "X-Forwarded-For";
if !addr.ip().is_loopback()
|| headers.contains_key(axum::http::header::FORWARDED)
|| headers.contains_key(X_FORWARDED_FOR)
{
return Html(
r#"<!DOCTYPE html>
<html>
<body>
Ui is only accessible from 127.0.0.1
Ui is only accessible from 127.0.0.1. Usage of proxies is forbidden.
</body>
</html>
"#