From d300c5aa4ee8d22a9d0129047961af5d27c47cd8 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Tue, 15 Feb 2022 10:22:53 +0100
Subject: [PATCH] [LAN] check origin for all the DNS records to be local in order to mitigate DNS rebinding attacks.
---
 src/bg/RequestGuard.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
index 2fb824a..3b5e477 100644
--- a/src/bg/RequestGuard.js
+++ b/src/bg/RequestGuard.js
@@ -424,8 +424,7 @@ var RequestGuard = (() => {
 // check cross-zone WAN->LAN requests
 if (enforced && originUrl && !Sites.isInternal(originUrl) && url.startsWith("http") &&
 !policy.can(originUrl, "lan", ns.policyContext(request)) &&
- (await iputil.isLocalURI(url)) && !(await iputil.isLocalURI(originUrl))) {
-
+ (await iputil.isLocalURI(url)) && !(await iputil.isLocalURI(originUrl, true))) {
 debug("WAN->LAN request blocked", request);
 let r = Object.assign({}, request);
 r.url = originUrl; // we want to report the origin as needing the permission
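Review bot: The bare `true` in `iputil.isLocalURI(originUrl, true)` on the added line is opaque at the call site, and its deliberate asymmetry with `isLocalURI(url)` in the same condition is not documented. Going by the commit subject, the flag presumably requires every DNS record of the origin to be local, while the destination check keeps its default behaviour. A comment above the condition such as `// origin counts as LAN only if ALL its DNS records are local; see iputil.isLocalURI (DNS rebinding mitigation)` would keep a later cleanup from making the two calls uniform; confirm the wording against `iputil.isLocalURI`, which is not shown here. The condition also relies on a lookup made at check time, so it is worth stating in that comment that a record set which changes before the actual connection is outside what this check covers. The `if` body and the enclosing function continue outside the hunk.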