[LAN] check origin for all the DNS records to be local in order to mitigate DNS rebinding attacks.
parent
fd60a1c359
commit
d300c5aa4e
|
@ -424,8 +424,7 @@ var RequestGuard = (() => {
|
||||||
// check cross-zone WAN->LAN requests
|
// check cross-zone WAN->LAN requests
|
||||||
if (enforced && originUrl && !Sites.isInternal(originUrl) && url.startsWith("http") &&
|
if (enforced && originUrl && !Sites.isInternal(originUrl) && url.startsWith("http") &&
|
||||||
!policy.can(originUrl, "lan", ns.policyContext(request)) &&
|
!policy.can(originUrl, "lan", ns.policyContext(request)) &&
|
||||||
(await iputil.isLocalURI(url)) && !(await iputil.isLocalURI(originUrl))) {
|
(await iputil.isLocalURI(url)) && !(await iputil.isLocalURI(originUrl, true))) {
|
||||||
|
|
||||||
debug("WAN->LAN request blocked", request);
|
debug("WAN->LAN request blocked", request);
|
||||||
let r = Object.assign({}, request);
|
let r = Object.assign({}, request);
|
||||||
r.url = originUrl; // we want to report the origin as needing the permission
|
r.url = originUrl; // we want to report the origin as needing the permission
|
||||||
|
|
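Review bot: The bare `true` passed to `iputil.isLocalURI(originUrl, true)` in the WAN->LAN condition is unreadable at the call site, and nothing here says why the origin is checked differently from `url`, which still uses the one-argument form. Going by the commit title, the flag means every DNS record of the origin must be local, so a comment above the condition would help, e.g. `// origin counts as LAN only if ALL its DNS records are local (DNS rebinding); the destination keeps the default check`. `isLocalURI` is not visible in this hunk, so it is worth confirming that with the flag set an empty or failed lookup does not evaluate as "all local", since that would treat the origin as LAN and let the request through. The enclosing function starts and ends outside the hunk.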