Merge pull request #2070 from MediaBrowser/dev

Dev
author: Luke <luke.pulverenti@gmail.com> 2016-08-18 13:27:58 -0400
committer: GitHub <noreply@github.com> 2016-08-18 13:27:58 -0400
commit: 98dd668751f4d524361f0db1155cc09f414a1cb6 (patch)
tree: e11774285a3b02d0bcf7c7ec09a5053eb9503ff8 /MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
parent: 3162d71c45a51ea8a66d5cc8ab26d93397299aae (diff)
parent: db9c02fffddc15f4660f2462093e72ba257f8acb (diff)
1 files changed, 50 insertions, 0 deletions
diff --git a/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs b/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
index 90055d8ec..633208739 100644
--- a/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
@@ -331,6 +331,46 @@ namespace MediaBrowser.Server.Implementations.HttpServer
             return url;
         }
 
+        private string NormalizeConfiguredLocalAddress(string address)
+        {
+            var index = address.Trim('/').IndexOf('/');
+
+            if (index != -1)
+            {
+                address = address.Substring(index + 1);
+            }
+
+            return address.Trim('/');
+        }
+
+        private bool ValidateHost(Uri url)
+        {
+            var hosts = _config
+                .Configuration
+                .LocalNetworkAddresses
+                .Select(NormalizeConfiguredLocalAddress)
+                .ToList();
+
+            if (hosts.Count == 0)
+            {
+                return true;
+            }
+
+            var host = url.Host ?? string.Empty;
+
+            _logger.Debug("Validating host {0}", host);
+
+            if (_networkManager.IsInPrivateAddressSpace(host))
+            {
+                hosts.Add("localhost");
+                hosts.Add("127.0.0.1");
+
+                return hosts.Any(i => host.IndexOf(i, StringComparison.OrdinalIgnoreCase) != -1);
+            }
+
+            return true;
+        }
+
         /// <summary>
         /// Overridable method that can be used to implement a custom hnandler
         /// </summary>
@@ -350,6 +390,16 @@ namespace MediaBrowser.Server.Implementations.HttpServer
                 return ;
             }
 
+            if (!ValidateHost(url))
+            {
+                httpRes.StatusCode = 400;
+                httpRes.ContentType = "text/plain";
+                httpRes.Write("Invalid host");
+
+                httpRes.Close();
+                return;
+            }
+
             var operationName = httpReq.OperationName;
             var localPath = url.LocalPath;
author	Luke <luke.pulverenti@gmail.com>	2016-08-18 13:27:58 -0400
committer	GitHub <noreply@github.com>	2016-08-18 13:27:58 -0400
commit	98dd668751f4d524361f0db1155cc09f414a1cb6 (patch)
tree	e11774285a3b02d0bcf7c7ec09a5053eb9503ff8 /MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
parent	3162d71c45a51ea8a66d5cc8ab26d93397299aae (diff)
parent	db9c02fffddc15f4660f2462093e72ba257f8acb (diff)