Commit 71734ab5 authored by Bas Lijnse's avatar Bas Lijnse

Also allow (sub)networks in check on allowed hosts

parent 58a53468
......@@ -111,7 +111,7 @@ where
("Specify the HTTP port (default: " +++ toString defaults.serverPort +++ ")")
, Option [] ["timeout"] (OptArg (\mp->fmap \o->{o & timeout=fmap toInt mp}) "MILLISECONDS")
"Specify the timeout in ms (default: 500)\nIf not given, use an indefinite timeout."
, Option [] ["allowed-hosts"] (ReqArg (\p->fmap \o->{o & allowedHosts = split "," p}) "IPADRESSES")
, Option [] ["allowed-hosts"] (ReqArg (\p->fmap \o->{o & allowedHosts = if (p == "") [] (split "," p)}) "IPADRESSES")
("Specify a comma separated white list of hosts that are allowed to connected to this application\ndefault: "
+++ join "," defaults.allowedHosts)
, Option [] ["keepalive"] (ReqArg (\p->fmap \o->{o & keepaliveTime={tv_sec=toInt p,tv_nsec=0}}) "SECONDS")
......
......@@ -134,11 +134,18 @@ httpServer port keepAliveTime requestProcessHandlers sds
= wrapIWorldConnectionTask {ConnectionHandlersIWorld|onConnect=onConnect, onData=onData, onShareChange=onShareChange, onTick=onTick, onDisconnect=onDisconnect, onDestroy=onDestroy} sds
where
onConnect connId host r iworld=:{IWorld|world,clock,options={allowedHosts}}
| allowedHosts =: [] || isMember host allowedHosts
| isAllowed host allowedHosts
= (Ok (NTIdle host clock),Nothing,[],False,{IWorld|iworld & world = world})
| otherwise
//Close the connection immediately if the remote host is not in the whitelist
= (Ok (NTIdle host clock),Nothing,[],True,{IWorld|iworld & world = world})
where
//Simple check to also match (sub)networks such as 192.168.0.0 or 0.0.0.0
isAllowed host [] = True
isAllowed host hosts = any (allowedIP (split "." host)) (map (split ".") hosts)
allowedIP [h1,h2,h3,h4] [p1,p2,p3,p4]
= (p1 == "0" || h1 == p1) && (p2 == "0" || h2 == p2) && (p3 == "0" || h3 == p3) && (p4 == "0" || h4 == p4)
allowedIP _ _ = False
onData data connState=:(NTProcessingRequest request localState) r env
//Select handler based on request path
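Review bot: In `allowedIP`, any allow-list octet equal to `"0"` matches every value, so a single-host entry that happens to contain a zero octet, such as `10.0.0.5`, now admits every `10.x.y.5`; before this change the same entry was matched exactly by `isMember`. Treating `0` as a wildcard only in trailing position keeps the subnet forms named in the comment (`192.168.0.0`, `0.0.0.0`) and leaves host entries exact, as sketched below. Separately, `isAllowed host [] = True` combined with the new `if (p == "") []` in the `allowed-hosts` option hunk means an empty argument switches the check off entirely, and that fail-open case deserves a sentence in the option's help text. `httpServer` starts above this hunk and `onData` continues past it.

```clean
allowedIP [h1,h2,h3,h4] [p1,p2,p3,p4]
	//Only trailing zero octets act as a wildcard; a zero elsewhere must match literally
	| p4 <> "0" = [h1,h2,h3,h4] == [p1,p2,p3,p4]
	| p3 <> "0" = [h1,h2,h3] == [p1,p2,p3]
	| p2 <> "0" = [h1,h2] == [p1,p2]
	| p1 <> "0" = h1 == p1
	| otherwise = True //0.0.0.0 allows every IPv4 peer
allowedIP _ _ = False
```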
......