Commit 7cdf00d7 authored by Julien Muchembled's avatar Julien Muchembled

registry: fix security of some RPC when serving behind proxy

parent 3b5d03e4
...@@ -161,11 +161,14 @@ class RegistryServer(object): ...@@ -161,11 +161,14 @@ class RegistryServer(object):
# (IOW, do the contrary of newPrefix) # (IOW, do the contrary of newPrefix)
self.timeout = not_after and not_after + GRACE_PERIOD self.timeout = not_after and not_after + GRACE_PERIOD
def handle_request(self, request, method, kw): def handle_request(self, request, method, kw,
_localhost=('', '::1')):
m = getattr(self, method) m = getattr(self, method)
if method in ('versions', 'topology',) and \ if method in ('versions', 'topology'):
request.client_address[0] not in ('', '::1'): x_forwarded_for = request.headers.get('X-Forwarded-For')
return request.send_error(httplib.FORBIDDEN) if request.client_address[0] not in _localhost or \
x_forwarded_for and x_forwarded_for not in _localhost:
return request.send_error(httplib.FORBIDDEN)
key = m.getcallargs(**kw).get('cn') key = m.getcallargs(**kw).get('cn')
if key: if key:
h = base64.b64decode(request.headers[HMAC_HEADER]) h = base64.b64decode(request.headers[HMAC_HEADER])
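Review bot: The new `X-Forwarded-For` test in `handle_request` only protects `versions` and `topology` if the front proxy always sets or overwrites that header, and nothing in the code states this. A request from a local peer with no header is still treated as local, so a same-host proxy that forwards without adding the header would pass the check (inferred, since the proxy configuration is not visible here). I would record the requirement above the check, e.g. `# The reverse proxy MUST always set X-Forwarded-For; a missing header means a direct local client.` The header is compared as a whole string, so a comma-separated chain is rejected, which fails closed; that is worth a short comment too. As a style point, writing the second clause as `(x_forwarded_for and x_forwarded_for not in _localhost)` would make the `or`/`and` precedence explicit; the body of `handle_request` continues past the end of the hunk.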