From abeddabbb717ccfd9120ee49b1c9a186edaadf5d Mon Sep 17 00:00:00 2001
From: Michael Stapelberg
Date: Tue, 19 Feb 2019 07:50:39 +0100
Subject: [PATCH] dhcp4d: restrict lease details page to internal IPs

---
 cmd/dhcp4d/dhcp4d.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/cmd/dhcp4d/dhcp4d.go b/cmd/dhcp4d/dhcp4d.go
index 2ee037e..fb707dd 100644
--- a/cmd/dhcp4d/dhcp4d.go
+++ b/cmd/dhcp4d/dhcp4d.go
@@ -79,6 +79,19 @@ func loadLeases(h *dhcp4d.Handler, fn string) error {
 	updateNonExpired(leases)
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		host, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			http.Error(w, "bad request", http.StatusBadRequest)
+			return
+		}
+		ip := net.ParseIP(host)
+		if xff := r.Header.Get("X-Forwarded-For"); ip.IsLoopback() && xff != "" {
+			ip = net.ParseIP(xff)
+		}
+		if !gokrazy.IsInPrivateNet(ip) {
+			http.Error(w, fmt.Sprintf("access from %v forbidden", ip), http.StatusForbidden)
+			return
+		}
 		// TODO: html template
 		for _, l := range leases {
 			fmt.Fprintf(w, "• %+v (vendor %v)\n", l, ouiDB.Lookup(l.HardwareAddr[:8]))