dhcp4d: restrict lease details page to internal IPs

Michael Stapelberg 2019-02-19 07:50:39 +01:00
parent cbff6a2541
commit abeddabbb7


@ -79,6 +79,19 @@ func loadLeases(h *dhcp4d.Handler, fn string) error {
updateNonExpired(leases) updateNonExpired(leases)
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
http.Error(w, "bad request", http.StatusBadRequest)
return
}
ip := net.ParseIP(host)
if xff := r.Header.Get("X-Forwarded-For"); ip.IsLoopback() && xff != "" {
ip = net.ParseIP(xff)
}
if !gokrazy.IsInPrivateNet(ip) {
http.Error(w, fmt.Sprintf("access from %v forbidden", ip), http.StatusForbidden)
return
}
// TODO: html template // TODO: html template
for _, l := range leases { for _, l := range leases {
fmt.Fprintf(w, "• %+v (vendor %v)\n", l, ouiDB.Lookup(l.HardwareAddr[:8])) fmt.Fprintf(w, "• %+v (vendor %v)\n", l, ouiDB.Lookup(l.HardwareAddr[:8]))