Merge pull request #3243 from mhils/dns-rebinding
mitmweb: protect against dns rebinding
commit
7f464b8929
@ -463,10 +463,33 @@ class SaveOptions(RequestHandler):
|
|||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class DnsRebind(RequestHandler):
|
||||||
|
def get(self):
|
||||||
|
raise tornado.web.HTTPError(
|
||||||
|
403,
|
||||||
|
reason="To protect against DNS rebinding, mitmweb can only be accessed by IP at the moment. "
|
||||||
|
"(https://github.com/mitmproxy/mitmproxy/issues/3234)"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class Application(tornado.web.Application):
|
class Application(tornado.web.Application):
|
||||||
def __init__(self, master, debug):
|
def __init__(self, master, debug):
|
||||||
self.master = master
|
self.master = master
|
||||||
handlers = [
|
super().__init__(
|
||||||
|
default_host="dns-rebind-protection",
|
||||||
|
template_path=os.path.join(os.path.dirname(__file__), "templates"),
|
||||||
|
static_path=os.path.join(os.path.dirname(__file__), "static"),
|
||||||
|
xsrf_cookies=True,
|
||||||
|
cookie_secret=os.urandom(256),
|
||||||
|
debug=debug,
|
||||||
|
autoreload=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
self.add_handlers("dns-rebind-protection", [(r"/.*", DnsRebind)])
|
||||||
|
self.add_handlers(
|
||||||
|
# make mitmweb accessible by IP only to prevent DNS rebinding.
|
||||||
|
r'^(localhost|[0-9.:\[\]]+)$',
|
||||||
|
[
|
||||||
(r"/", IndexHandler),
|
(r"/", IndexHandler),
|
||||||
(r"/filter-help(?:\.json)?", FilterHelp),
|
(r"/filter-help(?:\.json)?", FilterHelp),
|
||||||
(r"/updates", ClientConnection),
|
(r"/updates", ClientConnection),
|
||||||
@ -490,12 +513,4 @@ class Application(tornado.web.Application):
|
|||||||
(r"/options(?:\.json)?", Options),
|
(r"/options(?:\.json)?", Options),
|
||||||
(r"/options/save", SaveOptions)
|
(r"/options/save", SaveOptions)
|
||||||
]
|
]
|
||||||
settings = dict(
|
|
||||||
template_path=os.path.join(os.path.dirname(__file__), "templates"),
|
|
||||||
static_path=os.path.join(os.path.dirname(__file__), "static"),
|
|
||||||
xsrf_cookies=True,
|
|
||||||
cookie_secret=os.urandom(256),
|
|
||||||
debug=debug,
|
|
||||||
autoreload=False,
|
|
||||||
)
|
)
|
||||||
super().__init__(handlers, **settings)
|
|
||||||
|
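Review bot: The host allowlist `r'^(localhost|[0-9.:\[\]]+)$'` passed to `add_handlers` in `Application.__init__` has no hex digits in its character class, so an IPv6 literal such as `[fe80::1]` or `[2001:db8::1]` would fall through to the `dns-rebind-protection` default host and receive the 403, while any run of digits, dots, colons and brackets is accepted whether or not it is a well-formed address. Simply adding `a-f` to the existing class would weaken the protection, because the pattern would then also match ordinary domain names spelled only with those letters; hex digits should be allowed only inside brackets, for example `r'^(localhost|[0-9.]+|\[[0-9a-fA-F:.]+\])$'`. That form assumes Tornado matches the pattern against the Host value with the port already stripped and the brackets kept, which should be confirmed for the Tornado version this project pins. `DnsRebind` would also benefit from a one-line docstring such as `"""Reject requests whose Host header is not localhost or an IP literal."""`, and a test that sends an allowed and a disallowed Host header would pin the behaviour. The handler list between the two hunks is not shown on this page.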