From 253220f7335b7b81efe7e415f747b6642c4b8fff Mon Sep 17 00:00:00 2001
From: tunnelpr0 <61991283+tunnelpr0@users.noreply.github.com>
Date: Thu, 9 Jul 2020 21:28:09 +0200
Subject: [PATCH 1/3] Update app.py Fixed the DNS Rebind Protection for secure handling of IPv6 addresses
---
 mitmproxy/tools/web/app.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mitmproxy/tools/web/app.py b/mitmproxy/tools/web/app.py
index cf07ae155..2fc560c59 100644
--- a/mitmproxy/tools/web/app.py
+++ b/mitmproxy/tools/web/app.py
@@ -499,7 +499,8 @@ class Application(tornado.web.Application):
 self.add_handlers("dns-rebind-protection", [(r"/.*", DnsRebind)])
 self.add_handlers(
 # make mitmweb accessible by IP only to prevent DNS rebinding.
- r'^(localhost|[0-9.:\[\]]+)$',
+ # IPv(4|6) pattern from https://riptutorial.com/regex/example/14146/match-an-ip-address, slightly adjusted to mitmproxy
+ r'^localhost$|^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^\[((?:[0-9a-fA-F]{1,4}\:){7}[0-9a-fA-F]{1,4}|\:\:(?:[0-9a-fA-F]{1,4}\:){0,6}[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,5}[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}\:[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,4}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,2}[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,3}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,3}[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,2}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,4}[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:)?[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,5}[0-9a-fA-F]{1,4}\:\:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,6}[0-9a-fA-F]{1,4}\:\:)\]$',
 [
 (r"/", IndexHandler),
 (r"/filter-help(?:\.json)?", FilterHelp),
From be8cb243b5740b2f32e6ece9834ef373e72d2ac5 Mon Sep 17 00:00:00 2001
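Review bot: No test pins the host pattern changed in the app.py hunk of PATCH 1/3 and rewritten in PATCH 3/3; the diffstats in this series touch only app.py and CHANGELOG, so this DNS-rebinding guard can regress without any failure. A small table-driven test over Host values would cover it: `localhost`, `127.0.0.1`, `[::1]` and a literal with hex digits such as `[fe80::a]` should reach the application handlers, while a DNS name such as `example.com` should fall through to `DnsRebind`. Which string Tornado actually hands to the pattern (port stripped or not, brackets kept or not) is not visible here, so the test should go through a real request rather than calling `re.match` on the pattern alone. The `add_handlers` call continues outside the hunk.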
From: tunnelpr0 <61991283+tunnelpr0@users.noreply.github.com>
Date: Thu, 9 Jul 2020 21:33:06 +0200
Subject: [PATCH 2/3] Update CHANGELOG Fixed the DNS Rebind Protection for secure support of IPv6 addresses (@tunnelpr0)
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG b/CHANGELOG
index 86fcae9c6..b3a07fa00 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,6 +19,7 @@ Unreleased: mitmproxy next
 * Add new MapRemote addon to rewrite URLs of requests (@mplattner)
 * Add support for HTTP Trailers to the HTTP/2 protocol (@sanlengjingvv and @Kriechi)
 * Fix certificate runtime error during expire cleanup (@gorogoroumaru)
+ * Fixed the DNS Rebind Protection for secure support of IPv6 addresses (@tunnelpr0)
 * --- TODO: add new PRs above this line ---
From 817216116c8450b786950ff3251e76a4c09d91e3 Mon Sep 17 00:00:00 2001
From: tunnelpr0 <61991283+tunnelpr0@users.noreply.github.com>
Date: Fri, 10 Jul 2020 12:12:43 +0200
Subject: [PATCH 3/3] Update app.py Updated DNS Rebind Protection RegEx Pattern
---
 mitmproxy/tools/web/app.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/mitmproxy/tools/web/app.py b/mitmproxy/tools/web/app.py
index 2fc560c59..96679d690 100644
--- a/mitmproxy/tools/web/app.py
+++ b/mitmproxy/tools/web/app.py
@@ -499,8 +499,7 @@ class Application(tornado.web.Application):
 self.add_handlers("dns-rebind-protection", [(r"/.*", DnsRebind)])
 self.add_handlers(
 # make mitmweb accessible by IP only to prevent DNS rebinding.
- # IPv(4|6) pattern from https://riptutorial.com/regex/example/14146/match-an-ip-address, slightly adjusted to mitmproxy
- r'^localhost$|^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^\[((?:[0-9a-fA-F]{1,4}\:){7}[0-9a-fA-F]{1,4}|\:\:(?:[0-9a-fA-F]{1,4}\:){0,6}[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,5}[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}\:[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,4}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,2}[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,3}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,3}[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:){0,2}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,4}[0-9a-fA-F]{1,4}\:\:(?:[0-9a-fA-F]{1,4}\:)?[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,5}[0-9a-fA-F]{1,4}\:\:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}\:){0,6}[0-9a-fA-F]{1,4}\:\:)\]$',
+ r'^(localhost|[0-9.]+|\[[0-9a-fA-F:]+\])$',
 [
 (r"/", IndexHandler),
 (r"/filter-help(?:\.json)?", FilterHelp),
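Review bot: The `[0-9.]+` alternative in the new pattern is not an IPv4 check; it accepts any run of digits and dots, such as `1234` or `1..2`, and the bracketed alternative likewise accepts any mix of hex digits and colons. That is probably acceptable, because the guard only has to reject DNS names and brackets cannot appear in one, but the protection then rests on digit-and-dot-only names not resolving under someone else's control (a local search domain or hosts entry could make one resolve). The surviving comment should state that reasoning, e.g. `# Not an address validator: only needs to reject DNS names (no letters outside [..], no brackets in hostnames).` If a tighter IPv4 form is wanted without returning to the long expression, `(?:[0-9]{1,3}\.){3}[0-9]{1,3}` keeps it readable. The `add_handlers` call continues outside the hunk.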