mitmweb: protect against dns rebinding

mitmproxy/tools/web/app.py

@@ -466,7 +466,19 @@ class SaveOptions(RequestHandler):
 class Application(tornado.web.Application):
     def __init__(self, master, debug):
         self.master = master
-        handlers = [
+        super().__init__(
+            template_path=os.path.join(os.path.dirname(__file__), "templates"),
+            static_path=os.path.join(os.path.dirname(__file__), "static"),
+            xsrf_cookies=True,
+            cookie_secret=os.urandom(256),
+            debug=debug,
+            autoreload=False,
+        )
+
+        self.add_handlers(
+            # make mitmweb accessible by IP only to prevent DNS rebinding.
+            r'(localhost|\d+\.\d+\.\d+\.\d+)',
+            [
                 (r"/", IndexHandler),
                 (r"/filter-help(?:\.json)?", FilterHelp),
                 (r"/updates", ClientConnection),
@@ -490,12 +502,4 @@ class Application(tornado.web.Application):
                 (r"/options(?:\.json)?", Options),
                 (r"/options/save", SaveOptions)
             ]
-        settings = dict(
-            template_path=os.path.join(os.path.dirname(__file__), "templates"),
-            static_path=os.path.join(os.path.dirname(__file__), "static"),
-            xsrf_cookies=True,
-            cookie_secret=os.urandom(256),
-            debug=debug,
-            autoreload=False,
         )
-        super().__init__(handlers, **settings)