
From f196d776d227418068cd8505323c8585a1b1504b Mon Sep 17 00:00:00 2001
From: Maximilian Hils <git@maximilianhils.com>
Date: Wed, 11 Jul 2018 18:56:49 +0800
Subject: [PATCH] mitmweb: protect against dns rebinding

---
 mitmproxy/tools/web/app.py | 56 +++++++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 26 deletions(-)

Index: mitmproxy-3.0.4/mitmproxy/tools/web/app.py
===================================================================
--- mitmproxy-3.0.4.orig/mitmproxy/tools/web/app.py
+++ mitmproxy-3.0.4/mitmproxy/tools/web/app.py
@@ -465,31 +465,7 @@ class SaveOptions(RequestHandler):
 class Application(tornado.web.Application):
     def __init__(self, master, debug):
         self.master = master
-        handlers = [
-            (r"/", IndexHandler),
-            (r"/filter-help(?:\.json)?", FilterHelp),
-            (r"/updates", ClientConnection),
-            (r"/events(?:\.json)?", Events),
-            (r"/flows(?:\.json)?", Flows),
-            (r"/flows/dump", DumpFlows),
-            (r"/flows/resume", ResumeFlows),
-            (r"/flows/kill", KillFlows),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)", FlowHandler),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/resume", ResumeFlow),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/kill", KillFlow),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/duplicate", DuplicateFlow),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/replay", ReplayFlow),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/revert", RevertFlow),
-            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content.data", FlowContent),
-            (
-                r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content/(?P<content_view>[0-9a-zA-Z\-\_]+)(?:\.json)?",
-                FlowContentView),
-            (r"/settings(?:\.json)?", Settings),
-            (r"/clear", ClearAll),
-            (r"/options(?:\.json)?", Options),
-            (r"/options/save", SaveOptions)
-        ]
-        settings = dict(
+        super().__init__(
             template_path=os.path.join(os.path.dirname(__file__), "templates"),
             static_path=os.path.join(os.path.dirname(__file__), "static"),
             xsrf_cookies=True,
@@ -497,4 +473,32 @@ class Application(tornado.web.Applicatio
             debug=debug,
             autoreload=False,
         )
-        super().__init__(handlers, **settings)
+
+        self.add_handlers(
+            # make mitmweb accessible by IP only to prevent DNS rebinding.
+            r'(localhost|\d+\.\d+\.\d+\.\d+)',
+            [
+                (r"/", IndexHandler),
+                (r"/filter-help(?:\.json)?", FilterHelp),
+                (r"/updates", ClientConnection),
+                (r"/events(?:\.json)?", Events),
+                (r"/flows(?:\.json)?", Flows),
+                (r"/flows/dump", DumpFlows),
+                (r"/flows/resume", ResumeFlows),
+                (r"/flows/kill", KillFlows),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)", FlowHandler),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)/resume", ResumeFlow),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)/kill", KillFlow),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)/duplicate", DuplicateFlow),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)/replay", ReplayFlow),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)/revert", RevertFlow),
+                (r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content.data", FlowContent),
+                (
+                    r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content/(?P<content_view>[0-9a-zA-Z\-\_]+)(?:\.json)?",
+                    FlowContentView),
+                (r"/settings(?:\.json)?", Settings),
+                (r"/clear", ClearAll),
+                (r"/options(?:\.json)?", Options),
+                (r"/options/save", SaveOptions)
+            ]
+        )
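Review bot: The host pattern passed to `add_handlers` admits only `localhost` and dotted-quad IPv4 literals, so a browser that reaches mitmweb over the IPv6 loopback (`http://[::1]:8081/`) falls through to Tornado's default 404 route instead of the UI; if IPv6 access is meant to keep working, add a bracketed-literal branch such as `r'(localhost|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9a-fA-F:.]+\])'` — Tornado's `HostMatches` appears to compare against `request.host_name` with the brackets retained, which should be confirmed against the pinned Tornado version. The rebinding defence also depends on Tornado anchoring this pattern (it appends `$` and uses `re.match`), which the current one-line comment does not mention; I would extend it to `# Tornado anchors this pattern (re.match + implicit "$"), so an attacker-controlled hostname in the Host header never matches and the request gets a 404.` so a later edit does not loosen it by accident. `\d` in a Python 3 str pattern also matches non-ASCII digits; harmless here since a rebound Host header carries a hostname, but `[0-9]` states the intent more precisely. The enclosing `__init__` starts in the previous hunk.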