fix: remove unnecessary logger initialization in ReverseProxied and enhance IP address validation in session checks

This commit is contained in:
Théophile Diot 2024-12-03 15:35:27 +01:00
parent c2b21660c6
commit 59d88bcccd
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
2 changed files with 2 additions and 8 deletions


@ -1,14 +1,9 @@
#!/usr/bin/env python3
from logging import getLogger
from werkzeug.middleware.proxy_fix import ProxyFix
class ReverseProxied(ProxyFix):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.__logger = getLogger("UI.ReverseProxied")
def __call__(self, environ, start_response):
"""Modify the WSGI environ based on the various ``Forwarded``
headers before calling the wrapped application. Store the
@ -64,6 +59,4 @@ class ReverseProxied(ProxyFix):
environ["ABSOLUTE_URI"] = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{environ['SCRIPT_NAME']}/"
environ["SESSION_COOKIE_DOMAIN"] = environ["HTTP_HOST"]
self.__logger.debug(f"Reverse Proxy environ: {environ}")
return self.app(environ, start_response)


@ -1,6 +1,7 @@
#!/usr/bin/env python3
from contextlib import suppress
from datetime import datetime, timedelta
from ipaddress import ip_address
from json import dumps, loads
from os import getenv, sep
from os.path import join
@ -338,7 +339,7 @@ def before_request():
if not request.path.endswith("/login"):
return redirect(url_for("totp.totp_page", next=request.form.get("next")))
passed = False
elif session["ip"] != request.remote_addr:
elif not ip_address(request.remote_addr).is_private and session["ip"] != request.remote_addr:
LOGGER.warning(f"User {current_user.get_id()} tried to access his session with a different IP address.")
passed = False
elif session["user_agent"] != request.headers.get("User-Agent"):
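Review bot: `ip_address(request.remote_addr)` on the new `elif` raises `ValueError` whenever `remote_addr` is `None` or not a bare IP literal (a request arriving over a Unix socket, a test client, or a proxy that handed through something other than an address), so a malformed peer address now turns the session check into an unhandled exception instead of a failed check. The parse should be guarded and an unparsable or missing address treated as not private, so the existing `session["ip"]` comparison still applies in that case. Note also that the new condition exempts every client in a private range from the session-IP binding altogether; behind the reverse proxy that can be every internal user, so logging at debug level when the exemption applies keeps the relaxation visible in the audit trail. `before_request` starts outside the hunk, so the helper below would go at module level next to it.
```python
def _is_private_client(remote_addr):
    """Return True only when *remote_addr* parses as a private-range IP; None or unparsable -> False."""
    if not remote_addr:
        return False
    try:
        return ip_address(remote_addr).is_private
    except ValueError:
        return False

# … unchanged: TOTP redirect branch …
    elif not _is_private_client(request.remote_addr) and session["ip"] != request.remote_addr:
```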