| 33 | |
| 34 | @PluginManager.acceptPlugins |
| 35 | class UiRequest(object): |
| 36 | |
def __init__(self, server, get, env, start_response):
    """Keep the per-request context on the instance.

    Args:
        server: Owning UI server object. When falsy, ``self.server`` and
            ``self.log`` are not set at all.
        get: GET parameters of the request.
        env: Environment settings of the request (WSGI-style keys, see below).
        start_response: Function used to start the response.
    """
    if server:
        # The request shares the server's logger.
        self.server = server
        self.log = server.log

    # GET parameters
    self.get = get

    # Environment settings. Keys seen in practice:
    #   CONTENT_LENGTH, CONTENT_TYPE, GATEWAY_INTERFACE, HTTP_ACCEPT,
    #   HTTP_ACCEPT_ENCODING, HTTP_ACCEPT_LANGUAGE, HTTP_COOKIE,
    #   HTTP_CACHE_CONTROL, HTTP_HOST, HTTP_HTTPS, HTTP_ORIGIN,
    #   HTTP_PROXY_CONNECTION, HTTP_REFERER, HTTP_USER_AGENT, PATH_INFO,
    #   QUERY_STRING, REMOTE_ADDR, REMOTE_PORT, REQUEST_METHOD, SCRIPT_NAME,
    #   SERVER_NAME, SERVER_PORT, SERVER_PROTOCOL, SERVER_SOFTWARE,
    #   werkzeug.request, wsgi.errors, wsgi.input, wsgi.multiprocess,
    #   wsgi.multithread, wsgi.run_once, wsgi.url_scheme, wsgi.version
    # The HTTP_* entries mirror request headers, so they are client-supplied.
    self.env = env

    # Start response function
    self.start_response = start_response

    self.user = None

    # Nonce for script tags in wrapper html; unset until something assigns it.
    self.script_nonce = None
| 52 | |
def learnHost(self, host):
    """Record *host* in the server's allowed-host set and log the addition.

    isHostAllowed() calls this with the Host value it was asked to check,
    so the stored and logged string originates from the request. This
    method only ever adds; it does not bound or expire the set.

    Args:
        host: Host header value to remember.
    """
    ui_server = self.server
    ui_server.allowed_hosts.add(host)
    ui_server.log.info("Added %s as allowed host" % host)
| 56 | |
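def isHostAllowed(self, host):
    """Decide whether a request carrying this Host header value is accepted.

    This is the check that protects the UI against DNS rebinding: a host
    is accepted if it is already in ``server.allowed_hosts``, if it is an
    IP literal (with or without a ``:port`` suffix), or, for proxy
    requests, if the site manager recognises it as a domain.

    Args:
        host: Host header value. route() reads it with ``env.get()``, so it
            may be ``None`` when the client sent no Host header.

    Returns:
        True if the host is accepted, otherwise False.
    """
    if host in self.server.allowed_hosts:
        return True

    # A missing or empty Host header cannot be an IP or a domain. Reject it
    # here rather than letting the ``":" in host`` test below fail on None.
    if not host:
        return False

    # Allow any IP address as they are not affected by DNS rebinding
    # attacks (rebinding needs a hostname that can re-resolve).
    if helper.isIp(host):
        self.learnHost(host)
        return True

    # Test without port.
    # NOTE(review): only the part before the last ":" is validated, yet the
    # whole string is stored and logged by learnHost(). Each distinct
    # "IP:<suffix>" value therefore adds an entry; confirm the suffix is
    # constrained elsewhere or bound the set.
    if ":" in host and helper.isIp(host.rsplit(":", 1)[0]):
        self.learnHost(host)
        return True

    # Support for chrome extension proxy: accept domains the site manager
    # knows, without adding them to allowed_hosts.
    if self.isProxyRequest():
        return bool(self.server.site_manager.isDomain(host))

    return False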
| 78 | |
| 79 | # Call the request handler function based on the path |
| 80 | def route(self, path): |
| 81 | # Restict Ui access by ip |
| 82 | if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict: |
| 83 | return self.error403(details=False) |
| 84 | |
| 85 | # Check if host allowed to do request |
| 86 | if not self.isHostAllowed(self.env.get("HTTP_HOST")): |
| 87 | ret_error = next(self.error403("Invalid host: %s" % self.env.get("HTTP_HOST"), details=False)) |
| 88 | |
| 89 | http_get = self.env["PATH_INFO"] |
| 90 | if self.env["QUERY_STRING"]: |
| 91 | http_get += "?{0}".format(self.env["QUERY_STRING"]) |
| 92 | self_host = self.env["HTTP_HOST"].split(":")[0] |