예제 #1
def get_trusted_downstream(tdstream):
    """Turn a comma-separated address list into a set of address strings.

    Each entry is stripped of surrounding whitespace and blank entries are
    skipped. Every remaining entry is passed to ``to_ip_address`` before
    it is accepted.

    NOTE(review): ``to_ip_address`` presumably raises on a malformed
    address, which would abort parsing of the whole list -- confirm against
    its definition. The set holds the stripped input text, not the parsed
    address, so any later membership test is an exact string comparison.
    """
    stripped = (piece.strip() for piece in tdstream.split(','))
    trusted = set()
    for entry in filter(None, stripped):
        # Called for validation only; the return value is discarded.
        to_ip_address(entry)
        trusted.add(entry)
    return trusted
예제 #2
def get_trusted_downstream(options):
    """Build the set of trusted downstream addresses from ``options.tdstream``.

    ``options.tdstream`` is read as a comma-separated string. Entries are
    stripped, empty ones are ignored, and each remaining entry is handed to
    ``to_ip_address`` before being added to the result.

    NOTE(review): the result keeps the entry exactly as written (after
    stripping); the value returned by ``to_ip_address`` is not used.
    Presumably that helper rejects invalid addresses by raising -- confirm.
    """
    entries = [chunk.strip() for chunk in options.tdstream.split(',')]
    accepted = set()
    for address in entries:
        if not address:
            continue
        # Validation side effect only; nothing is kept from the call.
        to_ip_address(address)
        accepted.add(address)
    return accepted
예제 #3
파일: handler.py 프로젝트: junozhou/webssh
    def is_forbidden(self, context, hostname):
        """Decide from the connection context whether to reject a request.

        Returns True when a trusted-downstream list is configured and the
        connection address is not in it. Returns False for a plain-http
        request from a non-private address when ``redirecting`` is truthy
        and ``hostname`` is not an IP literal.

        NOTE(review): this listing stops inside the ``options.fbidhttp``
        branch, right after the address is parsed; the rest of that branch
        is not shown here, so the remaining return paths cannot be
        documented from this excerpt.
        NOTE(review): the allow-list check is only as strong as
        ``context.address`` -- confirm it is the connection's peer address
        and not a value derived from a client-supplied header.
        """
        ip = context.address[0]
        lst = context.trusted_downstream
        # Parsed form of ``ip``; filled in lazily so the address is parsed at
        # most once across the two branches below.
        ip_address = None

        # An empty (falsy) list skips this check entirely, so every address
        # passes; membership is an exact string comparison.
        if lst and ip not in lst:
            logging.warning(
                'IP {!r} not found in trusted downstream {!r}'.format(ip, lst))
            return True

        if context._orig_protocol == 'http':
            # ``redirecting`` is a name from outside this method.
            if redirecting and not is_ip_hostname(hostname):
                ip_address = to_ip_address(ip)
                if not ip_address.is_private:
                    # redirecting
                    # Not forbidden here -- presumably the caller redirects
                    # this request to https; the redirect is not in this
                    # listing.
                    return False

            if options.fbidhttp:
                if ip_address is None:
                    ip_address = to_ip_address(ip)
예제 #4
    def is_forbidden(self, context, hostname):
        """Decide from the connection context whether to reject a request.

        Returns:
            True  -- a trusted-downstream list is configured and the
                     connection address is not in it, or a plain-http
                     request from a non-private address arrives while
                     ``options.fbidhttp`` is set.
            False -- a plain-http request from a non-private address that
                     qualifies for redirection (https open to the public,
                     ``options.redirect`` set, hostname not an IP literal).
            None  -- every other case (implicit fall-through).

        ``open_to_public`` and ``options`` are names from outside this
        method.

        NOTE(review): an empty trusted-downstream list disables the
        allow-list check, and the check relies on ``context.address`` being
        the real peer address rather than a header-derived value -- confirm.
        """
        peer_ip = context.address[0]
        trusted = context.trusted_downstream

        # Allow-list gate: exact string membership, skipped when unset.
        if trusted and peer_ip not in trusted:
            message = 'IP {!r} not found in trusted downstream {!r}'
            logging.warning(message.format(peer_ip, trusted))
            return True

        # Everything below concerns public plain-http traffic only.
        if not (open_to_public['http'] and context._orig_protocol == 'http'):
            return None
        if to_ip_address(peer_ip).is_private:
            return None

        may_redirect = open_to_public['https'] and options.redirect
        if may_redirect and not is_ip_hostname(hostname):
            # Not forbidden: the request is left for redirection.
            return False

        if options.fbidhttp:
            logging.warning('Public plain http request is forbidden.')
            return True
        return None
예제 #5
파일: handler.py 프로젝트: xuzekun/webssh
    def is_forbidden(self):
        """
        Report whether the current request must be rejected.

        A request is forbidden (returns True) when:
        * trusted_downstream is set and the connection address is not in it;
        * the original protocol is plain http and the address is not private.

        Any other request falls through and returns None.

        NOTE(review): with trusted_downstream empty the first check is
        skipped for every address. The check also assumes context.address is
        the connection's peer address, not a client-supplied header value --
        confirm where the context is populated.
        """
        ctx = self.request.connection.context
        peer_ip = ctx.address[0]
        trusted = ctx.trusted_downstream

        # Allow-list gate: exact string membership against the configured set.
        if trusted and peer_ip not in trusted:
            message = 'IP {!r} not found in trusted downstream {!r}'
            logging.warning(message.format(peer_ip, trusted))
            return True

        if ctx._orig_protocol != 'http':
            return None

        # Plain http is tolerated only from private addresses.
        if to_ip_address(peer_ip).is_private:
            return None

        logging.warning('Public non-https request is forbidden.')
        return True