Changeset - c57d926edd39
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 7 years ago 2018-09-01 01:12:13
mads@kiilerich.com
auth: strip RFC4007 zone identifiers from IPv6 addresses before doing access control

If using IPv6, the request IP address might contain a '%' that the ipaddr
module that is used for IP filtering can't handle.

https://tools.ietf.org/html/rfc4007#section-11 specifies how IPv6 addresses can
have zone identifiers like trailing '%13' or '%eth0'. The zone identifier is
used to help distinguish *if* the same address should be available on multiple
interfaces. It *could* potentially have security implications in the odd case
where the same address is different on different interfaces. The IP whitelist
functionality does however not support zone filters, so there is no way users
can expect the zone to be relevant for IP filtering. We can thus safely strip
the zone index and only check for match on the other parts of the address.
1 file changed with 1 insertions and 0 deletions:
kallithea/lib/auth.py
1
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -999,20 +999,21 @@ class HasPermissionAnyMiddleware(object)
 
        log.debug('Middleware check %s for %s for repo %s (%s): %s' % (user.username, self.required_perms, repo_name, purpose, ok))
 
        return ok
 

			




	
	
	
		
 

			




	
	
	
		
 
def check_ip_access(source_ip, allowed_ips=None):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Checks if source_ip is a subnet of any of allowed_ips.

			




	
	
	
		
 

			




	
	
	
		
 
    :param source_ip:

			




	
	
	
		
 
    :param allowed_ips: list of allowed ips together with mask

			




	
	
	
		
 
    """

			




	
	
	
		
 
    from kallithea.lib import ipaddr

			




	
	
	
		
 
    source_ip = source_ip.split('%', 1)[0]

			




	
	
	
		
 
    log.debug('checking if ip:%s is subnet of %s', source_ip, allowed_ips)

			




	
	
	
		
 
    if isinstance(allowed_ips, (tuple, list, set)):

			




	
	
	
		
 
        for ip in allowed_ips:

			




	
	
	
		
 
            if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):

			




	
	
	
		
 
                log.debug('IP %s is network %s',

			




	
	
	
		
 
                          ipaddr.IPAddress(source_ip), ipaddr.IPNetwork(ip))

			




	
	
	
		
 
                return True

			




	
	
	
		
 
    return False

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.