From b9a74106f48f06eb659ee9d65a24c1df84e7d573 Mon Sep 17 00:00:00 2001 From: rudolfkoenig Date: Fri, 2 Jun 2017 17:37:59 +0000 Subject: [PATCH] TcpServerUtils: refuse connects from non-local nets without an allowed definition (Forum #72629) git-svn-id: https://svn.fhem.de/fhem/trunk@14453 2b470e98-0d58-463d-a4d8-8e2adae1ed80 --- fhem/FHEM/01_FHEMWEB.pm | 6 ------ fhem/FHEM/98_telnet.pm | 22 +++++++++++++++++++--- fhem/FHEM/TcpServerUtils.pm | 18 ++++++++++++++++++ 3 files changed, 37 insertions(+), 9 deletions(-) diff --git a/fhem/FHEM/01_FHEMWEB.pm b/fhem/FHEM/01_FHEMWEB.pm index 870b85e1d..64e8cf2be 100755 --- a/fhem/FHEM/01_FHEMWEB.pm +++ b/fhem/FHEM/01_FHEMWEB.pm @@ -1260,12 +1260,6 @@ FW_makeTable($$$@) join(",", map { FW_pH("room=$_",$_,0,"",1,1) } split(",",$val)). ""; - } elsif ($n eq "webCmd"){ - my $lc = "detail=$name&cmd.$name=set $name"; - FW_pO "
". - join(":", map {FW_pH("$lc $_",$_,0,"",1,1)} split(":",$val) ). - "
"; - } elsif ($n =~ m/^fp_(.*)/ && $defs{$1}){ #special for Floorplan FW_pH "detail=$1", $val,1; diff --git a/fhem/FHEM/98_telnet.pm b/fhem/FHEM/98_telnet.pm index 9977e5be9..224a7bd58 100644 --- a/fhem/FHEM/98_telnet.pm +++ b/fhem/FHEM/98_telnet.pm @@ -513,8 +513,16 @@ telnet_ActivateInform($)
  • allowfrom
    - Regexp of allowed ip-addresses or hostnames. If set, - only connections from these addresses are allowed. + Regexp of allowed ip-addresses or hostnames. If set, only connections + from these addresses are allowed.
    + NOTE: if this attribute is not defined and there is no valid allowed + device defined for the telnet/FHEMWEB instance and the client tries to + connect from a non-local net, then the connection is refused. Following + is considered a local net:
    +

  • @@ -645,7 +653,15 @@ telnet_ActivateInform($)
  • allowfrom
    Regexp der erlaubten IP-Adressen oder Hostnamen. Wenn dieses Attribut gesetzt wurde, werden ausschließlich Verbindungen von diesen - Adressen akzeptiert. + Adressen akzeptiert.
    + Achtung: falls allowfrom nicht gesetzt ist, und keine gütige + allowed Instanz definiert ist, und die Gegenstelle eine nicht lokale + Adresse hat, dann wird die Verbindung abgewiesen. Folgende Adressen + werden als local betrachtet: +

  • diff --git a/fhem/FHEM/TcpServerUtils.pm b/fhem/FHEM/TcpServerUtils.pm index 6e221911b..6c6171688 100644 --- a/fhem/FHEM/TcpServerUtils.pm +++ b/fhem/FHEM/TcpServerUtils.pm @@ -72,6 +72,24 @@ TcpServer_Accept($$) inet_ntoa($iaddr); my $af = $attr{$name}{allowfrom}; + if(!$af) { + my $re = "^(127|192.168|172.(1[6-9]|2[0-9]|3[01])|10|169.254)\\.|". + "^(fe[89ab]|::1)"; + if($caddr !~ m/$re/) { + my %empty; + $hash->{SNAME} = $hash->{NAME}; + my $auth = Authenticate($hash, \%empty); + delete $hash->{SNAME}; + if($auth == 0) { + Log3 $name, 1, + "Connection refused from the non-local address $caddr:$port, ". + "as there is no working allowed instance defined for it"; + close($clientinfo[0]); + return undef; + } + } + } + if($af) { if($caddr !~ m/$af/) { my $hostname = gethostbyaddr($iaddr, AF_INET);
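Review bot: The local-net pattern assigned to `$re` in the new `if(!$af)` branch is looser than the ranges it is meant to describe: the dots in `192.168`, `172.` and `169.254` are unescaped, and the IPv6 alternatives `fe[89ab]` and `::1` have no terminator, so any address text that merely begins with those characters counts as local and skips the `Authenticate` check. Because this regex now decides whether a peer is accepted without an allowed device, I would tighten and precompile it, e.g. `my $re = qr/^(?:127|10|192\.168|169\.254|172\.(?:1[6-9]|2[0-9]|3[01]))\.|^fe[89ab][0-9a-f]:|^::1$/;`, assuming `$caddr` is always the numeric text form (its assignment starts above the hunk). The `$auth == 0` test also deserves a one-line comment stating what a return value of 0 from `Authenticate` means, since the refusal hinges on it and that contract is defined outside this file section. The decision appears to be made on the socket peer address, so behind a local reverse proxy every client would look like loopback; that caveat belongs in the `allowfrom` documentation. `TcpServer_Accept` begins and ends outside the hunk.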