mhop/fhem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TcpServerUtils: refuse connects from non-local nets without an allowed definition (Forum #72629)

Browse Source 
git-svn-id: https://svn.fhem.de/fhem/trunk@14453 2b470e98-0d58-463d-a4d8-8e2adae1ed80
This commit is contained in:
rudolfkoenig
2017-06-02 17:37:59 +00:00
parent f724d73ec3
commit b9a74106f4
3 changed files with 37 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
fhem/FHEM/01_FHEMWEB.pm
View File

@@ -1260,12 +1260,6 @@ FW_makeTable($$$@)
join(",", map { FW_pH("room=$_",$_,0,"",1,1) } split(",",$val)). join(",", map { FW_pH("room=$_",$_,0,"",1,1) } split(",",$val)).
"</div></td>"; "</div></td>";
} elsif ($n eq "webCmd"){
my $lc = "detail=$name&cmd.$name=set $name";
FW_pO "<td><div name=\"$name-$n\" $tattr>".
join(":", map {FW_pH("$lc $_",$_,0,"",1,1)} split(":",$val) ).
"</div></td>";
} elsif ($n =~ m/^fp_(.*)/ && $defs{$1}){ #special for Floorplan } elsif ($n =~ m/^fp_(.*)/ && $defs{$1}){ #special for Floorplan
FW_pH "detail=$1", $val,1; FW_pH "detail=$1", $val,1;

22
fhem/FHEM/98_telnet.pm
View File

@@ -513,8 +513,16 @@ telnet_ActivateInform($)
<a name="allowfrom"></a> <a name="allowfrom"></a>
<li>allowfrom<br> <li>allowfrom<br>
Regexp of allowed ip-addresses or hostnames. If set, Regexp of allowed ip-addresses or hostnames. If set, only connections
only connections from these addresses are allowed. from these addresses are allowed.<br>
NOTE: if this attribute is not defined and there is no valid allowed
device defined for the telnet/FHEMWEB instance and the client tries to
connect from a non-local net, then the connection is refused. Following
is considered a local net:<br>
<ul>
IPV4: 127/8, 10/8, 192.168/16, 172.16/10, 169.254/16<br>
IPV6: ::1, fe80/10<br>
</ul>
</li><br> </li><br>
<a name="connectTimeout"></a> <a name="connectTimeout"></a>
@@ -645,7 +653,15 @@ telnet_ActivateInform($)
<li>allowfrom<br> <li>allowfrom<br>
Regexp der erlaubten IP-Adressen oder Hostnamen. Wenn dieses Attribut Regexp der erlaubten IP-Adressen oder Hostnamen. Wenn dieses Attribut
gesetzt wurde, werden ausschlie&szlig;lich Verbindungen von diesen gesetzt wurde, werden ausschlie&szlig;lich Verbindungen von diesen
Adressen akzeptiert. Adressen akzeptiert.<br>
Achtung: falls allowfrom nicht gesetzt ist, und keine g&uuml;tige
allowed Instanz definiert ist, und die Gegenstelle eine nicht lokale
Adresse hat, dann wird die Verbindung abgewiesen. Folgende Adressen
werden als local betrachtet:
<ul>
IPV4: 127/8, 10/8, 192.168/16, 172.16/10, 169.254/16<br>
IPV6: ::1, fe80/10<br>
</ul>
</li><br> </li><br>
<a name="connectTimeout"></a> <a name="connectTimeout"></a>

18
fhem/FHEM/TcpServerUtils.pm
View File

@@ -72,6 +72,24 @@ TcpServer_Accept($$)
inet_ntoa($iaddr); inet_ntoa($iaddr);
my $af = $attr{$name}{allowfrom}; my $af = $attr{$name}{allowfrom};
if(!$af) {
my $re = "^(127|192.168|172.(1[6-9]|2[0-9]|3[01])|10|169.254)\\.|".
"^(fe[89ab]|::1)";
if($caddr !~ m/$re/) {
my %empty;
$hash->{SNAME} = $hash->{NAME};
my $auth = Authenticate($hash, \%empty);
delete $hash->{SNAME};
if($auth == 0) {
Log3 $name, 1,
"Connection refused from the non-local address $caddr:$port, ".
"as there is no working allowed instance defined for it";
close($clientinfo[0]);
return undef;
}
}
}
if($af) { if($af) {
if($caddr !~ m/$af/) { if($caddr !~ m/$af/) {
my $hostname = gethostbyaddr($iaddr, AF_INET); my $hostname = gethostbyaddr($iaddr, AF_INET);