hand

finger proxy server

commit f82c817dd2b51d4945b0065d51a21c5fbf16fb14
parent c03a7157d7e85cad4cf0b5e8b9899b53e221fcde
Author: alex wennerberg <alex@alexwennerberg.com>
Date:   Fri,  3 Dec 2021 23:27:32 -0800

prevent loopback

Diffstat:
Msrc/main.rs | 35++++++++++++++++++++++++++++++-----
1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/src/main.rs b/src/main.rs
@@ -1,5 +1,6 @@
 use fingers;
 use std::fmt;
+use std::net::ToSocketAddrs;
 use vial::prelude::*;
 
 routes! {
@@ -80,12 +81,17 @@ fn render_finger(query: &str) -> String {
 user = params[0];
 host = params[1];
 }
+ let mut response = String::new();
+ if !check_valid_ip(host) {
+ response = "![Invalid host]".to_owned();
+ } else {
+ response = fingers::finger(user, host)
+ .timeout(1)
+ .max_response_len(1024 * 10)
+ .send()
+ .unwrap_or("![Error reaching server]".to_owned());
+ }
 let finger_url = format!("finger://{}/{}", host, user);
- let response = fingers::finger(user, host)
- .timeout(1)
- .max_response_len(1024 * 10)
- .send()
- .unwrap_or("![Error reaching server]".to_owned());
 format!(
 "{}\n<br>proxying <a href='{url}'>{url}</a><pre class='response'>{}</pre></main></body></html>",
 form,
@@ -94,6 +100,25 @@ fn render_finger(query: &str) -> String {
 )
 }
 
+// prevent hacking
+fn check_valid_ip(host: &str) -> bool {
+ let mut dest = String::new();
+ if !host.contains(":") {
+ dest = format!("{}:80", host);
+ }
+ let addr = dest.to_socket_addrs();
+ println!("{:?}", addr);
+ if let Ok(mut a) = addr {
+ if let Some(n) = a.next() {
+ if n.ip().is_loopback() {
+ return false;
+ }
+ }
+ return true;
+ }
+ false
+}
+
 // Derived from https://github.com/raphlinus/pulldown-cmark/blob/master/src/escape.rs
 // Don't use single quotes (') in any of your attributes
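Review bot: In the `else` branch of the new block in `render_finger`, `check_valid_ip(host)` resolves `host` and then `fingers::finger(user, host)` is handed the same string and presumably resolves it again, so the address that was checked is not necessarily the address the client ends up connecting to; resolving once, rejecting if any address returned by `to_socket_addrs()` is disallowed (not only the first), and passing the checked address to the client would close that gap. The guard only rejects loopback, so if the intent is to keep the proxy from reaching hosts on its own network, the corresponding `is_unspecified()`, `is_private()` and `is_link_local()` checks on the resolved IP belong next to `is_loopback()`. On style, `let mut response = String::new();` followed by an assignment in both branches can be written as a single expression, `let response = if !check_valid_ip(host) { "![Invalid host]".to_owned() } else { … };`, which drops the never-read initial value and the `mut`. `check_valid_ip` itself is defined in the following hunk, whose end lies outside this excerpt.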