Implement HTTP host header filtering

This filtering is required to defend against DNS rebinding attack.
2025-12-20 15:37:26 -06:00 · 2017-07-02 18:23:10 +08:00
parent 18651c8d01
commit 0532d546d7
10 changed files with 109 additions and 8 deletions
--- a/src/gui/optionsdlg.cpp
+++ b/src/gui/optionsdlg.cpp
@@ -331,6 +331,7 @@ OptionsDialog::OptionsDialog(QWidget *parent)
    connect(m_ui->textTrackers, &QPlainTextEdit::textChanged, this, &ThisType::enableApplyButton);
 #ifndef DISABLE_WEBUI
    // Web UI tab
+    connect(m_ui->textSeverDomains, &QLineEdit::textChanged, this, &ThisType::enableApplyButton);
    connect(m_ui->checkWebUi, &QGroupBox::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->spinWebUiPort, qSpinBoxValueChanged, this, &ThisType::enableApplyButton);
    connect(m_ui->checkWebUIUPnP, &QAbstractButton::toggled, this, &ThisType::enableApplyButton);
@@ -626,6 +627,7 @@ void OptionsDialog::saveOptions()
    // Web UI
    pref->setWebUiEnabled(isWebUiEnabled());
    if (isWebUiEnabled()) {
+        pref->setServerDomains(m_ui->textSeverDomains->text());
        pref->setWebUiPort(webUiPort());
        pref->setUPnPForWebUIPort(m_ui->checkWebUIUPnP->isChecked());
        pref->setWebUiHttpsEnabled(m_ui->checkWebUiHttps->isChecked());
@@ -1013,6 +1015,7 @@ void OptionsDialog::loadOptions()
    // End Bittorrent preferences

    // Web UI preferences
+    m_ui->textSeverDomains->setText(pref->getServerDomains());
    m_ui->checkWebUi->setChecked(pref->isWebUiEnabled());
    m_ui->spinWebUiPort->setValue(pref->getWebUiPort());
    m_ui->checkWebUIUPnP->setChecked(pref->useUPnPForWebUIPort());
--- a/src/gui/optionsdlg.ui
+++ b/src/gui/optionsdlg.ui
@@ -90,7 +90,7 @@
     </widget>
     <widget class="QStackedWidget" name="tabOption">
      <property name="currentIndex">
-       <number>1</number>
+       <number>0</number>
      </property>
      <widget class="QWidget" name="tabBehaviorPage">
       <layout class="QVBoxLayout" name="verticalLayout_10">
@@ -2693,8 +2693,8 @@
            <rect>
             <x>0</x>
             <y>0</y>
-             <width>432</width>
-             <height>569</height>
+             <width>518</width>
+             <height>602</height>
            </rect>
           </property>
           <layout class="QVBoxLayout" name="verticalLayout_23">
@@ -2710,6 +2710,28 @@
               <bool>false</bool>
              </property>
              <layout class="QVBoxLayout" name="verticalLayout_2">
+               <item>
+                <layout class="QHBoxLayout" name="horizontalLayout_10">
+                 <item>
+                  <widget class="QLabel" name="labelServerDomains">
+                   <property name="text">
+                    <string>Server domains:</string>
+                   </property>
+                  </widget>
+                 </item>
+                 <item>
+                  <widget class="QLineEdit" name="textSeverDomains">
+                   <property name="toolTip">
+                    <string>Whitelist for filtering HTTP Host header values.
+In order to defend against DNS rebinding attack,
+you should put in domain names used by WebUI server.
+
+Use ';' to split multiple entries. Can use wildcard '*'.</string>
+                   </property>
+                  </widget>
+                 </item>
+                </layout>
+               </item>
               <item>
                <layout class="QHBoxLayout" name="horizontalLayout_2">
                 <item>