Implement HTTP host header filtering

This filtering is required to defend against DNS rebinding attack.
2026-01-04 22:52:33 -06:00 · 2017-07-02 18:23:10 +08:00
parent 2ae8472a78
commit 76c6041031
10 changed files with 106 additions and 5 deletions
--- a/src/gui/optionsdlg.cpp
+++ b/src/gui/optionsdlg.cpp
@@ -319,6 +319,7 @@ OptionsDialog::OptionsDialog(QWidget *parent)
    connect(m_ui->textTrackers, SIGNAL(textChanged()), this, SLOT(enableApplyButton()));
 #ifndef DISABLE_WEBUI
    // Web UI tab
+    connect(m_ui->textSeverDomains, SIGNAL(textChanged(QString)), this, SLOT(enableApplyButton()));
    connect(m_ui->checkWebUi, SIGNAL(toggled(bool)), this, SLOT(enableApplyButton()));
    connect(m_ui->spinWebUiPort, SIGNAL(valueChanged(int)), this, SLOT(enableApplyButton()));
    connect(m_ui->checkWebUIUPnP, SIGNAL(toggled(bool)), SLOT(enableApplyButton()));
@@ -603,6 +604,7 @@ void OptionsDialog::saveOptions()
    // Web UI
    pref->setWebUiEnabled(isWebUiEnabled());
    if (isWebUiEnabled()) {
+        pref->setServerDomains(m_ui->textSeverDomains->text());
        pref->setWebUiPort(webUiPort());
        pref->setUPnPForWebUIPort(m_ui->checkWebUIUPnP->isChecked());
        pref->setWebUiHttpsEnabled(m_ui->checkWebUiHttps->isChecked());
@@ -975,6 +977,7 @@ void OptionsDialog::loadOptions()
    // End Bittorrent preferences

    // Web UI preferences
+    m_ui->textSeverDomains->setText(pref->getServerDomains());
    m_ui->checkWebUi->setChecked(pref->isWebUiEnabled());
    m_ui->spinWebUiPort->setValue(pref->getWebUiPort());
    m_ui->checkWebUIUPnP->setChecked(pref->useUPnPForWebUIPort());
--- a/src/gui/optionsdlg.ui
+++ b/src/gui/optionsdlg.ui
@@ -2605,8 +2605,8 @@
            <rect>
             <x>0</x>
             <y>0</y>
-             <width>438</width>
-             <height>543</height>
+             <width>518</width>
+             <height>602</height>
            </rect>
           </property>
           <layout class="QVBoxLayout" name="verticalLayout_23">
@@ -2622,6 +2622,28 @@
               <bool>false</bool>
              </property>
              <layout class="QVBoxLayout" name="verticalLayout_2">
+               <item>
+                <layout class="QHBoxLayout" name="horizontalLayout_10">
+                 <item>
+                  <widget class="QLabel" name="labelServerDomains">
+                   <property name="text">
+                    <string>Server domains:</string>
+                   </property>
+                  </widget>
+                 </item>
+                 <item>
+                  <widget class="QLineEdit" name="textSeverDomains">
+                   <property name="toolTip">
+                    <string>Whitelist for filtering HTTP Host header values.
+In order to defend against DNS rebinding attack,
+you should put in domain names used by WebUI server.
+
+Use ';' to split multiple entries. Can use wildcard '*'.</string>
+                   </property>
+                  </widget>
+                 </item>
+                </layout>
+               </item>
               <item>
                <layout class="QHBoxLayout" name="horizontalLayout_2">
                 <item>