Merge pull request #9859 from Chocobo1/host

Add option for WebUI Host header validation
2026-01-03 06:02:29 -06:00 · 2018-11-20 12:37:55 +08:00
parent 9826aec4cf 58be2d4bc2
commit d05897c89a
8 changed files with 104 additions and 42 deletions
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@@ -208,6 +208,7 @@ void AppController::preferencesAction()
    // Security
    data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
    data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
+    data["web_ui_host_header_validation_enabled"] = pref->isWebUIHostHeaderValidationEnabled();
    // Update my dynamic domain name
    data["dyndns_enabled"] = pref->isDynDNSEnabled();
    data["dyndns_service"] = pref->getDynDNSService();
@@ -487,6 +488,8 @@ void AppController::setPreferencesAction()
        pref->setWebUiClickjackingProtectionEnabled(m["web_ui_clickjacking_protection_enabled"].toBool());
    if (m.contains("web_ui_csrf_protection_enabled"))
        pref->setWebUiCSRFProtectionEnabled(m["web_ui_csrf_protection_enabled"].toBool());
+    if (m.contains("web_ui_host_header_validation_enabled"))
+        pref->setWebUIHostHeaderValidationEnabled(m["web_ui_host_header_validation_enabled"].toBool());
    // Update my dynamic domain name
    if (m.contains("dyndns_enabled"))
        pref->setDynDNSEnabled(m["dyndns_enabled"].toBool());
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -452,6 +452,7 @@ void WebApplication::configure()

    m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
    m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }

@@ -542,7 +543,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
    try {
        // block suspicious requests
        if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
-            || !validateHostHeader(m_domainList)) {
+            || (m_isHostHeaderValidationEnabled && !validateHostHeader(m_domainList))) {
            throw UnauthorizedHTTPError();
        }

--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -155,5 +155,6 @@ private:
    QStringList m_domainList;
    bool m_isClickjackingProtectionEnabled;
    bool m_isCSRFProtectionEnabled;
+    bool m_isHostHeaderValidationEnabled;
    bool m_isHttpsEnabled;
 };
--- a/src/webui/www/private/preferences_content.html
+++ b/src/webui/www/private/preferences_content.html
@@ -411,7 +411,6 @@
        <legend>QBT_TR(Web User Interface (Remote control))QBT_TR[CONTEXT=OptionsDialog]</legend>
        <label class="leftLabelMedium" for="webui_address_value">QBT_TR(IP address:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_address_value" />
        <label for="webui_port_value" style="margin-left: 10px;">QBT_TR(Port:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_port_value" style="width: 4em;" /><br/>
-        <label class="leftLabelMedium" for="webui_domain_textarea">QBT_TR(Server domains:)QBT_TR[CONTEXT=OptionsDialog]</label><textarea id="webui_domain_textarea" rows="1" cols="70"></textarea><br/>
        <input type="checkbox" id="webui_upnp_checkbox" />
        <label for="webui_upnp_checkbox">QBT_TR(Use UPnP / NAT-PMP to forward the port from my router)QBT_TR[CONTEXT=OptionsDialog]</label><br/>
        <fieldset class="settings">
@@ -449,14 +448,28 @@
            </div>
        </fieldset>

-        <div class="formRow">
-            <input type="checkbox" id="clickjacking_protection_checkbox" />
-            <label for="clickjacking_protection_checkbox">QBT_TR(Enable clickjacking protection)QBT_TR[CONTEXT=OptionsDialog]</label>
-        </div>
-        <div class="formRow">
-            <input type="checkbox" id="csrf_protection_checkbox" />
-            <label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
-        </div>
+        <fieldset class="settings">
+            <legend>QBT_TR(Security)QBT_TR[CONTEXT=OptionsDialog]</legend>
+            <div class="formRow">
+                <input type="checkbox" id="clickjacking_protection_checkbox" />
+                <label for="clickjacking_protection_checkbox">QBT_TR(Enable clickjacking protection)QBT_TR[CONTEXT=OptionsDialog]</label>
+            </div>
+            <div class="formRow">
+                <input type="checkbox" id="csrf_protection_checkbox" />
+                <label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
+            </div>
+
+            <fieldset class="settings">
+                <legend>
+                    <input type="checkbox" id="host_header_validation_checkbox" onclick="updateHostHeaderValidationSettings();" />
+                    <label for="host_header_validation_checkbox">QBT_TR(Enable Host header validation)QBT_TR[CONTEXT=OptionsDialog]</label>
+                </legend>
+                <div class="formRow">
+                    <label class="leftLabelMedium" for="webui_domain_textarea">QBT_TR(Server domains:)QBT_TR[CONTEXT=OptionsDialog]</label>
+                    <textarea id="webui_domain_textarea" rows="1" cols="60"></textarea>
+                </div>
+            </fieldset>
+        </fieldset>
    </fieldset>

    <fieldset class="settings">
@@ -712,6 +725,11 @@
        $('bypass_auth_subnet_whitelist_textarea').setProperty('disabled', !isBypassAuthSubnetWhitelistEnabled);
    };

+    updateHostHeaderValidationSettings = function() {
+        var isHostHeaderValidationEnabled = $('host_header_validation_checkbox').getProperty('checked');
+        $('webui_domain_textarea').setProperty('disabled', !isHostHeaderValidationEnabled);
+    };
+
    updateDynDnsSettings = function() {
        var isDynDnsEnabled = $('use_dyndns_checkbox').getProperty('checked');
        $('dyndns_select').setProperty('disabled', !isDynDnsEnabled);
@@ -971,6 +989,8 @@
                    // Security
                    $('clickjacking_protection_checkbox').setProperty('checked', pref.web_ui_clickjacking_protection_enabled);
                    $('csrf_protection_checkbox').setProperty('checked', pref.web_ui_csrf_protection_enabled);
+                    $('host_header_validation_checkbox').setProperty('checked', pref.web_ui_host_header_validation_enabled);
+                    updateHostHeaderValidationSettings();

                    // Update my dynamic domain name
                    $('use_dyndns_checkbox').setProperty('checked', pref.dyndns_enabled);
@@ -1256,6 +1276,7 @@

        settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
        settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
+        settings.set('web_ui_host_header_validation_enabled', $('host_header_validation_checkbox').getProperty('checked'));

        // Update my dynamic domain name
        settings.set('dyndns_enabled', $('use_dyndns_checkbox').getProperty('checked'));