support cidr notation for --xff-src, --ipa, --*-ipa
				
					
				
			the old `10.88.` syntax is still supported, translating to `10.88.0.0/16` also fix `--tftp-ipa` when optimizations are enabled
This commit is contained in:
		
							parent
							
								
									78919e65d6
								
							
						
					
					
						commit
						b377791be7
					
				| @ -907,8 +907,8 @@ def add_network(ap): | |||||||
|     ap2.add_argument("--ll", action="store_true", help="include link-local IPv4/IPv6 in mDNS replies, even if the NIC has routable IPs (breaks some mDNS clients)") |     ap2.add_argument("--ll", action="store_true", help="include link-local IPv4/IPv6 in mDNS replies, even if the NIC has routable IPs (breaks some mDNS clients)") | ||||||
|     ap2.add_argument("--rproxy", metavar="DEPTH", type=int, default=1, help="which ip to associate clients with; [\033[32m0\033[0m]=tcp, [\033[32m1\033[0m]=origin (first x-fwd, unsafe), [\033[32m2\033[0m]=outermost-proxy, [\033[32m3\033[0m]=second-proxy, [\033[32m-1\033[0m]=closest-proxy") |     ap2.add_argument("--rproxy", metavar="DEPTH", type=int, default=1, help="which ip to associate clients with; [\033[32m0\033[0m]=tcp, [\033[32m1\033[0m]=origin (first x-fwd, unsafe), [\033[32m2\033[0m]=outermost-proxy, [\033[32m3\033[0m]=second-proxy, [\033[32m-1\033[0m]=closest-proxy") | ||||||
|     ap2.add_argument("--xff-hdr", metavar="NAME", type=u, default="x-forwarded-for", help="if reverse-proxied, which http header to read the client's real ip from") |     ap2.add_argument("--xff-hdr", metavar="NAME", type=u, default="x-forwarded-for", help="if reverse-proxied, which http header to read the client's real ip from") | ||||||
|     ap2.add_argument("--xff-src", metavar="IP", type=u, default="127., ::1", help="comma-separated list of trusted reverse-proxy IPs; only accept the real-ip header (\033[33m--xff-hdr\033[0m) if the incoming connection is from an IP starting with either of these. Can be disabled with [\033[32many\033[0m] if you are behind cloudflare (or similar) and are using \033[32m--xff-hdr=cf-connecting-ip\033[0m (or similar)") |     ap2.add_argument("--xff-src", metavar="CIDR", type=u, default="127.0.0.0/8, ::1/128", help="comma-separated list of trusted reverse-proxy CIDRs; only accept the real-ip header (\033[33m--xff-hdr\033[0m) and IdP headers if the incoming connection is from an IP within either of these subnets. Specify [\033[32mlan\033[0m] to allow all LAN / private / non-internet IPs. Can be disabled with [\033[32many\033[0m] if you are behind cloudflare (or similar) and are using \033[32m--xff-hdr=cf-connecting-ip\033[0m (or similar)") | ||||||
|     ap2.add_argument("--ipa", metavar="PREFIX", type=u, default="", help="only accept connections from IP-addresses starting with \033[33mPREFIX\033[0m; example: [\033[32m127., 10.89., 192.168.\033[0m]") |     ap2.add_argument("--ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m; examples: [\033[32mlan\033[0m], [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]") | ||||||
|     ap2.add_argument("--rp-loc", metavar="PATH", type=u, default="", help="if reverse-proxying on a location instead of a dedicated domain/subdomain, provide the base location here; example: [\033[32m/foo/bar\033[0m]") |     ap2.add_argument("--rp-loc", metavar="PATH", type=u, default="", help="if reverse-proxying on a location instead of a dedicated domain/subdomain, provide the base location here; example: [\033[32m/foo/bar\033[0m]") | ||||||
|     if ANYWIN: |     if ANYWIN: | ||||||
|         ap2.add_argument("--reuseaddr", action="store_true", help="set reuseaddr on listening sockets on windows; allows rapid restart of copyparty at the expense of being able to accidentally start multiple instances") |         ap2.add_argument("--reuseaddr", action="store_true", help="set reuseaddr on listening sockets on windows; allows rapid restart of copyparty at the expense of being able to accidentally start multiple instances") | ||||||
| @ -1006,7 +1006,7 @@ def add_ftp(ap): | |||||||
|     ap2.add_argument("--ftps", metavar="PORT", type=int, help="enable FTPS server on \033[33mPORT\033[0m, for example \033[32m3990") |     ap2.add_argument("--ftps", metavar="PORT", type=int, help="enable FTPS server on \033[33mPORT\033[0m, for example \033[32m3990") | ||||||
|     ap2.add_argument("--ftpv", action="store_true", help="verbose") |     ap2.add_argument("--ftpv", action="store_true", help="verbose") | ||||||
|     ap2.add_argument("--ftp4", action="store_true", help="only listen on IPv4") |     ap2.add_argument("--ftp4", action="store_true", help="only listen on IPv4") | ||||||
|     ap2.add_argument("--ftp-ipa", metavar="PFX", type=u, default="", help="only accept connections from IP-addresses starting with \033[33mPFX\033[0m; specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Example: [\033[32m127., 10.89., 192.168.\033[0m]") |     ap2.add_argument("--ftp-ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m; specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]") | ||||||
|     ap2.add_argument("--ftp-wt", metavar="SEC", type=int, default=7, help="grace period for resuming interrupted uploads (any client can write to any file last-modified more recently than \033[33mSEC\033[0m seconds ago)") |     ap2.add_argument("--ftp-wt", metavar="SEC", type=int, default=7, help="grace period for resuming interrupted uploads (any client can write to any file last-modified more recently than \033[33mSEC\033[0m seconds ago)") | ||||||
|     ap2.add_argument("--ftp-nat", metavar="ADDR", type=u, help="the NAT address to use for passive connections") |     ap2.add_argument("--ftp-nat", metavar="ADDR", type=u, help="the NAT address to use for passive connections") | ||||||
|     ap2.add_argument("--ftp-pr", metavar="P-P", type=u, help="the range of TCP ports to use for passive connections, for example \033[32m12000-13000") |     ap2.add_argument("--ftp-pr", metavar="P-P", type=u, help="the range of TCP ports to use for passive connections, for example \033[32m12000-13000") | ||||||
| @ -1029,7 +1029,7 @@ def add_tftp(ap): | |||||||
|     ap2.add_argument("--tftp-no-fast", action="store_true", help="debug: disable optimizations") |     ap2.add_argument("--tftp-no-fast", action="store_true", help="debug: disable optimizations") | ||||||
|     ap2.add_argument("--tftp-lsf", metavar="PTN", type=u, default="\\.?(dir|ls)(\\.txt)?", help="return a directory listing if a file with this name is requested and it does not exist; defaults matches .ls, dir, .dir.txt, ls.txt, ...") |     ap2.add_argument("--tftp-lsf", metavar="PTN", type=u, default="\\.?(dir|ls)(\\.txt)?", help="return a directory listing if a file with this name is requested and it does not exist; defaults matches .ls, dir, .dir.txt, ls.txt, ...") | ||||||
|     ap2.add_argument("--tftp-nols", action="store_true", help="if someone tries to download a directory, return an error instead of showing its directory listing") |     ap2.add_argument("--tftp-nols", action="store_true", help="if someone tries to download a directory, return an error instead of showing its directory listing") | ||||||
|     ap2.add_argument("--tftp-ipa", metavar="PFX", type=u, default="", help="only accept connections from IP-addresses starting with \033[33mPFX\033[0m; specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Example: [\033[32m127., 10.89., 192.168.\033[0m]") |     ap2.add_argument("--tftp-ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m; specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]") | ||||||
|     ap2.add_argument("--tftp-pr", metavar="P-P", type=u, help="the range of UDP ports to use for data transfer, for example \033[32m12000-13000") |     ap2.add_argument("--tftp-pr", metavar="P-P", type=u, help="the range of UDP ports to use for data transfer, for example \033[32m12000-13000") | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -410,7 +410,7 @@ class FtpHandler(FTPHandler): | |||||||
|         if cip.startswith("::ffff:"): |         if cip.startswith("::ffff:"): | ||||||
|             cip = cip[7:] |             cip = cip[7:] | ||||||
| 
 | 
 | ||||||
|         if self.args.ftp_ipa_re and not self.args.ftp_ipa_re.match(cip): |         if self.args.ftp_ipa_nm and not self.args.ftp_ipa_nm.map(cip): | ||||||
|             logging.warning("client rejected (--ftp-ipa): %s", cip) |             logging.warning("client rejected (--ftp-ipa): %s", cip) | ||||||
|             self.connected = False |             self.connected = False | ||||||
|             conn.close() |             conn.close() | ||||||
|  | |||||||
| @ -231,7 +231,7 @@ class HttpCli(object): | |||||||
|         if self.is_banned(): |         if self.is_banned(): | ||||||
|             return False |             return False | ||||||
| 
 | 
 | ||||||
|         if self.args.ipa_re and not self.args.ipa_re.match(self.conn.addr[0]): |         if self.conn.ipa_nm and not self.conn.ipa_nm.map(self.conn.addr[0]): | ||||||
|             self.log("client rejected (--ipa)", 3) |             self.log("client rejected (--ipa)", 3) | ||||||
|             self.terse_reply(b"", 500) |             self.terse_reply(b"", 500) | ||||||
|             return False |             return False | ||||||
| @ -311,8 +311,9 @@ class HttpCli(object): | |||||||
|                     self.log(t.format(self.args.rproxy, zso), c=3) |                     self.log(t.format(self.args.rproxy, zso), c=3) | ||||||
| 
 | 
 | ||||||
|                 pip = self.conn.addr[0] |                 pip = self.conn.addr[0] | ||||||
|                 if self.args.xff_re and not self.args.xff_re.match(pip): |                 xffs = self.conn.xff_nm | ||||||
|                     t = 'got header "%s" from untrusted source "%s" claiming the true client ip is "%s" (raw value: "%s");  if you trust this, you must allowlist this proxy with "--xff-src=%s"' |                 if xffs and not xffs.map(pip): | ||||||
|  |                     t = 'got header "%s" from untrusted source "%s" claiming the true client ip is "%s" (raw value: "%s");  if you trust this, you must allowlist this proxy with "--xff-src=%s"%s' | ||||||
|                     if self.headers.get("cf-connecting-ip"): |                     if self.headers.get("cf-connecting-ip"): | ||||||
|                         t += '  Note: if you are behind cloudflare, then this default header is not a good choice; please first make sure your local reverse-proxy (if any) does not allow non-cloudflare IPs from providing cf-* headers, and then add this additional global setting: "--xff-hdr=cf-connecting-ip"' |                         t += '  Note: if you are behind cloudflare, then this default header is not a good choice; please first make sure your local reverse-proxy (if any) does not allow non-cloudflare IPs from providing cf-* headers, and then add this additional global setting: "--xff-hdr=cf-connecting-ip"' | ||||||
|                     else: |                     else: | ||||||
| @ -321,8 +322,9 @@ class HttpCli(object): | |||||||
|                         ".".join(pip.split(".")[:2]) + "." |                         ".".join(pip.split(".")[:2]) + "." | ||||||
|                         if "." in pip |                         if "." in pip | ||||||
|                         else ":".join(pip.split(":")[:4]) + ":" |                         else ":".join(pip.split(":")[:4]) + ":" | ||||||
|                     ) |                     ) + "0.0/16" | ||||||
|                     self.log(t % (self.args.xff_hdr, pip, cli_ip, zso, zs), 3) |                     zs2 = ' or "--xff-src=lan"' if self.conn.hsrv.xff_lan.map(pip) else "" | ||||||
|  |                     self.log(t % (self.args.xff_hdr, pip, cli_ip, zso, zs, zs2), 3) | ||||||
|                 else: |                 else: | ||||||
|                     self.ip = cli_ip |                     self.ip = cli_ip | ||||||
|                     self.is_vproxied = bool(self.args.R) |                     self.is_vproxied = bool(self.args.R) | ||||||
| @ -466,24 +468,22 @@ class HttpCli(object): | |||||||
| 
 | 
 | ||||||
|                 if not trusted_xff: |                 if not trusted_xff: | ||||||
|                     pip = self.conn.addr[0] |                     pip = self.conn.addr[0] | ||||||
|                     trusted_xff = self.args.xff_re and self.args.xff_re.match(pip) |                     xffs = self.conn.xff_nm | ||||||
| 
 |                     trusted_xff = xffs and xffs.map(pip) | ||||||
|                 # always require --xff-src with idp, but check against original (xff_src) rather than computed value (xff_re) to allow 'any' |  | ||||||
|                 trusted_xff_strict = trusted_xff and self.args.xff_src |  | ||||||
| 
 | 
 | ||||||
|                 trusted_key = ( |                 trusted_key = ( | ||||||
|                     not self.args.idp_h_key |                     not self.args.idp_h_key | ||||||
|                 ) or self.args.idp_h_key in self.headers |                 ) or self.args.idp_h_key in self.headers | ||||||
| 
 | 
 | ||||||
|                 if trusted_key and trusted_xff_strict: |                 if trusted_key and trusted_xff: | ||||||
|                     self.asrv.idp_checkin(self.conn.hsrv.broker, idp_usr, idp_grp) |                     self.asrv.idp_checkin(self.conn.hsrv.broker, idp_usr, idp_grp) | ||||||
|                 else: |                 else: | ||||||
|                     if not trusted_key: |                     if not trusted_key: | ||||||
|                         t = 'the idp-h-key header ("%s") is not present in the request; will NOT trust the other headers saying that the client\'s username is "%s" and group is "%s"' |                         t = 'the idp-h-key header ("%s") is not present in the request; will NOT trust the other headers saying that the client\'s username is "%s" and group is "%s"' | ||||||
|                         self.log(t % (self.args.idp_h_key, idp_usr, idp_grp), 3) |                         self.log(t % (self.args.idp_h_key, idp_usr, idp_grp), 3) | ||||||
| 
 | 
 | ||||||
|                     if not trusted_xff_strict: |                     if not trusted_xff: | ||||||
|                         t = 'got IdP headers from untrusted source "%s" claiming the client\'s username is "%s" and group is "%s";  if you trust this, you must allowlist this proxy with "--xff-src=%s"' |                         t = 'got IdP headers from untrusted source "%s" claiming the client\'s username is "%s" and group is "%s";  if you trust this, you must allowlist this proxy with "--xff-src=%s"%s' | ||||||
|                         if not self.args.idp_h_key: |                         if not self.args.idp_h_key: | ||||||
|                             t += "  Note: you probably also want to specify --idp-h-key <SECRET-HEADER-NAME> for additional security" |                             t += "  Note: you probably also want to specify --idp-h-key <SECRET-HEADER-NAME> for additional security" | ||||||
| 
 | 
 | ||||||
| @ -492,8 +492,9 @@ class HttpCli(object): | |||||||
|                             ".".join(pip.split(".")[:2]) + "." |                             ".".join(pip.split(".")[:2]) + "." | ||||||
|                             if "." in pip |                             if "." in pip | ||||||
|                             else ":".join(pip.split(":")[:4]) + ":" |                             else ":".join(pip.split(":")[:4]) + ":" | ||||||
|                         ) |                         ) + "0.0/16" | ||||||
|                         self.log(t % (pip, idp_usr, idp_grp, zs), 3) |                         zs2 = ' or "--xff-src=lan"' if self.conn.hsrv.xff_lan.map(pip) else "" | ||||||
|  |                         self.log(t % (pip, idp_usr, idp_grp, zs, zs2), 3) | ||||||
| 
 | 
 | ||||||
|                     idp_usr = "*" |                     idp_usr = "*" | ||||||
|                     idp_grp = "" |                     idp_grp = "" | ||||||
|  | |||||||
| @ -23,7 +23,7 @@ from .mtag import HAVE_FFMPEG | |||||||
| from .th_cli import ThumbCli | from .th_cli import ThumbCli | ||||||
| from .th_srv import HAVE_PIL, HAVE_VIPS | from .th_srv import HAVE_PIL, HAVE_VIPS | ||||||
| from .u2idx import U2idx | from .u2idx import U2idx | ||||||
| from .util import HMaccas, shut_socket | from .util import HMaccas, NetMap, shut_socket | ||||||
| 
 | 
 | ||||||
| if True:  # pylint: disable=using-constant-test | if True:  # pylint: disable=using-constant-test | ||||||
|     from typing import Optional, Pattern, Union |     from typing import Optional, Pattern, Union | ||||||
| @ -55,6 +55,8 @@ class HttpConn(object): | |||||||
|         self.E: EnvParams = self.args.E |         self.E: EnvParams = self.args.E | ||||||
|         self.asrv: AuthSrv = hsrv.asrv  # mypy404 |         self.asrv: AuthSrv = hsrv.asrv  # mypy404 | ||||||
|         self.u2fh: Util.FHC = hsrv.u2fh  # mypy404 |         self.u2fh: Util.FHC = hsrv.u2fh  # mypy404 | ||||||
|  |         self.ipa_nm: NetMap = hsrv.ipa_nm | ||||||
|  |         self.xff_nm: NetMap = hsrv.xff_nm | ||||||
|         self.iphash: HMaccas = hsrv.broker.iphash |         self.iphash: HMaccas = hsrv.broker.iphash | ||||||
|         self.bans: dict[str, int] = hsrv.bans |         self.bans: dict[str, int] = hsrv.bans | ||||||
|         self.aclose: dict[str, int] = hsrv.aclose |         self.aclose: dict[str, int] = hsrv.aclose | ||||||
|  | |||||||
| @ -67,6 +67,7 @@ from .util import ( | |||||||
|     Netdev, |     Netdev, | ||||||
|     NetMap, |     NetMap, | ||||||
|     absreal, |     absreal, | ||||||
|  |     build_netmap, | ||||||
|     ipnorm, |     ipnorm, | ||||||
|     min_ex, |     min_ex, | ||||||
|     shut_socket, |     shut_socket, | ||||||
| @ -150,6 +151,10 @@ class HttpSrv(object): | |||||||
|         zs = os.path.join(self.E.mod, "web", "deps", "prism.js.gz") |         zs = os.path.join(self.E.mod, "web", "deps", "prism.js.gz") | ||||||
|         self.prism = os.path.exists(zs) |         self.prism = os.path.exists(zs) | ||||||
| 
 | 
 | ||||||
|  |         self.ipa_nm = build_netmap(self.args.ipa) | ||||||
|  |         self.xff_nm = build_netmap(self.args.xff_src) | ||||||
|  |         self.xff_lan = build_netmap("lan") | ||||||
|  | 
 | ||||||
|         self.statics: set[str] = set() |         self.statics: set[str] = set() | ||||||
|         self._build_statics() |         self._build_statics() | ||||||
| 
 | 
 | ||||||
| @ -199,7 +204,7 @@ class HttpSrv(object): | |||||||
|         for ip, _ in self.bound: |         for ip, _ in self.bound: | ||||||
|             ips.add(ip) |             ips.add(ip) | ||||||
| 
 | 
 | ||||||
|         self.nm = NetMap(list(ips), netdevs) |         self.nm = NetMap(list(ips), list(netdevs)) | ||||||
| 
 | 
 | ||||||
|     def start_threads(self, n: int) -> None: |     def start_threads(self, n: int) -> None: | ||||||
|         self.tp_nthr += n |         self.tp_nthr += n | ||||||
|  | |||||||
| @ -110,7 +110,7 @@ class MCast(object): | |||||||
|             ) |             ) | ||||||
| 
 | 
 | ||||||
|         ips = [x for x in ips if x not in ("::1", "127.0.0.1")] |         ips = [x for x in ips if x not in ("::1", "127.0.0.1")] | ||||||
|         ips = find_prefix(ips, netdevs) |         ips = find_prefix(ips, list(netdevs)) | ||||||
| 
 | 
 | ||||||
|         on = self.on[:] |         on = self.on[:] | ||||||
|         off = self.off[:] |         off = self.off[:] | ||||||
|  | |||||||
| @ -49,6 +49,7 @@ from .util import ( | |||||||
|     ODict, |     ODict, | ||||||
|     alltrace, |     alltrace, | ||||||
|     ansi_re, |     ansi_re, | ||||||
|  |     build_netmap, | ||||||
|     min_ex, |     min_ex, | ||||||
|     mp, |     mp, | ||||||
|     odfusion, |     odfusion, | ||||||
| @ -481,10 +482,8 @@ class SvcHub(object): | |||||||
|         al.idp_h_grp = al.idp_h_grp.lower() |         al.idp_h_grp = al.idp_h_grp.lower() | ||||||
|         al.idp_h_key = al.idp_h_key.lower() |         al.idp_h_key = al.idp_h_key.lower() | ||||||
| 
 | 
 | ||||||
|         al.xff_re = self._ipa2re(al.xff_src) |         al.ftp_ipa_nm = build_netmap(al.ftp_ipa or al.ipa) | ||||||
|         al.ipa_re = self._ipa2re(al.ipa) |         al.tftp_ipa_nm = build_netmap(al.tftp_ipa or al.ipa) | ||||||
|         al.ftp_ipa_re = self._ipa2re(al.ftp_ipa or al.ipa) |  | ||||||
|         al.tftp_ipa_re = self._ipa2re(al.tftp_ipa or al.ipa) |  | ||||||
| 
 | 
 | ||||||
|         mte = ODict.fromkeys(DEF_MTE.split(","), True) |         mte = ODict.fromkeys(DEF_MTE.split(","), True) | ||||||
|         al.mte = odfusion(mte, al.mte) |         al.mte = odfusion(mte, al.mte) | ||||||
|  | |||||||
| @ -55,17 +55,16 @@ def noop(*a, **ka) -> None: | |||||||
| 
 | 
 | ||||||
| def _serverInitial(self, pkt: Any, raddress: str, rport: int) -> bool: | def _serverInitial(self, pkt: Any, raddress: str, rport: int) -> bool: | ||||||
|     info("connection from %s:%s", raddress, rport) |     info("connection from %s:%s", raddress, rport) | ||||||
|     ret = _orig_serverInitial(self, pkt, raddress, rport) |     ret = _sinitial[0](self, pkt, raddress, rport) | ||||||
|     ptn = _hub[0].args.tftp_ipa_re |     nm = _hub[0].args.tftp_ipa_nm | ||||||
|     if ptn and not ptn.match(raddress): |     if nm and not nm.map(raddress): | ||||||
|         yeet("client rejected (--tftp-ipa): %s" % (raddress,)) |         yeet("client rejected (--tftp-ipa): %s" % (raddress,)) | ||||||
|     return ret |     return ret | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| # patch ipa-check into partftpd | # patch ipa-check into partftpd (part 1/2) | ||||||
| _hub: list["SvcHub"] = [] | _hub: list["SvcHub"] = [] | ||||||
| _orig_serverInitial = TftpStates.TftpServerState.serverInitial | _sinitial: list[Any] = [] | ||||||
| TftpStates.TftpServerState.serverInitial = _serverInitial |  | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| class Tftpd(object): | class Tftpd(object): | ||||||
| @ -116,6 +115,11 @@ class Tftpd(object): | |||||||
|             for C in Cs: |             for C in Cs: | ||||||
|                 C.log.debug = noop |                 C.log.debug = noop | ||||||
| 
 | 
 | ||||||
|  |         # patch ipa-check into partftpd (part 2/2) | ||||||
|  |         _sinitial[:] = [] | ||||||
|  |         _sinitial.append(TftpStates.TftpServerState.serverInitial) | ||||||
|  |         TftpStates.TftpServerState.serverInitial = _serverInitial | ||||||
|  | 
 | ||||||
|         # patch vfs into partftpy |         # patch vfs into partftpy | ||||||
|         TftpContexts.open = self._open |         TftpContexts.open = self._open | ||||||
|         TftpStates.open = self._open |         TftpStates.open = self._open | ||||||
|  | |||||||
| @ -559,20 +559,26 @@ class HLog(logging.Handler): | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| class NetMap(object): | class NetMap(object): | ||||||
|     def __init__(self, ips: list[str], netdevs: dict[str, Netdev]) -> None: |     def __init__(self, ips: list[str], cidrs: list[str], keep_lo=False) -> None: | ||||||
|  |         """ | ||||||
|  |         ips: list of plain ipv4/ipv6 IPs, not cidr | ||||||
|  |         cidrs: list of cidr-notation IPs (ip/prefix) | ||||||
|  |         """ | ||||||
|         if "::" in ips: |         if "::" in ips: | ||||||
|             ips = [x for x in ips if x != "::"] + list( |             ips = [x for x in ips if x != "::"] + list( | ||||||
|                 [x.split("/")[0] for x in netdevs if ":" in x] |                 [x.split("/")[0] for x in cidrs if ":" in x] | ||||||
|             ) |             ) | ||||||
|             ips.append("0.0.0.0") |             ips.append("0.0.0.0") | ||||||
| 
 | 
 | ||||||
|         if "0.0.0.0" in ips: |         if "0.0.0.0" in ips: | ||||||
|             ips = [x for x in ips if x != "0.0.0.0"] + list( |             ips = [x for x in ips if x != "0.0.0.0"] + list( | ||||||
|                 [x.split("/")[0] for x in netdevs if ":" not in x] |                 [x.split("/")[0] for x in cidrs if ":" not in x] | ||||||
|             ) |             ) | ||||||
| 
 | 
 | ||||||
|  |         if not keep_lo: | ||||||
|             ips = [x for x in ips if x not in ("::1", "127.0.0.1")] |             ips = [x for x in ips if x not in ("::1", "127.0.0.1")] | ||||||
|         ips = find_prefix(ips, netdevs) | 
 | ||||||
|  |         ips = find_prefix(ips, cidrs) | ||||||
| 
 | 
 | ||||||
|         self.cache: dict[str, str] = {} |         self.cache: dict[str, str] = {} | ||||||
|         self.b2sip: dict[bytes, str] = {} |         self.b2sip: dict[bytes, str] = {} | ||||||
| @ -589,6 +595,9 @@ class NetMap(object): | |||||||
|         self.bip.sort(reverse=True) |         self.bip.sort(reverse=True) | ||||||
| 
 | 
 | ||||||
|     def map(self, ip: str) -> str: |     def map(self, ip: str) -> str: | ||||||
|  |         if ip.startswith("::ffff:"): | ||||||
|  |             ip = ip[7:] | ||||||
|  | 
 | ||||||
|         try: |         try: | ||||||
|             return self.cache[ip] |             return self.cache[ip] | ||||||
|         except: |         except: | ||||||
| @ -1920,10 +1929,10 @@ def ipnorm(ip: str) -> str: | |||||||
|     return ip |     return ip | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def find_prefix(ips: list[str], netdevs: dict[str, Netdev]) -> list[str]: | def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]: | ||||||
|     ret = [] |     ret = [] | ||||||
|     for ip in ips: |     for ip in ips: | ||||||
|         hit = next((x for x in netdevs if x.startswith(ip + "/")), None) |         hit = next((x for x in cidrs if x.startswith(ip + "/") or ip == x), None) | ||||||
|         if hit: |         if hit: | ||||||
|             ret.append(hit) |             ret.append(hit) | ||||||
|     return ret |     return ret | ||||||
| @ -2317,6 +2326,41 @@ def list_ips() -> list[str]: | |||||||
|     return list(ret) |     return list(ret) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | def build_netmap(csv: str): | ||||||
|  |     csv = csv.lower().strip() | ||||||
|  | 
 | ||||||
|  |     if csv in ("any", "all", "no", ",", ""): | ||||||
|  |         return None | ||||||
|  | 
 | ||||||
|  |     if csv in ("lan", "local", "private", "prvt"): | ||||||
|  |         csv = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8"  # lan | ||||||
|  |         csv += ", 169.254.0.0/16, fe80::/10"  # link-local | ||||||
|  |         csv += ", 127.0.0.0/8, ::1/128"  # loopback | ||||||
|  | 
 | ||||||
|  |     srcs = [x.strip() for x in csv.split(",") if x.strip()] | ||||||
|  |     cidrs = [] | ||||||
|  |     for zs in srcs: | ||||||
|  |         if not zs.endswith("."): | ||||||
|  |             cidrs.append(zs) | ||||||
|  |             continue | ||||||
|  | 
 | ||||||
|  |         # translate old syntax "172.19." => "172.19.0.0/16" | ||||||
|  |         words = len(zs.rstrip(".").split(".")) | ||||||
|  |         if words == 1: | ||||||
|  |             zs += "0.0.0/8" | ||||||
|  |         elif words == 2: | ||||||
|  |             zs += "0.0/16" | ||||||
|  |         elif words == 3: | ||||||
|  |             zs += "0/24" | ||||||
|  |         else: | ||||||
|  |             raise Exception("invalid config value [%s]" % (zs,)) | ||||||
|  | 
 | ||||||
|  |         cidrs.append(zs) | ||||||
|  | 
 | ||||||
|  |     ips = [x.split("/")[0] for x in cidrs] | ||||||
|  |     return NetMap(ips, cidrs, True) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| def yieldfile(fn: str) -> Generator[bytes, None, None]: | def yieldfile(fn: str) -> Generator[bytes, None, None]: | ||||||
|     with open(fsenc(fn), "rb", 512 * 1024) as f: |     with open(fsenc(fn), "rb", 512 * 1024) as f: | ||||||
|         while True: |         while True: | ||||||
|  | |||||||
| @ -24,8 +24,8 @@ | |||||||
|   # if we are confident that we got the docker-network config correct |   # if we are confident that we got the docker-network config correct | ||||||
|   # (meaning copyparty is only accessible through traefik, and |   # (meaning copyparty is only accessible through traefik, and | ||||||
|   #  traefik makes sure that all requests go through authelia), |   #  traefik makes sure that all requests go through authelia), | ||||||
|   # then disable the reverse-proxy source-ip safety check like this: |   # then accept X-Forwarded-For and IdP headers from any private IP: | ||||||
|   xff-src: any |   xff-src: lan | ||||||
| 
 | 
 | ||||||
|   # enable IdP support by expecting username/groupname in |   # enable IdP support by expecting username/groupname in | ||||||
|   # http-headers provided by the reverse-proxy; header "X-IdP-User" |   # http-headers provided by the reverse-proxy; header "X-IdP-User" | ||||||
|  | |||||||
| @ -31,7 +31,10 @@ | |||||||
|   # preventing malicious users from pretending to be the proxy; |   # preventing malicious users from pretending to be the proxy; | ||||||
|   # pay attention to the warning message in the logs and then |   # pay attention to the warning message in the logs and then | ||||||
|   # adjust the following config option accordingly: |   # adjust the following config option accordingly: | ||||||
|   xff-src: 192.168. |   xff-src: 192.168.0.0/16 | ||||||
|  | 
 | ||||||
|  |   # or just allow all LAN / private IPs (probably good enough): | ||||||
|  |   xff-src: lan | ||||||
| 
 | 
 | ||||||
|   # an additional, optional security measure is to expect a |   # an additional, optional security measure is to expect a | ||||||
|   # secret header name from the reverse-proxy; you can enable |   # secret header name from the reverse-proxy; you can enable | ||||||
|  | |||||||
| @ -4,4 +4,4 @@ to configure IdP from scratch, you must place copyparty behind a reverse-proxy w | |||||||
| 
 | 
 | ||||||
| in the copyparty `[global]` config, specify which headers to read client info from; username is required (`idp-h-usr: X-Authooley-User`), group(s) are optional (`idp-h-grp: X-Authooley-Groups`) | in the copyparty `[global]` config, specify which headers to read client info from; username is required (`idp-h-usr: X-Authooley-User`), group(s) are optional (`idp-h-grp: X-Authooley-Groups`) | ||||||
| 
 | 
 | ||||||
| * it is also required to specify the subnet that legit requests will be coming from, for example `--xff-src=10.88.` to allow 10.88.x.x, and it is recommended to configure the reverseproxy to include a secret header as proof that the other headers are also legit (and not smuggled in by a malicious client), telling copyparty the headername to expect with `idp-h-key: shangala-bangala` | * it is also required to specify the subnet that legit requests will be coming from, for example `--xff-src=10.88.0.0/24` to allow 10.88.x.x (or `--xff-src=lan` for all private IPs), and it is recommended to configure the reverseproxy to include a secret header as proof that the other headers are also legit (and not smuggled in by a malicious client), telling copyparty the headername to expect with `idp-h-key: shangala-bangala` | ||||||
|  | |||||||
| @ -116,7 +116,7 @@ class Cfg(Namespace): | |||||||
|         ex = "dotpart dotsrch no_dhash no_fastboot no_rescan no_sendfile no_voldump re_dhash plain_ip" |         ex = "dotpart dotsrch no_dhash no_fastboot no_rescan no_sendfile no_voldump re_dhash plain_ip" | ||||||
|         ka.update(**{k: True for k in ex.split()}) |         ka.update(**{k: True for k in ex.split()}) | ||||||
| 
 | 
 | ||||||
|         ex = "ah_cli ah_gen css_browser hist ipa_re js_browser no_forget no_hash no_idx nonsus_urls" |         ex = "ah_cli ah_gen css_browser hist js_browser no_forget no_hash no_idx nonsus_urls" | ||||||
|         ka.update(**{k: None for k in ex.split()}) |         ka.update(**{k: None for k in ex.split()}) | ||||||
| 
 | 
 | ||||||
|         ex = "hash_mt srch_time u2abort u2j" |         ex = "hash_mt srch_time u2abort u2j" | ||||||
| @ -242,6 +242,7 @@ class VHttpConn(object): | |||||||
|         self.freshen_pwd = 0.0 |         self.freshen_pwd = 0.0 | ||||||
|         self.hsrv = VHttpSrv(args, asrv, log) |         self.hsrv = VHttpSrv(args, asrv, log) | ||||||
|         self.ico = None |         self.ico = None | ||||||
|  |         self.ipa_nm = None | ||||||
|         self.lf_url = None |         self.lf_url = None | ||||||
|         self.log_func = log |         self.log_func = log | ||||||
|         self.log_src = "a" |         self.log_src = "a" | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 ed
						ed