author | Maximilian Hils <git@maximilianhils.com> | 2018-07-11 18:56:49 +0800 |
---|---|---|
committer | Maximilian Hils <git@maximilianhils.com> | 2018-07-11 18:57:12 +0800 |
commit | ae9177922911bd9d39b4fead45e196b51b2b9a84 (patch) | |
tree | d66b86f597ff217ea0fea0adaf16c66fa12ac9c0 | |
parent | 9829fe150e7d5ef115f0910756daeefd0740e77d (diff) | |
mitmweb: protect against dns rebinding
-rw-r--r-- | mitmproxy/tools/web/app.py | 56 |
1 files changed, 30 insertions, 26 deletions
diff --git a/mitmproxy/tools/web/app.py b/mitmproxy/tools/web/app.py
index ae2394eb..9c13690a 100644
--- a/mitmproxy/tools/web/app.py
+++ b/mitmproxy/tools/web/app.py
@@ -466,31 +466,7 @@ class SaveOptions(RequestHandler):
 class Application(tornado.web.Application):
 def __init__(self, master, debug):
 self.master = master
- handlers = [
- (r"/", IndexHandler),
- (r"/filter-help(?:\.json)?", FilterHelp),
- (r"/updates", ClientConnection),
- (r"/events(?:\.json)?", Events),
- (r"/flows(?:\.json)?", Flows),
- (r"/flows/dump", DumpFlows),
- (r"/flows/resume", ResumeFlows),
- (r"/flows/kill", KillFlows),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)", FlowHandler),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)/resume", ResumeFlow),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)/kill", KillFlow),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)/duplicate", DuplicateFlow),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)/replay", ReplayFlow),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)/revert", RevertFlow),
- (r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content.data", FlowContent),
- ( r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content/(?P<content_view>[0-9a-zA-Z\-\_]+)(?:\.json)?", FlowContentView),
- (r"/settings(?:\.json)?", Settings),
- (r"/clear", ClearAll),
- (r"/options(?:\.json)?", Options),
- (r"/options/save", SaveOptions)
- ]
- settings = dict(
+ super().__init__(
 template_path=os.path.join(os.path.dirname(__file__), "templates"),
 static_path=os.path.join(os.path.dirname(__file__), "static"),
 xsrf_cookies=True,
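Review bot: If I read Tornado correctly, passing `static_path=` to `super().__init__(` makes the base class register its own `StaticFileHandler` for `/static/` under the catch-all host rule, so the JS/CSS bundle stays reachable for any `Host` even though the API routes are host-restricted in the next hunk. That is not a data exposure, but it means the host allow-list does not cover every route, and the comment in the next hunk ("accessible by IP only") overstates the coverage. A one-line comment next to `static_path=`, e.g. `# static assets are still served for any Host; only the routes added via add_handlers below are host-restricted`, would save the next reader from assuming otherwise. `__init__` continues past this hunk.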
@@ -498,4 +474,32 @@ class Application(tornado.web.Application):
 debug=debug,
 autoreload=False,
 )
- super().__init__(handlers, **settings)
+
+ self.add_handlers(
+ # make mitmweb accessible by IP only to prevent DNS rebinding.
+ r'(localhost|\d+\.\d+\.\d+\.\d+)',
+ [
+ (r"/", IndexHandler),
+ (r"/filter-help(?:\.json)?", FilterHelp),
+ (r"/updates", ClientConnection),
+ (r"/events(?:\.json)?", Events),
+ (r"/flows(?:\.json)?", Flows),
+ (r"/flows/dump", DumpFlows),
+ (r"/flows/resume", ResumeFlows),
+ (r"/flows/kill", KillFlows),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)", FlowHandler),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)/resume", ResumeFlow),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)/kill", KillFlow),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)/duplicate", DuplicateFlow),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)/replay", ReplayFlow),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)/revert", RevertFlow),
+ (r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content.data", FlowContent),
+ ( r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content/(?P<content_view>[0-9a-zA-Z\-\_]+)(?:\.json)?", FlowContentView),
+ (r"/settings(?:\.json)?", Settings),
+ (r"/clear", ClearAll),
+ (r"/options(?:\.json)?", Options),
+ (r"/options/save", SaveOptions)
+ ]
+ )
|
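Review bot: The host allow-list `r'(localhost|\d+\.\d+\.\d+\.\d+)'` handed to `add_handlers` never matches an IPv6 literal such as `[::1]` or any hostname, so a user who reaches mitmweb that way (a container name, a LAN host, or `web_iface` bound to `::1`) now gets an unexplained 404 from Tornado's fallback handler rather than the UI. The anchoring itself looks sound as far as I recall Tornado: it appends `$` to a host pattern lacking one and matches with `re.match` against the lowercased `Host` minus the port, so `localhost.attacker.example` is rejected, which is exactly what defeats rebinding. I would add `\[[0-9a-f:]+\]` to the alternation and replace the one-line comment with `# Only serve requests whose Host is an IP literal or "localhost": a DNS name an attacker controls could be re-pointed at this port (DNS rebinding); anything else deliberately 404s.` so the rejection has a discoverable cause. Note that this Host check is not an Origin check for the `/updates` WebSocket, which still depends on Tornado's default `check_origin` (Origin host must equal Host) unless `ClientConnection` overrides it. `__init__` begins in the previous hunk.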