|
@@ -53,91 +53,23 @@ namespace Emby.Server.Implementations.SocketSharp
|
|
|
return remoteIp;
|
|
return remoteIp;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- var temp = CheckBadChars(GetHeader(HeaderNames.XForwardedFor).AsSpan());
|
|
|
|
|
- if (temp.Length != 0)
|
|
|
|
|
- {
|
|
|
|
|
- return remoteIp = temp.ToString();
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- temp = CheckBadChars(GetHeader(HeaderNames.XRealIP).AsSpan());
|
|
|
|
|
- if (temp.Length != 0)
|
|
|
|
|
- {
|
|
|
|
|
- return remoteIp = NormalizeIp(temp.ToString()).ToString();
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- return remoteIp = NormalizeIp(request.HttpContext.Connection.RemoteIpAddress).ToString();
|
|
|
|
|
- }
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- private static readonly char[] HttpTrimCharacters = new char[] { (char)0x09, (char)0xA, (char)0xB, (char)0xC, (char)0xD, (char)0x20 };
|
|
|
|
|
-
|
|
|
|
|
- // CheckBadChars - throws on invalid chars to be not found in header name/value
|
|
|
|
|
- internal static ReadOnlySpan<char> CheckBadChars(ReadOnlySpan<char> name)
|
|
|
|
|
- {
|
|
|
|
|
- if (name.Length == 0)
|
|
|
|
|
- {
|
|
|
|
|
- return name;
|
|
|
|
|
- }
|
|
|
|
|
|
|
+ IPAddress ip;
|
|
|
|
|
|
|
|
- // VALUE check
|
|
|
|
|
- // Trim spaces from both ends
|
|
|
|
|
- name = name.Trim(HttpTrimCharacters);
|
|
|
|
|
-
|
|
|
|
|
- // First, check for correctly formed multi-line value
|
|
|
|
|
- // Second, check for absence of CTL characters
|
|
|
|
|
- int crlf = 0;
|
|
|
|
|
- for (int i = 0; i < name.Length; ++i)
|
|
|
|
|
- {
|
|
|
|
|
- char c = (char)(0x000000ff & (uint)name[i]);
|
|
|
|
|
- switch (crlf)
|
|
|
|
|
|
|
+ // "Real" remote ip might be in X-Forwarded-For of X-Real-Ip
|
|
|
|
|
+ // (if the server is behind a reverse proxy for example)
|
|
|
|
|
+ if (!IPAddress.TryParse(GetHeader(HeaderNames.XForwardedFor), out ip))
|
|
|
{
|
|
{
|
|
|
- case 0:
|
|
|
|
|
- if (c == '\r')
|
|
|
|
|
- {
|
|
|
|
|
- crlf = 1;
|
|
|
|
|
- }
|
|
|
|
|
- else if (c == '\n')
|
|
|
|
|
- {
|
|
|
|
|
- // Technically this is bad HTTP. But it would be a breaking change to throw here.
|
|
|
|
|
- // Is there an exploit?
|
|
|
|
|
- crlf = 2;
|
|
|
|
|
- }
|
|
|
|
|
- else if (c == 127 || (c < ' ' && c != '\t'))
|
|
|
|
|
- {
|
|
|
|
|
- throw new ArgumentException("net_WebHeaderInvalidControlChars", nameof(name));
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- break;
|
|
|
|
|
-
|
|
|
|
|
- case 1:
|
|
|
|
|
- if (c == '\n')
|
|
|
|
|
- {
|
|
|
|
|
- crlf = 2;
|
|
|
|
|
- break;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- throw new ArgumentException("net_WebHeaderInvalidCRLFChars", nameof(name));
|
|
|
|
|
-
|
|
|
|
|
- case 2:
|
|
|
|
|
- if (c == ' ' || c == '\t')
|
|
|
|
|
- {
|
|
|
|
|
- crlf = 0;
|
|
|
|
|
- break;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- throw new ArgumentException("net_WebHeaderInvalidCRLFChars", nameof(name));
|
|
|
|
|
|
|
+ if (!IPAddress.TryParse(GetHeader(HeaderNames.XRealIP), out ip))
|
|
|
|
|
+ {
|
|
|
|
|
+ ip = request.HttpContext.Connection.RemoteIpAddress;
|
|
|
|
|
+ }
|
|
|
}
|
|
}
|
|
|
- }
|
|
|
|
|
|
|
|
|
|
- if (crlf != 0)
|
|
|
|
|
- {
|
|
|
|
|
- throw new ArgumentException("net_WebHeaderInvalidCRLFChars", nameof(name));
|
|
|
|
|
|
|
+ return remoteIp = NormalizeIp(ip).ToString();
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
- return name;
|
|
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- private IPAddress NormalizeIp(IPAddress ip)
|
|
|
|
|
|
|
+ private static IPAddress NormalizeIp(IPAddress ip)
|
|
|
{
|
|
{
|
|
|
if (ip.IsIPv4MappedToIPv6)
|
|
if (ip.IsIPv4MappedToIPv6)
|
|
|
{
|
|
{
|
|
@@ -147,11 +79,6 @@ namespace Emby.Server.Implementations.SocketSharp
|
|
|
return ip;
|
|
return ip;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- private IPAddress NormalizeIp(string sip)
|
|
|
|
|
- {
|
|
|
|
|
- return NormalizeIp(IPAddress.Parse(sip));
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
public string[] AcceptTypes => request.Headers.GetCommaSeparatedValues(HeaderNames.Accept);
|
|
public string[] AcceptTypes => request.Headers.GetCommaSeparatedValues(HeaderNames.Accept);
|
|
|
|
|
|
|
|
private Dictionary<string, object> items;
|
|
private Dictionary<string, object> items;
|
VooDooS