upnphttp: Protect against DNS rebinding attacks

Validate HTTP requests to protect against DNS rebinding.
2022-02-09 18:32:50 -08:00 · 2022-02-09 18:32:50 -08:00 · c21208508d
commit c21208508d
parent 8d8d04785b
2 changed files with 19 additions and 0 deletions
--- a/upnphttp.c
+++ b/upnphttp.c
@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
 				p = colon + 1;
 				while(isspace(*p))
 					p++;
+				n = 0;
+				while(p[n] >= ' ')
+					n++;
+				h->req_Host = p;
+				h->req_HostLen = n;
 				for(n = 0; n < n_lan_addr; n++)
 				{
 					for(i = 0; lan_addr[n].str[i]; i++)
@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
 	}

 	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
+	if(h->req_Host && h->req_HostLen > 0) {
+		const char *ptr = h->req_Host;
+		DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
+		for(i = 0; i < h->req_HostLen; i++) {
+			if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
+				DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
+				Send404(h);/* 403 */
+				return;
+			}
+			ptr++;
+		}
+	}
 	if(strcmp("POST", HttpCommand) == 0)
 	{
 		h->req_command = EPost;
--- a/upnphttp.h
+++ b/upnphttp.h
@ -89,6 +89,8 @@ struct upnphttp {
 	struct client_cache_s * req_client;
 	const char * req_soapAction;
 	int req_soapActionLen;
+	const char * req_Host;        /* Host: header */
+	int req_HostLen;
 	const char * req_Callback;	/* For SUBSCRIBE */
 	int req_CallbackLen;
 	const char * req_NT;