[vlc-devel] [PATCH 2/2] httpd: mitigate DNS rebinding attack by allowing to specify a domain white list.

Rémi Denis-Courmont remi at remlab.net
Wed Jan 31 19:06:46 CET 2018


On Wednesday, 31 January 2018, 19.38.02 EET, Pierre Lamot wrote:
> ---
>  src/libvlc-module.c |   5 +++
>  src/network/httpd.c | 109
> +++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 108
> insertions(+), 6 deletions(-)
> 
> diff --git a/src/libvlc-module.c b/src/libvlc-module.c
> index cc816873f7..5ca902d67a 100644
> --- a/src/libvlc-module.c
> +++ b/src/libvlc-module.c
> @@ -848,6 +848,10 @@ static const char *const ppsz_prefres[] = {
>  #define KEY_LONGTEXT N_( \
>     "This private key file (PEM format) is used for server-side TLS.")
> 
> +#define HTTP_DOMAIN_WHITELIST_TEXT N_("HTTP server list of allowed domain")
> +#define HTTP_DOMAIN_WHITELIST_LONGTEXT N_( "By default, the HTTP server
> will accept requests " \ +    "from any domain. Specify a comma-separated
> list of domains to restrict them." ) +
>  #define SOCKS_SERVER_TEXT N_("SOCKS server")
>  #define SOCKS_SERVER_LONGTEXT N_( \
>      "SOCKS proxy server to use. This must be of the form " \
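
Review bot: HTTP_DOMAIN_WHITELIST_LONGTEXT does not say what a "domain" is compared against, so a user cannot tell what to put in the list. Name the request attribute being checked (for a DNS rebinding mitigation this is presumably the Host header, which is an assumption here since the httpd.c side is not part of this hunk), and state whether an entry may carry a port or match subdomains. The short text HTTP_DOMAIN_WHITELIST_TEXT should also read "allowed domains" (plural).
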
> @@ -1800,6 +1804,7 @@ vlc_module_begin ()
>      add_loadfile( "http-cert", NULL, HTTP_CERT_TEXT, CERT_LONGTEXT, true )
>      add_obsolete_string( "sout-http-cert" ) /* since 2.0.0 */
>      add_loadfile( "http-key", NULL, HTTP_KEY_TEXT, KEY_LONGTEXT, true )
> +    add_string( "http-domain-whitelist", NULL, HTTP_DOMAIN_WHITELIST_TEXT,
> HTTP_DOMAIN_WHITELIST_LONGTEXT, true ) add_obsolete_string( "sout-http-key"
> ) /* since 2.0.0 */
>      add_obsolete_string( "http-ca" ) /* since 3.0.0 */
>      add_obsolete_string( "sout-http-ca" ) /* since 2.0.0 */
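
Review bot: the default passed to add_string( "http-domain-whitelist", NULL, ... ) is NULL, and per the long text an unset list means requests from any domain are accepted, so the mitigation stays inactive unless the user configures it; consider shipping a non-empty default or documenting why the check has to be opt-in. The new line also lands between add_loadfile( "http-key", ... ) and its add_obsolete_string( "sout-http-key" ) alias, whereas "http-cert" is followed directly by its alias; moving the add_string after the "sout-http-key" line keeps each option next to its obsolete name.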

I spent a lot of time writing the ACL subsystem. And yet we dropped it from 
the HTTP server for a reason. And this appears to exhibit almost the same 
problem: it wrongly assumes static addresses, or in this case, also 
hostnames. We already know what happens then: practically all users disable 
the mechanism, rendering the protection totally worthless.

Let's face it, the security-conscious users are not enabling the HTTP interface, 
or at least not exposing it directly. They do not need this, and even if they 
do, they might not be able to use it as noted above.

Really, the fix must be enabled by default for one thing. 

-- 
雷米‧德尼-库尔蒙
https://www.remlab.net/
