author | Yibai Zhang <xm1994@gmail.com> | 2015-11-03 19:23:13 +0800 |
committer | Yibai Zhang <xm1994@gmail.com> | 2015-11-03 19:23:13 +0800 |
commit | 0f5ae0751dcaf3182ba094403debaf085b3ac58e (patch) | |
tree | 716b8f2b1630eee7ddfd7279e21e4bcd84c91572 /core/src/main/java | |
parent | 6bb307d2064fcae01fcbb06eb9f7c7f89ddc26ee (diff) | |
download | nanohttpd-0f5ae0751dcaf3182ba094403debaf085b3ac58e.tar.gz |
Decode headers before write remote-addr
The original version saved the real IP in headers["remote-addr"] and then wrote the HTTP request headers into the same headers variable. This may cause security issues: clients can easily override their real IP by adding a 'remote-addr' header to HTTP requests.
Diffstat (limited to 'core/src/main/java')
-rw-r--r-- | core/src/main/java/fi/iki/elonen/NanoHTTPD.java | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/core/src/main/java/fi/iki/elonen/NanoHTTPD.java b/core/src/main/java/fi/iki/elonen/NanoHTTPD.java
index 906d435..16cc9c6 100644
--- a/core/src/main/java/fi/iki/elonen/NanoHTTPD.java
+++ b/core/src/main/java/fi/iki/elonen/NanoHTTPD.java
@@ -808,11 +808,6 @@ public abstract class NanoHTTPD {
 this.headers.clear();
 }
- if (null != this.remoteIp) {
- this.headers.put("remote-addr", this.remoteIp);
- this.headers.put("http-client-ip", this.remoteIp);
- }
-
 // Create a BufferedReader for parsing the header.
 BufferedReader hin = new BufferedReader(new InputStreamReader(new ByteArrayInputStream(buf, 0, this.rlen)));
@@ -820,6 +815,11 @@ public abstract class NanoHTTPD {
 Map<String, String> pre = new HashMap<String, String>();
 decodeHeader(hin, pre, this.parms, this.headers);
+ if (null != this.remoteIp) {
+ this.headers.put("remote-addr", this.remoteIp);
+ this.headers.put("http-client-ip", this.remoteIp);
+ }
+
 this.method = Method.lookup(pre.get("method"));
 if (this.method == null) {
 throw new ResponseException(Response.Status.BAD_REQUEST, "BAD REQUEST: Syntax error."); |
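Review bot: The relocated block in the second hunk still only overwrites `remote-addr` and `http-client-ip` when `this.remoteIp` is non-null, so when it is null any values a client supplied under those header names survive `decodeHeader` and remain in `this.headers`. Since the point of the commit is to keep those two keys server-controlled, the new code should clear them unconditionally right after the `decodeHeader(...)` call, before the conditional put: `this.headers.remove("remote-addr"); this.headers.remove("http-client-ip");`. Whether `remoteIp` can actually be null at this point is not visible in the hunk, so this may be defence in depth rather than a live gap. The enclosing method begins and ends outside the hunk; a one-line comment above the moved block, such as `// Must run after decodeHeader so a client-supplied remote-addr header cannot override the real peer address`, would record the ordering constraint so a later refactor does not move it back.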