TcpServerUtils: refuse connects from non-local nets without an allowed definition (Forum #72629)

git-svn-id: https://svn.fhem.de/fhem/trunk@14453 2b470e98-0d58-463d-a4d8-8e2adae1ed80
2025-01-31 18:59:33 +00:00 · 2017-06-02 17:37:59 +00:00 · 2017-06-02 17:37:59 +00:00 · 377ae8a378
commit 377ae8a378
parent 89e6763e2f
3 changed files with 37 additions and 9 deletions
--- a/fhem/FHEM/01_FHEMWEB.pm
+++ b/fhem/FHEM/01_FHEMWEB.pm
@ -1260,12 +1260,6 @@ FW_makeTable($$$@)
                join(",", map { FW_pH("room=$_",$_,0,"",1,1) } split(",",$val)).
                "</div></td>";

-        } elsif ($n eq "webCmd"){
-          my $lc = "detail=$name&cmd.$name=set $name";
-          FW_pO "<td><div name=\"$name-$n\" $tattr>".
-                  join(":", map {FW_pH("$lc $_",$_,0,"",1,1)} split(":",$val) ).
-                "</div></td>";
-
        } elsif ($n =~ m/^fp_(.*)/ && $defs{$1}){ #special for Floorplan
          FW_pH "detail=$1", $val,1;

--- a/fhem/FHEM/98_telnet.pm
+++ b/fhem/FHEM/98_telnet.pm
@ -513,8 +513,16 @@ telnet_ActivateInform($)

    <a name="allowfrom"></a>
    <li>allowfrom<br>
-        Regexp of allowed ip-addresses or hostnames. If set,
-        only connections from these addresses are allowed.
+        Regexp of allowed ip-addresses or hostnames. If set, only connections
+        from these addresses are allowed.<br>
+        NOTE: if this attribute is not defined and there is no valid allowed
+        device defined for the telnet/FHEMWEB instance and the client tries to
+        connect from a non-local net, then the connection is refused. Following
+        is considered a local net:<br>
+        <ul>
+          IPV4: 127/8, 10/8, 192.168/16, 172.16/10, 169.254/16<br>
+          IPV6: ::1, fe80/10<br>
+        </ul>
        </li><br>

    <a name="connectTimeout"></a>
@ -645,7 +653,15 @@ telnet_ActivateInform($)
    <li>allowfrom<br>
        Regexp der erlaubten IP-Adressen oder Hostnamen. Wenn dieses Attribut
        gesetzt wurde, werden ausschlie&szlig;lich Verbindungen von diesen
-        Adressen akzeptiert.
+        Adressen akzeptiert.<br>
+        Achtung: falls allowfrom nicht gesetzt ist, und keine g&uuml;tige
+        allowed Instanz definiert ist, und die Gegenstelle eine nicht lokale
+        Adresse hat, dann wird die Verbindung abgewiesen. Folgende Adressen
+        werden als local betrachtet:
+        <ul>
+          IPV4: 127/8, 10/8, 192.168/16, 172.16/10, 169.254/16<br>
+          IPV6: ::1, fe80/10<br>
+        </ul>
        </li><br>

    <a name="connectTimeout"></a>
--- a/fhem/FHEM/TcpServerUtils.pm
+++ b/fhem/FHEM/TcpServerUtils.pm
@ -72,6 +72,24 @@ TcpServer_Accept($$)
                inet_ntoa($iaddr);

  my $af = $attr{$name}{allowfrom};
+  if(!$af) {
+    my $re = "^(127|192.168|172.(1[6-9]|2[0-9]|3[01])|10|169.254)\\.|".
+             "^(fe[89ab]|::1)";
+    if($caddr !~ m/$re/) {
+      my %empty;
+      $hash->{SNAME} = $hash->{NAME};
+      my $auth = Authenticate($hash, \%empty);
+      delete $hash->{SNAME};
+      if($auth == 0) {
+        Log3 $name, 1,
+             "Connection refused from the non-local address $caddr:$port, ".
+             "as there is no working allowed instance defined for it";
+        close($clientinfo[0]);
+        return undef;
+      }
+    }
+  }
+
  if($af) {
    if($caddr !~ m/$af/) {
      my $hostname = gethostbyaddr($iaddr, AF_INET);