Revision 049da593
Added by Chris Buechler almost 15 years ago
| etc/inc/auth.inc | ||
|---|---|---|
| 33 | 33 |
/* We only support file backed HTTP Basic auth right now */ |
| 34 | 34 |
$auth_method="htpasswd_backed_basic_auth"; |
| 35 | 35 |
|
| 36 |
/* DNS ReBinding attack prevention. http://redmine.pfsense.org/issues/708 */ |
|
| 37 |
if ($_SERVER['HTTP_HOST'] != $config['system']['hostname'] . "." . $config['system']['domain'] and |
|
| 38 |
$_SERVER['HTTP_HOST'] != $_SERVER['SERVER_ADDR'] and |
|
| 39 |
$_SERVER['HTTP_HOST'] != $config['system']['hostname']) {
|
|
| 40 |
echo "DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding"; |
|
| 41 |
exit; |
|
| 42 |
} |
|
| 43 |
|
|
| 44 | 36 |
/* Authenticate user - exit if failed (we should have a callback for this maybe) */ |
| 45 | 37 |
if (!$auth_method()) |
| 46 | 38 |
exit; |
Also available in: Unified diff
Revert "DNS Rebinding support from 2.0"
This reverts commit 8bc95b43baf4bb2e77c7e88043a036945f6fcaa0.