addresses #2498: Protect source downloader against server-side request forgery attacks

2015-08-18 12:25:26 -07:00
parent 767b11d4b5
commit 407523b04c
2 changed files with 14 additions and 0 deletions
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@@ -359,5 +359,10 @@ module Danbooru
    def enable_post_search_counts
      false
    end
+
+    # For downloads, if the host matches any of these IPs, block it
+    def banned_ip_for_download?(ip_addr)
+      ip_addr =~ /^(?:127\.0\.0\.1|::1|169\.254\.\d+\.\d+|fe80::.*)$/
+    end
  end
 end