From 45b407f41c35f7f1ba6e6e77b63605cfc9fef205 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Thu, 25 Jun 2015 13:36:52 +0200
Subject: [PATCH] Block requests to private networks for
 '/checkframeoptionsheader'

---
 .../thm/arsnova/controller/WelcomeController.java   | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/main/java/de/thm/arsnova/controller/WelcomeController.java b/src/main/java/de/thm/arsnova/controller/WelcomeController.java
index 0893bf0ec..dd2f324e2 100644
--- a/src/main/java/de/thm/arsnova/controller/WelcomeController.java
+++ b/src/main/java/de/thm/arsnova/controller/WelcomeController.java
@@ -17,6 +17,10 @@
  */
 package de.thm.arsnova.controller;
 
+import java.net.InetAddress;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.UnknownHostException;
 import java.util.HashMap;
 
 import javax.servlet.http.HttpServletRequest;
@@ -69,6 +73,15 @@ public class WelcomeController extends AbstractController {
 		if ("127.0.0.1".equals(request.getRemoteAddr())) {
 			throw new BadRequestException();
 		}
+		/* Block requests to servers in private networks */
+		try {
+			final InetAddress addr = InetAddress.getByName(new URL(url).getHost());
+			if (addr.isSiteLocalAddress()) {
+				throw new BadRequestException();
+			}
+		} catch (UnknownHostException | MalformedURLException e) {
+			throw new BadRequestException();
+		}
 
 		RestTemplate restTemplate = new RestTemplate();
 		SimpleClientHttpRequestFactory rf = (SimpleClientHttpRequestFactory) restTemplate.getRequestFactory();
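Review bot: The new guard only rejects RFC 1918 ranges because `isSiteLocalAddress()` covers nothing else, so a target URL resolving to loopback, link-local (e.g. 169.254.0.0/16), `0.0.0.0` or IPv6 equivalents still passes, and the existing `"127.0.0.1".equals(request.getRemoteAddr())` check above it inspects the caller's address, not the target's. `InetAddress.getByName` also returns only the first resolved address, so a host with a mixed public/private record set is judged by whichever entry comes first; iterating `getAllByName` and testing the loopback, link-local and any-local predicates closes both gaps. Two residual risks remain that this hunk cannot fully address and should at least be noted in the comment: the address is resolved here and then resolved again by `RestTemplate` when it connects (a rebinding window), and `SimpleClientHttpRequestFactory` appears to follow redirects by default, so a public host can still hand the request to an internal one unless redirect-following is disabled on the factory — worth confirming against the rest of the method. The `catch` drops `e` entirely; if `BadRequestException` accepts a cause, passing it would keep the failed host diagnosable in logs. The enclosing method starts and ends outside the hunk.
```java
		/* Block requests to servers in private, loopback, link-local or unspecified
		 * address ranges. Every resolved address is checked, not just the first. */
		try {
			final String host = new URL(url).getHost();
			for (final InetAddress addr : InetAddress.getAllByName(host)) {
				if (addr.isSiteLocalAddress() || addr.isLoopbackAddress()
						|| addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
					throw new BadRequestException();
				}
			}
		} catch (UnknownHostException | MalformedURLException e) {
			throw new BadRequestException();
		}
		// … unchanged: RestTemplate setup …
```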
-- 
GitLab