From a64a3a27ebbcb559583c52ccfb765fd6b5dcbfe8 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Wed, 24 Jun 2015 14:06:39 +0200
Subject: [PATCH] Block requests from the server itself to
 '/checkframeoptionsheader'

This prevents DoS attacks caused by request loops.
---
 .../de/thm/arsnova/controller/WelcomeController.java     | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/main/java/de/thm/arsnova/controller/WelcomeController.java b/src/main/java/de/thm/arsnova/controller/WelcomeController.java
index d8bd4d41..0893bf0e 100644
--- a/src/main/java/de/thm/arsnova/controller/WelcomeController.java
+++ b/src/main/java/de/thm/arsnova/controller/WelcomeController.java
@@ -36,6 +36,7 @@ import org.springframework.web.client.RestTemplate;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.RedirectView;
 
+import de.thm.arsnova.exceptions.BadRequestException;
 import de.thm.arsnova.exceptions.NoContentException;
 
 /**
@@ -61,8 +62,14 @@ public class WelcomeController extends AbstractController {
 	@RequestMapping(value = "/checkframeoptionsheader", method = RequestMethod.GET)
 	@ResponseStatus(HttpStatus.OK)
 	public void checkFrameOptionsHeader(
-			@RequestParam(required = true) final String url
+			@RequestParam(required = true) final String url,
+			final HttpServletRequest request
 		) {
+		/* Block requests from the server itself to prevent DoS attacks caused by request loops */
+		if ("127.0.0.1".equals(request.getRemoteAddr())) {
+			throw new BadRequestException();
+		}
+
 		RestTemplate restTemplate = new RestTemplate();
 		SimpleClientHttpRequestFactory rf = (SimpleClientHttpRequestFactory) restTemplate.getRequestFactory();
 		rf.setConnectTimeout(2000);
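Review bot: The loopback guard only matches the literal string "127.0.0.1", so a self-request that arrives over the IPv6 loopback (`getRemoteAddr()` returns `0:0:0:0:0:0:0:1`) or over one of the host's routable addresses (when the `url` parameter names the server's own hostname) is not caught and the request loop the commit aims to stop is still reachable. Resolving the remote address and testing `isLoopbackAddress()` together with `NetworkInterface.getByInetAddress(...) != null` covers both cases without a DNS lookup, since `getByName` on an IP literal does not resolve. Conversely, if the application sits behind a reverse proxy on the same host, every client request would appear to come from 127.0.0.1 and the endpoint would be blocked entirely — worth confirming against the deployment before relying on the source address at all; checking the target host of `url` instead would be independent of proxying. The method body continues past the end of the hunk.
```java
		/* Block requests from the server itself to prevent DoS attacks caused by request loops */
		try {
			final InetAddress remote = InetAddress.getByName(request.getRemoteAddr());
			if (remote.isLoopbackAddress() || remote.isAnyLocalAddress()
					|| NetworkInterface.getByInetAddress(remote) != null) {
				throw new BadRequestException();
			}
		} catch (UnknownHostException | SocketException e) {
			throw new BadRequestException();
		}
		// … unchanged: RestTemplate setup …
```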
-- 
GitLab