SHIMODA Hiroshi 2012-08-02 18:20:51 +0900 (Thu, 02 Aug 2012)
New Revision: 01836bb74bcbf66497e47e7bf4e299ec52106baf
https://github.com/groonga/gcs/commit/01836bb74bcbf66497e47e7bf4e299ec52106baf
Log:
Block accesses to the configuration API except priviledged IP range
Modified files:
bin/gcs
lib/api/2011-02-01/configuration.js
lib/api/2011-02-01/index.js
lib/server.js
Modified: bin/gcs (+6 -1)
===================================================================
--- bin/gcs 2012-08-02 18:07:38 +0900 (1fce77b)
+++ bin/gcs 2012-08-02 18:20:51 +0900 (ac11340)
@@ -17,12 +17,17 @@ program
 'database path [' + defaultDatabasePath + ']',
 String,
 defaultDatabasePath)
+ .option('--privilege',
+ 'IP range for privileged clients [' + defaultPrivilegedRange + ']',
+ String,
+ defaultPrivilegedRange)
 .parse(process.argv);
 var server;
 server = gcsServer.createServer({
- databasePath: program.databasePath
+ databasePath: program.databasePath,
+ privilegedRange: program.privilege
 });
 server.listen(program.port, function() {
Modified: lib/api/2011-02-01/configuration.js (+25 -1)
===================================================================
--- lib/api/2011-02-01/configuration.js 2012-08-02 18:07:38 +0900 (64b6728)
+++ lib/api/2011-02-01/configuration.js 2012-08-02 18:20:51 +0900 (b43821b)
@@ -4,6 +4,7 @@ var Domain = require('../../database').Domain;
 var Translator = require('../../batch/translator').Translator;
 var dateFormat = require('dateformat');
 var xmlbuilder = require('../../xmlbuilder');
+var ipv4 = require('../../ipv4');
 exports.version = path.basename(__dirname);
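Review bot: The `--privilege` value is handed to `createServer` as `privilegedRange` without any check at startup, so a mistyped range is only discovered when the first configuration request arrives, and what `ipv4.isInRange` does with a malformed range is not visible in this diff. Validating `program.privilege` before the `createServer` call (and exiting with a clear message) would make a bad deployment fail fast instead of silently denying or, depending on the parser, admitting every client. As a point of style, naming the option after the config key it feeds (`--privileged-range`) would make the relationship visible to operators; `defaultPrivilegedRange` is defined outside this hunk.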
@@ -317,10 +318,33 @@ handlers.UpdateSynonymOptions = function(context, request, response) {
 }
 };
-exports.createHandler = function(context) {
+function getClientIp(request) {
+ var forwardedIps = request.header('x-forwarded-for');
+ if (forwardedIps) {
+ var ip = forwardedIps.split(',')[0];
+ if (ip)
+ return ip;
+ }
+ return request.connection.remoteAddress;
+};
+
+
+exports.createHandler = function(context, config) {
+ var privilegedRange = config && config.privilegedRange;
 return function(request, response, next) {
 var message, body;
+ // GCS specific behaviour: prevent to access this API from specific IP
+ // range.
+ if (privilegedRange) {
+ if (!ipv4.isInRange(getClientIp(request), privilegedRange)) {
+ message = 'Permission denied.';
+ body = createCommonErrorResponse('InvalidClientIpRange', message);
+ response.contentType('application/xml');
+ return response.send(body, 403);
+ }
+ }
+
 // GCS specific behaviour: fallback to other handlers for the endpoint
 // if no action is given.
 var action = request.query.Action || '';
Modified: lib/api/2011-02-01/index.js (+2 -2)
===================================================================
--- lib/api/2011-02-01/index.js 2012-08-02 18:07:38 +0900 (645a532)
+++ lib/api/2011-02-01/index.js 2012-08-02 18:20:51 +0900 (37dbe50)
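Review bot: `getClientIp` trusts `x-forwarded-for` unconditionally and takes its first entry, so the address the range check sees is whatever the requester put in that header whenever the server is not behind a proxy that overwrites it, which makes the new 403 easy to sidestep. The header should only be consulted when the direct peer (`request.connection.remoteAddress`) is itself inside a configured trusted-proxy range, and then the entry appended by that proxy (the last one, trimmed) is the one to use; a `trustedProxyRange` config key is a constructed name for that. Two smaller points: with no `privilegedRange` configured the check is skipped entirely (`config && config.privilegedRange`), so callers of `createServer` other than `bin/gcs` get an open configuration API, which deserves a comment on `createHandler`; and `+};` after the function declaration is a stray semicolon. Whether `ipv4.isInRange` copes with an IPv6-formatted `remoteAddress` is not visible here and should be confirmed. The rest of `createHandler`'s body continues outside the hunk.
```javascript
function getClientIp(request, trustedProxyRange) {
  var remoteAddress = request.connection.remoteAddress;
  // X-Forwarded-For is whatever the requester sent unless a proxy we trust
  // rewrote it; only consult it when the direct peer is that proxy.
  if (!trustedProxyRange || !ipv4.isInRange(remoteAddress, trustedProxyRange))
    return remoteAddress;
  var forwardedIps = request.header('x-forwarded-for');
  if (!forwardedIps)
    return remoteAddress;
  // The trusted proxy appends the address it saw as the last entry.
  var ips = forwardedIps.split(',');
  var ip = ips[ips.length - 1].trim();
  return ip || remoteAddress;
}
// … unchanged: createHandler, passing config.trustedProxyRange to getClientIp …
```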
@@ -6,9 +6,9 @@ exports.configuration = require('./configuration');
 exports.batch = require('./batch');
 exports.search = require('./search');
-exports.registerHandlers = function(application, database) {
+exports.registerHandlers = function(application, database, config) {
 application.get('/',
- exports.configuration.createHandler(database));
+ exports.configuration.createHandler(database, config));
 application.post('/' + exports.version + '/documents/batch',
 exports.batch.createHandler(database));
Modified: lib/server.js (+1 -1)
===================================================================
--- lib/server.js 2012-08-02 18:07:38 +0900 (7b4ec1f)
+++ lib/server.js 2012-08-02 18:20:51 +0900 (3afbebf)
@@ -14,7 +14,7 @@ exports.createServer = function (config) {
 });
 api.versions.forEach(function(version) {
- api[version].registerHandlers(application, context);
+ api[version].registerHandlers(application, context, config);
 });
 application.get('/', dashboard.rootHandler);
-------------- next part --------------
HTML$B$NE:IU%U%!%$%k$rJ]4I$7$^$7$?(B... Download
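Review bot: `registerHandlers` gains a `config` parameter that is forwarded only to the configuration handler, while the batch handler on the following lines keeps receiving just `database`; that asymmetry is presumably intended by the commit's scope but nothing says so. A short comment above the function would save the next reader the question, e.g. `// config.privilegedRange restricts the configuration API only; batch and search stay reachable from any client.` The function's body continues past the end of the hunk.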
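Review bot: `createServer` forwards the caller's `config` object untouched, and the handler in `configuration.js` skips the address check whenever `config.privilegedRange` is falsy, so the restriction only exists when the caller remembers to set it; `bin/gcs` supplies a default, but any other caller of `createServer` gets a configuration API open to every client. If the library is meant to be safe by default, the default range belongs in `createServer` (or the absence of a range should be rejected there) rather than in the command-line wrapper. `createServer`'s body begins at the hunk header and continues outside the hunk, so where such a default would be applied is not visible here.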