humitos
commented
6 years ago Thanks for your report. You are right.
We will need to validate that the request.remote_addr is a valid IP. Maybe with a regex? Would you like to propose a PR for this?
Open ChiChou opened 6 years ago
humitos
commented
6 years ago Thanks for your report. You are right.
We will need to validate that the request.remote_addr is a valid IP. Maybe with a regex? Would you like to propose a PR for this?
There's a easy exploiting vulnerability in: https://github.com/humitos/pyfispot/blob/master/raspberrypi/home/pi/apps/pyfispot/main.py#L69
A fake
X-Real-IPheader will execute arbitrary command on the server