Open ChiChou opened 6 years ago
There's an easily exploitable vulnerability in: https://github.com/humitos/pyfispot/blob/master/raspberrypi/home/pi/apps/pyfispot/main.py#L69
A fake X-Real-IP header will execute arbitrary commands on the server.
Thanks for your report. You are right.
We will need to validate that the request.remote_addr is a valid IP. Maybe with a regex? Would you like to propose a PR for this?
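The following is an added example, not code from pyfispot (the thread links to the affected line but does not reproduce it). It shows the two halves of the fix the maintainer is describing: validating that the address taken from X-Real-IP / request.remote_addr is really an IP, and not letting a shell parse it afterwards. `COMMAND = "echo"` is a stand-in for whatever the real handler runs with the client address, and `client_ip` plays the role of `request.remote_addr`; both are assumptions for the demo. It also shows why a quick regex check can be a trap: `re.match` only anchors at the start of the string.

```python
import ipaddress
import re
import subprocess

# Hypothetical stand-in for whatever the real handler runs with the client
# address; the thread does not show the actual command.
COMMAND = "echo"


def naive_regex_check(value):
    """The kind of regex check a quick fix might reach for.

    re.match() only anchors at the start of the string, so a value with
    trailing shell metacharacters still passes. Kept here for comparison."""
    return re.match(r"\d{1,3}(\.\d{1,3}){3}", value) is not None


def validate_client_ip(value):
    """Return the normalized address if value parses as exactly one IPv4/IPv6
    address, else None.

    ipaddress.ip_address rejects anything that is not a single address, so
    '10.0.0.5; echo INJECTED' cannot pass."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def run_vulnerable(client_ip):
    """Vulnerable pattern: the untrusted value is interpolated into a shell
    string and handed to /bin/sh."""
    result = subprocess.run(COMMAND + " " + client_ip, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_hardened(client_ip):
    """Hardened: validate first, then pass an argv list so no shell ever
    parses the value."""
    addr = validate_client_ip(client_ip)
    if addr is None:
        raise ValueError("invalid client address: %r" % client_ip)
    result = subprocess.run([COMMAND, addr], capture_output=True, text=True)
    return result.stdout


def hardened_rejects(client_ip):
    """True if the hardened path refuses the value instead of running anything."""
    try:
        run_hardened(client_ip)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled header value.
    spoofed = "10.0.0.5; echo INJECTED"
    print(run_vulnerable(spoofed))       # second line shows the injected command ran
    print(naive_regex_check(spoofed))    # True: the naive regex lets it through
    print(validate_client_ip(spoofed))   # None: ipaddress rejects it
    print(run_hardened("10.0.0.5"))      # only the echo of the address
```

Two caveats a reviewer would add to the regex suggestion: if a regex is used anyway it needs `re.fullmatch` (or `^...$` anchors), and `ipaddress` is the simpler choice because it also handles IPv6 and rejects out-of-range octets. Validation alone also does not settle who is allowed to set X-Real-IP: the header should only be honoured when the request comes from the reverse proxy in front of the app, otherwise a client can still choose which address the command is applied to.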