WebMods: Verify a session belongs to the remote IP address

git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@2262 726aef4b-f618-498e-8847-2d620e286838
2026-03-28 17:42:41 +01:00 · 2011-01-14 20:22:23 +00:00
parent 577a097e32
commit 4556cc7c9b
2 changed files with 6 additions and 0 deletions
--- a/WebModules.cpp
+++ b/WebModules.cpp
@@ -500,6 +500,11 @@ void CWebSock::OnPageRequest(const CString& sURI) {
 }

 CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI, CString& sPageRet) {
+	if (GetSession()->GetIP() != GetRemoteIP()) {
+		PrintErrorPage(403, "Access denied", "This session does not belong to your IP.");
+		return PAGE_DONE;
+	}
+
 	// Check that they really POSTed from one our forms by checking if they
 	// know the "secret" CSRF check value. Don't do this for login since
 	// CSRF against the login form makes no sense and the login form does a
--- a/WebModules.h
+++ b/WebModules.h
@@ -39,6 +39,7 @@ public:
 	~CWebSession();

 	const CString& GetId() const { return m_sId; }
+	const CString& GetIP() const { return m_sIP; }
 	CUser* GetUser() const { return m_pUser; }
 	bool IsLoggedIn() const { return m_pUser != NULL; }
 	bool IsAdmin() const;