From 4556cc7c9be0655ffe43dde109ca57e043a093fa Mon Sep 17 00:00:00 2001
From: psychon
Date: Fri, 14 Jan 2011 20:22:23 +0000
Subject: [PATCH] WebMods: Verify a session belongs to the remote IP address

git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@2262 726aef4b-f618-498e-8847-2d620e286838
---
 WebModules.cpp | 5 +++++
 WebModules.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/WebModules.cpp b/WebModules.cpp
index 59477e5e..a66530dc 100644
--- a/WebModules.cpp
+++ b/WebModules.cpp
@@ -500,6 +500,11 @@ void CWebSock::OnPageRequest(const CString& sURI) {
 }

 CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI, CString& sPageRet) {
+ if (GetSession()->GetIP() != GetRemoteIP()) {
+ PrintErrorPage(403, "Access denied", "This session does not belong to your IP.");
+ return PAGE_DONE;
+ }
+
 // Check that they really POSTed from one our forms by checking if they
 // know the "secret" CSRF check value. Don't do this for login since
 // CSRF against the login form makes no sense and the login form does a
diff --git a/WebModules.h b/WebModules.h
index d0a5d506..0ecc3394 100644
--- a/WebModules.h
+++ b/WebModules.h
@@ -39,6 +39,7 @@ public:
 ~CWebSession();

 const CString& GetId() const { return m_sId; }
+ const CString& GetIP() const { return m_sIP; }
 CUser* GetUser() const { return m_pUser; }
 bool IsLoggedIn() const { return m_pUser != NULL; }
 bool IsAdmin() const;
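Review bot: The 403 branch added at the top of `OnPageRequestInternal` rejects the request without recording anything and leaves the mismatching session in place, so a session id presented from a different address is invisible to the operator, and a legitimate user whose address changes presumably keeps getting the error page until the cookie is gone. Consider logging the session's address and `GetRemoteIP()` just before `return PAGE_DONE;`, and deciding whether the client should be moved to a fresh, logged-out session instead of a dead end. The check compares the textual form of the two addresses, so it likely also fires when the same host is rendered differently (for example IPv4 versus an IPv4-mapped IPv6 form), and behind a reverse proxy every client shares one `GetRemoteIP()`, which makes the binding ineffective there. A comment such as `// Bind the session to the address it was created from; limits reuse of a leaked session id, but is not a substitute for the CSRF check below` would document the intent, in line with the commented block that follows. The function body continues outside the hunk, so whether `GetSession()` can return an empty pointer here cannot be confirmed from the visible lines.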