Check for ipv4 address within path

2026-05-07 10:44:36 +01:00 · 2026-05-07 10:44:36 +01:00 · 9c0be66d5d
parent de1f7cd764
commit 9c0be66d5d
6 changed files with 58 additions and 8 deletions
--- a/daemon.py
+++ b/daemon.py
@ -257,7 +257,8 @@ class PubServer(BaseHTTPRequestHandler):
    def do_PROPFIND(self):
        if self.server.starting_daemon:
            return
-        if check_bad_path(self.path):
+        if check_bad_path(self.path,
+                          self.server.allow_local_network_access):
            print('WARN: bad path PROPFIND ' + self.path)
            http_400(self)
            return
@ -267,7 +268,8 @@ class PubServer(BaseHTTPRequestHandler):
    def do_PUT(self):
        if self.server.starting_daemon:
            return
-        if check_bad_path(self.path):
+        if check_bad_path(self.path,
+                          self.server.allow_local_network_access):
            print('WARN: bad path PUT ' + self.path)
            http_400(self)
            return
@ -277,7 +279,8 @@ class PubServer(BaseHTTPRequestHandler):
    def do_REPORT(self):
        if self.server.starting_daemon:
            return
-        if check_bad_path(self.path):
+        if check_bad_path(self.path,
+                          self.server.allow_local_network_access):
            print('WARN: bad path REPORT ' + self.path)
            http_400(self)
            return
@ -287,7 +290,8 @@ class PubServer(BaseHTTPRequestHandler):
    def do_DELETE(self):
        if self.server.starting_daemon:
            return
-        if check_bad_path(self.path):
+        if check_bad_path(self.path,
+                          self.server.allow_local_network_access):
            print('WARN: bad path DELETE ' + self.path)
            http_400(self)
            return
--- a/daemon_get.py
+++ b/daemon_get.py
@ -252,7 +252,8 @@ def daemon_http_get(self) -> None:
    """
    if self.server.starting_daemon:
        return
-    if check_bad_path(self.path):
+    if check_bad_path(self.path,
+                      self.server.allow_local_network_access):
        print('WARN: bad path GET ' + self.path)
        http_400(self)
        return
--- a/daemon_head.py
+++ b/daemon_head.py
@ -34,7 +34,8 @@ def daemon_http_head(self) -> None:
    """
    if self.server.starting_daemon:
        return
-    if check_bad_path(self.path):
+    if check_bad_path(self.path,
+                      self.server.allow_local_network_access):
        print('WARN: bad path HEAD ' + self.path)
        http_400(self)
        return
--- a/daemon_post.py
+++ b/daemon_post.py
@ -162,7 +162,8 @@ def daemon_http_post(self) -> None:
    """
    if self.server.starting_daemon:
        return
-    if check_bad_path(self.path):
+    if check_bad_path(self.path,
+                      self.server.allow_local_network_access):
        print('WARN: bad path POST ' + self.path)
        http_400(self)
        return
--- a/tests.py
+++ b/tests.py
@ -88,6 +88,7 @@ from timeFunctions import date_utcnow
 from timeFunctions import convert_published_to_local_timezone
 from timeFunctions import date_string_to_seconds
 from timeFunctions import date_seconds_to_string
+from utils import contains_ipv4_address
 from utils import remove_eol
 from utils import text_in_file
 from utils import convert_to_snake_case
@ -9825,6 +9826,24 @@ def _test_domain_check() -> None:
    assert resembles_domain('[abc:def:abc]')


+def _test_ip_address_detect() -> None:
+    print('test_ip_address_detect')
+    text = 'This is a test'
+    assert contains_ipv4_address(text) is False
+
+    text = 'some text http://somerandomdomain.com some other text'
+    assert contains_ipv4_address(text) is False
+
+    text = 'blah blah http://1.2.3.4'
+    assert contains_ipv4_address(text) is True
+
+    text = 'blah blah http://1.2.3.4 and some other text'
+    assert contains_ipv4_address(text) is True
+
+    text = 'blah blah http://1.2.3.4/about and some other text'
+    assert contains_ipv4_address(text) is True
+
+
 def run_all_tests():
    base_dir = os.getcwd()
    data_dir_testing(base_dir)
@ -9843,6 +9862,7 @@ def run_all_tests():
    _test_checkbox_names()
    _test_thread_functions()
    _test_functions()
+    _test_ip_address_detect()
    _test_domain_check()
    _test_post_collection()
    _test_micron_blog(base_dir)
--- a/utils.py
+++ b/utils.py
@ -4046,7 +4046,25 @@ def get_instance_url(calling_domain: str,
    return instance_url


-def check_bad_path(path: str):
+def contains_ipv4_address(path: str) -> bool:
+    """Returns true if the given string contains an IP address
+    """
+    if '://' not in path:
+        return False
+    domain = path.split('://')[1]
+    if '/' in domain:
+        domain = domain.split('/')[0]
+    if ' ' in domain:
+        domain = domain.split(' ')[0]
+    if '.' not in domain:
+        return False
+    domain_without_dots = domain.replace('.', '')
+    if domain_without_dots.isdigit():
+        return True
+    return False
+
+
+def check_bad_path(path: str, allow_local_network_access: bool):
    """for http GET or POST check that the path looks valid
    """
    path_lower: str = path.lower()
@ -4078,6 +4096,11 @@ def check_bad_path(path: str):

    if string_contains(path_lower, bad_strings):
        return True
+
+    if not allow_local_network_access:
+        if contains_ipv4_address(path_lower):
+            return True
+
    return False