Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

embed: add "HostWhitelist"

Browse Source 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
This commit is contained in:
Gyuho Lee 2018-02-26 15:14:18 -08:00
parent 418bb92963
commit 00c1f16f0a
1 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
embed/config.go
View File

@ -81,6 +81,7 @@ var (
defaultHostname string defaultHostname string
defaultHostStatus error defaultHostStatus error
defaultHostWhitelist = []string{} // if empty, allow all
) )
var ( var (
@ -171,6 +172,32 @@ type Config struct {
PeerTLSInfo transport.TLSInfo PeerTLSInfo transport.TLSInfo
PeerAutoTLS bool PeerAutoTLS bool
// HostWhitelist lists acceptable hostnames from HTTP client requests.
// Client origin policy protects against "DNS Rebinding" attacks
// to insecure etcd servers. That is, any website can simply create
// an authorized DNS name, and direct DNS to "localhost" (or any
// other address). Then, all HTTP endpoints of etcd server listening
// on "localhost" becomes accessible, thus vulnerable to DNS rebinding
// attacks. See "CVE-2018-5702" for more detail.
//
// 1. If client connection is secure via HTTPS, allow any hostnames.
// 2. If client connection is not secure and "HostWhitelist" is not empty,
// only allow HTTP requests whose Host field is listed in whitelist.
//
// Note that the client origin policy is enforced whether authentication
// is enabled or not, for tighter controls.
//
// By default, "HostWhitelist" is empty, which allows any hostnames.
// Note that when specifying hostnames, loopback addresses are not added
// automatically. To allow loopback interfaces, leave it empty or add them
// to whitelist manually (e.g. "localhost", "127.0.0.1", etc.).
//
// CVE-2018-5702 reference:
// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1447#c2
// - https://github.com/transmission/transmission/pull/468
// - https://github.com/coreos/etcd/issues/9353
HostWhitelist []string `json:"host-whitelist"`
// debug // debug
Debug bool `json:"debug"` Debug bool `json:"debug"`
@ -264,6 +291,7 @@ func NewConfig() *Config {
LogOutput: DefaultLogOutput, LogOutput: DefaultLogOutput,
Metrics: "basic", Metrics: "basic",
EnableV2: DefaultEnableV2, EnableV2: DefaultEnableV2,
HostWhitelist: defaultHostWhitelist,
AuthToken: "simple", AuthToken: "simple",
} }
cfg.InitialCluster = cfg.InitialClusterFromName(cfg.Name) cfg.InitialCluster = cfg.InitialClusterFromName(cfg.Name)