From ec5e2dba9496883bdc8909d4a226a3cb9c2055fb Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Fri, 1 Feb 2019 13:03:40 +0000
Subject: [PATCH] i2ptunnel: More localhost checks

---
 .../java/src/net/i2p/i2ptunnel/I2PTunnelConnectClient.java | 7 +++++--
 .../java/src/net/i2p/i2ptunnel/socks/SOCKS4aServer.java    | 7 +++++--
 .../java/src/net/i2p/i2ptunnel/socks/SOCKS5Server.java     | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelConnectClient.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelConnectClient.java
index 029435efa1..9c6439264d 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelConnectClient.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelConnectClient.java
@@ -203,7 +203,8 @@ public class I2PTunnelConnectClient extends I2PTunnelHTTPClientBase implements R
                         restofline = request.substring(pos); // ":80 HTTP/1.1" or " HTTP/1.1"
                     }
 
-                    if (host.toLowerCase(Locale.US).endsWith(".i2p")) {
+                    String hostLowerCase = host.toLowerCase(Locale.US);
+                    if (hostLowerCase.endsWith(".i2p")) {
                         // Destination gets the host name
                         destination = host;
                     } else if (host.contains(".") || host.startsWith("[")) {
@@ -235,7 +236,9 @@ public class I2PTunnelConnectClient extends I2PTunnelHTTPClientBase implements R
                             usingWWWProxy = true;
                             newRequest.append("CONNECT ").append(host).append(restofline).append("\r\n"); // HTTP spec
                          }
-                    } else if (host.toLowerCase(Locale.US).equals("localhost")) {
+                    } else if (hostLowerCase.equals("localhost") || host.equals("127.0.0.1") ||
+                               hostLowerCase.endsWith(".localhost") ||
+                               host.startsWith("192.168.") || host.equals("[::1]")) {
                         writeErrorMessage(ERR_LOCALHOST, out);
                         return;
                     } else {  // full b64 address (hopefully)
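Review bot: The loopback and private-address tests added to this `else if` look unreachable for every value except the bare name `localhost`, because the earlier branch `else if (host.contains(".") || host.startsWith("["))` shown in the previous hunk already matches `127.0.0.1`, `192.168.*`, `*.localhost` and `[::1]`. The lines between the two hunks are not visible, but the indentation suggests a single if/else chain, in which case such a CONNECT target would still be handled by that earlier branch (the context above shows it building a forwarded `CONNECT` request) instead of being answered with `ERR_LOCALHOST`. Moving the check ahead of the dotted-host branch, directly after the `.i2p` test, would make it take effect. The enclosing method starts and ends outside both hunks.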
diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS4aServer.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS4aServer.java
index fd99ce1699..bf18449398 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS4aServer.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS4aServer.java
@@ -210,7 +210,8 @@ class SOCKS4aServer extends SOCKSServer {
         I2PSocket destSock;
 
         try {
-            if (connHostName.toLowerCase(Locale.US).endsWith(".i2p")) {
+            String hostLowerCase = connHostName.toLowerCase(Locale.US);
+            if (hostLowerCase.endsWith(".i2p")) {
                 Destination dest = _context.namingService().lookup(connHostName);
                 if (dest == null) {
                     try {
@@ -224,7 +225,9 @@ class SOCKS4aServer extends SOCKSServer {
                 I2PSocketOptions sktOpts = t.buildOptions(overrides);
                 sktOpts.setPort(connPort);
                 destSock = t.createI2PSocket(dest, sktOpts);
-            } else if ("localhost".equals(connHostName) || "127.0.0.1".equals(connHostName)) {
+            } else if ("localhost".equals(hostLowerCase) || "127.0.0.1".equals(connHostName) ||
+                       hostLowerCase.endsWith(".localhost") ||
+                       connHostName.startsWith("192.168.") || connHostName.equals("[::1]")) {
                 String err = "No localhost accesses allowed through the Socks Proxy";
                 _log.error(err);
                 try {
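Review bot: The string comparisons added to this `else if` reject only `127.0.0.1`, `192.168.*`, `[::1]` and `*.localhost`, so other loopback and private destinations (the rest of 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, link-local, an unbracketed `::1`) still fall through to the final branch, which lies outside the hunk. The same condition is pasted into the SOCKS5Server hunk and the I2PTunnelConnectClient hunk with differing operand order, so the three copies can drift apart. I would replace it with one shared helper, called as `} else if (isLocalOrPrivate(connHostName)) {`, that matches `localhost` and `.localhost` by name and, for literal addresses only (no DNS lookup), parses them and tests `isLoopbackAddress()`, `isSiteLocalAddress()`, `isLinkLocalAddress()` and `isAnyLocalAddress()`. The `err` text "No localhost accesses allowed" no longer describes the `192.168.*` case, which will mislead whoever reads the log; something like `"No local or private address access allowed through the Socks Proxy"` would fit both this file and SOCKS5Server.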
diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS5Server.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS5Server.java
index 7ae5997931..aa02b8aadb 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS5Server.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/socks/SOCKS5Server.java
@@ -369,7 +369,8 @@ class SOCKS5Server extends SOCKSServer {
         I2PSocket destSock;
 
         try {
-            if (connHostName.toLowerCase(Locale.US).endsWith(".i2p")) {
+            String hostLowerCase = connHostName.toLowerCase(Locale.US);
+            if (hostLowerCase.endsWith(".i2p")) {
                 // Let's not do a new Dest for every request, huh?
                 //I2PSocketManager sm = I2PSocketManagerFactory.createManager();
                 //destSock = sm.connect(I2PTunnel.destFromName(connHostName), null);
@@ -386,7 +387,9 @@ class SOCKS5Server extends SOCKSServer {
                 I2PSocketOptions sktOpts = t.buildOptions(overrides);
                 sktOpts.setPort(connPort);
                 destSock = t.createI2PSocket(dest, sktOpts);
-            } else if ("localhost".equals(connHostName) || "127.0.0.1".equals(connHostName)) {
+            } else if (hostLowerCase.equals("localhost") || connHostName.equals("127.0.0.1") ||
+                       hostLowerCase.endsWith(".localhost") ||
+                       connHostName.startsWith("192.168.") || connHostName.equals("[::1]")) {
                 String err = "No localhost accesses allowed through the Socks Proxy";
                 _log.error(err);
                 try {
-- 
GitLab