From 26df0f5dfa561b72b23c694682c9a1dfaf527e63 Mon Sep 17 00:00:00 2001 From: mvoelkel Date: Sat, 3 Oct 2015 17:49:06 +0200 Subject: [PATCH] added pishing frustration to updateserver.lua Only accepts hosts which resolve to a private ipv4 address (10, 172.16-31, 192.168 This should making it harder to trick people into installing bad FW images --- octoserve/var/www/updateserver.lua | 42 ++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/octoserve/var/www/updateserver.lua b/octoserve/var/www/updateserver.lua index 983f7d4..80defb1 100644 --- a/octoserve/var/www/updateserver.lua +++ b/octoserve/var/www/updateserver.lua @@ -1,5 +1,8 @@ #!/usr/bin/lua +local socket = require("socket") +local url = require("socket.url") + local host = os.getenv("HTTP_HOST") local proto = os.getenv("SERVER_PROTOCOL") local query = os.getenv("QUERY_STRING") @@ -12,6 +15,19 @@ function http_print(s) end end +function SendError(err,desc) + http_print(proto.." "..err) + http_print("Content-Type: text/html") + http_print() + local file = io.open("e404.html") + if file then + local tmp = file:read("*a") + tmp = string.gsub(tmp,"404 Not Found",err .. " " .. desc) + http_print(tmp) + file:close() + end +end + local hex_to_char = function(x) return string.char(tonumber(x,16)) end 
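Review bot: `SendError` splices `desc` into the HTML body unescaped at `tmp = string.gsub(tmp,"404 Not Found",err .. " " .. desc)`, and the `set=` branch later passes the user-supplied `userver` as `desc`, so the rejected value is reflected into the page as markup; the same line also uses that value as a gsub replacement string, where any `%` left after the hex decoding (`%25` becomes `%`) raises "invalid use of '%' in replacement string" and aborts the response. Escape the text and hand it to gsub through a function so it is not interpreted: `local safe = tostring(desc):gsub("[&<>\"']", { ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;", ['"'] = "&quot;", ["'"] = "&#39;" })`, `local msg = err .. " " .. safe`, `tmp = string.gsub(tmp, "404 Not Found", function() return msg end)`. Like `http_print` above it, `SendError` is declared as a global; `local function SendError(err,desc)` would keep it out of `_G` while remaining visible to the `set=` branch further down the file.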
@@ -39,11 +55,27 @@ elseif query:sub(1,4) == "set=" then
 if userver ~= "" then
 userver = userver:gsub("%%(%x%x)",hex_to_char)
 -- userver = userver:gsub("+"," ")
- local file = io.open("/config/updateserver","w")
- if file then
- file:write(userver.."\n")
- file:close()
- delimages = true
+ local valid = false
+ local path = url.parse("http://"..userver)
+ if path.host then
+ local ip = socket.dns.toip(path.host)
+ if ip == nil then
+ ip = path.host
+ end
+ local p1,p2 = ip:match("(%d+)%.(%d+)%.%d+%.%d+")
+ p1 = tonumber(p1)
+ p2 = tonumber(p2)
+ valid = (p1 == 10) or ((p1 == 172) and (p2 >= 16) and (p2 <= 31)) or ((p1 == 192) and (p2 == 168))
+ end
+ if valid then
+ local file = io.open("/config/updateserver","w")
+ if file then
+ file:write(userver.."\n")
+ file:close()
+ delimages = true
+ end
+ else
+ SendError(400, "Invalid or not local: ".. userver)
 end
 else
 os.remove("/config/updateserver")
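Review bot: The private-range test at `local p1,p2 = ip:match("(%d+)%.(%d+)%.%d+%.%d+")` is unanchored and, because of the `if ip == nil then ip = path.host end` fallback, is applied to the raw host name whenever resolution fails, so a name that merely contains a private-looking dotted quad passes, while a name with no dotted quad at all makes `tonumber(nil)` raise and abort the script instead of reaching `SendError`. Anchoring the pattern and guarding the conversion fixes both: `local p1, p2 = ip:match("^(%d+)%.(%d+)%.%d+%.%d+$")` followed by `if p1 then p1, p2 = tonumber(p1), tonumber(p2) end`; with `p1` left nil the existing `valid = ...` expression evaluates to false. `socket.dns.toip` is also consulted only once, when the value is stored; if the saved host is resolved again when an image is actually fetched (that code is outside the hunk), the answer can differ from the one checked here, so this validates what is stored rather than what is later downloaded. The enclosing `elseif` branch starts and ends outside the hunk.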