added pishing frustration to updateserver.lua

Only accepts hosts which resolve to a private ipv4 address (10,
172.16-31, 192.168
This should making it harder to trick people into installing bad FW
images

octoserve/var/www/updateserver.lua

@@ -1,5 +1,8 @@
 #!/usr/bin/lua
 
+local socket = require("socket")
+local url = require("socket.url")
+
 local host = os.getenv("HTTP_HOST")
 local proto = os.getenv("SERVER_PROTOCOL")
 local query = os.getenv("QUERY_STRING")
@@ -12,6 +15,19 @@ function http_print(s)
   end
 end
 
+function SendError(err,desc)
+  http_print(proto.." "..err)
+  http_print("Content-Type: text/html")
+  http_print()
+  local file = io.open("e404.html")
+  if file then
+    local tmp = file:read("*a")
+    tmp = string.gsub(tmp,"404 Not Found",err .. " " .. desc)
+    http_print(tmp)
+    file:close()
+  end
+end
+
 local hex_to_char = function(x)
    return string.char(tonumber(x,16))
 end
@@ -39,12 +55,28 @@ elseif query:sub(1,4) == "set=" then
     if userver ~= "" then
       userver = userver:gsub("%%(%x%x)",hex_to_char)
       -- userver = userver:gsub("+"," ")
+      local valid = false
+      local path = url.parse("http://"..userver)
+      if path.host then
+         local ip = socket.dns.toip(path.host)
+         if ip == nil then
+            ip = path.host
+         end
+         local p1,p2 = ip:match("(%d+)%.(%d+)%.%d+%.%d+")
+         p1 = tonumber(p1)
+         p2 = tonumber(p2)
+         valid = (p1 == 10) or ((p1 == 172) and (p2 >= 16) and (p2 <= 31)) or ((p1 == 192) and (p2 == 168))          
+      end
+      if valid then
          local file = io.open("/config/updateserver","w")
          if file then
             file:write(userver.."\n")
             file:close()
             delimages = true
          end
+      else
+         SendError(400, "Invalid or not local: ".. userver)
+      end
     else
       os.remove("/config/updateserver")
       delimages = true