From c94caf14961fff912b595d9144a2d80b58c00454 Mon Sep 17 00:00:00 2001
From: Julian Rother <julianr@fsmpi.rwth-aachen.de>
Date: Fri, 14 Apr 2017 11:12:27 +0200
Subject: [PATCH] IP-Range-Checking for RWTH-intern

---
 config.py.example | 1 +
 server.py         | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config.py.example b/config.py.example
index 6a27474..19ad921 100644
--- a/config.py.example
+++ b/config.py.example
@@ -26,3 +26,4 @@ SQLITE_INIT_DATA = True
 #LDAP_HOST = 'ldaps://rumo.fsmpi.rwth-aachen.de'
 #ICAL_URL = 'https://user:password@mail.fsmpi.rwth-aachen.de/SOGo/....ics'
 ERROR_PAGE = 'static/500.html'
+RWTH_IP_RANGES = ['134.130.0.0/16', '137.226.0.0/16', '134.61.0.0/16', '192.35.229.0/24', '2a00:8a60::/32']
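Review bot: The new `RWTH_IP_RANGES` entry carries no comment saying what it grants, and from the companion server.py hunk a client whose `X-Real-IP` falls into one of these networks is treated as RWTH-intern without any login. A one-line comment above it would make the trust boundary visible to whoever copies this example into a real config, e.g. `# Clients whose X-Real-IP (as set by the reverse proxy) is in one of these networks count as RWTH-intern`. The list mixes IPv4 and IPv6 prefixes, which `ipaddress.ip_network` accepts, so no change to the values is needed.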
diff --git a/server.py b/server.py
index 3e5993e..35e41fb 100644
--- a/server.py
+++ b/server.py
@@ -142,6 +142,12 @@ def checkperm(perms, username=None, password=None):
 		elif perm['type'] == 'rwth':
 			if session.get('rwthintern', False):
 				return True
+			if 'X-Real-IP' not in request.headers:
+				continue
+			ip = ip_address(request.headers['X-Real-IP'])
+			for net in RWTH_IP_RANGES:
+				if ip in ip_network(net):
+					return True
 	return False
 
 @app.template_filter()
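Review bot: `ip_address(request.headers['X-Real-IP'])` on the third added line raises `ValueError` for any header value that is not a valid address, so a malformed header turns a permission check into an unhandled exception rather than a denied permission; it should be caught and treated like a missing header. The check also only means anything if `X-Real-IP` is set by the reverse proxy on every request and cannot be supplied by the client directly, which this hunk cannot show — worth a comment at the check, e.g. `# X-Real-IP is trusted only because nginx overwrites it; see auth()`. The bare name `RWTH_IP_RANGES` is read differently from `config['VIDEOPREFIX']` in the later hunk of the same file, and neither it nor `ip_address`/`ip_network` is imported in this patch, so presumably they are brought into scope elsewhere — confirm. `ip_network(net)` is re-parsed for every range on every call; parsing the list once would avoid that but is not required for correctness. `checkperm` begins before this hunk and its body continues outside it.
```python
			if 'X-Real-IP' not in request.headers:
				continue
			try:
				ip = ip_address(request.headers['X-Real-IP'])
			except ValueError:
				# An unparseable header value is not evidence of an intern client.
				continue
			# … unchanged: loop over RWTH_IP_RANGES …
```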
@@ -574,7 +580,6 @@ def auth(): # For use with nginx auth_request
 	if 'X-Original-Uri' not in request.headers:
 		return 'Internal Server Error', 500
 	url = request.headers['X-Original-Uri'].lstrip(config['VIDEOPREFIX'])
-	ip = request.headers.get('X-Real-IP', '')
 	if request.cookies.get('tracking', '') and request.cookies['tracking'].isdigit():
 		cookie = int(request.cookies['tracking'])
 	else:
-- 
GitLab