diff --git a/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs b/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
index 90055d8ec1..6332087391 100644
--- a/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/MediaBrowser.Server.Implementations/HttpServer/HttpListenerHost.cs
@@ -331,6 +331,46 @@ namespace MediaBrowser.Server.Implementations.HttpServer
return url;
}
+ private string NormalizeConfiguredLocalAddress(string address)
+ {
+ var index = address.Trim('/').IndexOf('/');
+
+ if (index != -1)
+ {
+ address = address.Substring(index + 1);
+ }
+
+ return address.Trim('/');
+ }
+
+ private bool ValidateHost(Uri url)
+ {
+ var hosts = _config
+ .Configuration
+ .LocalNetworkAddresses
+ .Select(NormalizeConfiguredLocalAddress)
+ .ToList();
+
+ if (hosts.Count == 0)
+ {
+ return true;
+ }
+
+ var host = url.Host ?? string.Empty;
+
+ _logger.Debug("Validating host {0}", host);
+
+ if (_networkManager.IsInPrivateAddressSpace(host))
+ {
+ hosts.Add("localhost");
+ hosts.Add("127.0.0.1");
+
+ return hosts.Any(i => host.IndexOf(i, StringComparison.OrdinalIgnoreCase) != -1);
+ }
+
+ return true;
+ }
+
///
/// Overridable method that can be used to implement a custom hnandler
///
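Review bot: The final comparison in ValidateHost's private-address branch is a substring test, `host.IndexOf(i, StringComparison.OrdinalIgnoreCase) != -1`. A configured entry such as `192.168.1.1` (constructed example) therefore also accepts `192.168.1.10`, and an entry that NormalizeConfiguredLocalAddress reduces to an empty string accepts every host. An exact match would be `return hosts.Any(i => string.Equals(i, host, StringComparison.OrdinalIgnoreCase));`, with empty entries filtered out after `.Select(NormalizeConfiguredLocalAddress)`. Separately, any host that `_networkManager.IsInPrivateAddressSpace` does not classify as private returns true without consulting the list. That helper is not visible here, but if it tests the literal string, a named host would skip the allow-list entirely, so the final `return true;` needs a comment stating that this is intended.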
@@ -350,6 +390,16 @@ namespace MediaBrowser.Server.Implementations.HttpServer
return ;
}
+ if (!ValidateHost(url))
+ {
+ httpRes.StatusCode = 400;
+ httpRes.ContentType = "text/plain";
+ httpRes.Write("Invalid host");
+
+ httpRes.Close();
+ return;
+ }
+
var operationName = httpReq.OperationName;
var localPath = url.LocalPath;
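Review bot: The rejection branch answers 400 without logging anything. The only log line is the `_logger.Debug("Validating host {0}", host)` call inside ValidateHost, which runs before the decision, so a blocked request probably leaves no trace unless debug logging is enabled. Adding `_logger.Warn("Rejected request with invalid host {0}", url.Host);` before `httpRes.StatusCode = 400;` would make rejections visible, both for diagnosing a misconfigured LocalNetworkAddresses list and for spotting unexpected Host values. The enclosing handler starts and ends outside this hunk, so it cannot be confirmed here whether any request processing runs before this check.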
diff --git a/MediaBrowser.Server.Startup.Common/ApplicationHost.cs b/MediaBrowser.Server.Startup.Common/ApplicationHost.cs
index 74438abbcf..9eb8a47366 100644
--- a/MediaBrowser.Server.Startup.Common/ApplicationHost.cs
+++ b/MediaBrowser.Server.Startup.Common/ApplicationHost.cs
@@ -821,42 +821,11 @@ namespace MediaBrowser.Server.Startup.Common
private string CertificatePath { get; set; }
- private string NormalizeConfiguredLocalAddress(string address)
- {
- var index = address.Trim('/').IndexOf('/');
-
- if (index != -1)
- {
- address = address.Substring(index + 1);
- }
-
- return address.Trim('/');
- }
private IEnumerable GetUrlPrefixes()
{
- var hosts = ServerConfigurationManager
- .Configuration
- .LocalNetworkAddresses
- .Select(NormalizeConfiguredLocalAddress)
- .ToList();
+ var hosts = new List();
- if (hosts.Count == 0)
- {
- hosts.Add("+");
- }
-
- if (!hosts.Contains("+", StringComparer.OrdinalIgnoreCase))
- {
- if (!hosts.Contains("localhost", StringComparer.OrdinalIgnoreCase))
- {
- hosts.Add("localhost");
- }
-
- if (!hosts.Contains("127.0.0.1", StringComparer.OrdinalIgnoreCase))
- {
- hosts.Add("127.0.0.1");
- }
- }
+ hosts.Add("+");
return hosts.SelectMany(i =>
{