commit 366b1050ece60ff48cb3e0d2a2b171953f073840
parent b3aab7a6ad70ade47133936a8a4199218f10594b
Author: Daniel GarcĂa <dani-garcia@users.noreply.github.com>
Date: Sun, 27 Nov 2022 22:00:54 +0100
Merge pull request #2921 from BlackDex/issue-2909
Prevent DNS leak when icon regex is configured
Diffstat:
2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/src/api/icons.rs b/src/api/icons.rs
@@ -262,17 +262,8 @@ use cached::proc_macro::cached;
#[cached(key = "String", convert = r#"{ domain.to_string() }"#, size = 16, time = 60)]
#[allow(clippy::unused_async)] // This is needed because cached causes a false-positive here.
async fn is_domain_blacklisted(domain: &str) -> bool {
- if CONFIG.icon_blacklist_non_global_ips() {
- if let Ok(s) = lookup_host((domain, 0)).await {
- for addr in s {
- if !is_global(addr.ip()) {
- debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
- return true;
- }
- }
- }
- }
-
+ // First check the blacklist regex if there is a match.
+ // This prevents the blocked domain(s) from being leaked via a DNS lookup.
if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
// Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
let is_match = if let Some(regex) = ICON_BLACKLIST_REGEX.get(&blacklist) {
@@ -297,6 +288,18 @@ async fn is_domain_blacklisted(domain: &str) -> bool {
return true;
}
}
+
+ if CONFIG.icon_blacklist_non_global_ips() {
+ if let Ok(s) = lookup_host((domain, 0)).await {
+ for addr in s {
+ if !is_global(addr.ip()) {
+ debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
+ return true;
+ }
+ }
+ }
+ }
+
false
}
diff --git a/src/static/images/fallback-icon.png b/src/static/images/fallback-icon.png
Binary files differ.
