From 5a16a35ef2fa759eefdd20e67d2d41103dc48b10 Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Thu, 26 Jul 2012 07:49:12 -0500
Subject: [PATCH] validate request.client

---
 VERSION | 2 +-
 gluon/main.py | 3 +++
 gluon/utils.py | 22 +++++++++++++++++++++-
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/VERSION b/VERSION
index f20e0772..930ddc4b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.00.0 (2012-07-26 07:37:27) dev
+Version 2.00.0 (2012-07-26 07:49:09) dev
diff --git a/gluon/main.py b/gluon/main.py
index cff04b3c..a3779359 100644
--- a/gluon/main.py
+++ b/gluon/main.py
@@ -87,6 +87,7 @@ from settings import global_settings
 from validators import CRYPT
 from cache import Cache
 from html import URL as Url
+from utils import is_valid_ip_address
 import newcron
 import rewrite
@@ -402,6 +403,8 @@ def wsgibase(environ, responder):
                 try: local_hosts.append(socket.gethostbyname(http_host))
                 except socket.gaierror: pass
                 request.client = get_client(request.env)
+                if not is_valid_ip_address(request.client):
+                    raise HTTP(400,"Bad Request")
                 request.folder = abspath('applications', request.application) + os.sep
                 x_req_with = str(request.env.http_x_requested_with).lower()
diff --git a/gluon/utils.py b/gluon/utils.py
index d429b100..911182fb 100644
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -16,6 +16,7 @@ import random
 import time
 import os
 import logging
+import socket
 from contrib.pbkdf2 import pbkdf2_hex
 logger = logging.getLogger("web2py")
@@ -69,7 +70,7 @@ def get_digest(value):
     elif value == "sha512":
         return hashlib.sha512
     else:
-        raise ValueError("Invalid digest algorithm: %s" % value)
+        raise ValueError("Invalid digest algorithm: %s" % value)
 DIGEST_ALG_BY_SIZE = {
     128/4: 'md5',
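Review bot: The new `raise HTTP(400,"Bad Request")` fails closed on more than malformed client addresses, because `is_valid_ip_address` (added to gluon/utils.py in this same patch) returns False from its `except AttributeError: # no socket.inet_pton` branch, so on a platform without `socket.inet_pton` every client whose address is not a dotted quad is rejected with a 400. It also rejects legitimate IPv4-mapped IPv6 clients: `'::ffff:1.2.3.4'.count('.') == 3` routes the value to `socket.inet_aton`, which raises `socket.error` for that form. Consider having the helper fall back to `socket.inet_pton(socket.AF_INET6, address)` when `inet_aton` fails and distinguishing "validation unavailable" from "address invalid", so that only the latter reaches this 400. A one-line comment above the check, such as `# reject a malformed or forged client address before any app code trusts request.client`, would record why the check sits before request.folder is set; whether `get_client` can return None (which the helper's AttributeError branch would also turn into a 400) is not visible in the hunk. wsgibase's body starts and ends outside the hunk.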
@@ -146,6 +147,25 @@ def web2py_uuid():
     bytes = ''.join(chr(c ^ ctokens[i]) for i,c in enumerate(bytes))
     return str(uuid.UUID(bytes=bytes, version=4))
+def is_valid_ip_address(address):
+    """
+    >>> is_valid_ip_address('127.0')
+    False
+    >>> is_valid_ip_address('127.0.0.1')
+    True
+    >>> is_valid_ip_address('2001:660::1')
+    True
+    """
+    try:
+        if address.count('.')==3:
+            addr = socket.inet_aton(address)
+        else:
+            addr = socket.inet_pton(socket.AF_INET6, address)
+    except AttributeError: # no socket.inet_pton
+        return False
+    except socket.error:
+        return False
+    return True