From c3dee2d6bdd3dd3dedc8922a8768ab5717d3d81f Mon Sep 17 00:00:00 2001
From: orbiter
Date: Tue, 31 Dec 2013 15:25:44 +0100
Subject: [PATCH] added security patch
---
 source/net/yacy/http/servlets/YaCyProxyServlet.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/source/net/yacy/http/servlets/YaCyProxyServlet.java b/source/net/yacy/http/servlets/YaCyProxyServlet.java
index 49c84ca81..0e8fabea1 100644
--- a/source/net/yacy/http/servlets/YaCyProxyServlet.java
+++ b/source/net/yacy/http/servlets/YaCyProxyServlet.java
@@ -5,6 +5,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringWriter;
+import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLDecoder;
@@ -24,6 +25,7 @@ import net.yacy.cora.document.encoding.UTF8;
 import net.yacy.cora.document.id.DigestURL;
 import net.yacy.cora.document.id.MultiProtocolURL;
 import net.yacy.cora.protocol.ClientIdentification;
+import net.yacy.cora.protocol.Domains;
 import net.yacy.cora.protocol.HeaderFramework;
 import net.yacy.cora.protocol.RequestHeader;
 import net.yacy.cora.protocol.ResponseHeader;
@@ -78,6 +80,10 @@ public class YaCyProxyServlet extends ProxyServlet implements Servlet {
 final HttpServletRequest request = (HttpServletRequest) req;
 final HttpServletResponse response = (HttpServletResponse) res;
+ String remoteHost = req.getRemoteHost();
+ InetAddress remoteIP = Domains.dnsResolve(remoteHost);
+ if (!remoteIP.isAnyLocalAddress()) throw new ServletException("access denied");
+ if ("CONNECT".equalsIgnoreCase(request.getMethod())) {
 handleConnect(request, response);
 } else {
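Review bot: In the third hunk, `remoteIP.isAnyLocalAddress()` tests for the wildcard address (0.0.0.0 or ::), not for a loopback or other local client, so a real peer address should never satisfy it and the guard would reject every request, local ones included. The address is also derived by forward-resolving `req.getRemoteHost()`, which can be a reverse-DNS name chosen by whoever controls the client's PTR record, so the decision rests on client-influenced data rather than on the socket address. `Domains.dnsResolve` is not visible here; if it can return null for an unresolvable name, the next line fails with a NullPointerException instead of a clean denial. I would decide on the peer address directly, `final InetAddress remoteIP = InetAddress.getByName(req.getRemoteAddr());` followed by `if (!remoteIP.isLoopbackAddress()) throw new ServletException("access denied");`, or use the project's own local-address helper if one exists, and consider answering with a 403 rather than an exception. The enclosing method starts and ends outside the hunk, so confirm it declares `IOException` for `getByName`.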