SSRF protection: Edge case handling for CGNAT and v4/v6 mapping (Z#23236468)

2026-06-11 01:25:13 +00:00 · 2026-06-09 11:16:30 +02:00
parent 93469d33e5
commit 62f35f0c10
2 changed files with 5 additions and 1 deletions
--- a/src/pretix/helpers/monkeypatching.py
+++ b/src/pretix/helpers/monkeypatching.py
@@ -148,13 +148,14 @@ def monkeypatch_urllib3_ssrf_protection():

            if not getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
                ip_addr = ipaddress.ip_address(sa[0])
+                check_ip4 = ip_addr.ipv4_mapped if getattr(ip_addr, "ipv4_mapped", None) else ip_addr
                if ip_addr.is_multicast:
                    raise HTTPError(f"Request to multicast address {sa[0]} blocked")
                if ip_addr.is_loopback or ip_addr.is_link_local:
                    raise HTTPError(f"Request to local address {sa[0]} blocked")
                if ip_addr.is_private:
                    raise HTTPError(f"Request to private address {sa[0]} blocked")
-                if ip_addr in _cgnat_net:
+                if check_ip4 in _cgnat_net:
                    raise HTTPError(f"Request to RFC 6598 address {sa[0]} blocked")

            sock = None