From: Badlop Date: Thu, 22 Aug 2019 15:11:48 +0000 (+0200) Subject: Check account auth provided in WebAdmin is a local host (#3000) X-Git-Tag: 19.09~48 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a51aa2bc44c9bf712c8513a0b2b8d625a646cb7e;p=ejabberd Check account auth provided in WebAdmin is a local host (#3000)
---
diff --git a/src/ejabberd_web_admin.erl b/src/ejabberd_web_admin.erl
index 9bd278889..7eb10cdc6 100644
--- a/src/ejabberd_web_admin.erl
+++ b/src/ejabberd_web_admin.erl
@@ -265,6 +265,13 @@ get_auth_admin(Auth, HostHTTP, RPath, Method) ->
 get_auth_account(HostOfRule, AccessRule, User, Server, Pass) ->
+ case lists:member(Server, ejabberd_config:get_myhosts()) of
+ true -> get_auth_account2(HostOfRule, AccessRule, User, Server, Pass);
+ false -> {unauthorized, <<"inexistent-host">>}
+ end.
+
+get_auth_account2(HostOfRule, AccessRule, User, Server,
+ Pass) ->
 case ejabberd_auth:check_password(User, <<"">>, Server, Pass) of true -> case any_rules_allowed(HostOfRule, AccessRule,
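Review bot: `get_auth_account2/5` now depends on its caller having already confirmed that `Server` is one of the configured hosts, but neither its name nor any comment says so, and a later direct call would skip the check without any warning. I would add a comment above it such as `%% Server must already be verified as a local host; call get_auth_account/5, never this function directly.`, and consider a name that states the step it performs, for example `check_account_password`. The new reason `<<"inexistent-host">>` also tells a configured virtual host apart from an unconfigured one; the code that consumes the `{unauthorized, Reason}` tuple is outside this hunk, so please confirm the reason is only logged server-side and the HTTP response stays a uniform 401. `lists:member/2` is an exact binary comparison, so it also assumes `Server` was normalised before this call, which cannot be verified from here. The body of `get_auth_account2` continues past the end of the hunk.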