From 178de6c396bea5b49d9c671d5c9f34a11926ff0d Mon Sep 17 00:00:00 2001
From: Neil Booth <kyuupichan@gmail.com>
Date: Sun, 2 Apr 2017 10:08:03 +0900
Subject: [PATCH] Tighten restrictions on HOST

- private IP not allowed if intending for public use
- localhost not allowed
---
 server/env.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/env.py b/server/env.py
index 437ceba..64f9b2c 100644
--- a/server/env.py
+++ b/server/env.py
@@ -122,9 +122,10 @@ class Env(LoggedClass):
         try:
             ip = ip_address(host)
         except ValueError:
-            bad = not bool(host.strip())
+            bad = host.lower().strip() in ('', 'localhost')
         else:
-            bad = ip.is_multicast or ip.is_unspecified
+            bad = (ip.is_multicast or ip.is_unspecified
+                   or (ip.is_private and (self.irc or self.peer_announce)))
         if bad:
             raise self.Error('"{}" is not a valid REPORT_HOST'.format(host))
         tcp_port = self.integer('REPORT_TCP_PORT', self.tcp_port) or None