Allow use of IP ranges for SEARCH_CLIENTS

Célestin Matte · mhagander · commit 1eec1401a56a · 2021-10-27T15:40:45.000+02:00
Allows the use of IP ranges in CIDR format in the SEARCH_CLIENTS
parameter. Individual addresses can still be specified and continue to
work like before.
diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py
@@ -20,6 +20,7 @@
 import email.policy
 from io import BytesIO
 from urllib.parse import quote
+import ipaddress
 
 import json
 
@@ -709,7 +710,12 @@ def search(request):
         return HttpResponseForbidden('Not public archives')
 
     # Only certain hosts are allowed to call the search API
-    if not request.META['REMOTE_ADDR'] in settings.SEARCH_CLIENTS:
+    allowed = False
+    for ip_range in settings.SEARCH_CLIENTS:
+        if ipaddress.ip_address(request.META['REMOTE_ADDR']) in ipaddress.ip_network(ip_range):
+            allowed = True
+            break
+    if not allowed:
         return HttpResponseForbidden('Invalid host')
 
     curs = connection.cursor()
