lzc256
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipn/ipnlocal: lock down unsigned peers more 

Apparently there's no tracking bug?

Updates tailscale/corp#7515 for ingress/funnel at least.

Change-Id: I03bc54fdc1f53f9832ab8b51475b2d676c38d897
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/6476/head
Brad Fitzpatrick 2022-11-23 15:14:25 -08:00 committed by Brad Fitzpatrick
parent dc75b7cfd1
commit 6e6f27dd21
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ipn/ipnlocal/peerapi.go
View File

@ -818,6 +818,10 @@ func (f *incomingFile) PartialFile() ipn.PartialFile {
// canPutFile reports whether h can put a file ("Taildrop") to this node.
func (h *peerAPIHandler) canPutFile() bool {
if h.peerNode.UnsignedPeerAPIOnly {
// Unsigned peers can't send files.
return false
}
return h.isSelf || h.peerHasCap(tailcfg.CapabilityFileSharingSend)
}
@ -828,6 +832,10 @@ func (h *peerAPIHandler) canDebug() bool {
// This node does not expose debug info.
return false
}
if h.peerNode.UnsignedPeerAPIOnly {
// Unsigned peers can't debug.
return false
}
return h.isSelf || h.peerHasCap(tailcfg.CapabilityDebugPeer)
}