From a51aa2bc44c9bf712c8513a0b2b8d625a646cb7e Mon Sep 17 00:00:00 2001
From: Badlop
Date: Thu, 22 Aug 2019 17:11:48 +0200
Subject: [PATCH] Check account auth provided in WebAdmin is a local host (#3000)

---
 src/ejabberd_web_admin.erl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/ejabberd_web_admin.erl b/src/ejabberd_web_admin.erl
index 9bd278889..7eb10cdc6 100644
--- a/src/ejabberd_web_admin.erl
+++ b/src/ejabberd_web_admin.erl
@@ -265,6 +265,13 @@ get_auth_admin(Auth, HostHTTP, RPath, Method) ->
 get_auth_account(HostOfRule, AccessRule, User, Server, Pass) ->
+ case lists:member(Server, ejabberd_config:get_myhosts()) of
+ true -> get_auth_account2(HostOfRule, AccessRule, User, Server, Pass);
+ false -> {unauthorized, <<"inexistent-host">>}
+ end.
+
+get_auth_account2(HostOfRule, AccessRule, User, Server,
+ Pass) ->
 case ejabberd_auth:check_password(User, <<"">>, Server, Pass) of
 true ->
 case any_rules_allowed(HostOfRule, AccessRule,