Merge pull request #4212 from umbraco/temp8-fixme-only-allow-local-keep-alive-pings

Fixme - Only allow local KeepAlive Pings requests

src/Umbraco.Web/Editors/KeepAliveController.cs

@@ -1,16 +1,13 @@
 using System.Runtime.Serialization;
 using System.Web.Http;
+using Umbraco.Web.Mvc;
 using Umbraco.Web.WebApi;
 
 namespace Umbraco.Web.Editors
 {
-    // fixme/task - deal with this
-    // this is not authenticated, and therefore public, and therefore reveals we
-    // are running Umbraco - but, all requests should come from localhost really,
-    // so there should be a way to 404 when the request comes from the outside.
-
     public class KeepAliveController : UmbracoApiController
     {
+        [OnlyLocalRequests]
         [HttpGet]
         public KeepAlivePingResult Ping()
         {

src/Umbraco.Web/Mvc/OnlyLocalRequestsAttribute.cs

@@ -0,0 +1,20 @@
+
+using System.Net;
+using System.Net.Http;
+using System.Web.Http;
+using System.Web.Http.Controllers;
+using System.Web.Http.Filters;
+
+namespace Umbraco.Web.Mvc
+{
+    public class OnlyLocalRequestsAttribute : ActionFilterAttribute
+    {
+        public override void OnActionExecuting(HttpActionContext actionContext)
+        {
+            if (!actionContext.Request.IsLocal())
+            {
+                throw new HttpResponseException(HttpStatusCode.NotFound);
+            }
+        }
+    }
+}

src/Umbraco.Web/Umbraco.Web.csproj

@@ -172,6 +172,7 @@
     <Compile Include="Models\ContentEditing\MacroParameterDisplay.cs" />
     <Compile Include="Models\Link.cs" />
     <Compile Include="Models\LinkType.cs" />
+    <Compile Include="Mvc\OnlyLocalRequestsAttribute.cs" />
     <Compile Include="PropertyEditors\MultiUrlPickerConfiguration.cs" />
     <Compile Include="PropertyEditors\MultiUrlPickerConfigurationEditor.cs" />
     <Compile Include="PropertyEditors\MultiUrlPickerPropertyEditor.cs" />