
fix: check origin header for websocket connection (#1603)
sokra authored and evilebottnawi committed Dec 21, 2018
1 parent 68dd49a commit b3217ca
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions lib/Server.js
Expand Up @@ -630,14 +630,16 @@ Server.prototype.setContentHeaders = function (req, res, next) {
next();
};

Server.prototype.checkHost = function (headers) {
Server.prototype.checkHost = function (headers, headerToCheck) {
// allow user to opt-out this security check, at own risk
if (this.disableHostCheck) {
return true;
}

if (!headerToCheck) headerToCheck = 'host';
// get the Host header and extract hostname
// we don't care about port not matching
const hostHeader = headers.host;
const hostHeader = headers[headerToCheck];

if (!hostHeader) {
return false;
Expand Down Expand Up @@ -725,8 +727,8 @@ Server.prototype.listen = function (port, hostname, fn) {
return;
}

if (!this.checkHost(connection.headers)) {
this.sockWrite([ connection ], 'error', 'Invalid Host header');
if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, 'origin')) {
this.sockWrite([ connection ], 'error', 'Invalid Host/Origin header');

connection.close();

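Review bot: The new condition `if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, 'origin'))` rejects every websocket client that sends no Origin header at all, because checkHost returns false when `headers[headerToCheck]` is absent (the `if (!hostHeader) { return false; }` branch in the first hunk), and non-browser clients commonly omit Origin. Since the Origin check exists to stop cross-site browser pages rather than arbitrary clients (which can set any Origin anyway), it is reasonable to enforce it only when the header is present: `const origin = connection.headers.origin;` followed by `if (!this.checkHost(connection.headers) || (origin && !this.checkHost(connection.headers, 'origin')))`. Separately, an Origin value carries a scheme (`http://host:port`) whereas Host does not; if the hostname extraction after `const hostHeader = headers[headerToCheck];` (outside this view) assumes the Host format, a legitimate Origin may not parse to the expected hostname, so a test that a browser connection from the served page is still accepted would be worth adding. Both the checkHost body and the listen() callback containing this check begin and end outside the hunks.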
