oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow websocket connection originates from earlier accepted hostnames

Browse source
This commit is contained in:
shortcutme 2019-08-28 01:32:02 +02:00
parent 67b78ca12d
commit 27a67d9753
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
2 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/Ui/UiRequest.py
View file

@ -416,6 +416,9 @@ class UiRequest(object):
file_url = "/" + address + "/" + inner_path file_url = "/" + address + "/" + inner_path
root_url = "/" + address + "/" root_url = "/" + address + "/"
if self.isProxyRequest():
self.server.allowed_ws_origins.add(self.env["HTTP_HOST"])
# Wrapper variable inits # Wrapper variable inits
body_style = "" body_style = ""
meta_tags = "" meta_tags = ""
@ -715,9 +718,10 @@ class UiRequest(object):
# Allow only same-origin websocket requests # Allow only same-origin websocket requests
origin = self.env.get("HTTP_ORIGIN") origin = self.env.get("HTTP_ORIGIN")
host = self.env.get("HTTP_HOST") host = self.env.get("HTTP_HOST")
if origin and host: # Allow only same-origin websocket requests
if origin:
origin_host = origin.split("://", 1)[-1] origin_host = origin.split("://", 1)[-1]
if host != origin_host: if origin_host != host and origin_host not in self.server.allowed_ws_origins:
ws.send(json.dumps({"error": "Invalid origin: %s" % origin})) ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
return self.error403("Invalid origin: %s" % origin) return self.error403("Invalid origin: %s" % origin)

1
src/Ui/UiServer.py
View file

@ -75,6 +75,7 @@ class UiServer:
else: else:
self.allowed_hosts = set([]) self.allowed_hosts = set([])
self.allow_trans_proxy = config.ui_trans_proxy self.allow_trans_proxy = config.ui_trans_proxy
self.allowed_ws_origins = set()
self.wrapper_nonces = [] self.wrapper_nonces = []
self.add_nonces = [] self.add_nonces = []