From 67b78ca12d75cb208a3273ad7c9e412e893cc42e Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Sun, 18 Aug 2019 03:20:44 +0200
Subject: [PATCH] Rev3868, Add origin validation to websocket connections

---
 src/Config.py       |  2 +-
 src/Ui/UiRequest.py | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/Config.py b/src/Config.py
index 4a84e678..8c9fda74 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -13,7 +13,7 @@ class Config(object):
     def __init__(self, argv):
         self.version = "0.6.5"
-        self.rev = 3866
+        self.rev = 3868
         self.argv = argv
         self.action = None
         self.pending_changes = {}
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 7fcc3c9e..25c9ae0e 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -710,9 +710,19 @@ class UiRequest(object):
     # On websocket connection
     def actionWebsocket(self):
         ws = self.env.get("wsgi.websocket")
+
         if ws:
-            wrapper_key = self.get["wrapper_key"]
+            # Allow only same-origin websocket requests
+            origin = self.env.get("HTTP_ORIGIN")
+            host = self.env.get("HTTP_HOST")
+            if origin and host:
+                origin_host = origin.split("://", 1)[-1]
+                if host != origin_host:
+                    ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
+                    return self.error403("Invalid origin: %s" % origin)
+            # Find site by wrapper_key
+            wrapper_key = self.get["wrapper_key"]
             site = None
             for site_check in self.server.sites.values():
                 if site_check.settings["wrapper_key"] == wrapper_key: