Rev3868, Add origin validation to websocket connections

shortcutme 2019-08-18 03:20:44 +02:00
parent 77a5d88ec9
commit 67b78ca12d
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
2 changed files with 12 additions and 2 deletions


@ -13,7 +13,7 @@ class Config(object):
def __init__(self, argv): def __init__(self, argv):
self.version = "0.6.5" self.version = "0.6.5"
self.rev = 3866 self.rev = 3868
self.argv = argv self.argv = argv
self.action = None self.action = None
self.pending_changes = {} self.pending_changes = {}


@ -710,9 +710,19 @@ class UiRequest(object):
# On websocket connection # On websocket connection
def actionWebsocket(self): def actionWebsocket(self):
ws = self.env.get("wsgi.websocket") ws = self.env.get("wsgi.websocket")
if ws: if ws:
wrapper_key = self.get["wrapper_key"] # Allow only same-origin websocket requests
origin = self.env.get("HTTP_ORIGIN")
host = self.env.get("HTTP_HOST")
if origin and host:
origin_host = origin.split("://", 1)[-1]
if host != origin_host:
ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
return self.error403("Invalid origin: %s" % origin)
# Find site by wrapper_key # Find site by wrapper_key
wrapper_key = self.get["wrapper_key"]
site = None site = None
for site_check in self.server.sites.values(): for site_check in self.server.sites.values():
if site_check.settings["wrapper_key"] == wrapper_key: if site_check.settings["wrapper_key"] == wrapper_key:
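Review bot: The new origin check in actionWebsocket fails open, because `if origin and host:` skips validation whenever either header is missing, so a request that carries an Origin but no Host is accepted unchecked. Rejecting when Origin is present and Host is absent or different would close that gap, e.g. `if origin and (not host or origin.split("://", 1)[-1].lower() != host.lower()):`. Comparing Origin only against the request's own Host also passes when both name the same unexpected host (as after DNS rebinding), so the check relies on Host being validated against an allow-list elsewhere; that is not visible in this hunk and is worth confirming in a comment next to the check. The method body continues past the end of the hunk.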