Rev3868, Add origin validation to websocket connections

2019-08-18 03:20:44 +02:00 · 2019-08-18 03:20:44 +02:00 · 67b78ca12d
commit 67b78ca12d
parent 77a5d88ec9
2 changed files with 12 additions and 2 deletions
--- a/src/Config.py
+++ b/src/Config.py
@ -13,7 +13,7 @@ class Config(object):

    def __init__(self, argv):
        self.version = "0.6.5"
-        self.rev = 3866
+        self.rev = 3868
        self.argv = argv
        self.action = None
        self.pending_changes = {}
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -710,9 +710,19 @@ class UiRequest(object):
    # On websocket connection
    def actionWebsocket(self):
        ws = self.env.get("wsgi.websocket")
+
        if ws:
-            wrapper_key = self.get["wrapper_key"]
+            # Allow only same-origin websocket requests
+            origin = self.env.get("HTTP_ORIGIN")
+            host = self.env.get("HTTP_HOST")
+            if origin and host:
+                origin_host = origin.split("://", 1)[-1]
+                if host != origin_host:
+                    ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
+                    return self.error403("Invalid origin: %s" % origin)
+
            # Find site by wrapper_key
+            wrapper_key = self.get["wrapper_key"]
            site = None
            for site_check in self.server.sites.values():
                if site_check.settings["wrapper_key"] == wrapper_key: