From b871849df45cc5da9eff0ca780c0c8afe0e8a0cd Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Sun, 18 Aug 2019 03:03:02 +0200
Subject: [PATCH] Add origin validation to websocket connections

---
 src/Ui/UiRequest.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 48599fda..c68f48a0 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -712,9 +712,19 @@ class UiRequest(object):
     # On websocket connection
     def actionWebsocket(self):
         ws = self.env.get("wsgi.websocket")
+
         if ws:
-            wrapper_key = self.get["wrapper_key"]
+            # Allow only same-origin websocket requests
+            origin = self.env.get("HTTP_ORIGIN")
+            host = self.env.get("HTTP_HOST")
+            if origin and host:
+                origin_host = origin.split("://", 1)[-1]
+                if host != origin_host:
+                    ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
+                    return self.error403("Invalid origin: %s" % origin)
+
             # Find site by wrapper_key
+            wrapper_key = self.get["wrapper_key"]
             site = None
             for site_check in list(self.server.sites.values()):
                 if site_check.settings["wrapper_key"] == wrapper_key:
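Review bot: The new origin check in actionWebsocket is purely relative — it accepts any Origin whose host part equals the request's own Host header — so it stops a cross-site page on a different host, but it gives no protection when both headers name the same attacker-controlled name (DNS rebinding) unless Host is itself validated against the configured UI host elsewhere; the comment above the check should state that dependency, e.g. `# Same-origin check only; relies on Host having been validated against the UI host allowlist`. The comparison is also case-sensitive (host names are not) and is skipped entirely when Origin is absent, and neither decision is recorded; a line such as `# No Origin header: presumably a non-browser client — TODO confirm this is intended` would make the bypass deliberate rather than accidental. After a rejection the websocket is left open: add `ws.close()` before `return self.error403("Invalid origin: %s" % origin)`. actionWebsocket's body continues beyond the end of the hunk.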