From e16611f15ab06216c07baa5e0ebf3214e3ae6b07 Mon Sep 17 00:00:00 2001 From: shortcutme Date: Fri, 23 Aug 2019 03:39:16 +0200 Subject: [PATCH] Allow websocket connection originates from earlier accepted hostnames --- src/Ui/UiRequest.py | 27 +++++++++++++++++++-------- src/Ui/UiServer.py | 3 ++- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py index e34e84a5..217bbd08 100644 --- a/src/Ui/UiRequest.py +++ b/src/Ui/UiRequest.py @@ -378,6 +378,16 @@ class UiRequest(object): else: return "/" + address + def getWsServerUrl(self): + if self.isProxyRequest(): + if self.env["REMOTE_ADDR"] == "127.0.0.1": # Local client, the server address also should be 127.0.0.1 + server_url = "http://127.0.0.1:%s" % self.env["SERVER_PORT"] + else: # Remote client, use SERVER_NAME as server's real address + server_url = "http://%s:%s" % (self.env["SERVER_NAME"], self.env["SERVER_PORT"]) + else: + server_url = "" + return server_url + def processQueryString(self, site, query_string): match = re.search("zeronet_peers=(.*?)(&|$)", query_string) if match: @@ -414,6 +424,9 @@ class UiRequest(object): file_url = "/" + address + "/" + inner_path root_url = "/" + address + "/" + if self.isProxyRequest(): + self.server.allowed_ws_origins.add(self.env["HTTP_HOST"]) + # Wrapper variable inits body_style = "" meta_tags = "" @@ -430,15 +443,12 @@ class UiRequest(object): inner_query_string = "?wrapper_nonce=%s" % wrapper_nonce if self.isProxyRequest(): # Its a remote proxy request - if self.env["REMOTE_ADDR"] == "127.0.0.1": # Local client, the server address also should be 127.0.0.1 - server_url = "http://127.0.0.1:%s" % self.env["SERVER_PORT"] - else: # Remote client, use SERVER_NAME as server's real address - server_url = "http://%s:%s" % (self.env["SERVER_NAME"], self.env["SERVER_PORT"]) homepage = "http://zero/" + config.homepage else: # Use relative path - server_url = "" homepage = "/" + config.homepage + server_url = self.getWsServerUrl() # Real server url for WS connections + user = self.getCurrentUser() if user: theme = user.settings.get("theme", "light") @@ -717,11 +727,12 @@ class UiRequest(object): # Allow only same-origin websocket requests origin = self.env.get("HTTP_ORIGIN") host = self.env.get("HTTP_HOST") - if origin and host: + # Allow only same-origin websocket requests + if origin: origin_host = origin.split("://", 1)[-1] - if host != origin_host: + if origin_host != host and origin_host not in self.server.allowed_ws_origins: ws.send(json.dumps({"error": "Invalid origin: %s" % origin})) - return self.error403("Invalid origin: %s" % origin) + return self.error403("Invalid origin: %s %s" % (origin, self.server.allowed_ws_origins)) # Find site by wrapper_key wrapper_key = self.get["wrapper_key"] diff --git a/src/Ui/UiServer.py b/src/Ui/UiServer.py index 9daa90b1..e8cdd545 100644 --- a/src/Ui/UiServer.py +++ b/src/Ui/UiServer.py @@ -76,6 +76,7 @@ class UiServer: self.allowed_hosts.update(["localhost"]) else: self.allowed_hosts = set([]) + self.allowed_ws_origins = set() self.allow_trans_proxy = config.ui_trans_proxy self.wrapper_nonces = [] @@ -196,4 +197,4 @@ class UiServer: def updateWebsocket(self, **kwargs): for ws in self.websockets: - ws.event("serverChanged", kwargs) \ No newline at end of file + ws.event("serverChanged", kwargs)