oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow websocket connection originates from earlier accepted hostnames

Browse source
This commit is contained in:
shortcutme 2019-08-23 03:39:16 +02:00
parent 24b3651d2e
commit e16611f15a
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
2 changed files with 21 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
src/Ui/UiRequest.py
View file

@ -378,6 +378,16 @@ class UiRequest(object):
else: else:
return "/" + address return "/" + address
def getWsServerUrl(self):
if self.isProxyRequest():
if self.env["REMOTE_ADDR"] == "127.0.0.1": # Local client, the server address also should be 127.0.0.1
server_url = "http://127.0.0.1:%s" % self.env["SERVER_PORT"]
else: # Remote client, use SERVER_NAME as server's real address
server_url = "http://%s:%s" % (self.env["SERVER_NAME"], self.env["SERVER_PORT"])
else:
server_url = ""
return server_url
def processQueryString(self, site, query_string): def processQueryString(self, site, query_string):
match = re.search("zeronet_peers=(.*?)(&|$)", query_string) match = re.search("zeronet_peers=(.*?)(&|$)", query_string)
if match: if match:
@ -414,6 +424,9 @@ class UiRequest(object):
file_url = "/" + address + "/" + inner_path file_url = "/" + address + "/" + inner_path
root_url = "/" + address + "/" root_url = "/" + address + "/"
if self.isProxyRequest():
self.server.allowed_ws_origins.add(self.env["HTTP_HOST"])
# Wrapper variable inits # Wrapper variable inits
body_style = "" body_style = ""
meta_tags = "" meta_tags = ""
@ -430,15 +443,12 @@ class UiRequest(object):
inner_query_string = "?wrapper_nonce=%s" % wrapper_nonce inner_query_string = "?wrapper_nonce=%s" % wrapper_nonce
if self.isProxyRequest(): # Its a remote proxy request if self.isProxyRequest(): # Its a remote proxy request
if self.env["REMOTE_ADDR"] == "127.0.0.1": # Local client, the server address also should be 127.0.0.1
server_url = "http://127.0.0.1:%s" % self.env["SERVER_PORT"]
else: # Remote client, use SERVER_NAME as server's real address
server_url = "http://%s:%s" % (self.env["SERVER_NAME"], self.env["SERVER_PORT"])
homepage = "http://zero/" + config.homepage homepage = "http://zero/" + config.homepage
else: # Use relative path else: # Use relative path
server_url = ""
homepage = "/" + config.homepage homepage = "/" + config.homepage
server_url = self.getWsServerUrl() # Real server url for WS connections
user = self.getCurrentUser() user = self.getCurrentUser()
if user: if user:
theme = user.settings.get("theme", "light") theme = user.settings.get("theme", "light")
@ -717,11 +727,12 @@ class UiRequest(object):
# Allow only same-origin websocket requests # Allow only same-origin websocket requests
origin = self.env.get("HTTP_ORIGIN") origin = self.env.get("HTTP_ORIGIN")
host = self.env.get("HTTP_HOST") host = self.env.get("HTTP_HOST")
if origin and host: # Allow only same-origin websocket requests
if origin:
origin_host = origin.split("://", 1)[-1] origin_host = origin.split("://", 1)[-1]
if host != origin_host: if origin_host != host and origin_host not in self.server.allowed_ws_origins:
ws.send(json.dumps({"error": "Invalid origin: %s" % origin})) ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
return self.error403("Invalid origin: %s" % origin) return self.error403("Invalid origin: %s %s" % (origin, self.server.allowed_ws_origins))
# Find site by wrapper_key # Find site by wrapper_key
wrapper_key = self.get["wrapper_key"] wrapper_key = self.get["wrapper_key"]

3
src/Ui/UiServer.py
View file

@ -76,6 +76,7 @@ class UiServer:
self.allowed_hosts.update(["localhost"]) self.allowed_hosts.update(["localhost"])
else: else:
self.allowed_hosts = set([]) self.allowed_hosts = set([])
self.allowed_ws_origins = set()
self.allow_trans_proxy = config.ui_trans_proxy self.allow_trans_proxy = config.ui_trans_proxy
self.wrapper_nonces = [] self.wrapper_nonces = []
@ -196,4 +197,4 @@ class UiServer:
def updateWebsocket(self, **kwargs): def updateWebsocket(self, **kwargs):
for ws in self.websockets: for ws in self.websockets:
ws.event("serverChanged", kwargs) ws.event("serverChanged", kwargs)