author | Feross Aboukhadijeh <feross@feross.org> | 2019-07-30 23:24:49 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-30 23:24:49 +0300 |
commit | 8a0936f915c07c6a405caa2360e1c1255767345a (patch) | |
tree | 6603f483447a47f1cac70762e69a700a4bd4967a | |
parent | 59016c15dc080bbb3a8f4a6ac502e315cda8b4c3 (diff) | |
parent | 30adf6a19b50b6e013c8ad9532c7e59d349df461 (diff) |
Merge pull request #1678 from webtorrent/security-hostname
Fix server 'hostname' option to mitigate DNS rebinding attack
-rw-r--r-- | lib/server.js | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/server.js b/lib/server.js
index 0e22cba..9088bc8 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -54,13 +54,6 @@ function Server (torrent, opts = {}) {
 // deny them
 if (req.headers.origin == null) return false

- // If a 'hostname' string is specified, deny requests with a 'Host'
- // header that does not match the origin of the torrent server to prevent
- // DNS rebinding attacks.
- if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
- return false
- }
-
 // The user allowed all origins
 if (opts.origin === '*') return true

@@ -77,6 +70,13 @@ function Server (torrent, opts = {}) {
 }

 function onRequest (req, res) {
+ // If a 'hostname' string is specified, deny requests with a 'Host'
+ // header that does not match the origin of the torrent server to prevent
+ // DNS rebinding attacks.
+ if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
+ return req.destroy()
+ }
+
 const pathname = new URL(req.url, 'http://example.com').pathname

 if (pathname === '/favicon.ico') { |
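Review bot: The Host check added at the top of `onRequest` only runs when `opts.hostname` is set, so a server created without that option still accepts any `Host` header and gets no DNS-rebinding protection from this change. That default deserves a comment at the check, for example `// NOTE: when opts.hostname is unset the Host header is not validated at all`, and the same caveat in the option's documentation. The comparison is an exact string match against `hostname:port`, so a client that omits the port (as browsers typically do on the scheme's default port) is rejected; this fails closed, so it is an availability concern rather than a bypass. `req.destroy()` closes the socket with no status code or log entry, which makes denied requests hard to distinguish from network faults; replying with `res.statusCode = 403` and `return res.end()` would make them visible to operators. The body of `onRequest` continues past the end of the hunk.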