diff options
| author | Feross Aboukhadijeh <feross@feross.org> | 2018-03-03 01:35:09 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-03-03 01:35:09 +0300 |
| commit | e7d6e4f06d1d4ebb9935d8745607a6d5b8054c16 (patch) | |
| tree | a7c3dbfabade25657aef43c49304106fb71fcb99 /lib/server.js | |
| parent | fb20cfd2f470540e01a0d8a1dbfa0b509a10dc1a (diff) | |
| parent | 7c107e6d47415d72ca7fd075fc8f78aaae548908 (diff) | |
Merge pull request #1260 from diracdeltas/fix/add-hostname-opt
Add hostname option to mitigate DNS rebinding
Diffstat (limited to 'lib/server.js')
| -rw-r--r-- | lib/server.js | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/server.js b/lib/server.js index 739933f..d2a9a60 100644 --- a/lib/server.js +++ b/lib/server.js @@ -51,6 +51,13 @@ function Server (torrent, opts) { // deny them if (req.headers.origin == null) return false + // If a 'hostname' string is specified, deny requests with a 'Host' + // header that does not match the origin of the torrent server to prevent + // DNS rebinding attacks. + if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) { + return false + } + // The user allowed all origins if (opts.origin === '*') return true |