Diffstat (limited to 'lib/server.js')
-rw-r--r-- | lib/server.js | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/server.js b/lib/server.js index 0e22cba..9088bc8 100644 --- a/lib/server.js +++ b/lib/server.js @@ -54,13 +54,6 @@ function Server (torrent, opts = {}) { // deny them if (req.headers.origin == null) return false - // If a 'hostname' string is specified, deny requests with a 'Host' - // header that does not match the origin of the torrent server to prevent - // DNS rebinding attacks. - if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) { - return false - } - // The user allowed all origins if (opts.origin === '*') return true @@ -77,6 +70,13 @@ function Server (torrent, opts = {}) { } function onRequest (req, res) { + // If a 'hostname' string is specified, deny requests with a 'Host' + // header that does not match the origin of the torrent server to prevent + // DNS rebinding attacks. + if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) { + return req.destroy() + } + const pathname = new URL(req.url, 'http://example.com').pathname if (pathname === '/favicon.ico') { |
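Review bot: The Host check added at the top of onRequest is an exact, case-sensitive string match against `${opts.hostname}:${server.address().port}`, so it fails closed for legitimate requests whose Host header omits the port (a client talking to the default port) or spells the hostname in a different case. That is the safe direction for a DNS-rebinding guard, but because the request is dropped with `req.destroy()` and no status line, a mismatch will be hard to diagnose; consider answering explicitly, e.g. `res.statusCode = 403; return res.end()`, and lower-casing both sides before comparing. The guard is also opt-in: when `opts.hostname` is unset no Host validation runs at all, which is worth stating in the comment above the check, e.g. `// NOTE: without opts.hostname the Host header is not validated.` onRequest's body continues outside the hunk.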