* prep for esm
* update min req node vers
* revert node prefix
Return server from server.listen for method chaining to work
Fixes: https://github.com/webtorrent/webtorrent/pull/1598
Low risk xss. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context.
The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain.
This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own):
1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)
2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.
For: https://github.com/webtorrent/webtorrent/issues/1681
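The two mitigations described in the commit above, written out as an added example (this is illustrative code, not WebTorrent's own server implementation). The helper names, the exact CSP string and the page layout are this example's assumptions; the commit itself only says "strictest possible CSP". The sample torrent with a script tag in its name and file name is constructed here for the demonstration.

```javascript
// Added example (not WebTorrent's code): escape torrent-supplied metadata and
// send a deny-everything CSP with the index page, mirroring the two mitigations above.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }

// Escape the characters that can close a text node or an attribute value.
function escapeHtml (value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch])
}

// Assumed policy (the commit only says "strictest possible"): no sources of any
// kind may load, and `sandbox` additionally blocks script execution and form submission.
const INDEX_CSP = "default-src 'none'; sandbox"

// Render the listing. Every torrent-controlled string goes through escapeHtml;
// the file index is a counter, so the href never carries attacker-controlled text
// except through encodeURIComponent.
function renderIndex (torrentName, files) {
  const items = files.map((file, i) =>
    `<li><a download="${escapeHtml(file.name)}" href="/${i}/${encodeURIComponent(file.name)}">` +
    `${escapeHtml(file.path)}</a> (${Number(file.length) || 0} bytes)</li>`
  ).join('\n')
  return '<!DOCTYPE html>\n<html lang="en">\n<head>\n<meta charset="utf-8">\n' +
    `<title>${escapeHtml(torrentName)}</title>\n</head>\n<body>\n` +
    `<h1>${escapeHtml(torrentName)}</h1>\n<ol start="0">\n${items}\n</ol>\n</body>\n</html>\n`
}

// Headers plus body for the index route. Escaping and CSP are independent layers:
// either one alone would have stopped the crafted-name payload.
function indexResponse (torrentName, files) {
  return {
    statusCode: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': INDEX_CSP,
      'X-Content-Type-Options': 'nosniff'
    },
    body: renderIndex(torrentName, files)
  }
}

// Constructed sample: a torrent whose name and file name carry a script tag.
const CRAFTED_TORRENT = {
  name: '<script>alert(1)</script>',
  files: [{ name: '"><script>alert(1)</script>', path: 'dir/"><script>alert(1)</script>', length: 42 }]
}

// Rendered once so the result can be inspected; the body contains no raw <script> tag.
const CRAFTED_RESPONSE = indexResponse(CRAFTED_TORRENT.name, CRAFTED_TORRENT.files)
```

The `sandbox` directive matters for defence in depth: even if an escaping gap were found later, a sandboxed document without `allow-scripts` cannot run script or submit forms, and `default-src 'none'` stops any fetch to an external domain, which is exactly the exfiltration path the commit describes.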
Instead of a mimetype of "null"
Fixes: https://github.com/brave/brave-browser/issues/5489
It appears that this feature, originally added in https://github.com/webtorrent/webtorrent/pull/1260, never worked correctly. When the request hostname does not match the user-provided opts.hostname value, we should stop processing the request and return nothing. Instead, what was happening was that we'd simply omit the Access-Control-Allow-Origin header, which is not sufficient since the whole point of DNS rebinding attacks is that they appear same origin and therefore don't require a CORS header.
Fixes https://github.com/brave/brave-browser/issues/5358
Fixes: https://github.com/webtorrent/webtorrent/issues/1267
Add hostname option to mitigate DNS rebinding
This adds the `hostname` opt to allow the server to validate the `Host` header of incoming requests to prevent DNS rebinding attacks. Needed for https://github.com/brave/browser-laptop/issues/12616.
When the origin option is specified, only requests from the given
origin will be allowed.
This is useful to add additional security to any app that is starting a
WebTorrent server but doesn't want it to be exposed to the entire Web.
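An added example covering both the `hostname` and `origin` options introduced here and the later fix (above) that made a `Host` mismatch abort the request instead of merely dropping the CORS header. This is illustrative code, not WebTorrent's implementation; only the option names `hostname` and `origin` come from the commit messages, while the function names, the 403 response shape and the strict reading of `origin` (a request with no `Origin` header is refused) are this example's assumptions. The sample requests, including the `attacker.example` rebinding case, are constructed.

```javascript
// Added example (not WebTorrent's code): validate the Host header against the configured
// hostname so DNS-rebound requests are refused outright, and optionally pin the Origin.

// Split "host[:port]" into its parts. Returns null for anything malformed so that
// a missing or garbage Host header fails closed.
function parseHostHeader (host) {
  if (typeof host !== 'string') return null
  const m = host.match(/^(\[[0-9a-f:.]+\]|[^:\s]+)(?::(\d{1,5}))?$/i)
  if (!m) return null
  return { hostname: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : null }
}

// Hardened check: a Host mismatch ends the request; nothing downstream runs.
function checkRequest (req, opts) {
  if (opts.hostname) {
    const parsed = parseHostHeader(req.headers.host)
    if (!parsed || parsed.hostname !== opts.hostname.toLowerCase()) {
      return { allowed: false, statusCode: 403, reason: 'Host header does not match opts.hostname' }
    }
  }
  // Literal reading of the origin option (an assumption of this example): only requests
  // from that origin are allowed, so a request with no Origin header is refused too.
  if (opts.origin && req.headers.origin !== opts.origin) {
    return { allowed: false, statusCode: 403, reason: 'Origin header does not match opts.origin' }
  }
  return {
    allowed: true,
    statusCode: 200,
    corsHeaders: { 'Access-Control-Allow-Origin': opts.origin || '*' }
  }
}

// The earlier, broken behaviour: a mismatch only withheld the CORS header. A rebound
// request is same-origin from the browser's point of view and never needed that header,
// so the request was still served.
function legacyCheck (req, opts) {
  const parsed = parseHostHeader(req.headers.host)
  const match = parsed !== null && parsed.hostname === opts.hostname.toLowerCase()
  return { allowed: true, corsHeaders: match ? { 'Access-Control-Allow-Origin': '*' } : {} }
}

// Constructed sample requests. In the rebinding case the attacker's DNS name has been
// re-pointed at 127.0.0.1, so the Host header carries that name while the socket is local.
const SAMPLE_REQUESTS = {
  local: { headers: { host: 'localhost:8000' } },
  rebound: { headers: { host: 'attacker.example:8000' } },
  noHost: { headers: {} }
}
const OPTS = { hostname: 'localhost' }
```

The detection signal for defenders is the same as the check: a local service seeing a `Host` value that is not one of its own names is either a misconfigured proxy or a rebinding attempt, and either way the right response is to refuse rather than serve without CORS headers.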
add filename to path
Refactored the server into many smaller functions to make it easier to
understand all the different code paths.
- added a Content-Disposition header, which tells the browser the
file's name, since we use urls like http://localhost:port/0 <-- no
human-readable file name
- Server returns valid HTML documents (with all the required tags) now.
- Return 204 status for OPTIONS request
- reduce access-control-max-age to chromium max of 600s
- respond to OPTIONS requests that lack
'access-control-request-headers' (before they were treated as GET)
- return '405 invalid verb' for all other verbs
For: https://github.com/brave/browser-laptop/issues/6737
Fixes: #920
Don't send the entire response body
For https://github.com/feross/webtorrent-desktop/issues/256
If the user calls `server.close()` on the http server returned by
`torrent.createServer()` then we should not call it in
`server.destroy()` or node will return an error
- Download link uses correct filename
- List shows file paths, not just name
- Add file size
- Show torrent name at top, instead of generic “WebTorrent” title