From 30adf6a19b50b6e013c8ad9532c7e59d349df461 Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh
Date: Tue, 30 Jul 2019 12:35:55 -0700
Subject: Fix server hostname deny feature

It appears that this feature, originally added in https://github.com/webtorrent/webtorrent/pull/1260, never worked correctly. When the request hostname does not match the user-provided opts.hostname value, we should stop processing the request and return nothing. Instead, what was happening was that we'd simply omit the Access-Control-Allow-Origin header, which is not sufficient since the whole point of DNS rebinding attacks is that they appear same origin and therefore don't require a CORS header.
---
 lib/server.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'lib')
diff --git a/lib/server.js b/lib/server.js
index 0e22cba..9088bc8 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -54,13 +54,6 @@ function Server (torrent, opts = {}) {
 // deny them
 if (req.headers.origin == null) return false
- // If a 'hostname' string is specified, deny requests with a 'Host'
- // header that does not match the origin of the torrent server to prevent
- // DNS rebinding attacks.
- if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
- return false
- }
-
 // The user allowed all origins
 if (opts.origin === '*') return true
@@ -70,6 +77,13 @@ function Server (torrent, opts = {}) {
 }
 function onRequest (req, res) {
+ // If a 'hostname' string is specified, deny requests with a 'Host'
+ // header that does not match the origin of the torrent server to prevent
+ // DNS rebinding attacks.
+ if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
+ return req.destroy()
+ }
+
 const pathname = new URL(req.url, 'http://example.com').pathname
 if (pathname === '/favicon.ico') {
--
cgit v1.2.3
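Review bot: The Host check added at the top of `onRequest` is an exact, case-sensitive string comparison against `${opts.hostname}:${server.address().port}`. It fails closed, but it also drops legitimate requests whose Host header differs only in letter case or omits the port, which clients do when the port is the scheme default. Consider normalising before comparing, for example `const host = (req.headers.host || '').toLowerCase()` checked against `opts.hostname.toLowerCase()` plus the port. The commit message says the deny feature never worked and the diffstat shows only lib/server.js changing, so a regression test that sends a mismatched Host header and asserts the connection is closed with no response body would keep it from silently breaking again. The check still runs only when `opts.hostname` is set, and the body of `onRequest` continues past the end of this hunk.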