Skip to content

/ webtorrent

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix server 'hostname' option to mitigate DNS rebinding attack #1678

Merged
merged 1 commit into from Jul 30, 2019
Merged

Fix server 'hostname' option to mitigate DNS rebinding attack #1678

merged 1 commit into from Jul 30, 2019
+7 −7

Conversation

@feross
Copy link
Member

feross commented Jul 30, 2019
edited

It appears that this feature, originally added in #1260, may have never worked correctly.

When the request hostname does not match the user-provided opts.hostname value, we should stop processing the request and return nothing. Instead, what was happening was that we'd simply omit the Access-Control-Allow-Origin header, which is not sufficient since the whole point of DNS rebinding attacks is that they appear to be same origin and therefore don't require a CORS header.

cc @diracdeltas @yrliou
@feross feross added the bug label Jul 30, 2019
@feross
feross reviewed Jul 30, 2019
View changes
lib/server.js Outdated
@@ -218,6 +218,11 @@ function Server (torrent, opts = {}) {
const html = getPageHTML('405 - Method Not Allowed', '<h1>405 - Method Not Allowed</h1>')
res.end(html)
}

function serveEmptyResponse () {
res.statusCode = 204

This comment has been minimized.

Sign in to view
Copy link
@feross

feross Jul 30, 2019

Author Member

Ideally, we'd just kill the whole TCP connection without responding at all but I'm not sure if there's a clean way to do this from the http layer. Looking into it.
@diracdeltas

This comment has been minimized.

Sign in to view
Copy link
Contributor

diracdeltas commented Jul 30, 2019

lgtm
@feross
Fix server hostname deny feature
Loading status checks…
30adf6a 
It appears that this feature, originally added in #1260, never worked correctly. When the request hostname does not match the user-provided opts.hostname value, we should stop processing the request and return nothing. Instead, what was happening was that we'd simply omit the Access-Control-Allow-Origin header, which is not sufficient since the whole point of DNS rebinding attacks is that they appear same origin and therefore don't require a CORS header.
@feross feross force-pushed the security-hostname branch from 769d7b4 to 30adf6a Jul 30, 2019
@feross

This comment has been minimized.

Sign in to view
Copy link
Member Author

feross commented Jul 30, 2019

Nice, figured out how to kill the connection without sending a response. Merging now.
@feross feross merged commit 8a0936f into master Jul 30, 2019
5 checks passed
5 checks passed
WIP Ready for review
Details
continuous-integration/appveyor/branch AppVeyor build succeeded
Details
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details
@feross feross deleted the security-hostname branch Jul 30, 2019
@feross feross mentioned this pull request Jul 30, 2019
Closed
@feross

This comment has been minimized.

Sign in to view
Copy link
Member Author

feross commented Jul 30, 2019

0.105.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@feross @diracdeltas
You can’t perform that action at this time.