
Fix server 'hostname' option to mitigate DNS rebinding attack #1678

Merged
merged 1 commit into from Jul 30, 2019

@@ -54,13 +54,6 @@ function Server (torrent, opts = {}) {
// deny them
if (req.headers.origin == null) return false

// If a 'hostname' string is specified, deny requests with a 'Host'
// header that does not match the origin of the torrent server to prevent
// DNS rebinding attacks.
if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
return false
}

// The user allowed all origins
if (opts.origin === '*') return true

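Review bot: Where the Host comparison is dropped from this origin check (just after the `req.headers.origin == null` return), leave a one-line comment saying that Host validation now happens in onRequest. In this position the comparison was only reached by requests that carried an Origin header, and its `return false` was just one more outcome of the origin decision. Without a pointer, a later reader could assume this function still has a role in the DNS rebinding defence, or reintroduce the check here.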
@@ -77,6 +70,13 @@ function Server (torrent, opts = {}) {
}

function onRequest (req, res) {
// If a 'hostname' string is specified, deny requests with a 'Host'
// header that does not match the origin of the torrent server to prevent
// DNS rebinding attacks.
if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
return req.destroy()
}

const pathname = new URL(req.url, 'http://example.com').pathname

if (pathname === '/favicon.ico') {
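Review bot: The comparison `req.headers.host !== `${opts.hostname}:${server.address().port}`` at the top of onRequest is an exact, case-sensitive string match that always expects a port, so legitimate requests can be dropped: host names are case-insensitive, and a client omits the port from the Host header when the server listens on the scheme's default port. Consider lowercasing both sides before comparing and handling the default-port case, or state in the option's documentation that 'hostname' must be given in lowercase and without a port. Two smaller points: the check only runs when `opts.hostname` is set, so the docs should say that the rebinding protection is opt-in, and `req.destroy()` closes the connection with no response, which is hard to diagnose for a user who misconfigures the option; a 403 with a short body, or a debug log line, would help. A test that sends a mismatched Host header and asserts the request is rejected would keep this from regressing.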