authorKim Alvefur <zash@zash.se>2016-12-05 12:22:41 +0100
committerKim Alvefur <zash@zash.se>2016-12-05 12:22:41 +0100
commit947faa1ccd09773d64d6fca51430b9832e15d72e (patch)
tree082b7da5a80ec3ef6690f500e567a1a1b84eae6e
parentde2540b480a7e955d6d2cce95912108c21d5f23e (diff)
mod_websocket: Verify that the client-sent Origin header matches cross_domain_websocket (fixes #652)
-rw-r--r--plugins/mod_websocket.lua22
1 files changed, 13 insertions, 9 deletions
diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua
index 66e214fd..10aa0d38 100644
--- a/plugins/mod_websocket.lua
+++ b/plugins/mod_websocket.lua
@@ -29,16 +29,16 @@ local t_concat = table.concat;
local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5);
local consider_websocket_secure = module:get_option_boolean("consider_websocket_secure");
-local cross_domain = module:get_option("cross_domain_websocket");
-if cross_domain then
+local cross_domain = module:get_option_set("cross_domain_websocket", {});
+if cross_domain:contains("*") or cross_domain:contains(true) then
+ cross_domain = true;
+end
+
+local function check_origin(origin)
if cross_domain == true then
- cross_domain = "*";
- elseif type(cross_domain) == "table" then
- cross_domain = t_concat(cross_domain, ", ");
- end
- if type(cross_domain) ~= "string" then
- cross_domain = nil;
+ return true;
end
+ return cross_domain:contains(origin);
end
local xmlns_framing = "urn:ietf:params:xml:ns:xmpp-framing";
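Review bot: check_origin is undocumented and its contract is easy to misread: `cross_domain:contains(origin)` is an exact string comparison, so each configured entry must be the Origin header exactly as the browser serialises it (scheme://host[:port], no path or trailing slash), and `cross_domain` is rebound from a set to the boolean `true` in the lines above, which is the only reason the `cross_domain == true` test has to come first. A short doc comment above the function would save the next reader that detour, e.g. `-- Returns true when 'origin' is allowed by cross_domain_websocket: either the wildcard ("*" or true) is configured, or the exact origin string is listed.` With the default `{}` the function returns false for every origin, including the server's own, so same-origin WebSocket clients are refused until the option is set; that is a safe default but worth stating in the same comment. The removed branch was the only visible user of `t_concat` from the hunk header; if nothing else in the file uses it, that local can go too (the rest of the file is outside this hunk, so I cannot confirm).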
@@ -150,6 +150,11 @@ function handle_request(event)
return 501;
end
+ if not check_origin(request.headers.origin or "") then
+ module:log("debug", "Origin %s is not allowed by 'cross_domain_websocket'", request.headers.origin or "(missing header)");
+ return 403;
+ end
+
local function websocket_close(code, message)
conn:write(build_close(code, message));
conn:close();
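Review bot: A request with no Origin header is passed to check_origin as `""`, and an empty string is only ever accepted when the wildcard is configured, so non-browser WebSocket clients (which are not required to send Origin) are refused with 403 under any explicit allow-list; this follows from `request.headers.origin or ""` here and `cross_domain:contains(origin)` in the previous hunk. Rejecting an absent Origin is a defensible choice, but it should be a deliberate and documented one, e.g. a comment `-- No Origin header is treated as an unknown origin and refused unless the wildcard is configured.` The header is also read twice; hoisting it keeps the check and the log line in step: `local origin = request.headers.origin;` / `if not check_origin(origin or "") then` / `module:log("debug", "Origin %s is not allowed by 'cross_domain_websocket'", origin or "(missing header)");`. handle_request begins before this hunk and continues after it.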
@@ -284,7 +289,6 @@ function handle_request(event)
response.headers.connection = "Upgrade";
response.headers.sec_webSocket_accept = base64(sha1(request.headers.sec_websocket_key .. "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"));
response.headers.sec_webSocket_protocol = "xmpp";
- response.headers.access_control_allow_origin = cross_domain;
session.log("debug", "Sending WebSocket handshake");