Skip to content

Commit

Permalink
fix: regression in checkHost for checking Origin header (#1606)
Browse files Browse the repository at this point in the history
  • Loading branch information
3846masa authored and evilebottnawi committed Dec 22, 2018
1 parent ff2874f commit 8bb3ca8
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
7 changes: 6 additions & 1 deletion lib/Server.js
Original file line number Diff line number Diff line change
Expand Up @@ -646,7 +646,12 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
}

// use the node url-parser to retrieve the hostname from the host-header.
const hostname = url.parse(`//${hostHeader}`, false, true).hostname;
const hostname = url.parse(
// if hostHeader doesn't have scheme, add // for parsing.
/^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
false,
true,
).hostname;
// always allow requests with explicit IPv4 or IPv6-address.
// A note on IPv6 addresses:
// hostHeader will always contain the brackets denoting
Expand Down
13 changes: 13 additions & 0 deletions test/Validation.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,19 @@ describe('Validation', () => {
}
});

it('should allow urls with scheme for checking origin', () => {
const options = {
public: 'test.host:80'
};
const headers = {
origin: 'https://test.host'
};
const server = new Server(compiler, options);
if (!server.checkHost(headers, 'origin')) {
throw new Error("Validation didn't fail");
}
});

describe('allowedHosts', () => {
it('should allow hosts in allowedHosts', () => {
const tests = [
Expand Down

0 comments on commit 8bb3ca8

Please sign in to comment.