tlsd 2.20.1 → 2.20.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/package.json +1 -1
  2. package/tlsd.js +29 -7
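--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "tlsd",
-"version": "2.20.1",
+"version": "2.20.2",
 "description": "A server for web app prototyping with HTTPS and Websockets",
 "main": "tlsd.js",
 "bin": {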
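--- a/package/tlsd.js
+++ b/package/tlsd.js
@@ -43,6 +43,30 @@ const RATE_LIMIT_MAX_REQUESTS = toInt( process.env.RATE_LIMIT_MAX_REQUESTS ) ||
 
 let dev_mode = false;
 
+function public_origin_matches_host( origin, host ) {
+if( ! origin ) {
+return false;
+}
+const httpOrigin = "http://" + host;
+const httpsOrigin = "https://" + host;
+if( dev_mode ) {
+return origin === httpOrigin || origin === httpsOrigin;
+}
+return origin === httpsOrigin;
+}
+
+function public_referer_matches_host( referer, host ) {
+if( ! referer ) {
+return false;
+}
+const httpRef = "http://" + host;
+const httpsRef = "https://" + host;
+if( dev_mode ) {
+return referer.startsWith( httpRef ) || referer.startsWith( httpsRef );
+}
+return referer.startsWith( httpsRef );
+}
+
 // Connection tracking for DOS protection
 const ipConnections = new Map();
 let totalConnections = 0;
@@ -444,11 +468,9 @@ function csrf_protection( root ) {
 let originValid = false;
 
 if( origin ) {
-const expectedOrigin = ( dev_mode ? "http://" : "https://" ) + host;
-originValid = origin === expectedOrigin;
+originValid = public_origin_matches_host( origin, host );
 } else if( referer ) {
-const expectedReferer = ( dev_mode ? "http://" : "https://" ) + host;
-originValid = referer.startsWith( expectedReferer );
+originValid = public_referer_matches_host( referer, host );
 }
 
 // For PUT (e.g. file uploads), cookie + Origin/Referer is sufficient.
@@ -853,9 +875,9 @@ function ws_attach( server, msg_handler ) {
 
 // Validate WebSocket origin matches host
 if( origin ) {
-const expectedOrigin = ( dev_mode ? "http://" : "https://" ) + host;
-if( origin !== expectedOrigin ) {
-W( "WS: Origin validation failed: " + origin + " expected: " + expectedOrigin );
+if( ! public_origin_matches_host( origin, host ) ) {
+const expectedHint = dev_mode ? "http(s)://" + host : "https://" + host;
+W( "WS: Origin validation failed: " + origin + " expected: " + expectedHint );
 activeWSConnections--;
 totalConnections--;
 release_ip_connection( remote_ip );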
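Review bot: `public_referer_matches_host` in the first hunk is a bare prefix test, so a Referer from any host whose name merely begins with `host` (e.g. `https://` + host + `.other-example/`) passes when `host` carries no port, and since `csrf_protection` falls back to this check when Origin is absent, that is the CSRF gate for such requests. The weakness is carried over from the removed `referer.startsWith( expectedReferer )` lines rather than introduced here, but the new helper is the place to close it: after the prefix match, require the remainder to be empty or to start with `/`, `?` or `#`. The exact-equality check in `public_origin_matches_host` does not have this problem. Both helpers also lack a header comment; I would add one stating that `host` is compared verbatim (scheme and port included as given) and that dev_mode additionally admits plain http. `csrf_protection` and `ws_attach` start outside their hunks.
```javascript
function referer_has_origin( referer, expectedOrigin ) {
  // Accept "<origin>", "<origin>/...", "<origin>?..." or "<origin>#..." only;
  // a bare prefix test would also accept a longer host name that starts with ours.
  if( ! referer.startsWith( expectedOrigin ) ) {
    return false;
  }
  const rest = referer.slice( expectedOrigin.length );
  return rest === "" || rest[ 0 ] === "/" || rest[ 0 ] === "?" || rest[ 0 ] === "#";
}

function public_referer_matches_host( referer, host ) {
  // … unchanged: empty-referer guard, httpRef / httpsRef construction …
  if( dev_mode ) {
    return referer_has_origin( referer, httpRef ) || referer_has_origin( referer, httpsRef );
  }
  return referer_has_origin( referer, httpsRef );
}
```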