1
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-16 21:56:40 -05:00

admin: Disallow websockets

No currently-known exploit here, just being conservative
This commit is contained in:
Matthew Holt 2020-05-21 12:29:19 -06:00
parent 452d4726f7
commit 1dc4ec2d77
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5

View file

@ -299,6 +299,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// be called more than once per request, for example if a request // be called more than once per request, for example if a request
// is rewritten (i.e. internal redirect). // is rewritten (i.e. internal redirect).
func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) { func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
// I've never been able demonstrate a vulnerability myself, but apparently
// WebSocket connections originating from browsers aren't subject to CORS
// restrictions, so we'll just be on the safe side
h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
return
}
if h.enforceHost { if h.enforceHost {
// DNS rebinding mitigation // DNS rebinding mitigation
err := h.checkHost(r) err := h.checkHost(r)