From 1dc4ec2d77f6f239f4c17e8ba754e71655796a4d Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Thu, 21 May 2020 12:29:19 -0600 Subject: [PATCH] admin: Disallow websockets No currently-known exploit here, just being conservative --- admin.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/admin.go b/admin.go index e584a3bb..237af3ca 100644 --- a/admin.go +++ b/admin.go @@ -299,6 +299,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // be called more than once per request, for example if a request // is rewritten (i.e. internal redirect). func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) { + if strings.Contains(r.Header.Get("Upgrade"), "websocket") { + // I've never been able demonstrate a vulnerability myself, but apparently + // WebSocket connections originating from browsers aren't subject to CORS + // restrictions, so we'll just be on the safe side + h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed")) + return + } + if h.enforceHost { // DNS rebinding mitigation err := h.checkHost(r)