mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-27 06:03:48 +03:00
admin: Disallow websockets
No currently-known exploit here, just being conservative
This commit is contained in:
parent
452d4726f7
commit
1dc4ec2d77
1 changed files with 8 additions and 0 deletions
8
admin.go
8
admin.go
|
@ -299,6 +299,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
// be called more than once per request, for example if a request
|
// be called more than once per request, for example if a request
|
||||||
// is rewritten (i.e. internal redirect).
|
// is rewritten (i.e. internal redirect).
|
||||||
func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
|
func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
|
||||||
|
// I've never been able demonstrate a vulnerability myself, but apparently
|
||||||
|
// WebSocket connections originating from browsers aren't subject to CORS
|
||||||
|
// restrictions, so we'll just be on the safe side
|
||||||
|
h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if h.enforceHost {
|
if h.enforceHost {
|
||||||
// DNS rebinding mitigation
|
// DNS rebinding mitigation
|
||||||
err := h.checkHost(r)
|
err := h.checkHost(r)
|
||||||
|
|
Loading…
Reference in a new issue