forked from svrjs/svrjs
Added validation of X-Forwarded-For header
This commit is contained in:
parent
d8cf7913be
commit
b1ab6e3e4a
3 changed files with 42 additions and 56 deletions
|
@ -1,9 +1,9 @@
|
||||||
{
|
{
|
||||||
"users": [],
|
"users": [],
|
||||||
"port": 80,
|
"port": 5555,
|
||||||
"pubport": 80,
|
"pubport": 80,
|
||||||
"page404": "404.html",
|
"page404": "404.html",
|
||||||
"timestamp": 1693732189583,
|
"timestamp": 1693743065822,
|
||||||
"blacklist": [],
|
"blacklist": [],
|
||||||
"nonStandardCodes": [],
|
"nonStandardCodes": [],
|
||||||
"enableCompression": true,
|
"enableCompression": true,
|
||||||
|
@ -91,7 +91,7 @@
|
||||||
"/.*\\.img$/",
|
"/.*\\.img$/",
|
||||||
"/.*\\.iso$/"
|
"/.*\\.iso$/"
|
||||||
],
|
],
|
||||||
"enableIPSpoofing": false,
|
"enableIPSpoofing": true,
|
||||||
"secure": false,
|
"secure": false,
|
||||||
"sni": {},
|
"sni": {},
|
||||||
"disableNonEncryptedServer": false,
|
"disableNonEncryptedServer": false,
|
||||||
|
|
88
svr.js
88
svr.js
|
@ -2838,31 +2838,37 @@ if (!cluster.isPrimary) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set up X-Forwarded-For
|
// Set up X-Forwarded-For
|
||||||
var reqport = "";
|
var reqip = req.socket.remoteAddress;
|
||||||
var reqip = "";
|
var reqport = req.socket.remotePort;
|
||||||
var oldport = "";
|
|
||||||
var oldip = "";
|
var oldip = "";
|
||||||
if (req.headers["x-forwarded-for"] != undefined && enableIPSpoofing) {
|
var oldport = "";
|
||||||
reqport = null;
|
var isForwardedValid = true;
|
||||||
reqip = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
|
if(enableIPSpoofing) {
|
||||||
if (reqip.indexOf(":") == -1) reqip = "::ffff:" + reqip;
|
if (req.headers["x-forwarded-for"] != undefined) {
|
||||||
try {
|
var preparedReqIP = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
|
||||||
oldport = req.socket.remotePort;
|
var preparedReqIPvalid = net.isIP(preparedReqIP);
|
||||||
oldip = req.socket.remoteAddress;
|
if(preparedReqIPvalid) {
|
||||||
req.socket.realRemotePort = reqport;
|
if (preparedReqIPvalid == 4 && req.socket.remoteAddress && req.socket.remoteAddress.indexOf(":") > -1) preparedReqIP = "::ffff:" + preparedReqIP;
|
||||||
req.socket.realRemoteAddress = reqip;
|
reqip = preparedReqIP
|
||||||
req.socket.originalRemotePort = oldport;
|
reqport = null;
|
||||||
req.socket.originalRemoteAddress = oldip;
|
try {
|
||||||
res.socket.realRemotePort = reqport;
|
oldport = req.socket.remotePort;
|
||||||
res.socket.realRemoteAddress = reqip;
|
oldip = req.socket.remoteAddress;
|
||||||
res.socket.originalRemotePort = oldport;
|
req.socket.realRemotePort = reqport;
|
||||||
res.socket.originalRemoteAddress = oldip;
|
req.socket.realRemoteAddress = reqip;
|
||||||
} catch (err) {
|
req.socket.originalRemotePort = oldport;
|
||||||
// Address setting failed
|
req.socket.originalRemoteAddress = oldip;
|
||||||
|
res.socket.realRemotePort = reqport;
|
||||||
|
res.socket.realRemoteAddress = reqip;
|
||||||
|
res.socket.originalRemotePort = oldport;
|
||||||
|
res.socket.originalRemoteAddress = oldip;
|
||||||
|
} catch (err) {
|
||||||
|
// Address setting failed
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
isForwardedValid = false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
reqip = req.socket.remoteAddress;
|
|
||||||
reqport = req.socket.remotePort;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
reqcounter++;
|
reqcounter++;
|
||||||
|
@ -3324,33 +3330,6 @@ if (!cluster.isPrimary) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
var reqport = "";
|
|
||||||
var reqip = "";
|
|
||||||
var oldport = "";
|
|
||||||
var oldip = "";
|
|
||||||
if (req.headers["x-forwarded-for"] != undefined && enableIPSpoofing) {
|
|
||||||
reqport = null;
|
|
||||||
reqip = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
|
|
||||||
if (reqip.indexOf(":") == -1) reqip = "::ffff:" + reqip;
|
|
||||||
try {
|
|
||||||
oldport = req.socket.remotePort;
|
|
||||||
oldip = req.socket.remoteAddress;
|
|
||||||
req.socket.realRemotePort = reqport;
|
|
||||||
req.socket.realRemoteAddress = reqip;
|
|
||||||
req.socket.originalRemotePort = oldport;
|
|
||||||
req.socket.originalRemoteAddress = oldip;
|
|
||||||
res.socket.realRemotePort = reqport;
|
|
||||||
res.socket.realRemoteAddress = reqip;
|
|
||||||
res.socket.originalRemotePort = oldport;
|
|
||||||
res.socket.originalRemoteAddress = oldip;
|
|
||||||
} catch (err) {
|
|
||||||
// Nevermind...
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
reqip = req.socket.remoteAddress;
|
|
||||||
reqport = req.socket.remotePort;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Function to check the level of a path relative to the web root
|
// Function to check the level of a path relative to the web root
|
||||||
function checkPathLevel(path) {
|
function checkPathLevel(path) {
|
||||||
// Split the path into an array of components based on "/"
|
// Split the path into an array of components based on "/"
|
||||||
|
@ -4090,11 +4069,18 @@ if (!cluster.isPrimary) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check for invalid X-Forwarded-For header
|
||||||
|
if(!isForwardedValid) {
|
||||||
|
serverconsole.errmessage("X-Forwarded-For header is invalid.");
|
||||||
|
callServerError(400);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Handle redirects to HTTPS
|
// Handle redirects to HTTPS
|
||||||
if(secure && !fromMain && !disableNonEncryptedServer && !disableToHTTPSRedirect) {
|
if(secure && !fromMain && !disableNonEncryptedServer && !disableToHTTPSRedirect) {
|
||||||
var hostx = req.headers.host;
|
var hostx = req.headers.host;
|
||||||
if (hostx === undefined) {
|
if (hostx === undefined) {
|
||||||
serverconsole.errmessage("Bad request!");
|
serverconsole.errmessage("Host header is missing.");
|
||||||
callServerError(400);
|
callServerError(400);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
53
|
55
|
Reference in a new issue