Added validation of X-Forwarded-For header
parent
d8cf7913be
commit
b1ab6e3e4a
3 changed files with 42 additions and 56 deletions
|
@ -1,9 +1,9 @@
|
|||
{
|
||||
"users": [],
|
||||
"port": 80,
|
||||
"port": 5555,
|
||||
"pubport": 80,
|
||||
"page404": "404.html",
|
||||
"timestamp": 1693732189583,
|
||||
"timestamp": 1693743065822,
|
||||
"blacklist": [],
|
||||
"nonStandardCodes": [],
|
||||
"enableCompression": true,
|
||||
|
@ -91,7 +91,7 @@
|
|||
"/.*\\.img$/",
|
||||
"/.*\\.iso$/"
|
||||
],
|
||||
"enableIPSpoofing": false,
|
||||
"enableIPSpoofing": true,
|
||||
"secure": false,
|
||||
"sni": {},
|
||||
"disableNonEncryptedServer": false,
|
||||
|
|
88
svr.js
88
svr.js
|
@ -2838,31 +2838,37 @@ if (!cluster.isPrimary) {
|
|||
}
|
||||
|
||||
// Set up X-Forwarded-For
|
||||
var reqport = "";
|
||||
var reqip = "";
|
||||
var oldport = "";
|
||||
var reqip = req.socket.remoteAddress;
|
||||
var reqport = req.socket.remotePort;
|
||||
var oldip = "";
|
||||
if (req.headers["x-forwarded-for"] != undefined && enableIPSpoofing) {
|
||||
reqport = null;
|
||||
reqip = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
|
||||
if (reqip.indexOf(":") == -1) reqip = "::ffff:" + reqip;
|
||||
try {
|
||||
oldport = req.socket.remotePort;
|
||||
oldip = req.socket.remoteAddress;
|
||||
req.socket.realRemotePort = reqport;
|
||||
req.socket.realRemoteAddress = reqip;
|
||||
req.socket.originalRemotePort = oldport;
|
||||
req.socket.originalRemoteAddress = oldip;
|
||||
res.socket.realRemotePort = reqport;
|
||||
res.socket.realRemoteAddress = reqip;
|
||||
res.socket.originalRemotePort = oldport;
|
||||
res.socket.originalRemoteAddress = oldip;
|
||||
} catch (err) {
|
||||
// Address setting failed
|
||||
var oldport = "";
|
||||
var isForwardedValid = true;
|
||||
if(enableIPSpoofing) {
|
||||
if (req.headers["x-forwarded-for"] != undefined) {
|
||||
var preparedReqIP = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
|
||||
var preparedReqIPvalid = net.isIP(preparedReqIP);
|
||||
if(preparedReqIPvalid) {
|
||||
if (preparedReqIPvalid == 4 && req.socket.remoteAddress && req.socket.remoteAddress.indexOf(":") > -1) preparedReqIP = "::ffff:" + preparedReqIP;
|
||||
reqip = preparedReqIP
|
||||
reqport = null;
|
||||
try {
|
||||
oldport = req.socket.remotePort;
|
||||
oldip = req.socket.remoteAddress;
|
||||
req.socket.realRemotePort = reqport;
|
||||
req.socket.realRemoteAddress = reqip;
|
||||
req.socket.originalRemotePort = oldport;
|
||||
req.socket.originalRemoteAddress = oldip;
|
||||
res.socket.realRemotePort = reqport;
|
||||
res.socket.realRemoteAddress = reqip;
|
||||
res.socket.originalRemotePort = oldport;
|
||||
res.socket.originalRemoteAddress = oldip;
|
||||
} catch (err) {
|
||||
// Address setting failed
|
||||
}
|
||||
} else {
|
||||
isForwardedValid = false;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
reqip = req.socket.remoteAddress;
|
||||
reqport = req.socket.remotePort;
|
||||
}
|
||||
|
||||
reqcounter++;
|
||||
|
@ -3324,33 +3330,6 @@ if (!cluster.isPrimary) {
|
|||
return;
|
||||
}
|
||||
|
||||
var reqport = "";
|
||||
var reqip = "";
|
||||
var oldport = "";
|
||||
var oldip = "";
|
||||
if (req.headers["x-forwarded-for"] != undefined && enableIPSpoofing) {
|
||||
reqport = null;
|
||||
reqip = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
|
||||
if (reqip.indexOf(":") == -1) reqip = "::ffff:" + reqip;
|
||||
try {
|
||||
oldport = req.socket.remotePort;
|
||||
oldip = req.socket.remoteAddress;
|
||||
req.socket.realRemotePort = reqport;
|
||||
req.socket.realRemoteAddress = reqip;
|
||||
req.socket.originalRemotePort = oldport;
|
||||
req.socket.originalRemoteAddress = oldip;
|
||||
res.socket.realRemotePort = reqport;
|
||||
res.socket.realRemoteAddress = reqip;
|
||||
res.socket.originalRemotePort = oldport;
|
||||
res.socket.originalRemoteAddress = oldip;
|
||||
} catch (err) {
|
||||
// Nevermind...
|
||||
}
|
||||
} else {
|
||||
reqip = req.socket.remoteAddress;
|
||||
reqport = req.socket.remotePort;
|
||||
}
|
||||
|
||||
// Function to check the level of a path relative to the web root
|
||||
function checkPathLevel(path) {
|
||||
// Split the path into an array of components based on "/"
|
||||
|
@ -4090,11 +4069,18 @@ if (!cluster.isPrimary) {
|
|||
}
|
||||
}
|
||||
|
||||
// Check for invalid X-Forwarded-For header
|
||||
if(!isForwardedValid) {
|
||||
serverconsole.errmessage("X-Forwarded-For header is invalid.");
|
||||
callServerError(400);
|
||||
return;
|
||||
}
|
||||
|
||||
// Handle redirects to HTTPS
|
||||
if(secure && !fromMain && !disableNonEncryptedServer && !disableToHTTPSRedirect) {
|
||||
var hostx = req.headers.host;
|
||||
if (hostx === undefined) {
|
||||
serverconsole.errmessage("Bad request!");
|
||||
serverconsole.errmessage("Host header is missing.");
|
||||
callServerError(400);
|
||||
return;
|
||||
}
|
||||
|
|
|
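Review bot: net.isIP() on `preparedReqIP` only establishes that the first X-Forwarded-For element is syntactically an address; nothing in the new block under `if(enableIPSpoofing) {` checks that the peer that sent the header (req.socket.remoteAddress) is a proxy this server trusts, so with spoofing enabled any directly connecting client still chooses the address that is recorded as realRemoteAddress and used downstream as the client's address. The usual fix is to honour the header only when req.socket.remoteAddress matches a configured trusted-proxy list (the page shows no such setting, so a `<trusted-proxy list config key>` placeholder here) and otherwise fall through to the socket values, keeping the 400 for the malformed-header case. The enclosing request handler starts and ends outside the hunk, and isForwardedValid is consumed only in the hunk at new-side line 4069, far from its declaration; a comment there such as `// false when X-Forwarded-For is present but its first element is not a valid IP; rejected with 400 before redirect handling` would make the coupling visible. Also, `reqip = preparedReqIP` is missing its terminating semicolon.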
@ -1 +1 @@
|
|||
53
|
||||
55
|