
Commit72efaab

usefulthinkshellscape
authored andcommitted
Always allow requests with IP-address as host in checkHost() (#1007)
* Always allow requests with IP-address as host in checkHost()

This patch will allow any requests made using an IP-address to always pass the checkHost-test. IP-addresses are not susceptible to a dns-rebind like attack so it would make sense to not block them to make local-network development possible without needing to disable the host-checks entirely.

fixes #931

* use 'ip'-module to handle ip-address validation.

As per @shellscape's comment, switch to the [ip](https://npmjs.com/package/ip)-module to do validation of ip-address-format.
1 parent628f0a2 commit72efaab


3 files changed

+17
-1
lines changed


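--- a/lib/Server.js
+++ b/lib/Server.js
@@ -7,6 +7,7 @@ const express = require("express");
 constfs=require("fs");
 consthttp=require("http");
 consthttpProxyMiddleware=require("http-proxy-middleware");
+constip=require("ip");
 constserveIndex=require("serve-index");
 consthistoryApiFallback=require("connect-history-api-fallback");
 constpath=require("path");
@@ -441,8 +442,11 @@ Server.prototype.checkHost = function(headers) {
 constidx=hostHeader.indexOf(":");
 consthostname=idx>=0 ?hostHeader.substr(0,idx) :hostHeader;
 
+// always allow requests with explicit IP-address
+if(ip.isV4Format(hostname))returntrue;
+
 // always allow localhost host, for convience
-if(hostname==="127.0.0.1"||hostname==="localhost")returntrue;
+if(hostname==="localhost")returntrue;
 
 // allow if hostname is in allowedHosts
 if(this.allowedHosts&&this.allowedHosts.length){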
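Review bot: The new `ip.isV4Format(hostname)` guard in checkHost() returns true before `allowedHosts` is consulted, so the host check now rests entirely on that one format test. As far as I recall it is a pattern match on four dot-separated digit groups that does not bound each octet to 0–255; that should be confirmed against the pinned `ip` version and tightened if so. The branch also deserves a why-comment, for example `// an IP literal in Host cannot be re-pointed by DNS, so the rebinding check does not apply`. The existing comment says "IP-address" but only IPv4 is handled: a bracketed IPv6 host is cut at its first `:` by the `indexOf(":")` line above and never reaches this branch. checkHost() starts and ends outside the hunk.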

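--- a/package.json
+++ b/package.json
@@ -17,6 +17,7 @@
 "html-entities":"^1.2.0",
 "http-proxy-middleware":"~0.17.4",
 "internal-ip":"^1.2.0",
+"ip":"^1.1.5",
 "loglevel":"^1.4.1",
 "opn":"4.0.2",
 "portfinder":"^1.0.9",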

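--- a/test/Validation.test.js
+++ b/test/Validation.test.js
@@ -111,6 +111,17 @@ describe("Validation", function() {
 }
 });
 
+it("should allow access for every requests using an IP",function(){
+constoptions={};
+constheaders={
+host:"192.168.1.123"
+};
+constserver=newServer(compiler,options);
+if(!server.checkHost(headers)){
+thrownewError("Validation didn't fail");
+}
+});
+
 it("should not allow hostnames that don't match options.public",function(){
 constoptions={
 public:"test.host:80",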
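Review bot: The failure message in the added test is inverted: the `throw new Error("Validation didn't fail")` branch runs when `checkHost()` returns false, that is, when the IP host was rejected, so it should read something like `throw new Error("Validation failed for IP host")`. The case also pins only a bare private IPv4 address. A host with a port (constructed example: `192.168.1.123:8080`) and a digit-and-dot hostname that must still be rejected would fix the boundary of the new bypass in checkHost(). The enclosing describe() block starts and ends outside the hunk.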
