| author | RblSb <msrblsb@gmail.com> | 2020-05-20 14:29:37 +0300 |
|---|---|---|
| committer | RblSb <msrblsb@gmail.com> | 2020-05-20 14:29:37 +0300 |
| commit | 5abb726dc80decc2e3a73164905f1b8cccf9c47d (patch) | |
| tree | 14c47574550981d54edeb1226a1a8f4e1fa15d5d | |
| parent | a525aeb86aaa02bccf960c18ee0b6751409e7d70 (diff) | |
Make internal proxy more safe
| -rw-r--r-- | build/server.js | 8 | ||||
| -rw-r--r-- | src/server/HttpServer.hx | 5 |
2 files changed, 11 insertions, 2 deletions
diff --git a/build/server.js b/build/server.js index 7a67b9d..bc54fbb 100644 --- a/build/server.js +++ b/build/server.js @@ -3266,11 +3266,17 @@ server_HttpServer.localizeHtml = function(data,lang) { }; server_HttpServer.proxyUrl = function(req,res) { var url = StringTools.replace(req.url,"/proxy?url=",""); - var url1 = new js_node_url_URL(global.decodeURI(url)); + var url1; + try { + url1 = new js_node_url_URL(global.decodeURI(url)); + } catch( _g ) { + return false; + } if(url1.host == req.headers["host"]) { return false; } var proxy = (url1.protocol == "https:" ? js_node_Https.request : js_node_Http.request)({ host : url1.host, port : Std.parseInt(url1.port), path : url1.pathname + url1.search, method : req.method},function(proxyRes) { + proxyRes.headers["Content-Type"] = "application/octet-stream"; res.writeHead(proxyRes.statusCode,proxyRes.headers); proxyRes.pipe(res,{ end : true}); }); diff --git a/src/server/HttpServer.hx b/src/server/HttpServer.hx index aeabe2c..c6abe30 100644 --- a/src/server/HttpServer.hx +++ b/src/server/HttpServer.hx @@ -138,7 +138,9 @@ class HttpServer { static function proxyUrl(req:IncomingMessage, res:ServerResponse):Bool { final url = req.url.replace("/proxy?url=", ""); - final url = new URL(js.Node.global.decodeURI(url)); + final url = try { + new URL(js.Node.global.decodeURI(url)); + } catch(e) return false; if (url.host == req.headers["host"]) return false; final options = { host: url.host, @@ -149,6 +151,7 @@ class HttpServer { }; final request = url.protocol == "https:" ? Https.request : Http.request; final proxy = request(options, proxyRes -> { + proxyRes.headers["Content-Type"] = "application/octet-stream"; res.writeHead(proxyRes.statusCode, proxyRes.headers); proxyRes.pipe(res, {end: true}); }); |
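Review bot: In the `src/server/HttpServer.hx` hunk at `@@ -138,7 +138,9 @@`, the only destination check after the new try/catch is still `url.host == req.headers["host"]`, which compares against a client-supplied header and does not cover loopback, private or link-local addresses, so the server can still be asked to fetch internal endpoints. Any scheme other than `https:` also falls through to `Http.request` (visible in the next hunk); a guard such as `if (url.protocol != "http:" && url.protocol != "https:") return false;` right after the parse would close that, and an allowlist or a resolved-address check on `url.hostname` would address the first point. The context line `host: url.host,` passes a value that includes the port when one is given, so `url.hostname` is presumably what was meant. `proxyUrl` continues past the end of this hunk. The compiled `build/server.js` hunk mirrors this code and inherits the same gaps.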
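Review bot: In the `@@ -149,6 +151,7 @@` hunk of `src/server/HttpServer.hx`, `proxyRes.headers["Content-Type"] = "application/octet-stream";` probably does not replace the upstream type: Node lower-cases incoming header names, so the upstream `content-type` key stays in the object and `writeHead` is handed both spellings. Assigning `proxyRes.headers["content-type"] = "application/octet-stream";` overrides the upstream value, and adding `proxyRes.headers["x-content-type-options"] = "nosniff";` tells browsers not to sniff a different type. The remaining upstream headers, `set-cookie` included, are still forwarded under this server's origin; copying only the few that are needed would be safer. The callback sits inside `proxyUrl`, whose start and end are outside this hunk, and the compiled `build/server.js` hunk carries the same line.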
