From 5abb726dc80decc2e3a73164905f1b8cccf9c47d Mon Sep 17 00:00:00 2001
From: RblSb
Date: Wed, 20 May 2020 14:29:37 +0300
Subject: Make internal proxy more safe
---
 src/server/HttpServer.hx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/server/HttpServer.hx b/src/server/HttpServer.hx
index aeabe2c..c6abe30 100644
--- a/src/server/HttpServer.hx
+++ b/src/server/HttpServer.hx
@@ -138,7 +138,9 @@ class HttpServer {
 static function proxyUrl(req:IncomingMessage, res:ServerResponse):Bool {
 final url = req.url.replace("/proxy?url=", "");
- final url = new URL(js.Node.global.decodeURI(url));
+ final url = try {
+ new URL(js.Node.global.decodeURI(url));
+ } catch(e) return false;
 if (url.host == req.headers["host"]) return false;
 final options = {
 host: url.host,
@@ -149,6 +151,7 @@ class HttpServer {
 };
 final request = url.protocol == "https:" ? Https.request : Http.request;
 final proxy = request(options, proxyRes -> {
+ proxyRes.headers["Content-Type"] = "application/octet-stream";
 res.writeHead(proxyRes.statusCode, proxyRes.headers);
 proxyRes.pipe(res, {end: true});
 });
-- 
cgit v1.2.3
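Review bot: The guard `if (url.host == req.headers["host"]) return false;` right after the new try/catch is the only destination check visible here, and it compares against a header the client supplies, so it does not stop the proxy from being pointed at loopback, link-local or private-network addresses (server-side request forgery). The scheme is not checked either: further down, anything other than `https:` is handed to `Http.request`, so I would add `if (url.protocol != "http:" && url.protocol != "https:") return false;` directly after the parse. Destination filtering is better done on the resolved address, or with an allowlist of the hosts the client actually needs, than on the Host header. proxyUrl's body continues outside this hunk, so a further check may exist that is not visible here.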
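Review bot: The override in the response callback writes the key `"Content-Type"`, but Node stores incoming header names lower-cased, so `proxyRes.headers` will usually still hold the upstream `content-type` next to the new entry and `res.writeHead` may emit both; which one a browser honours is then not guaranteed. Assign the lower-case key instead, `proxyRes.headers["content-type"] = "application/octet-stream";`, and add `proxyRes.headers["x-content-type-options"] = "nosniff";` so the declared type is not sniffed away. The remaining upstream headers (for example `set-cookie`) are still forwarded unchanged under this server's origin; consider copying only the few headers the client needs. The callback sits inside proxyUrl, which starts and ends outside this hunk.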