Merge pull request webtorrent#1260 from diracdeltas/fix/add-hostname-opt

feross · web-flow · commit e7d6e4f06d1d · 2018-03-02T14:35:09.000-08:00
Add hostname option to mitigate DNS rebinding
diff --git a/docs/api.md b/docs/api.md
@@ -327,6 +327,7 @@ Returns an `http.Server` instance (got from calling `http.createServer`). If
 ```js
 {
   origin: String // Allow requests from specific origin. `false` for same-origin. [default: '*']
+  hostname: String // If specified, only allow requests whose `Host` header matches this hostname. Note that you should not specify the port since this is automatically determined by the server. Ex: `localhost` [default: `undefined`]
 }
 ```
 
diff --git a/lib/server.js b/lib/server.js
@@ -51,6 +51,13 @@ function Server (torrent, opts) {
     // deny them
     if (req.headers.origin == null) return false
 
+    // If a 'hostname' string is specified, deny requests with a 'Host'
+    // header that does not match the origin of the torrent server to prevent
+    // DNS rebinding attacks.
+    if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
+      return false
+    }
+
     // The user allowed all origins
     if (opts.origin === '*') return true
 

Original file line number	Diff line number	Diff line change
@@ -327,6 +327,7 @@ Returns an `http.Server` instance (got from calling `http.createServer`). If
`327`	`327`	```js
`328`	`328`	`{`
`329`	`329`	origin: String // Allow requests from specific origin. `false` for same-origin. [default: '*']
	`330`	+ hostname: String // If specified, only allow requests whose `Host` header matches this hostname. Note that you should not specify the port since this is automatically determined by the server. Ex: `localhost` [default: `undefined`]
`330`	`331`	`}`
`331`	`332`	```
`332`	`333`