inspector: report client-visible host and port #19664
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
c++
Adsada2205
approved these changes
Mar 28, 2018
cjihrig
reviewed
Mar 30, 2018
src/inspector_socket_server.cc
Outdated
| } | ||
| std::string FormatAddress(const std::string& host, | ||
| const std::string& target_id, | ||
| bool include_protocol) { |
There was a problem hiding this comment.
Can you line these two arguments up with the first one.
|
I’m not sure what to feel about this. It feels almost like an XSS vector, but using HTTP headers. |
Can you clarify? In my opinion, it is the opposite - less information (that the remote party may not already know) is provided. Before this patch, the response would show an actual IP in case of remote connection. |
|
Fair enough. |
TimothyGu
approved these changes
Mar 30, 2018
|
Did a second CI run: https://ci.nodejs.org/job/node-test-commit/17358/ No relevant failures detected (one failure from the first run was not detected in the second run and seems unlikely to have been caused by the change) |
Node instance may not know the real host and port user sees when debug frontend connects through the SSH tunnel. This change fixes '/json/list' response by using the value client provided in the host header. PR-URL: #19664 Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
targos
pushed a commit
that referenced
this pull request
Apr 2, 2018
Node instance may not know the real host and port user sees when debug frontend connects through the SSH tunnel. This change fixes '/json/list' response by using the value client provided in the host header. PR-URL: #19664 Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Merged
TimothyGu
added
the
inspector
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Node instance may not know the real host and port user sees when
debug frontend connects through the SSH tunnel. This change fixes
'/json/list' response by using the value client provided in the host
header.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes