comparison: scansion/serve.lua
scansion/serve.lua
- changeset 157
- b35dc87ebff0
- parent 156
- 807dc9c0f140
- child 158
- f09fe6c16e10
equal
deleted
inserted
replaced
| 156:807dc9c0f140 | 157:b35dc87ebff0 |
|---|---|
| 17 local function log(type, data) | 17 local function log(type, data) |
| 18 local entry = { type = type, data = data, time = time() }; | 18 local entry = { type = type, data = data, time = time() }; |
| 19 local chunk = json.encode(entry) .. "\r\n"; | 19 local chunk = json.encode(entry) .. "\r\n"; |
| 20 response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk)); | 20 response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk)); |
| 21 end | 21 end |
| 22 | 22 |
| 23 -- SECURITY NOTE: We MUST validate Origin before running the Scansion script, | |
| 24 -- since we don't want arbitrary websites to have local RCEs (CORS does not | |
| 25 -- protect us here, it at best keeps the script from seeing the response) | |
| 26 if request.headers.origin ~= config.origin and config.origin ~= "*" then | |
| 27 verse.log("warn", "Rejecting origin: %s", request.headers.origin); | |
| 28 response.status_code = 403; -- spec suggested response when we don't like the origin | |
| 29 response.headers.connection = "close"; | |
| 30 return ""; | |
| 31 end | |
| 32 | |
| 23 response.status_code = 201; | 33 response.status_code = 201; |
| 24 response.headers.connection = "close"; | 34 response.headers.connection = "close"; |
| 25 response.headers.transfer_encoding = "chunked"; | 35 response.headers.transfer_encoding = "chunked"; |
| 26 response.conn:send(table.concat(http_server.prepare_header(response))); | 36 response.conn:send(table.concat(http_server.prepare_header(response))); |
| 27 | 37 |
