17 local function log(type, data) |
17 local function log(type, data) |
18 local entry = { type = type, data = data, time = time() }; |
18 local entry = { type = type, data = data, time = time() }; |
19 local chunk = json.encode(entry) .. "\r\n"; |
19 local chunk = json.encode(entry) .. "\r\n"; |
20 response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk)); |
20 response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk)); |
21 end |
21 end |
22 |
22 |
|
23 -- SECURITY NOTE: We MUST validate Origin before running the Scansion script, |
|
24 -- since we don't want arbitrary websites to have local RCEs (CORS does not |
|
25 -- protect us here, it at best keeps the script from seeing the response) |
|
26 if request.headers.origin ~= config.origin and config.origin ~= "*" then |
|
27 verse.log("warn", "Rejecting origin: %s", request.headers.origin); |
|
28 response.status_code = 403; -- spec suggested response when we don't like the origin |
|
29 response.headers.connection = "close"; |
|
30 return ""; |
|
31 end |
|
32 |
23 response.status_code = 201; |
33 response.status_code = 201; |
24 response.headers.connection = "close"; |
34 response.headers.connection = "close"; |
25 response.headers.transfer_encoding = "chunked"; |
35 response.headers.transfer_encoding = "chunked"; |
26 response.conn:send(table.concat(http_server.prepare_header(response))); |
36 response.conn:send(table.concat(http_server.prepare_header(response))); |
27 |
37 |