scansion/serve.lua

changeset 157
b35dc87ebff0
parent 156
807dc9c0f140
child 158
f09fe6c16e10
--- a/scansion/serve.lua	Mon Sep 17 22:07:19 2018 +0100
+++ b/scansion/serve.lua	Fri Dec 28 04:35:51 2018 -0500
@@ -19,7 +19,17 @@
 			local chunk = json.encode(entry) .. "\r\n";
 			response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk));
 		end
-	
+
+		-- SECURITY NOTE: We MUST validate Origin before running the Scansion script,
+		-- since we don't want arbitrary websites to have local RCEs (CORS does not
+		-- protect us here, it at best keeps the script from seeing the response)
+		if request.headers.origin ~= config.origin and config.origin ~= "*" then
+			verse.log("warn", "Rejecting origin: %s", request.headers.origin);
+			response.status_code = 403; -- spec suggested response when we don't like the origin
+			response.headers.connection = "close";
+			return "";
+		end
+
 		response.status_code = 201;
 		response.headers.connection = "close";
 		response.headers.transfer_encoding = "chunked";
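Review bot: The new origin check rejects a request with no Origin header at all, which is the safe fail-closed behaviour, but the log line on that path then passes `nil` to `verse.log` as the `%s` argument; whether that raises depends on how verse.log formats (a plain `string.format` errors on `nil` for `%s` under Lua 5.1), so the rejection branch itself could fail before the 403 is written. Coercing explicitly avoids the question: `verse.log("warn", "Rejecting origin: %s", tostring(request.headers.origin));`. The `config.origin ~= "*"` clause disables the check entirely, which is at odds with the "MUST validate" comment just above it; a comment on that line such as `-- "*" accepts any website's Origin: this reintroduces the RCE the check exists to prevent` would make the trade-off visible to whoever sets the config. The enclosing handler function starts before the hunk and continues after it.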
