authorMatthew Holt <[email protected]>2020-05-21 12:29:19 -0600
committerMatthew Holt <[email protected]>2020-05-21 12:29:19 -0600
commit1dc4ec2d77f6f239f4c17e8ba754e71655796a4d (patch)
tree47600e97d27668a7f52f872901d2a610edd96ae4 /admin.go
parent452d4726f7d006d22a3835c4011a847c70068754 (diff)
admin: Disallow websockets
No currently-known exploit here, just being conservative
Diffstat (limited to 'admin.go')
-rw-r--r--admin.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/admin.go b/admin.go
index e584a3bbd..237af3cab 100644
--- a/admin.go
+++ b/admin.go
@@ -299,6 +299,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// be called more than once per request, for example if a request
// is rewritten (i.e. internal redirect).
func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
+ if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
+ // I've never been able demonstrate a vulnerability myself, but apparently
+ // WebSocket connections originating from browsers aren't subject to CORS
+ // restrictions, so we'll just be on the safe side
+ h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
+ return
+ }
+
if h.enforceHost {
// DNS rebinding mitigation
err := h.checkHost(r)
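Review bot: The new guard on the `Upgrade` header is a case-sensitive substring match on only the first header value, while RFC 6455 and RFC 7230 treat the upgrade token as case-insensitive and allow it in a comma-separated list or repeated header lines, so a request sending `Upgrade: WebSocket` would not be rejected by this check. Folding case before matching and checking every value closes that gap: `for _, v := range r.Header.Values("Upgrade") {` / `if strings.Contains(strings.ToLower(v), "websocket") {` (`Header.Values` needs Go 1.14+; `strings.ToLower(r.Header.Get("Upgrade"))` is the minimal fix if only the first value matters). Since the error has no format verbs, `errors.New("websocket connections aren't allowed")` is the idiomatic form over `fmt.Errorf`, and a short comment stating that the Upgrade token is compared case-insensitively per RFC 6455 would explain the lowering to the next reader. What status code `h.handleError` emits for this case is not visible in the hunk; a 4xx that does not imply a server fault seems appropriate but should be confirmed. The body of `serveHTTP` continues outside the hunk.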