
Added implicit port 80 for origin checks. Fixes socketio#638
einaros committed Nov 14, 2011
1 parent 3ed6b79 commit ffef944
Showing 5 changed files with 76 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/manager.js
Expand Up @@ -813,6 +813,7 @@ Manager.prototype.verifyOrigin = function (request) {
if (origin) {
try {
var parts = url.parse(origin);
parts.port = parts.port || 80;
var ok =
~origins.indexOf(parts.hostname + ':' + parts.port) ||
~origins.indexOf(parts.hostname + ':*') ||
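Review bot: The fallback on the added line `parts.port = parts.port || 80;` applies the HTTP default regardless of scheme, so an `https://foo.bar.com` origin is checked as `foo.bar.com:80`, which would match an allow-list entry written for plain HTTP and never match `foo.bar.com:443`. `url.parse` exposes the scheme as `parts.protocol`, so the default should follow it: `parts.port = parts.port || (parts.protocol === 'https:' ? 443 : 80);`. Whether `origin` here can be taken from a Referer header is decided outside the hunk, and the same caveat would then apply to `https` referers. `verifyOrigin` begins at the hunk header and its remaining `ok` alternatives and the `catch` block continue past the hunk.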
1 change: 1 addition & 0 deletions lib/transports/websocket/hybi-07-12.js
Expand Up @@ -159,6 +159,7 @@ WebSocket.prototype.verifyOrigin = function (origin) {
if (origin) {
try {
var parts = url.parse(origin);
parts.port = parts.port || 80;
var ok =
~origins.indexOf(parts.hostname + ':' + parts.port) ||
~origins.indexOf(parts.hostname + ':*') ||
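Review bot: Defaulting to 80 on the added line is wrong for TLS clients: a page served over HTTPS sends `Sec-WebSocket-Origin: https://foo.bar.com`, whose implicit port is 443, yet this check will compare it against `foo.bar.com:80` and accept it for an HTTP-only entry while rejecting an operator's `foo.bar.com:443` entry. Use the parsed scheme to pick the default, `parts.port = parts.port || (parts.protocol === 'https:' ? 443 : 80);`. An origin that fails to parse to a hostname (browsers send the literal `null` for opaque origins) still produces a string like `undefined:80`, which is harmless only as long as nobody lists that in `origins`; a short comment saying the `||` is intentional for missing ports would help the next reader. The enclosing `verifyOrigin` starts at the hunk header and ends outside the hunk.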
1 change: 1 addition & 0 deletions lib/transports/websocket/hybi-16.js
Expand Up @@ -159,6 +159,7 @@ WebSocket.prototype.verifyOrigin = function (origin) {
if (origin) {
try {
var parts = url.parse(origin);
parts.port = parts.port || 80;
var ok =
~origins.indexOf(parts.hostname + ':' + parts.port) ||
~origins.indexOf(parts.hostname + ':*') ||
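Review bot: This is the third byte-identical copy of the origin check touched by the commit, and the port defaulting now has to be kept in sync by hand across lib/manager.js, hybi-07-12.js and hybi-16.js; a single exported helper, e.g. `Manager.prototype.originMatches(origin)`, would make a later fix land in one place. That later fix is already needed: `parts.port = parts.port || 80;` treats an `https://` origin as port 80, so the line should read `parts.port = parts.port || (parts.protocol === 'https:' ? 443 : 80);`. The function body continues beyond the hunk, so the `catch` path that handles unparsable origins is not visible here.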
17 changes: 17 additions & 0 deletions test/manager.test.js
Expand Up @@ -277,6 +277,23 @@ module.exports = {
});
},

'test that a referer with implicit port 80 is accepted for foo.bar.com:80 origin': function (done) {
var port = ++ports
, io = sio.listen(port)
, cl = client(port);

io.configure(function () {
io.set('origins', 'foo.bar.com:80');
});

cl.get('/socket.io/{protocol}', { headers: { referer: 'http://foo.bar.com/something' } }, function (res, data) {
res.statusCode.should.eql(200);
cl.end();
io.server.close();
done();
});
},

'test that erroneous referer is denied for addr:* origin': function (done) {
var port = ++ports
, io = sio.listen(port)
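Review bot: The new test pins only the accept path for an `http://` referer with no port; nothing asserts that the defaulting does not widen the match. A sibling case that sends `referer: 'https://foo.bar.com/something'` against `origins` set to `foo.bar.com:80` would document whether a TLS origin (implicit port 443) is meant to match an HTTP allow-list entry; with the `|| 80` added in lib/manager.js it is currently accepted, which looks unintended. Since the test relies on the Referer rather than the Origin header, it also implicitly documents that `verifyOrigin` falls back to Referer, which is worth a one-line comment so the intent is not lost if that fallback changes.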
56 changes: 56 additions & 0 deletions test/transports.websocket.test.js
Expand Up @@ -132,6 +132,62 @@ module.exports = {
});
},

'hybi-07-12 origin filter accepts implicit port 80 for sec-websocket-origin': function (done) {
var cl = client(++ports)
, io = create(cl)

io.set('transports', ['websocket']);
io.set('origins', 'foo.bar.com:80');

var headers = {
'sec-websocket-version': 8,
'upgrade': 'websocket',
'Sec-WebSocket-Origin': 'http://foo.bar.com',
'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ=='
}

io.sockets.on('connection', function() {
cl.end();
io.server.close();
done();
});

// handshake uses correct origin -- we want to block the actuall websocket call
cl.get('/socket.io/{protocol}', {headers: {origin: 'http://foo.bar.com'}}, function (res, data) {
var sid = data.split(':')[0];
var url = '/socket.io/' + sio.protocol + '/websocket/' + sid;
cl.get(url, {headers: headers}, function (res, data) {});
});
},

'hybi-16 origin filter accepts implicit port 80 for sec-websocket-origin': function (done) {
var cl = client(++ports)
, io = create(cl)

io.set('transports', ['websocket']);
io.set('origins', 'foo.bar.com:80');

var headers = {
'sec-websocket-version': 13,
'upgrade': 'websocket',
'origin': 'http://foo.bar.com',
'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ=='
}

io.sockets.on('connection', function() {
cl.end();
io.server.close();
done();
});

// handshake uses correct origin -- we want to block the actuall websocket call
cl.get('/socket.io/{protocol}', {headers: {origin: 'http://foo.bar.com'}}, function (res, data) {
var sid = data.split(':')[0];
var url = '/socket.io/' + sio.protocol + '/websocket/' + sid;
cl.get(url, {headers: headers}, function (res, data) {});
});
},

'hybi-16 origin filter blocks access for mismatched sec-websocket-origin': function (done) {
var cl = client(++ports)
, io = create(cl)
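Review bot: The comment `// handshake uses correct origin -- we want to block the actuall websocket call` in both new tests contradicts what they assert: they wait for `io.sockets.on('connection', ...)`, i.e. the upgrade is expected to succeed, not be blocked, and "actuall" is a typo. It appears to have been copied from the neighbouring mismatched-origin test; replace it with `// handshake uses the allowed origin; the upgrade with an implicit-port-80 origin must connect`. Neither test has a failure path, so a rejected upgrade would only show up as a timeout rather than an assertion; passing a callback to the final `cl.get` that fails on a non-101 status would make the failure explicit.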
