mirror of
https://github.com/XTLS/Xray-core.git
synced 2024-12-22 19:33:32 +02:00
Validate /websocket requests from browser dialer page (#3295)
Fixes https://github.com/XTLS/Xray-core/issues/3236 --------- Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
This commit is contained in:
parent
61800fcc66
commit
8ce2a0e245
2 changed files with 12 additions and 5 deletions
|
@ -1,6 +1,7 @@
|
|||
package websocket
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
_ "embed"
|
||||
"encoding/base64"
|
||||
|
@ -14,6 +15,7 @@ import (
|
|||
"github.com/xtls/xray-core/common/net"
|
||||
"github.com/xtls/xray-core/common/platform"
|
||||
"github.com/xtls/xray-core/common/session"
|
||||
"github.com/xtls/xray-core/common/uuid"
|
||||
"github.com/xtls/xray-core/transport/internet"
|
||||
"github.com/xtls/xray-core/transport/internet/stat"
|
||||
"github.com/xtls/xray-core/transport/internet/tls"
|
||||
|
@ -27,13 +29,18 @@ var conns chan *websocket.Conn
|
|||
func init() {
|
||||
addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
|
||||
if addr != "" {
|
||||
token := uuid.New()
|
||||
csrfToken := token.String()
|
||||
webpage = bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
|
||||
conns = make(chan *websocket.Conn, 256)
|
||||
go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Path == "/websocket" {
|
||||
if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
|
||||
conns <- conn
|
||||
} else {
|
||||
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
|
||||
if r.URL.Query().Get("token") == csrfToken {
|
||||
if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
|
||||
conns <- conn
|
||||
} else {
|
||||
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
|
||||
}
|
||||
}
|
||||
} else {
|
||||
w.Write(webpage)
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
<body>
|
||||
<script>
|
||||
// Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
|
||||
var url = "ws://" + window.location.host + "/websocket"
|
||||
var url = "ws://" + window.location.host + "/websocket?token=csrfToken"
|
||||
var count = 0
|
||||
setInterval(check, 1000)
|
||||
function check() {
|
||||
|
|
Loading…
Reference in a new issue