Validate /websocket requests from browser dialer page (#3295)

Fixes https://github.com/XTLS/Xray-core/issues/3236

---------

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
This commit is contained in:
mmmray 2024-04-26 05:19:25 +02:00 committed by GitHub
parent 61800fcc66
commit 8ce2a0e245
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 12 additions and 5 deletions


@ -1,6 +1,7 @@
package websocket package websocket
import ( import (
"bytes"
"context" "context"
_ "embed" _ "embed"
"encoding/base64" "encoding/base64"
@ -14,6 +15,7 @@ import (
"github.com/xtls/xray-core/common/net" "github.com/xtls/xray-core/common/net"
"github.com/xtls/xray-core/common/platform" "github.com/xtls/xray-core/common/platform"
"github.com/xtls/xray-core/common/session" "github.com/xtls/xray-core/common/session"
"github.com/xtls/xray-core/common/uuid"
"github.com/xtls/xray-core/transport/internet" "github.com/xtls/xray-core/transport/internet"
"github.com/xtls/xray-core/transport/internet/stat" "github.com/xtls/xray-core/transport/internet/stat"
"github.com/xtls/xray-core/transport/internet/tls" "github.com/xtls/xray-core/transport/internet/tls"
@ -27,13 +29,18 @@ var conns chan *websocket.Conn
func init() { func init() {
addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" }) addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
if addr != "" { if addr != "" {
token := uuid.New()
csrfToken := token.String()
webpage = bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
conns = make(chan *websocket.Conn, 256) conns = make(chan *websocket.Conn, 256)
go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/websocket" { if r.URL.Path == "/websocket" {
if conn, err := upgrader.Upgrade(w, r, nil); err == nil { if r.URL.Query().Get("token") == csrfToken {
conns <- conn if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
} else { conns <- conn
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog() } else {
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
}
} }
} else { } else {
w.Write(webpage) w.Write(webpage)
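Review bot: The new token check on the `if r.URL.Query().Get("token") == csrfToken {` line has no else branch, so a /websocket request with a missing or wrong token falls through and receives an implicit 200 with an empty body instead of an explicit refusal; adding `} else { http.Error(w, "forbidden", http.StatusForbidden) }` after the inner block makes the rejection visible to the client and in any access logging. The comparison is a plain string `==`, which is not constant-time; since this value is the secret gating the upgrade, `subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("token")), []byte(csrfToken)) == 1` (with `"crypto/subtle"` imported) is the conventional form, though on a listener bound to a local address the practical exposure is presumably small. A short comment on the `csrfToken := token.String()` line noting that the literal `"csrfToken"` replaced in the embedded page is a placeholder marker, not the variable, would help, since the same spelling serves both roles here. The handler closure continues past the end of this hunk.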


@ -6,7 +6,7 @@
<body> <body>
<script> <script>
// Copyright (c) 2021 XRAY. Mozilla Public License 2.0. // Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
var url = "ws://" + window.location.host + "/websocket" var url = "ws://" + window.location.host + "/websocket?token=csrfToken"
var count = 0 var count = 0
setInterval(check, 1000) setInterval(check, 1000)
function check() { function check() {
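Review bot: The literal `csrfToken` in `var url = "ws://" + window.location.host + "/websocket?token=csrfToken"` reads like an undefined identifier to anyone looking at this page on its own; nothing in the file says it is a placeholder rewritten by the serving Go code at startup. A comment on the line above, such as `// "csrfToken" is a placeholder; the Go side substitutes the per-process token before serving this page`, would make the contract explicit and keep a future edit from "correcting" the string. Carrying the token in the query string also means it shows up wherever the WebSocket URL is recorded (browser devtools, for instance), which is probably acceptable since the page and the endpoint come from the same process, but is worth stating. check() continues beyond the hunk.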