github
/
Xray-core
mirror of https://github.com/XTLS/Xray-core
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Validate /websocket requests from browser dialer page (#3295) 

Fixes https://github.com/XTLS/Xray-core/issues/3236

---------

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
pull/3308/head
mmmray 7 months ago committed by GitHub
parent
61800fcc66
commit
8ce2a0e245
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 12 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 15
      transport/internet/websocket/dialer.go
  2. 2
      transport/internet/websocket/dialer.html

15
transport/internet/websocket/dialer.go
Unescape View File

@ -1,6 +1,7 @@
package websocket
import (
"bytes"
"context"
_ "embed"
"encoding/base64"
@ -14,6 +15,7 @@ import (
"github.com/xtls/xray-core/common/net"
"github.com/xtls/xray-core/common/platform"
"github.com/xtls/xray-core/common/session"
"github.com/xtls/xray-core/common/uuid"
"github.com/xtls/xray-core/transport/internet"
"github.com/xtls/xray-core/transport/internet/stat"
"github.com/xtls/xray-core/transport/internet/tls"
@ -27,13 +29,18 @@ var conns chan *websocket.Conn
func init() {
addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
if addr != "" {
token := uuid.New()
csrfToken := token.String()
webpage = bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
conns = make(chan *websocket.Conn, 256)
go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/websocket" {
if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
conns <- conn
} else {
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
if r.URL.Query().Get("token") == csrfToken {
if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
conns <- conn
} else {
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
}
}
} else {
w.Write(webpage)

2
transport/internet/websocket/dialer.html
Unescape View File

@ -6,7 +6,7 @@
<body>
<script>
// Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
var url = "ws://" + window.location.host + "/websocket"
var url = "ws://" + window.location.host + "/websocket?token=csrfToken"
var count = 0
setInterval(check, 1000)
function check() {

Write Preview
Loading…
Cancel
Save