From 1c561161e2eb9a06a12f7b09a615ebb98aaadf31 Mon Sep 17 00:00:00 2001
From: 3846masa <3846masahiro+git@gmail.com>
Date: Sat, 22 Dec 2018 23:28:48 +0900
Subject: [PATCH 1/2] Fix checkHost fixed #1604
---
 lib/Server.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/Server.js b/lib/Server.js
index e1b2034acd..90494c99b1 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -646,7 +646,12 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
 }
 
 // use the node url-parser to retrieve the hostname from the host-header.
- const hostname = url.parse(`//${hostHeader}`, false, true).hostname;
+ const hostname = url.parse(
+ // if hostHeader doesn't have scheme, add // for parsing.
+ /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+ false,
+ true,
+ ).hostname;
 // always allow requests with explicit IPv4 or IPv6-address.
 // A note on IPv6 addresses:
 // hostHeader will always contain the brackets denoting
From e614308fed6eafc2fccce37837fd16c406f54116 Mon Sep 17 00:00:00 2001
From: 3846masa <3846masahiro+git@gmail.com>
Date: Sat, 22 Dec 2018 23:40:00 +0900
Subject: [PATCH 2/2] Add test checkHost should allow urls with scheme
---
 test/Validation.test.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/test/Validation.test.js b/test/Validation.test.js
index 12c54d7e83..8dc0f98cb6 100644
--- a/test/Validation.test.js
+++ b/test/Validation.test.js
@@ -171,6 +171,19 @@ describe('Validation', () => {
 }
 });
 
+ it('should allow urls with scheme for checking origin', () => {
+ const options = {
+ public: 'test.host:80'
+ };
+ const headers = {
+ origin: 'https://test.host'
+ };
+ const server = new Server(compiler, options);
+ if (!server.checkHost(headers, 'origin')) {
+ throw new Error("Validation didn't fail");
+ }
+ });
+
 describe('allowedHosts', () => {
 it('should allow hosts in allowedHosts', () => {
 const tests = [
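Review bot: The scheme test `/^(.+:)?\/\//` in the new `url.parse(` argument is broader than a URI scheme, because `.+` accepts any characters before `://`. Any header value of that shape is therefore passed to `url.parse` without the `//` prefix, and the test runs on whatever header `headerToCheck` names, not only on Origin. Since `checkHost` appears to be the host allow-list check, the unprefixed branch should be taken only for a syntactically valid scheme, e.g. `/^([a-z][a-z0-9+.-]*:)?\/\//i.test(hostHeader)`. The inline comment could also state that Origin values carry a scheme while Host values do not, which is why both forms are handled. The body of `checkHost` starts before and continues after this hunk, so how the resulting `hostname` is compared is not visible here.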
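Review bot: The failure message in the added test is inverted: the `throw` runs when `checkHost` returns false, i.e. when validation did fail, so `throw new Error("Validation didn't fail");` should read `throw new Error("Validation didn't pass");`. The test also covers only the accepting path. Because the parsing change sits in a host check, a companion case should assert that a scheme-bearing Origin whose host differs from `public` is still rejected; that is presumably the outcome with these options, but the comparison logic is outside the diff. The host name in the sketch below is a constructed sample value.

```javascript
it('should reject urls with scheme when the origin host is not allowed', () => {
  const options = {
    public: 'test.host:80'
  };
  const headers = {
    // constructed sample value: any host other than options.public
    origin: 'https://other.host.example'
  };
  const server = new Server(compiler, options);
  if (server.checkHost(headers, 'origin')) {
    throw new Error("Validation didn't fail");
  }
});
```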