Validate /websocket requests from browser dialer page (#3295)
Fixes https://github.com/XTLS/Xray-core/issues/3236 --------- Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
This commit is contained in:
parent
61800fcc66
commit
8ce2a0e245
@ -1,6 +1,7 @@
|
|||||||
package websocket
|
package websocket
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
_ "embed"
|
_ "embed"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
@ -14,6 +15,7 @@ import (
|
|||||||
"github.com/xtls/xray-core/common/net"
|
"github.com/xtls/xray-core/common/net"
|
||||||
"github.com/xtls/xray-core/common/platform"
|
"github.com/xtls/xray-core/common/platform"
|
||||||
"github.com/xtls/xray-core/common/session"
|
"github.com/xtls/xray-core/common/session"
|
||||||
|
"github.com/xtls/xray-core/common/uuid"
|
||||||
"github.com/xtls/xray-core/transport/internet"
|
"github.com/xtls/xray-core/transport/internet"
|
||||||
"github.com/xtls/xray-core/transport/internet/stat"
|
"github.com/xtls/xray-core/transport/internet/stat"
|
||||||
"github.com/xtls/xray-core/transport/internet/tls"
|
"github.com/xtls/xray-core/transport/internet/tls"
|
||||||
@ -27,14 +29,19 @@ var conns chan *websocket.Conn
|
|||||||
func init() {
|
func init() {
|
||||||
addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
|
addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
|
||||||
if addr != "" {
|
if addr != "" {
|
||||||
|
token := uuid.New()
|
||||||
|
csrfToken := token.String()
|
||||||
|
webpage = bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
|
||||||
conns = make(chan *websocket.Conn, 256)
|
conns = make(chan *websocket.Conn, 256)
|
||||||
go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
if r.URL.Path == "/websocket" {
|
if r.URL.Path == "/websocket" {
|
||||||
|
if r.URL.Query().Get("token") == csrfToken {
|
||||||
if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
|
if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
|
||||||
conns <- conn
|
conns <- conn
|
||||||
} else {
|
} else {
|
||||||
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
|
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
|
||||||
}
|
}
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
w.Write(webpage)
|
w.Write(webpage)
|
||||||
}
|
}
|
||||||
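Review bot: A request to /websocket with a missing or wrong token falls out of the new `if r.URL.Query().Get("token") == csrfToken {` check and the handler returns with an implicit 200 and empty body, so a rejected client gets no signal that the token check failed; add an else branch, `} else { http.Error(w, "forbidden", http.StatusForbidden) }`, so the rejection is explicit and shows up in logs. The comparison is a plain `==`; since this token is now the only thing between an arbitrary page in the same browser and the dialer, a constant-time compare is cheap: `if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("token")), []byte(csrfToken)) == 1 {` (with `"crypto/subtle"` added to the import block). Whether the token is unpredictable rests on `uuid.New()` drawing from a cryptographic source, which this hunk does not show — worth a comment on the `token := uuid.New()` line such as `// per-process CSRF token; relies on uuid.New() being backed by crypto/rand`. Origin-level rejection of the upgrade still depends on `upgrader`'s CheckOrigin, which is declared outside this hunk, as is the remainder of the handler closure.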
|
@ -6,7 +6,7 @@
|
|||||||
<body>
|
<body>
|
||||||
<script>
|
<script>
|
||||||
// Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
|
// Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
|
||||||
var url = "ws://" + window.location.host + "/websocket"
|
var url = "ws://" + window.location.host + "/websocket?token=csrfToken"
|
||||||
var count = 0
|
var count = 0
|
||||||
setInterval(check, 1000)
|
setInterval(check, 1000)
|
||||||
function check() {
|
function check() {
|
||||||
|
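Review bot: The literal `csrfToken` in the new `var url` line is not a JavaScript value but a placeholder that the Go `init()` serving this page rewrites with `bytes.ReplaceAll` before the page is sent, and nothing in the page says so; a reader of this file on its own will take it for a bug. Add a comment on that line: `// "csrfToken" is replaced server-side with the per-process token before this page is served`. Because the substitution is a global replace over the page bytes, any future occurrence of the word csrfToken elsewhere in this file (an identifier or a comment) would also be rewritten — worth saying in the same comment. The body of `check()` continues past the end of the hunk.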