From 1dc4ec2d77f6f239f4c17e8ba754e71655796a4d Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Thu, 21 May 2020 12:29:19 -0600
Subject: admin: Disallow websockets

No currently-known exploit here, just being conservative
---
 admin.go | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'admin.go')

diff --git a/admin.go b/admin.go
index e584a3b..237af3c 100644
--- a/admin.go
+++ b/admin.go
@@ -299,6 +299,14 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // be called more than once per request, for example if a request
 // is rewritten (i.e. internal redirect).
 func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
+	if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
+		// I've never been able demonstrate a vulnerability myself, but apparently
+		// WebSocket connections originating from browsers aren't subject to CORS
+		// restrictions, so we'll just be on the safe side
+		h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
+		return
+	}
+
 	if h.enforceHost {
 		// DNS rebinding mitigation
 		err := h.checkHost(r)
-- 
cgit v1.2.3