ryanburnette/greenlock-express.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

better security / education in example

Browse Source
This commit is contained in:
AJ ONeal 2019-04-10 11:44:24 -06:00
parent 0d2d571458
commit c7dfec515d
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
examples/vhost.js
View File

@ -62,6 +62,11 @@ function myApproveDomains(opts, certs, cb) {
} }
function checkWwws(_hostname) { function checkWwws(_hostname) {
if (!_hostname) {
// SECURITY, don't allow access to the 'srv' root
// (greenlock-express uses middleware to check '..', etc)
return '';
}
var hostname = _hostname; var hostname = _hostname;
var _hostdir = path.join(srv, hostname); var _hostdir = path.join(srv, hostname);
var hostdir = _hostdir; var hostdir = _hostdir;
@ -99,6 +104,11 @@ function myVhostApp(req, res) {
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to // SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
// (also: only domains approved above will get here) // (also: only domains approved above will get here)
console.log('vhost:', req.headers.host); console.log('vhost:', req.headers.host);
if (!req.headers.host) {
// SECURITY, don't allow access to the 'srv' root
// (greenlock-express uses middleware to check '..', etc)
return res.end();
}
// We could cache wether or not a host exists for some amount of time // We could cache wether or not a host exists for some amount of time
var fin = finalhandler(req, res); var fin = finalhandler(req, res);