
Commit b2331a9

committed
[release-v2.1] rpcserver: Fix CheckOrigin inverted err check.
When both the `Origin` header and the request `Host` header lack an explicit port (common behind reverse proxies on standard ports 443/80), both values collapse to the empty string, and `equalASCIIFold("", "")` returns `true` - allowing **any cross-origin websocket handshake** to succeed.
1 parent 7711005 commit b2331a9

1 file changed

Lines changed: 2 additions & 2 deletions


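--- a/internal/rpcserver/rpcserver.go
+++ b/internal/rpcserver/rpcserver.go
@@ -5964,10 +5964,10 @@ func (s *Server) route(ctx context.Context) *http.Server {
 // Strip the port from both the origin and request hosts.
 originHost := originURL.Host
 requestHost := r.Host
-if host, _, err := net.SplitHostPort(originHost); err != nil {
+if host, _, err := net.SplitHostPort(originHost); err == nil {
 originHost = host
 }
-if host, _, err := net.SplitHostPort(requestHost); err != nil {
+if host, _, err := net.SplitHostPort(requestHost); err == nil {
 requestHost = host
 }
 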
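Review bot: Nothing in the visible lines rejects an empty host before the comparison, so the check still relies on `net.SplitHostPort` never producing an empty string on its success path; the comparison itself, and the start and end of the enclosing closure, are outside this hunk. After the two `if` blocks I would add an explicit fail-closed guard such as `if originHost == "" || requestHost == "" { return false }` (assuming the callback returns a bool, as a websocket `CheckOrigin` normally does), which also covers an `Origin` whose URL has no host part. The commit touches only this one file, so a regression test for the port-less `Origin`/`Host` case described in the commit message would be worth adding alongside it. A short comment above the blocks, for example `// SplitHostPort errors when no port is present; keep the value unchanged in that case.`, would help keep the condition from being flipped again.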
