keewebhttp: drop malicious requests

2017-05-23 23:38:03 +02:00 · 2017-05-23 23:38:03 +02:00 · 2ec338341e
parent bcb728444c
commit 2ec338341e
2 changed files with 11 additions and 5 deletions
--- a/docs/plugins/keewebhttp/manifest.json
+++ b/docs/plugins/keewebhttp/manifest.json
@ -11,7 +11,7 @@
  "licence": "MIT",
  "url": "https://plugins.keeweb.info/plugins/keewebhttp",
  "resources": {
-    "js": "iTzPUSfTwTOP0zjeZHi8xNzmEg357fHuBQ4kHDlFqu4Svn5tZoseSm/XI9rscKnM5EudOAKhsJfck6Z0N3hTw3Ih3LAYlik6ltpI6P1hU0KP0j9L6bcrCndEoH/BZy7iaJiZqIvQHoRy7NHNf26Bbq6W4VO1bBcx8sH3H7GnaQEGHj2zS68KRTDwVR2QIErLTtOQvwuiSZCUwyZYilvDIM1wGcKi6TDzSz38MHNIyx4X/n7uHV63ToZSB6ipcF6HpoAKGkXKBWaXosqy3LoDPAzif5EZzv7JQGB2dAtpOoq2G5grUA5YZrIQ/SSNfREWUDom7Xj1HCNb59RxViOR+Q=="
+    "js": "LOKItHFTqpYOrqC5L7/P75w7r1sBMl1ZSGIdta3ifcIOQ7BJKAIH1cMNtjGuMIVZWLM7w3APjLwoeQ3pBzw91m09yGeBFY/aMQimVUJ9HV/NKls7YZN48sBtkkdR5ByIXSxniDbHsUIQJgOeTsNyDPy9jCN3tko/jO9tNG4cSgB5O77A0OYVZEbV8MtKwGgr6MNGG4mRdg+dN/23Xd+O8zgFrqCADXUjnMAQ+13y0upnIPbO6Ory1Ou7vtzssqSIpakkpxvnGqV/S25lxzLsdwtqQZRGJB4RJrY1SiB6FjZT0YuN1LqfugWEyIRbeyzdNMo7oCEiwfGR7vFnODq3kg=="
  },
  "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0oZB2Kt7AzRFNqf8FuO3C3kepHPAIQYiDPYdQxHcsiaFCwyKVx6K1cE/3vBhb8/2rj+QIIWNfAAuu1Y+2VK90ZBeq6HciukWzQRO/HWhfdy0c7JwDAslmyGI5olj0ZQkNLhkde1MiMxjDPpRhZtdJaryVO5cFJaJESpv3dV6m0qXsaQCluWYOSNfSjP9C8o2zRVjSi3ZQZnZIV5pnk9K2MtlZIPXrN9iJiM5zZ9DTSnqApI6dC9mX4R3LvGN+GTovm9C8Crl+qb106nGRR3LcweicDnPyMtZLa/E0DBpWYxUVLDp6WeLhxoUBr+6+t3Xp9IDnPoANDQXJXD0f1vQxQIDAQAB",
  "desktop": true,
--- a/docs/plugins/keewebhttp/plugin.js
+++ b/docs/plugins/keewebhttp/plugin.js
@ -52,6 +52,16 @@ function run() {
            return;
        }
        server = http.createServer((req, res) => {
+            const origin = req.headers.origin;
+            const referer = req.headers.referrer || req.headers.referer;
+            if (req.method !== 'POST' || referer || origin && !origin.startsWith('chrome-extension://')) {
+                if (DebugMode) {
+                    logger.debug('Request dropped', req.method, req.url, req.headers);
+                }
+                req.client.destroy();
+                res.end();
+                return;
+            }
            if (req.method === 'POST') {
                const body = [];
                req.on('data', data => body.push(data));
@ -71,10 +81,6 @@ function run() {
                            res.end(response);
                        });
                });
-            } else {
-                res.statusCode = 200;
-                res.setHeader('Content-Type', 'text/plain');
-                res.end('Hey dude, you should POST here!');
            }
        });
        const port = 19455;