root
/
greenlock-express.js
mirror of https://github.com/therootcompany/greenlock-express.js.git
2
1
Fork 0
Code Issues 43 Releases Wiki Activity

rely on built-in security checks

This commit is contained in:
AJ ONeal 2018-08-18 04:40:26 -06:00
parent b6bdca552b
commit 8c0d6c718d
1 changed files with 7 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
examples/vhost.js
View File

@ -14,10 +14,9 @@ var finalhandler = require('finalhandler');
var serveStatic = require('serve-static'); var serveStatic = require('serve-static');
var path = require('path'); var path = require('path');
// Allowed characters are a-z,0-9,.,-,_ with TLDs being alpha-only // Allowed characters are a-z,0-9,.,-,_ with TLDs being alpha-only
var hostnameRe = /^[\.a-z0-9_\-]+\.[a-z]+$/i;
//require('greenlock-express') //var glx = require('greenlock-express')
require('../').create({ var glx = require('../').create({
// Let's Encrypt v2 is ACME draft 11 // Let's Encrypt v2 is ACME draft 11
version: 'draft-11' version: 'draft-11'
@ -69,14 +68,9 @@ require('../').create({
, configDir: '~/.config/acme/' , configDir: '~/.config/acme/'
, app: function (req, res) { , app: function (req, res) {
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access
console.log(req.headers.host); console.log(req.headers.host);
var hostname = (req.headers.host||'').toLowerCase().split(':')[0]; var hostname = req.headers.host;
// SECURITY sanatize hostname to prevent unauthorized fs access
if (!hostnameRe.test(hostname)) {
res.statusCode = 404;
res.end('Bad Hostname');
return;
}
var serve = serveStatic(path.join(srv, hostname), { redirect: true }); var serve = serveStatic(path.join(srv, hostname), { redirect: true });
serve(req, res, finalhandler(req, res)); serve(req, res, finalhandler(req, res));
@ -87,4 +81,6 @@ require('../').create({
//, debug: true //, debug: true
}).listen(80, 443); });
var server = glx.listen(80, 443);