diff --git a/examples/vhost.js b/examples/vhost.js
index 86bad0f..93460d1 100644
--- a/examples/vhost.js
+++ b/examples/vhost.js
@@ -62,6 +62,11 @@ function myApproveDomains(opts, certs, cb) {
 }
 function checkWwws(_hostname) {
+ if (!_hostname) {
+ // SECURITY, don't allow access to the 'srv' root
+ // (greenlock-express uses middleware to check '..', etc)
+ return '';
+ }
 var hostname = _hostname;
 var _hostdir = path.join(srv, hostname);
 var hostdir = _hostdir;
@@ -99,6 +104,11 @@ function myVhostApp(req, res) {
 // SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
 // (also: only domains approved above will get here)
 console.log('vhost:', req.headers.host);
+ if (!req.headers.host) {
+ // SECURITY, don't allow access to the 'srv' root
+ // (greenlock-express uses middleware to check '..', etc)
+ return res.end();
+ }
 // We could cache wether or not a host exists for some amount of time
 var fin = finalhandler(req, res);
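Review bot: The new guard in `checkWwws` rejects only falsy values, so a hostname of `.` still makes `path.join(srv, hostname)` resolve to the `srv` root. Names with `..` or a path separator are left entirely to the upstream middleware mentioned in the comment, which is not visible here. As defence in depth, I would add a local containment check before the join, for example `if (hostname === '.' || hostname === '..' || hostname !== path.basename(hostname)) { return ''; }`. The rest of `checkWwws` is outside the hunk, so please confirm that every caller treats `''` the same way as the function's normal "unknown host" result, and document that contract in a comment above the function.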
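Review bot: The early return in `myVhostApp` calls `res.end()` without setting a status, so a request with no `Host` header gets an empty response with the default 200 status and is indistinguishable from a success in access logs and monitoring. I would reject it explicitly with `res.statusCode = 400; return res.end();`. The copied comment about the `srv` root could also say why a missing header matters at this point, e.g. `// no Host header: refuse rather than resolve a vhost directory from an empty name`. The body of `myVhostApp` continues outside the hunk, so how `req.headers.host` is used afterwards cannot be checked from here.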