From 5a719f74ab1963f17275e28ae0aa9779b4b1ec03 Mon Sep 17 00:00:00 2001
From: cel
Date: Sat, 28 Mar 2020 15:27:10 -0400
Subject: Restrict access based on Host header
---
 lib/serve.js | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'lib/serve.js')
diff --git a/lib/serve.js b/lib/serve.js
index c3e2115..fdf24f7 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -112,6 +112,12 @@ Serve.prototype.go = function () {
 }
 }
+ if (!this.app.isAllowedHostHeader(this.req.headers.host)) {
+ console.error('Host header not allowed: "' + this.req.headers.host + '"')
+ this.res.writeHead(403)
+ return this.res.end('Forbidden')
+ }
+
 this.replyMentionFeeds = conf.replyMentionFeeds == null ? true : Boolean(conf.replyMentionFeeds)
-- cgit v1.2.3
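Review bot: The rejected Host value is concatenated unescaped into the `console.error` message, so a client controls part of what lands in the log. Logging `JSON.stringify(this.req.headers.host)` instead keeps any control characters escaped and makes a missing header (printed as bare `undefined`) distinguishable from a literal host named "undefined". The check also sits partway into `Serve.prototype.go`, whose beginning is outside this hunk, so whatever runs above it is presumably not covered by the restriction; confirm that nothing there acts on the request before the 403. `isAllowedHostHeader` is not defined in this diff (the page is limited to lib/serve.js), so how it treats an absent header, a port suffix or letter case cannot be verified here. If the intent is DNS-rebinding protection, a comment above the `if` such as `// Reject requests whose Host is not an expected name (DNS-rebinding guard)` would record it.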