changeset 1743:792268dce5ec

http push security
author Franklin Schmidt <fschmidt@gmail.com>
date Wed, 09 Nov 2022 18:33:09 -0700
parents d778f1f2598a
children db52c29605e2
files src/luan/host/init.luan src/luan/modules/http/Http.luan
diffstat 2 files changed, 12 insertions(+), 2 deletions(-) [+]
--- a/src/luan/host/init.luan	Tue Nov 08 09:32:46 2022 +0200
+++ b/src/luan/host/init.luan	Wed Nov 09 18:33:09 2022 -0700
@@ -61,7 +61,7 @@
 	return u
 end
 
-Http.domain = domain
+Http.set_domain(domain)
 Hosted.is_hosted = true
 
 
--- a/src/luan/modules/http/Http.luan	Tue Nov 08 09:32:46 2022 +0200
+++ b/src/luan/modules/http/Http.luan	Wed Nov 09 18:33:09 2022 -0700
@@ -20,6 +20,7 @@
 local String = require "luan:String.luan"
 local lower = String.lower or error()
 local trim = String.trim or error()
+local regex = String.regex or error()
 local Time = require "luan:Time.luan"
 local time_format = Time.format or error()
 local Boot = require "luan:Boot.luan"
@@ -205,6 +206,11 @@
 end
 
 Http.domain = nil  -- set in domain specific cases
+local domain_regex = nil
+function Http.set_domain(domain)
+	Http.domain = domain or error()
+	domain_regex = regex( [[^https?://]]..domain..[[(/|:)]] )
+end
 
 Http.is_serving = false
 
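Review bot: In `Http.set_domain`, `domain` is concatenated into the pattern unescaped, so every `.` in the hostname acts as a regex wildcard and `domain_regex` also accepts hosts that differ from the configured one only at those positions. Quote the domain as a literal before building the pattern, using whatever regex-quoting helper String.luan offers, or `\Q`…`\E` around it if the regex is java.util.regex-backed (the engine is not visible in this hunk). The `(/|:)` tail also rejects a URL that ends right after the host with no path or port. If that is intended, a comment such as `-- url must be http(s)://<domain> followed by '/' or ':'` would record it.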
@@ -212,6 +218,10 @@
 	return time_format(date,"EEE, dd MMM yyyy HH:mm:ss z","GMT")
 end
 
-Http.push = ServerSentEvents.writeMessage  -- ( url, message )
+local sse_push = ServerSentEvents.writeMessage
+function Http.push( url, message )
+	domain_regex==nil or domain_regex.matches(url) or error "can't push to another domain"
+	sse_push(url,message)
+end
 
 return Http
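Review bot: The guard in `Http.push` is skipped whenever `domain_regex` is nil, and `Http.domain` is still a plain writable field. Any code that assigns `Http.domain = ...` directly, as init.luan did before this commit, therefore leaves push unrestricted. A comment on the field would make the contract explicit, e.g. `-- set via Http.set_domain(); assigning Http.domain directly does not restrict Http.push`. Separately, the wrapper drops whatever `ServerSentEvents.writeMessage` returns. If callers relied on that value (not visible here), `return sse_push(url,message)` keeps the previous behaviour.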