block HTTP DoS attacks (#2239)
Block uses of the JS Fetch API to send HTTP message bodies that are also valid IRC. The constraint on such messages is that they must begin with a valid HTTP verb; we can detect this and reject them immediately.
This commit is contained in:
parent
9791606f62
commit
a6df370bd9
@ -727,8 +727,12 @@ func (client *Client) run(session *Session) {
|
||||
}
|
||||
session.fakelag.Touch(command)
|
||||
} else {
|
||||
// DoS hardening, #505
|
||||
if session.registrationMessages == 0 && httpVerbs.Has(msg.Command) {
|
||||
client.Send(nil, client.server.name, ERR_UNKNOWNERROR, msg.Command, "This is not an HTTP server")
|
||||
break
|
||||
}
|
||||
session.registrationMessages++
|
||||
// DoS hardening, #505
|
||||
if client.server.Config().Limits.RegistrationMessages < session.registrationMessages {
|
||||
client.Send(nil, client.server.name, ERR_UNKNOWNERROR, "*", client.t("You have sent too many registration messages"))
|
||||
break
|
||||
|
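Review bot: The rejection message `"This is not an HTTP server"` is sent as a raw string, while the neighbouring registration-limit reply in the same branch passes its text through `client.t(...)`; for consistency with the rest of the pre-registration error path use `client.Send(nil, client.server.name, ERR_UNKNOWNERROR, msg.Command, client.t("This is not an HTTP server"))`. The new comment `// DoS hardening, #505` also duplicates the comment on the existing limit check directly below it, which makes the two guards read as one; since this guard is the new one, `// DoS hardening, #2239: reject a first pre-registration line that is an HTTP request line` would record why only `session.registrationMessages == 0` is inspected. The enclosing `run` method starts and ends outside the hunk, so what `break` leads to for the session is not visible here.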
@ -63,6 +63,8 @@ var (
|
||||
chanTypes = "#"
|
||||
|
||||
throttleMessage = "You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect."
|
||||
|
||||
httpVerbs = utils.SetLiteral("CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE")
|
||||
)
|
||||
|
||||
// Server is the main Oragono server.
|
||||
|
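Review bot: `httpVerbs` is added to the package-level `var` block without a comment, and nothing near its declaration says what consumes it or why the set is limited to these nine tokens. A short comment would spare the next maintainer a search, e.g. `// httpVerbs are the standard HTTP request methods; Client.run rejects a first pre-registration line whose command is one of them (#2239).` The `var (` block is only partly visible in this hunk.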