d0zingcat/cors-anywhere
1
0
Fork 0
mirror of https://github.com/d0zingcat/cors-anywhere.git synced 2026-05-13 15:09:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Reject invalid redirects

Browse Source 
Fixes #234.
This commit is contained in:
Rob Wu
2020-05-06 23:25:17 +02:00
parent 0a3b8e965f
commit a9e06a9dab
3 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/cors-anywhere.js
View File

@@ -171,9 +171,12 @@ function onProxyResponse(proxy, proxyReq, proxyRes, req, res) {
// Handle redirects
if (statusCode === 301 || statusCode === 302 || statusCode === 303 || statusCode === 307 || statusCode === 308) {
var locationHeader = proxyRes.headers.location;
var parsedLocation;
if (locationHeader) {
locationHeader = url.resolve(requestState.location.href, locationHeader);
parsedLocation = parseURL(locationHeader);
}
if (parsedLocation) {
if (statusCode === 301 || statusCode === 302 || statusCode === 303) {
// Exclude 307 & 308, because they are rare, and require preserving the method + request body
requestState.redirectCount_ = requestState.redirectCount_ + 1 || 1;
@@ -186,7 +189,7 @@ function onProxyResponse(proxy, proxyReq, proxyRes, req, res) {
req.method = 'GET';
req.headers['content-length'] = '0';
delete req.headers['content-type'];
requestState.location = parseURL(locationHeader);
requestState.location = parsedLocation;
// Remove all listeners (=reset events to initial state)
req.removeAllListeners();