
commit 9372979fb54d6d2c52334abfab6ce72faf6c29e1
parent df2216960bdee217eaf8a240221246e4dc987b55
Author: Dan Stillman <dstillman@zotero.org>
Date:   Mon, 26 Jun 2017 07:52:23 -0400

Allow Zotero.Server requests with `Host: localhost`

Previously only Host: 127.0.0.1 was allowed. (The check prevents a DNS
rebinding attack.)

This allows requests to translation-server using localhost
(zotero/translation-server#48).

Fixes #125

Diffstat:
Mchrome/content/zotero/xpcom/server.js | 2+-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chrome/content/zotero/xpcom/server.js b/chrome/content/zotero/xpcom/server.js
@@ -237,7 +237,7 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
 Zotero.debug(this.header, 5);
 const methodRe = /^([A-Z]+) ([^ \r\n?]+)(\?[^ \r\n]+)?/;
- const hostRe = /[\r\n]Host: *127\.0\.0\.1(:[0-9]+)?[\r\n]/i;
+ const hostRe = /[\r\n]Host: *(localhost|127\.0\.0\.1)(:[0-9]+)?[\r\n]/i;
 const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i;
 if(!Zotero.isServer) {
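Review bot: The new `hostRe` allowlist has no comment saying it is the DNS-rebinding guard, so the rationale lives only in the commit message; I would add `// Host must be a loopback name (DNS-rebinding guard); keep both [\r\n] anchors when extending this list` on the line above it. The alternation is safe as written because the value is bounded by a line terminator on each side, so a name such as `localhost.attacker.example` does not match. `[::1]` is still rejected, so a client connecting over IPv6 loopback would presumably fail the check; worth confirming that is intended. `_headerFinished` continues outside the hunk, so how `hostRe` is applied to the header, and what happens on a miss, is not visible here.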