From 6054dee806f45b7813438bfd4758af0407099865 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Tue, 31 Jan 2017 09:48:06 -0500
Subject: Fixing websocket origin policy
---
 api/websocket.go | 4 +---
 api/websocket_test.go | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/api/websocket.go b/api/websocket.go
index 11ae09036..5f390395d 100644
--- a/api/websocket.go
+++ b/api/websocket.go
@@ -23,9 +23,7 @@ func connect(c *Context, w http.ResponseWriter, r *http.Request) {
 upgrader := websocket.Upgrader{
 ReadBufferSize: model.SOCKET_MAX_MESSAGE_SIZE_KB,
 WriteBufferSize: model.SOCKET_MAX_MESSAGE_SIZE_KB,
- CheckOrigin: func(r *http.Request) bool {
- return true
- },
+ CheckOrigin: nil,
 }
 
 ws, err := upgrader.Upgrade(w, r, nil)
diff --git a/api/websocket_test.go b/api/websocket_test.go
index 39a55f8f4..6b8937d81 100644
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -6,12 +6,14 @@ package api
 import (
 //"encoding/json"
 //"net/http"
+ "net/http"
 "testing"
 "time"
 
- //"github.com/gorilla/websocket"
+ "github.com/gorilla/websocket"
 "github.com/mattermost/platform/app"
 "github.com/mattermost/platform/model"
+ "github.com/mattermost/platform/utils"
 )
 
 /*func TestWebSocketAuthentication(t *testing.T) {
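Review bot: `CheckOrigin: nil` in the Upgrader literal reads as if the origin check were switched off, when it actually selects gorilla/websocket's built-in default, which refuses the upgrade when an Origin header is present and its host is not equal to the request's Host header, and lets requests with no Origin header through; a one-line comment would save the next reader a trip into the library, e.g. `CheckOrigin: nil, // library default: reject when Origin is present and its host != request Host`. Since nil is the field's zero value the line could also simply be dropped, but an explicit nil with that comment is the clearer record of a deliberate choice. One point to confirm is deployment behind a reverse proxy: the default compares against whatever Host the proxy forwards, so a proxy that rewrites Host would cause legitimate browser clients to be rejected, while the new test in websocket_test.go, which dials ListenAddress directly, would still pass. The remainder of connect is outside the hunk.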
@@ -249,6 +251,27 @@ func TestWebSocketEvent(t *testing.T) {
 }
 }
 
+func TestWebsocketOriginSecurity(t *testing.T) {
+ Setup().InitBasic()
+ url := "ws://localhost" + utils.Cfg.ServiceSettings.ListenAddress
+
+ // Should fail because origin doesn't match
+ _, _, err := websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+ "Origin": []string{"http://www.evil.com"},
+ })
+ if err == nil {
+ t.Fatal("Should have errored because Origin does not match host! SECURITY ISSUE!")
+ }
+
+ // We are not a browser so we can spoof this just fine
+ _, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+ "Origin": []string{"http://localhost" + utils.Cfg.ServiceSettings.ListenAddress},
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+}
+
 func TestZZWebSocketTearDown(t *testing.T) {
 // *IMPORTANT* - Kind of hacky
 // This should be the last function in any test file
-- 
cgit v1.2.3-1-g7c22
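Review bot: The second Dial in TestWebsocketOriginSecurity discards the returned *websocket.Conn, so the successfully upgraded connection is never closed by the test; capture it and close it, `ws, _, err = websocket.DefaultDialer.Dial(...)` followed by `defer ws.Close()` after the error check. The rejection check above it is also weaker than its message suggests: `if err == nil` only fails when the dial succeeds, so an unrelated failure such as the server not listening or a wrong path would let the test pass and hide a regression of the very policy it guards. Asserting that the handshake itself was refused, e.g. `if err != websocket.ErrBadHandshake { t.Fatalf("expected bad handshake, got %v", err) }`, pins the intended behaviour, and the currently discarded *http.Response could additionally be checked for 403 Forbidden (I believe that is the status the upgrader's default origin check responds with — confirm against the library version in use).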