From 3e2b0eb3fcf36f7b819efd5e3db72ddc3dc6d5db Mon Sep 17 00:00:00 2001
From: Christopher Jeffrey
Date: Sun, 5 Jun 2016 21:59:18 -0700
Subject: [PATCH] more safety for wsproxy.

---
 browser/wsproxy.js | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/browser/wsproxy.js b/browser/wsproxy.js
index d29aa7ac..9ec9d8c1 100644
--- a/browser/wsproxy.js
+++ b/browser/wsproxy.js
@@ -47,10 +47,16 @@ module.exports = function wsproxy(options) {
 if (socket)
 return;

+ if (!utils.isNumber(port)
+ || typeof host !== 'string') {
+ utils.error('Client gave bad arguments.');
+ ws.emit('tcp close');
+ ws.disconnect();
+ return;
+ }
+
 if (options.pow) {
- if (!utils.isNumber(port)
- || typeof host !== 'string'
- || !utils.isNumber(nonce)) {
+ if (!utils.isNumber(nonce)) {
 utils.error('Client did not solve proof of work.');
 ws.emit('tcp close');
 ws.disconnect();
@@ -72,6 +78,13 @@ module.exports = function wsproxy(options) {
 }
 }

+ if (!/^[a-zA-Z0-9\.:]+$/.test(host)) {
+ utils.error('Client gave a bad host.');
+ ws.emit('tcp close');
+ ws.disconnect();
+ return;
+ }
+
 if (IP.isPrivate(host)) {
 utils.error('Client is trying to connect to a private ip.');
 ws.emit('tcp close');
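Review bot: The new unconditional guard in the first hunk only checks that `port` is a number, so 0, a negative or fractional value, or anything above 65535 would still get past it unless `utils.isNumber` (not visible here) already rejects them. Tightening the condition to `if (!utils.isNumber(port) || port % 1 !== 0 || port < 1 || port > 65535 || typeof host !== 'string') {` keeps malformed values away from the socket code. Because the destination is supplied by the browser client, a configurable list of permitted ports would also stop the proxy from acting as a general TCP relay when `options.pow` is off. The handler begins and ends outside this hunk, so later checks on `port` may exist that are not shown.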
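Review bot: The host pattern added in the second hunk accepts DNS names as well as IP literals, while the `IP.isPrivate(host)` test that follows appears to inspect the string the client sent rather than the address it resolves to, so a name that resolves to a loopback or internal address would presumably pass both checks. Either require an IP literal before the private-range test, for example `if (net.isIP(host) === 0) {` (assuming `net` is in scope in this file), or resolve the name first and apply `IP.isPrivate` to the resolved address that is then used for the connection. A comment above the regex such as `// Allowed: IPv4/IPv6 literals and dotted hostnames; everything else is rejected.` would record the intent. Note that `-` is not in the character class, so otherwise valid hostnames are refused. The enclosing handler continues beyond the hunk.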