From 657a2e55b75a6126d073a133af4b9031867aff2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Requena=20L=C3=B3pez?=
Date: Tue, 8 Jan 2019 21:00:54 +0100
Subject: [PATCH] disallow automatic validation of ALL IP's. fixes #1618 for both Host checking and Origin checking

---
 lib/Server.js | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/lib/Server.js b/lib/Server.js
index d76af59010..6542337c8d 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -647,6 +647,10 @@ Server.prototype.setContentHeaders = function (req, res, next) {
 };
 
 Server.prototype.checkHost = function (headers, headerToCheck) {
+  /* This routine is also used to check the Origin header, whenever
+   * headerToCheck says so
+   */
+
   // allow user to opt-out this security check, at own risk
   if (this.disableHostCheck) {
     return true;
@@ -668,15 +672,6 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
     false,
     true
   ).hostname;
-  // always allow requests with explicit IPv4 or IPv6-address.
-  // A note on IPv6 addresses:
-  // hostHeader will always contain the brackets denoting
-  // an IPv6-address in URLs,
-  // these are removed from the hostname in url.parse(),
-  // so we have the pure IPv6-address in hostname.
-  if (ip.isV4Format(hostname) || ip.isV6Format(hostname)) {
-    return true;
-  }
   // always allow localhost host, for convience
   if (hostname === 'localhost') {
     return true;
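Review bot: The block comment added at the top of checkHost explains the Origin reuse but says nothing about the behavioral change in the second hunk, where a Host (or Origin) that is a bare IPv4/IPv6 literal stops being accepted unconditionally and now falls through to the remaining checks; a reader of the function gets no hint of that rule. I would turn it into a JSDoc header that names both parameters and states the policy, along the lines of `/** Validate the Host header, or the Origin header when headerToCheck says so. IP-literal hosts are no longer implicitly trusted (#1618) and must satisfy the same checks as any other hostname. @param {object} headers @param {string} headerToCheck */`. If no other code in Server.js still uses `ip`, that require is now dead and should be removed in the same change; I can only see these two hunks, so please verify. Anyone reaching the dev server by its bound address rather than `localhost` will now be rejected unless they set `disableHostCheck` or the host is otherwise allowed, which deserves a changelog line. The body of checkHost continues past the end of the second hunk.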