add hermes-agent WS fix patch for re-apply after updates
37
hermes-agent-ws-fix.patch
Normal file
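--- a/hermes-agent-ws-fix.patch
+++ b/hermes-agent-ws-fix.patch
@@ -0,0 +1,37 @@
+From 3ec3de7a6c481014bd3ded51021a3c62f24df9b9 Mon Sep 17 00:00:00 2001
+From: Andy <andy.conlon@gmail.com>
+Date: Fri, 29 May 2026 02:06:43 +0000
+Subject: [PATCH] fix(dashboard): allow non-loopback WS clients when bound to
+0.0.0.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the dashboard is bound to all interfaces with --insecure,
+_ws_client_is_allowed was incorrectly rejecting WebSocket upgrades
+from non-loopback clients (e.g. browser on LAN). The Host/Origin
+guard in _ws_host_origin_is_allowed already handles DNS-rebinding
+protection — the client-IP check is redundant for 0.0.0.0 binds.
+---
+hermes_cli/web_server.py | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/hermes_cli/web_server.py b/hermes_cli/web_server.py
+index 872546196..3d0824244 100644
+--- a/hermes_cli/web_server.py
++++ b/hermes_cli/web_server.py
+@@ -3390,6 +3390,11 @@ def _ws_client_is_allowed(ws: "WebSocket") -> bool:
+"""
+if getattr(app.state, "auth_required", False):
+return True
++ # Bound to all interfaces (0.0.0.0 / --insecure): accept WS from any peer.
++ # The Host check in _ws_host_origin_is_allowed handles DNS-rebinding.
++ bound_host = getattr(app.state, "bound_host", None)
++ if bound_host in {"0.0.0.0", ""}:
++ return True
+client_host = ws.client.host if ws.client else ""
+if not client_host:
+return True
+--
+2.39.5
+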
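Review bot: The added early return `if bound_host in {"0.0.0.0", ""}: return True` in `_ws_client_is_allowed` is reached only when `auth_required` is false, so on an all-interfaces bind every network peer is accepted with neither authentication nor a peer-address filter. The commit message calls the client-IP check redundant with `_ws_host_origin_is_allowed`, but a Host/Origin check only constrains browsers; a non-browser client chooses both headers itself, so that guard (not shown in this hunk) presumably cannot stand in for the peer check. I would gate the bypass on whatever state records the explicit `--insecure` opt-in rather than on the bind address alone, and say so in the comment, e.g. `# No auth and no peer filter on this path: Host/Origin only stops browser rebinding, not direct clients.` The set also omits the IPv6 wildcard `::`, so a dual-stack bind would still hit the old rejection; the function body starts and ends outside the hunk.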