[DAEMON-272] appcd-subprocess: Remove HTTP source check
|Fix Version/s||Appc Daemon 2.0.0|
SubprocessManagerhas a false security measure where only requests from internal routes and plugins and requests from WebSockets can spawn commands. Requests from HTTP are forbidden. Since WebSockets requests are essentially HTTP requests, there's no point blocking HTTP requests. The daemon's web server listens on localhost only, so there's no way for an outside actor to spawn a command. To make things worse, the check to see if the source is indeed "http" is broken. It checks if
ctx.request.sourceis "http" when it should be checking
ctx.source. This restriction is pointless and does not work. It should just be removed.
- Chris Barber 2019-02-14 https://github.com/appcelerator/appc-daemon/pull/353