webpack · shellscape · Jul 27, 2017 · Jul 24, 2017 · Jul 27, 2017 · Jul 27, 2017
@@ -7,6 +7,7 @@ const express = require("express");
 const fs = require("fs");
 const http = require("http");
 const httpProxyMiddleware = require("http-proxy-middleware");
+const ip = require("ip");
 const serveIndex = require("serve-index");
 const historyApiFallback = require("connect-history-api-fallback");
 const path = require("path");
@@ -441,8 +442,11 @@ Server.prototype.checkHost = function(headers) {
 	const idx = hostHeader.indexOf(":");
 	const hostname = idx >= 0 ? hostHeader.substr(0, idx) : hostHeader;
 
+	// always allow requests with explicit IP-address
+	if(ip.isV4Format(hostname)) return true;
+
 	// always allow localhost host, for convience
-	if(hostname === "127.0.0.1" || hostname === "localhost") return true;
+	if(hostname === "localhost") return true;
 
 	// allow if hostname is in allowedHosts
 	if(this.allowedHosts && this.allowedHosts.length) {

@@ -17,6 +17,7 @@
     "html-entities": "^1.2.0",
     "http-proxy-middleware": "~0.17.4",
     "internal-ip": "^1.2.0",
+    "ip": "^1.1.5",
     "loglevel": "^1.4.1",
     "opn": "4.0.2",
     "portfinder": "^1.0.9",

@@ -111,6 +111,17 @@ describe("Validation", function() {
 			}
 		});
 
+		it("should allow access for every requests using an IP", function() {
+			const options = {};
+			const headers = {
+				host: "192.168.1.123"
+			};
+			const server = new Server(compiler, options);
+			if(!server.checkHost(headers)) {
+				throw new Error("Validation didn't fail");
+			}
+		});
+
 		it("should not allow hostnames that don't match options.public", function() {
 			const options = {
 				public: "test.host:80",