From c0c647f77de0957edd5bf85b5d5d27613a9c62f9 Mon Sep 17 00:00:00 2001
From: Wajih-Ul-Hasan <xenone655@gmail.com>
Date: Fri, 11 Jul 2025 18:04:48 +0500
Subject: [PATCH 1/2] Backport security fix from v5.2.1: disable dev client for
 non-Chromium browsers

---
 lib/Server.js | 10 ++++++++++
 package.json  |  4 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/Server.js b/lib/Server.js
index 79e6fc7910..baf4907593 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -1,5 +1,9 @@
 "use strict";
 
+function isChromiumBased(userAgentHeader) {
+  return Boolean(userAgentHeader && userAgentHeader.includes('Chrome'));
+}
+
 const os = require("os");
 const path = require("path");
 const url = require("url");
@@ -2103,6 +2107,12 @@ class Server {
         /** @type {import("webpack-dev-middleware").API<Request, Response>}*/
         (middleware).waitUntilValid((stats) => {
           res.setHeader("Content-Type", "text/html");
+
+          if (!isChromiumBased(req.headers['user-agent'])) {
+            res.end('<!DOCTYPE html><html><body><h2>Access blocked: Please use a Chromium-based browser (Chrome, Edge, etc.).</h2></body></html>');
+            return;
+          }
+
           res.write(
             '<!DOCTYPE html><html><head><meta charset="utf-8"/></head><body>'
           );
diff --git a/package.json b/package.json
index d0ed834b74..b161d4d7ea 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "webpack-dev-server",
-  "version": "4.15.2",
+  "name": "webpack-dev-server-wajih",
+  "version": "4.6.0-patched",
   "description": "Serves a webpack app. Updates the browser on changes.",
   "bin": "bin/webpack-dev-server.js",
   "main": "lib/Server.js",

From 0a08b4b16b465506620f090a3b9ce75000c28c41 Mon Sep 17 00:00:00 2001
From: Wajih-Ul-Hasan <xenone655@gmail.com>
Date: Fri, 11 Jul 2025 18:52:18 +0500
Subject: [PATCH 2/2] fix(security): backport dev client access check from
 v5.2.1 using trusted header

---
 lib/Server.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/Server.js b/lib/Server.js
index baf4907593..31ab1e9b59 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -1,7 +1,8 @@
 "use strict";
 
-function isChromiumBased(userAgentHeader) {
-  return Boolean(userAgentHeader && userAgentHeader.includes('Chrome'));
+function isTrustedClient(req) {
+  // Only allow injection if client explicitly identifies itself
+  return req.headers["webpack-dev-server-client"] === "true";
 }
 
 const os = require("os");
@@ -2108,8 +2109,9 @@ class Server {
         (middleware).waitUntilValid((stats) => {
           res.setHeader("Content-Type", "text/html");
 
-          if (!isChromiumBased(req.headers['user-agent'])) {
-            res.end('<!DOCTYPE html><html><body><h2>Access blocked: Please use a Chromium-based browser (Chrome, Edge, etc.).</h2></body></html>');
+          if (!isTrustedClient(req)) {
+            res.statusCode = 403;
+            res.end("Access denied: Missing required dev server client header.");
             return;
           }