From a890665775910143c39bc044714141b3853d1e0a Mon Sep 17 00:00:00 2001
From: Simon Ser <contact@emersion.fr>
Date: Sat, 9 Oct 2021 13:33:01 +0200
Subject: [PATCH] Allow revealing server field with ?server

---
 components/app.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/components/app.js b/components/app.js
index b5f7f66..d254250 100644
--- a/components/app.js
+++ b/components/app.js
@@ -220,7 +220,11 @@ export default class App extends Component {
 		}
 
 		let queryParams = parseQueryString();
-		if (typeof queryParams.server === "string" && !connectParams.url) {
+		// Don't allow to silently override the server URL if there's one in
+		// config.json, because this has security implications. But still allow
+		// setting server to an empty string to reveal the server field in the
+		// connect form.
+		if (typeof queryParams.server === "string" && (!connectParams.url || !queryParams.server)) {
 			connectParams.url = queryParams.server;
 
 			// When using a custom server, some configuration options don't
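Review bot: The new empty-string case on the `if` shares its body with the custom-server case, so `?server=` on a deployment that sets a URL in config.json also runs the block whose comment begins "When using a custom server, some configuration options don't". That block continues outside the hunk; if it clears other config.json options, a link could drop them without naming any server, so it is worth confirming this is intended. If it is not, handle the reveal case on its own, e.g. `if (queryParams.server === "" && connectParams.url) { connectParams.url = ""; }`, and keep the original condition for the custom-server path. The added comment should also state what the security implication is, presumably that a crafted link would otherwise point the client at a server the operator did not choose. When config.json has no URL, a non-empty `?server` is still applied with no scheme or host check, so the chosen server should be visible in the connect form before any credentials are sent.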