Skip to content

fix(CORS): CORS on git smart http protocol can not work. fixes #16350 #16491

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

fix(CORS): CORS on git smart http protocol can not work. fixes #16350 #16491

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ad68022
fix(CORS): CORS on git smart http protocol can not work. fixes #16350
snowyu Jul 20, 2021
1ed99e8
fix(CORS): forget allow headers
snowyu Jul 20, 2021
566b248
fix(CORS): adding CorsHandler can not work now after merge main, so t…
snowyu Jul 20, 2021
0d0a71a
fix formatting
zeripath Jul 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 30 additions & 12 deletions routers/web/web.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
AllowedOrigins: setting.CORSConfig.AllowDomain,
//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
AllowedMethods: setting.CORSConfig.Methods,
AllowedHeaders: []string{"*"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly we've just added the correct headers we need so in general I think this is a mistake.

AllowCredentials: setting.CORSConfig.AllowCredentials,
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
})
Expand Down Expand Up @@ -146,6 +147,23 @@ func Routes() *web.Route {
routes.Get("/metrics", append(common, Metrics)...)
}

///*
if setting.CORSConfig.Enabled {
corsHandle := cors.Handler(cors.Options{
//Scheme: setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
AllowedOrigins: setting.CORSConfig.AllowDomain,
//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
AllowedMethods: setting.CORSConfig.Methods,
AllowedHeaders: []string{"*"},
// OptionsPassthrough: true,
Debug: true,
AllowCredentials: setting.CORSConfig.AllowCredentials,
MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
})
common = append(common, corsHandle)
}
//*/
Comment on lines +150 to +165
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this section if you're adding it specifically below?


// Removed: toolbox.Toolboxer middleware will provide debug information which seems unnecessary
common = append(common, context.Contexter())

Expand Down Expand Up @@ -752,7 +770,7 @@ func RegisterRoutes(m *web.Route) {
m.Post("/delete", repo.DeleteMilestone)
}, context.RepoMustNotBeArchived(), reqRepoIssuesOrPullsWriter, context.RepoRef())
m.Group("/pull", func() {
m.Post("/{index}/target_branch", repo.UpdatePullRequestTarget)
m.Post("/{index}/target_branch", CorsHandler(), repo.UpdatePullRequestTarget)
}, context.RepoMustNotBeArchived())

m.Group("", func() {
Expand Down Expand Up @@ -1006,17 +1024,17 @@ func RegisterRoutes(m *web.Route) {
}, ignSignInAndCsrf, lfsServerEnabled)

m.Group("", func() {
m.Post("/git-upload-pack", repo.ServiceUploadPack)
m.Post("/git-receive-pack", repo.ServiceReceivePack)
m.Get("/info/refs", repo.GetInfoRefs)
m.Get("/HEAD", repo.GetTextFile("HEAD"))
m.Get("/objects/info/alternates", repo.GetTextFile("objects/info/alternates"))
m.Get("/objects/info/http-alternates", repo.GetTextFile("objects/info/http-alternates"))
m.Get("/objects/info/packs", repo.GetInfoPacks)
m.Get("/objects/info/{file:[^/]*}", repo.GetTextFile(""))
m.Get("/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38}}", repo.GetLooseObject)
m.Get("/objects/pack/pack-{file:[0-9a-f]{40}}.pack", repo.GetPackFile)
m.Get("/objects/pack/pack-{file:[0-9a-f]{40}}.idx", repo.GetIdxFile)
m.Post("/git-upload-pack", CorsHandler(), repo.ServiceUploadPack)
m.Post("/git-receive-pack", CorsHandler(), repo.ServiceReceivePack)
m.Get("/info/refs", CorsHandler(), repo.GetInfoRefs)
m.Get("/HEAD", CorsHandler(), repo.GetTextFile("HEAD"))
m.Get("/objects/info/alternates", CorsHandler(), repo.GetTextFile("objects/info/alternates"))
m.Get("/objects/info/http-alternates", CorsHandler(), repo.GetTextFile("objects/info/http-alternates"))
m.Get("/objects/info/packs", CorsHandler(), repo.GetInfoPacks)
m.Get("/objects/info/{file:[^/]*}", CorsHandler(), repo.GetTextFile(""))
m.Get("/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38}}", CorsHandler(), repo.GetLooseObject)
m.Get("/objects/pack/pack-{file:[0-9a-f]{40}}.pack", CorsHandler(), repo.GetPackFile)
m.Get("/objects/pack/pack-{file:[0-9a-f]{40}}.idx", CorsHandler(), repo.GetIdxFile)
}, ignSignInAndCsrf)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just add it after ignSignInAdnCsrf is better.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried this. But it does not work. MUST PUT CorsHandler in first.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then move the CorsHandler call first...

m.Group("", CorsHandler(), func() { ... }, ignSignInAndCsrf)


m.Head("/tasks/trigger", repo.TriggerTask)
Expand Down