
Add proper CORS preflight origin validation #5740

Merged (1 commit, Jan 16, 2019)

Conversation

@silverwind (Member) commented Jan 15, 2019

I noticed that the recently introduced CORS preflight validation in 270fa6d was not properly performed for option values other than *, which can lead to a vulnerability of unintended cross-origin resource access if the user configures an actual origin option value instead of a wildcard. The server would unconditionally accept a preflight request to a resource even if the origins do not match.

With this commit, any option value other than * or null leads to a comparison with the mandatory Origin client header, and 200 is only sent if they match.

I did a few tests using curl to validate it works as expected.

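The check described in the PR, written out as an added Go example (it is not Gitea's own code from routers/repo/http.go). The "before" function models the flaw the description points at: a non-wildcard setting still answered 200 to every preflight without reading the Origin header. The "after" function applies the stated rule: `*` accepts any origin, and any other configured value must equal the request's Origin header exactly. Everything else is an assumption made for this example: rejected preflights get 403, the `null` option value the description mentions is not modelled, and the handler, function and config names are hypothetical. The sample requests are constructed here, the equivalent of `curl -X OPTIONS -H "Origin: ..."` against a repo's `info/refs` endpoint.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// preflightStatusBefore models the behaviour the PR description calls out:
// when the configured value is not "*", the server still answers 200 to every
// preflight without consulting the request's Origin header. (Illustrative
// reconstruction, not the project's original code.)
func preflightStatusBefore(allowOrigin, origin string) int {
	if allowOrigin == "*" {
		return http.StatusOK
	}
	// Flaw: no comparison against origin; any site's preflight is accepted.
	return http.StatusOK
}

// preflightStatusAfter applies the rule from the PR description: "*" accepts
// any origin; any other configured value must equal the Origin header
// exactly (scheme, host and port), so "https://a.example.com.evil.net" does
// not match "https://a.example.com". A missing Origin is also rejected.
// Rejecting with 403 is an assumption made for this example.
func preflightStatusAfter(allowOrigin, origin string) int {
	if allowOrigin == "*" {
		return http.StatusOK
	}
	if origin != "" && origin == allowOrigin {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// corsHandler is a hypothetical wrapper showing where the check sits in a
// handler chain: preflights are answered here, other requests fall through
// to the git smart-HTTP handler with the CORS headers already set.
func corsHandler(allowOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if allowOrigin == "" {
			next.ServeHTTP(w, r) // CORS disabled: no headers, no preflight handling
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", allowOrigin)
		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, User-Agent")
		if r.Method == http.MethodOptions {
			w.WriteHeader(preflightStatusAfter(allowOrigin, r.Header.Get("Origin")))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflight sends a constructed OPTIONS request through corsHandler, the
// in-process equivalent of
//   curl -X OPTIONS -H "Origin: <origin>" https://gitea/org/repo.git/info/refs
// and returns the status code the client would see.
func preflight(allowOrigin, origin string) int {
	h := corsHandler(allowOrigin, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodOptions, "/org/repo.git/info/refs", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Hypothetical value an admin would put in the allow-origin setting.
	const configured = "https://app.example.com"
	for _, origin := range []string{
		"https://app.example.com",          // the configured origin
		"https://evil.example.net",         // unrelated site
		"https://app.example.com.evil.net", // prefix-match trap
		"",                                 // Origin header absent
	} {
		fmt.Printf("Origin=%q before=%d after=%d\n", origin,
			preflightStatusBefore(configured, origin), preflight(configured, origin))
	}
}
```

The comparison is a plain string equality on purpose: a prefix, suffix or substring match on the configured origin is the classic CORS misconfiguration and would re-open the hole for attacker-controlled hostnames.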
@codecov-io commented

Codecov Report

No coverage uploaded for pull request base (master@ca3b9aa).
The diff coverage is 0%.

Coverage Diff (master vs #5740; "?" = no data for base)

  Coverage     ?   37.76%
  Files        ?      325
  Lines        ?    47681
  Branches     ?        0
  Hits         ?    18005
  Misses       ?    27081
  Partials     ?     2595

Impacted Files          Coverage Δ
routers/repo/http.go    38.58% <0%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update ca3b9aa...9fd01f8.

@bkcsoft bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 15, 2019
@lunny lunny added the type/bug label Jan 16, 2019
@bkcsoft bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jan 16, 2019
@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 16, 2019
@techknowlogick techknowlogick merged commit 44759fd into go-gitea:master Jan 16, 2019
@lafriks lafriks added this to the 1.8.0 milestone Jan 16, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020