authorization: check for dangerous "cors_domains"

A user may unintentionally allow access to dangerous domains if they place a wildcard in the top level domain portion of an entry.  Raise a config error when this condition is detected.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
Arksine 2021-03-10 18:10:03 -05:00
parent df82730832
commit 0a3a83de37
1 changed files with 10 additions and 2 deletions


@ -28,9 +28,17 @@ class Authorization:
self.access_tokens = {} self.access_tokens = {}
# Get allowed cors domains # Get allowed cors domains
self.cors_domains = []
cors_cfg = config.get('cors_domains', "").strip() cors_cfg = config.get('cors_domains', "").strip()
self.cors_domains = [d.strip().replace(".", "\\.").replace("*", ".*") cds = [d.strip() for d in cors_cfg.split('\n')if d.strip()]
for d in cors_cfg.split('\n')if d.strip()] for domain in cds:
bad_match = re.search(r"^.+\.[^:]*\*", domain)
if bad_match is not None:
raise config.error(
f"Unsafe CORS Domain '{domain}'. Wildcards are not"
" permitted in the top level domain.")
self.cors_domains.append(
domain.replace(".", "\\.").replace("*", ".*"))
# Get Trusted Clients # Get Trusted Clients
self.trusted_ips = [] self.trusted_ips = []
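Review bot: The `bad_match` pattern `^.+\.[^:]*\*` only fires when a literal dot precedes the wildcard, so an entry whose host has no dot before a trailing wildcard (constructed example: `http://printer*`) passes the check and is stored as `http://printer.*`, which would accept any origin that merely starts with that prefix, assuming the stored pattern is later matched against the request's Origin. I would also reject a wildcard that has no dot after it in the host part, e.g. `host = domain.split("://", 1)[-1].split(":", 1)[0]` followed by `if bad_match is not None or ("*" in host and "." not in host.split("*")[-1]):`. That also rejects a bare `*`, so exempt it explicitly if allowing every origin is meant to stay possible. The enclosing method starts and ends outside the hunk, so how `self.cors_domains` is consumed is not visible here.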