authorization: automatically pass "trusted" IPs when cors_domains is configured.

If a trusted IP address is passed as the origin then it is safe to assume that CORS access to this origin should be granted, but only if CORS is enabled by specifying at least one cors domain. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2021-03-10 18:17:32 -05:00 · 2021-03-10 18:17:32 -05:00 · 93e7eaa5b5
parent 0a3a83de37
commit 93e7eaa5b5
1 changed files with 16 additions and 1 deletions
--- a/moonraker/authorization.py
+++ b/moonraker/authorization.py
@ -193,7 +193,7 @@ class Authorization:
        return False

    def check_cors(self, origin, request=None):
-        if origin is None:
+        if origin is None or not self.cors_domains:
            return False
        for regex in self.cors_domains:
            match = re.match(regex, origin)
@ -206,6 +206,21 @@ class Authorization:
                else:
                    logging.debug(f"Partial Cors Match: {match.group()}")
        else:
+            # Check to see if the origin contains an IP that matches a
+            # current trusted connection
+            match = re.search(r"^https?://([^/]+)$", origin)
+            if match is not None:
+                ip = match.group(1)
+                try:
+                    ipaddr = ipaddress.ip_address(ip)
+                except ValueError:
+                    pass
+                else:
+                    if self._check_authorized_ip(ipaddr):
+                        logging.debug(
+                            f"Cors request matched trusted IP: {ip}")
+                        self._set_cors_headers(origin, request)
+                        return True
            logging.debug(f"No CORS match for origin: {origin}\n"
                          f"Patterns: {self.cors_domains}")
        return False