From 93e7eaa5b58fc102a1fc6d016f0aff115cba054c Mon Sep 17 00:00:00 2001
From: Arksine
Date: Wed, 10 Mar 2021 18:17:32 -0500
Subject: [PATCH] authorization: automatically pass "trusted" IPs when cors_domains is configured. If a trusted IP address is passed as the origin then it is safe to assume that CORS access to this origin should be granted, but only if CORS is enabled by specifying at least one cors domain.
Signed-off-by: Eric Callahan
---
 moonraker/authorization.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/moonraker/authorization.py b/moonraker/authorization.py
index ca3b7b0..47e53bf 100644
--- a/moonraker/authorization.py
+++ b/moonraker/authorization.py
@@ -193,7 +193,7 @@ class Authorization:
 return False
 def check_cors(self, origin, request=None):
- if origin is None:
+ if origin is None or not self.cors_domains:
 return False
 for regex in self.cors_domains:
 match = re.match(regex, origin)
@@ -206,6 +206,21 @@ class Authorization:
 else:
 logging.debug(f"Partial Cors Match: {match.group()}")
 else:
+ # Check to see if the origin contains an IP that matches a
+ # current trusted connection
+ match = re.search(r"^https?://([^/]+)$", origin)
+ if match is not None:
+ ip = match.group(1)
+ try:
+ ipaddr = ipaddress.ip_address(ip)
+ except ValueError:
+ pass
+ else:
+ if self._check_authorized_ip(ipaddr):
+ logging.debug(
+ f"Cors request matched trusted IP: {ip}")
+ self._set_cors_headers(origin, request)
+ return True
 logging.debug(f"No CORS match for origin: {origin}\n"
 f"Patterns: {self.cors_domains}")
 return False
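Review bot: In the `else:` branch added to `check_cors` (whose body starts outside this hunk), the capture group `([^/]+)` keeps any port and IPv6 brackets, so an origin such as `http://192.168.1.10:8080` (constructed example) makes `ipaddress.ip_address(ip)` raise `ValueError`, which `except ValueError: pass` drops silently; a trusted host served on an explicit port never matches. Taking the host from `urllib.parse.urlsplit(origin).hostname` would cover both cases, provided the module imports `urllib.parse` (the import block is not visible here). Separately, `origin` is a request header naming the page that issued the request, not the peer address, so this branch allows CORS for any web page hosted on an address that `_check_authorized_ip` accepts. A comment recording that decision would help the next reader, e.g. `# Origin is client-supplied: this allows every http(s) site hosted on a trusted IP, not only the connecting client`. `_check_authorized_ip` is defined outside the hunk, so it is worth confirming it has no side effects (such as caching the address) when called with a header-derived value.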