authorization: automatically pass "trusted" IPs when cors_domains is configured.
If a trusted IP address is passed as the origin then it is safe to assume that CORS access to this origin should be granted, but only if CORS is enabled by specifying at least one cors domain. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
parent
0a3a83de37
commit
93e7eaa5b5
|
@ -193,7 +193,7 @@ class Authorization:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def check_cors(self, origin, request=None):
|
def check_cors(self, origin, request=None):
|
||||||
if origin is None:
|
if origin is None or not self.cors_domains:
|
||||||
return False
|
return False
|
||||||
for regex in self.cors_domains:
|
for regex in self.cors_domains:
|
||||||
match = re.match(regex, origin)
|
match = re.match(regex, origin)
|
||||||
|
@ -206,6 +206,21 @@ class Authorization:
|
||||||
else:
|
else:
|
||||||
logging.debug(f"Partial Cors Match: {match.group()}")
|
logging.debug(f"Partial Cors Match: {match.group()}")
|
||||||
else:
|
else:
|
||||||
|
# Check to see if the origin contains an IP that matches a
|
||||||
|
# current trusted connection
|
||||||
|
match = re.search(r"^https?://([^/]+)$", origin)
|
||||||
|
if match is not None:
|
||||||
|
ip = match.group(1)
|
||||||
|
try:
|
||||||
|
ipaddr = ipaddress.ip_address(ip)
|
||||||
|
except ValueError:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
if self._check_authorized_ip(ipaddr):
|
||||||
|
logging.debug(
|
||||||
|
f"Cors request matched trusted IP: {ip}")
|
||||||
|
self._set_cors_headers(origin, request)
|
||||||
|
return True
|
||||||
logging.debug(f"No CORS match for origin: {origin}\n"
|
logging.debug(f"No CORS match for origin: {origin}\n"
|
||||||
f"Patterns: {self.cors_domains}")
|
f"Patterns: {self.cors_domains}")
|
||||||
return False
|
return False
|
||||||
|
|
Loading…
Reference in New Issue