mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2024-12-23 11:29:04 +00:00
Merge branch 'master' into icon-security
This commit is contained in:
commit
e6b763026e
@ -283,12 +283,21 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error>
|
|||||||
if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
|
if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
|
||||||
err!("Favicon rel linked to a non blacklisted domain!");
|
err!("Favicon rel linked to a non blacklisted domain!");
|
||||||
}
|
}
|
||||||
CLIENT
|
|
||||||
.get(url)
|
if cookie_str.is_empty() {
|
||||||
.header("cookie", cookie_str)
|
CLIENT
|
||||||
.send()?
|
.get(url)
|
||||||
.error_for_status()
|
.send()?
|
||||||
.map_err(Into::into)
|
.error_for_status()
|
||||||
|
.map_err(Into::into)
|
||||||
|
} else {
|
||||||
|
CLIENT
|
||||||
|
.get(url)
|
||||||
|
.header("cookie", cookie_str)
|
||||||
|
.send()?
|
||||||
|
.error_for_status()
|
||||||
|
.map_err(Into::into)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Returns a Integer with the priority of the type of the icon which to prefer.
|
/// Returns a Integer with the priority of the type of the icon which to prefer.
|
||||||
|
21
src/util.rs
21
src/util.rs
@ -42,6 +42,13 @@ impl CORS {
|
|||||||
_ => "".to_string(),
|
_ => "".to_string(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn valid_url(url: String) -> String {
|
||||||
|
match url.as_ref() {
|
||||||
|
"file://" => "*".to_string(),
|
||||||
|
_ => url,
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Fairing for CORS {
|
impl Fairing for CORS {
|
||||||
@ -56,21 +63,17 @@ impl Fairing for CORS {
|
|||||||
let req_headers = request.headers();
|
let req_headers = request.headers();
|
||||||
|
|
||||||
// We need to explicitly get the Origin header for Access-Control-Allow-Origin
|
// We need to explicitly get the Origin header for Access-Control-Allow-Origin
|
||||||
let req_allow_origin = CORS::get_header(&req_headers, "Origin");
|
let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin"));
|
||||||
|
|
||||||
let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
|
response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
|
||||||
|
|
||||||
let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
|
if request.method() == Method::Options {
|
||||||
|
let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
|
||||||
|
let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
|
||||||
|
|
||||||
if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
|
|
||||||
// Requests with credentials need explicit values since they do not allow wildcards.
|
|
||||||
response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
|
|
||||||
response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
|
response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
|
||||||
response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
|
response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
|
||||||
response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
|
response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
|
||||||
}
|
|
||||||
|
|
||||||
if request.method() == Method::Options {
|
|
||||||
response.set_status(Status::Ok);
|
response.set_status(Status::Ok);
|
||||||
response.set_header(ContentType::Plain);
|
response.set_header(ContentType::Plain);
|
||||||
response.set_sized_body(Cursor::new(""));
|
response.set_sized_body(Cursor::new(""));
|
||||||
|
Loading…
Reference in New Issue
Block a user