CORS preflight: allow OPTIONS without authentication

check for 127.0.0.1 without a port specified
Neradoc 2022-07-05 17:18:22 +02:00
parent b303d00bdf
commit 40cb0aac7c


@ -356,6 +356,7 @@ static bool _origin_ok(const char *origin) {
const char *http = "http://"; const char *http = "http://";
const char *local = ".local"; const char *local = ".local";
// note: redirected requests send an Origin of "null" and will be caught by this
if (memcmp(origin, http, strlen(http)) != 0) { if (memcmp(origin, http, strlen(http)) != 0) {
return false; return false;
} }
@ -374,8 +375,11 @@ static bool _origin_ok(const char *origin) {
return true; return true;
} }
const char *localhost = "127.0.0.1:"; // Port or no port
if (memcmp(origin + strlen(http), localhost, strlen(localhost)) == 0) { const char *localhost = "127.0.0.1";
const int locallen = 9;
if (memcmp(origin + strlen(http), localhost, locallen) == 0
&& (localhost[locallen] == '\0' || localhost[locallen] == ':')) {
return true; return true;
} }
@ -909,7 +913,8 @@ static bool _reply(socketpool_socket_obj_t *socket, _request *request) {
ESP_LOGE(TAG, "bad origin %s", request->origin); ESP_LOGE(TAG, "bad origin %s", request->origin);
_reply_forbidden(socket, request); _reply_forbidden(socket, request);
} else if (memcmp(request->path, "/fs/", 4) == 0) { } else if (memcmp(request->path, "/fs/", 4) == 0) {
if (!request->authenticated) { // OPTIONS is sent for CORS preflight, unauthenticated
if (!request->authenticated && strcmp(request->method, "OPTIONS") != 0) {
if (_api_password[0] != '\0') { if (_api_password[0] != '\0') {
_reply_unauthorized(socket, request); _reply_unauthorized(socket, request);
} else { } else {
@ -1030,7 +1035,10 @@ static bool _reply(socketpool_socket_obj_t *socket, _request *request) {
} }
} else if (memcmp(request->path, "/cp/", 4) == 0) { } else if (memcmp(request->path, "/cp/", 4) == 0) {
const char *path = request->path + 3; const char *path = request->path + 3;
if (strcmp(request->method, "GET") != 0) { if (strcmp(request->method, "OPTIONS") == 0) {
// handle preflight requests to /cp/
_reply_access_control(socket, request);
} else if (strcmp(request->method, "GET") != 0) {
_reply_method_not_allowed(socket, request); _reply_method_not_allowed(socket, request);
} else if (strcmp(path, "/devices.json") == 0) { } else if (strcmp(path, "/devices.json") == 0) {
_reply_with_devices_json(socket, request); _reply_with_devices_json(socket, request);
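Review bot: In the `_origin_ok` hunk at `@ -374,8 +375,11 @@`, the new terminator test reads `localhost[locallen]`, which indexes the constant `"127.0.0.1"` at its own terminating NUL and is therefore always true, so the `'\0'`/`':'` check never looks at the request's Origin and any origin that merely begins with `http://127.0.0.1` passes the allowlist, which is wider than the commit message intends. The index belongs on the origin: `const char *rest = origin + strlen(http);` / `if (memcmp(rest, localhost, locallen) == 0` / `&& (rest[locallen] == '\0' || rest[locallen] == ':')) {`. Since `origin` is a NUL-terminated string (it is printed with `%s` in the `_reply` hunk), `strncmp(rest, localhost, locallen) == 0` would additionally stop at a shorter origin instead of reading `locallen` bytes past its end as `memcmp` may; the same applies to the `http` prefix comparison in the first hunk. `_origin_ok` starts and ends outside the hunk, so the surrounding checks are not visible here.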