aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel GarcĂ­a <[email protected]>2019-10-05 16:45:36 +0200
committerGitHub <[email protected]>2019-10-05 16:45:36 +0200
commite6b763026e25b57eb342bc90aeced6a856c63681 (patch)
tree4879ac5dd78811ef6072243b23e4b80e8df968f1
parent9124d8a3fb236ba7cf0f298d81f59302b9fd8c6e (diff)
parentc182583e09fc94cdc8127fcb04f6fe2b05f8443a (diff)
downloadvaultwarden-e6b763026e25b57eb342bc90aeced6a856c63681.tar.gz
vaultwarden-e6b763026e25b57eb342bc90aeced6a856c63681.zip
Merge branch 'master' into icon-security
-rw-r--r--src/api/icons.rs21
-rw-r--r--src/util.rs21
2 files changed, 27 insertions, 15 deletions
diff --git a/src/api/icons.rs b/src/api/icons.rs
index 337e6c35..c22f9ff7 100644
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -283,12 +283,21 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error>
if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
err!("Favicon rel linked to a non blacklisted domain!");
}
- CLIENT
- .get(url)
- .header("cookie", cookie_str)
- .send()?
- .error_for_status()
- .map_err(Into::into)
+
+ if cookie_str.is_empty() {
+ CLIENT
+ .get(url)
+ .send()?
+ .error_for_status()
+ .map_err(Into::into)
+ } else {
+ CLIENT
+ .get(url)
+ .header("cookie", cookie_str)
+ .send()?
+ .error_for_status()
+ .map_err(Into::into)
+ }
}
/// Returns a Integer with the priority of the type of the icon which to prefer.
diff --git a/src/util.rs b/src/util.rs
index 741f06a8..39ee1f99 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -42,6 +42,13 @@ impl CORS {
_ => "".to_string(),
}
}
+
+ fn valid_url(url: String) -> String {
+ match url.as_ref() {
+ "file://" => "*".to_string(),
+ _ => url,
+ }
+ }
}
impl Fairing for CORS {
@@ -56,21 +63,17 @@ impl Fairing for CORS {
let req_headers = request.headers();
// We need to explicitly get the Origin header for Access-Control-Allow-Origin
- let req_allow_origin = CORS::get_header(&req_headers, "Origin");
+ let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin"));
- let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+ response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
- let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
+ if request.method() == Method::Options {
+ let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+ let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
- if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
- // Requests with credentials need explicit values since they do not allow wildcards.
- response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
- }
-
- if request.method() == Method::Options {
response.set_status(Status::Ok);
response.set_header(ContentType::Plain);
response.set_sized_body(Cursor::new(""));