diff options
author | Daniel GarcĂa <[email protected]> | 2019-10-05 16:45:36 +0200 |
---|---|---|
committer | GitHub <[email protected]> | 2019-10-05 16:45:36 +0200 |
commit | e6b763026e25b57eb342bc90aeced6a856c63681 (patch) | |
tree | 4879ac5dd78811ef6072243b23e4b80e8df968f1 | |
parent | 9124d8a3fb236ba7cf0f298d81f59302b9fd8c6e (diff) | |
parent | c182583e09fc94cdc8127fcb04f6fe2b05f8443a (diff) | |
download | vaultwarden-e6b763026e25b57eb342bc90aeced6a856c63681.tar.gz vaultwarden-e6b763026e25b57eb342bc90aeced6a856c63681.zip |
Merge branch 'master' into icon-security
-rw-r--r-- | src/api/icons.rs | 21 | ||||
-rw-r--r-- | src/util.rs | 21 |
2 files changed, 27 insertions, 15 deletions
diff --git a/src/api/icons.rs b/src/api/icons.rs index 337e6c35..c22f9ff7 100644 --- a/src/api/icons.rs +++ b/src/api/icons.rs @@ -283,12 +283,21 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error> if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) { err!("Favicon rel linked to a non blacklisted domain!"); } - CLIENT - .get(url) - .header("cookie", cookie_str) - .send()? - .error_for_status() - .map_err(Into::into) + + if cookie_str.is_empty() { + CLIENT + .get(url) + .send()? + .error_for_status() + .map_err(Into::into) + } else { + CLIENT + .get(url) + .header("cookie", cookie_str) + .send()? + .error_for_status() + .map_err(Into::into) + } } /// Returns a Integer with the priority of the type of the icon which to prefer. diff --git a/src/util.rs b/src/util.rs index 741f06a8..39ee1f99 100644 --- a/src/util.rs +++ b/src/util.rs @@ -42,6 +42,13 @@ impl CORS { _ => "".to_string(), } } + + fn valid_url(url: String) -> String { + match url.as_ref() { + "file://" => "*".to_string(), + _ => url, + } + } } impl Fairing for CORS { @@ -56,21 +63,17 @@ impl Fairing for CORS { let req_headers = request.headers(); // We need to explicitly get the Origin header for Access-Control-Allow-Origin - let req_allow_origin = CORS::get_header(&req_headers, "Origin"); + let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin")); - let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); + response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); - let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method"); + if request.method() == Method::Options { + let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); + let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method"); - if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) { - // Requests with credentials need explicit values since they do not allow wildcards. - response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method)); response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers)); response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); - } - - if request.method() == Method::Options { response.set_status(Status::Ok); response.set_header(ContentType::Plain); response.set_sized_body(Cursor::new("")); |