author | Martin Fischer <martin@push-f.com> | 2021-07-04 00:25:01 +0200 |
committer | Martin Fischer <martin@push-f.com> | 2021-07-04 11:19:41 +0200 |
commit | c0b8d6a9876a95bc5d8fd8a30333e65949f5c9d1 (patch) | |
tree | 40bfa7846a11fae026f45aefb3b1a87dbfa59ec6 /src/post_routes.rs | |
parent | 17d98a70a76efc02f643e9cfe13836120a2c5114 (diff) |
strictly enforce Host and Origin headers
Previously the Origin header was only checked if you specified an origin
with --origin on startup; when you didn't, we just printed a warning
that this might make you vulnerable to CSRF attacks.
I implemented it this way since I wanted GitPad to be runnable without
any command-line options, but such warnings are of course suboptimal
for security since they can simply be ignored.
This commit changes this behavior so that the Origin header is always
checked for POST requests. If you just run "gitpad" the enforced origin
defaults to http://127.0.0.1:<port>. Additionally this commit also
enforces an exact Host header (extracted from the Origin) to prevent DNS
rebinding attacks.
Diffstat (limited to 'src/post_routes.rs')
-rw-r--r-- | src/post_routes.rs | 27 |
1 files changed, 13 insertions, 14 deletions
diff --git a/src/post_routes.rs b/src/post_routes.rs
index 7588abc..1b5d615 100644
--- a/src/post_routes.rs
+++ b/src/post_routes.rs
@@ -18,32 +18,31 @@ use crate::forms::EditForm;
 use crate::forms::MoveForm;
 use crate::get_renderer;
 use crate::ActionParam;
-use crate::Args;
 use crate::Context;
+use crate::HttpOrigin;
 use crate::RenderMode;
 use crate::Response;
 use crate::{controller::Controller, Error};
 pub(crate) async fn build_response<C: Controller>(
- args: &Args,
+ host: &HttpOrigin,
 params: &ActionParam,
 controller: &C,
 ctx: Context,
 body: Body,
 parts: &mut Parts,
 ) -> Result<Response, Error> {
- if let Some(ref enforced_origin) = args.origin {
- if parts
- .headers
- .get(header::ORIGIN)
- .filter(|h| h.as_bytes() == enforced_origin.as_bytes())
- .is_none()
- {
- return Err(Error::BadRequest(format!(
- "POST requests must be sent with the header Origin: {}",
- enforced_origin
- )));
- }
+ if parts
+ .headers
+ .get(header::ORIGIN)
+ .filter(|h| h.as_bytes() == host.origin.as_bytes())
+ .is_none()
+ {
+ // This check prevents cross-site request forgery (CSRF).
+ return Err(Error::BadRequest(format!(
+ "POST requests must be sent with the header Origin: {}",
+ host.origin
+ )));
 }
 match params.action.as_ref() {
 "edit" => return update_blob(body, controller, ctx, parts).await, |
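Review bot: The new CSRF comment is placed inside the rejection branch, after the `if parts ... .is_none()` chain it explains, so a reader scanning the condition first sees only a bare byte comparison against `host.origin`. Move it above the `if parts` line and state what the check requires, e.g. `// CSRF guard: every POST must carry an Origin header byte-identical to the configured origin (host.origin); a missing or differing Origin is rejected.` Since this enforcement is now unconditional (the `args.origin` opt-out is gone), a `///` doc comment on `build_response` saying that any POST without an exactly matching Origin is answered with `Error::BadRequest` would help callers and anyone configuring the origin. The Host-header enforcement described in the commit message does not appear in this hunk, so it presumably lives in another file; `build_response` continues past the end of the hunk.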