author | silverwind <me@silverwind.io> | 2019-01-16 05:16:45 +0100 |
---|---|---|
committer | techknowlogick <hello@techknowlogick.com> | 2019-01-15 23:16:45 -0500 |
commit | 44759fd66c30ca30d5cc30285c017258c19d7cad (patch) | |
tree | b816b33b7112a04a9042db23ba9745c9b5e833b5 | |
parent | ca3b9aa6a36bf83a827589aa5f4156966cb72d83 (diff) | |
Add proper CORS preflight origin validation (#5740)
-rw-r--r-- | routers/repo/http.go | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 1728a75fcb..01c84b3708 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -28,13 +28,25 @@ import (
 // HTTP implmentation git smart HTTP protocol
 func HTTP(ctx *context.Context) {
 	if len(setting.Repository.AccessControlAllowOrigin) > 0 {
+		allowedOrigin := setting.Repository.AccessControlAllowOrigin
 		// Set CORS headers for browser-based git clients
-		ctx.Resp.Header().Set("Access-Control-Allow-Origin", setting.Repository.AccessControlAllowOrigin)
+		ctx.Resp.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
 		ctx.Resp.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, User-Agent")
 
 		// Handle preflight OPTIONS request
 		if ctx.Req.Method == "OPTIONS" {
-			ctx.Status(http.StatusOK)
+			if allowedOrigin == "*" {
+				ctx.Status(http.StatusOK)
+			} else if allowedOrigin == "null" {
+				ctx.Status(http.StatusForbidden)
+			} else {
+				origin := ctx.Req.Header.Get("Origin")
+				if len(origin) > 0 && origin == allowedOrigin {
+					ctx.Status(http.StatusOK)
+				} else {
+					ctx.Status(http.StatusForbidden)
+				}
+			}
 			return
 		}
 	}
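Review bot: The three-way if/else-if/else added inside the OPTIONS branch reads more clearly as a bare switch, and the `len(origin) > 0 &&` guard in the final comparison is redundant because allowedOrigin is already known to be non-empty from the enclosing `len(setting.Repository.AccessControlAllowOrigin) > 0` check, so an empty Origin can never equal it. The `allowedOrigin == "null"` branch also deserves a why-comment, since refusing a configured "null" is a deliberate hardening decision that is not obvious from the code — presumably because browsers send `Origin: null` for opaque (sandboxed or file-based) documents, so matching it literally would let any such document pass the preflight; that rationale should be confirmed with the author before it is written down. The body of HTTP continues past the end of this hunk.
```go
		// Handle preflight OPTIONS request
		if ctx.Req.Method == "OPTIONS" {
			switch origin := ctx.Req.Header.Get("Origin"); {
			case allowedOrigin == "*":
				ctx.Status(http.StatusOK)
			case allowedOrigin == "null":
				// Never honour a configured "null": a literal match would accept
				// any opaque-origin document that sends "Origin: null".
				ctx.Status(http.StatusForbidden)
			case origin == allowedOrigin:
				ctx.Status(http.StatusOK)
			default:
				ctx.Status(http.StatusForbidden)
			}
			return
		}
```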