oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow cross-site embedding without "cors-" prefix

Browse source 
..As long as CORS read permission is granted. This is done for
compatibility with sites that relied on lack of enforcing of cross-site
isolation in previous ZeroNet versions.

fixes #259
This commit is contained in:
caryoscelus 2024-02-03 11:19:22 +00:00
parent 94e9f5ab66
commit 2520024f56
No known key found for this signature in database
GPG key ID: 254EDDB85B66CB1F
1 changed files with 21 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
src/Ui/UiRequest.py
View file

@ -100,6 +100,25 @@ class UiRequest:
def resolveDomain(self, domain): def resolveDomain(self, domain):
return self.server.site_manager.resolveDomainCached(domain) return self.server.site_manager.resolveDomainCached(domain)
def hasCorsPermission(self, referer):
"""Check if site from referer has CORS permission to read site in current request
NOTE: this allows embedding WITHOUT prepending "cors-" (as it has already been used
for a long time e.g. on ZeroBlog++ based sites) as long as read permission has been
granted.
"""
target_path = self.env['PATH_INFO']
if referer is None or target_path is None:
return False
s_parts = self.parsePath(referer)
t_parts = self.parsePath(target_path)
s_address = s_parts['address']
t_address = t_parts['address']
if not s_address or not t_address:
return False
s_site = self.server.sites[s_address]
return f'Cors:{t_address}' in s_site.settings['permissions']
def isCrossOriginRequest(self): def isCrossOriginRequest(self):
"""Prevent detecting sites on this 0net instance """Prevent detecting sites on this 0net instance
@ -129,7 +148,7 @@ class UiRequest:
return False return False
# Deny cross site requests # Deny cross site requests
if not self.isSameOrigin(referer, url): if not self.isSameOrigin(referer, url) and not self.hasCorsPermission(referer):
return True return True
return False return False
@ -731,7 +750,7 @@ class UiRequest:
if "../" in path or "./" in path: if "../" in path or "./" in path:
raise SecurityError("Invalid path") raise SecurityError("Invalid path")
match = re.match(r"/(media/)?(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path) match = re.match(r"(?P<server>(http[s]{0,1}://(.*?))?)/(media/)?(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path)
if match: if match:
path_parts = match.groupdict() path_parts = match.groupdict()
addr = path_parts["address"] addr = path_parts["address"]