--ui-ip-protect option to only apply recent privacy protection where it makes sense (i.e. on localhost) by default

refs #263, #270
caryoscelus 2024-04-04 23:40:32 +00:00
parent 6702f331a3
commit e3b010175f
No known key found for this signature in database
GPG key ID: 254EDDB85B66CB1F
2 changed files with 11 additions and 2 deletions


@ -241,6 +241,7 @@ class Config:
self.parser.add_argument('--log-rotate-backup-count', help='Log rotate backup count', default=5, type=int)
self.parser.add_argument('--language', help='Web interface language', default=language, metavar='language')
self.parser.add_argument('--ui-ip-protect', help="Protect UI server from being accessed through third-party pages and on unauthorized cross-origin pages (enabled by default when serving on localhost IPs; doesn't work with non-local IPs, need testing with host names)", choices=['always', 'local', 'off'], default='local')
self.parser.add_argument('--ui-ip', help='Web interface bind address', default="127.0.0.1", metavar='ip')
self.parser.add_argument('--ui-port', help='Web interface bind port', default=43110, type=int, metavar='port')
self.parser.add_argument('--ui-site-port', help='Port for serving site content, defaults to ui_port+1', default=None, metavar='port')
@ -459,6 +460,14 @@ class Config:
self.arguments = self.parser.parse_args(argv[1:])
if self.arguments.ui_site_port is None:
self.arguments.ui_site_port = self.arguments.ui_port + 1
if self.arguments.ui_ip_protect == 'always':
self.arguments.ui_check_cors = True
elif self.arguments.ui_ip_protect == 'off':
self.arguments.ui_check_cors = False
elif self.arguments.ui_ip_protect == 'local':
self.arguments.ui_check_cors = self.arguments.ui_ip == '127.0.0.1' or self.arguments.ui_ip == '::1'
else:
raise Exception("Wrong argparse result")
def parseConfig(self, argv):
argv = self.fixArgs(argv)
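Review bot: The `'local'` branch in the second hunk (`self.arguments.ui_check_cors = self.arguments.ui_ip == '127.0.0.1' or self.arguments.ui_ip == '::1'`) recognizes only two literal spellings of loopback, while the help text on `--ui-ip-protect` promises the protection "when serving on localhost IPs"; a bind to any other loopback form (`127.0.0.2`, `localhost`) silently resolves to `ui_check_cors = False`, i.e. the default mode turns the check off exactly where the operator expects it on. Deciding with `ipaddress.ip_address(...).is_loopback` covers the whole 127.0.0.0/8 and ::1 range, with a fallback for the one host name that is loopback by definition; `ipaddress` is stdlib but would need an import at the top of the file, which is outside this hunk. The `else: raise Exception("Wrong argparse result")` arm is unreachable because `choices=[...]` already rejects other values, so a `ValueError` naming the value would be the conventional form if it is kept. The method these lines belong to starts above the hunk.
```python
elif self.arguments.ui_ip_protect == 'local':
    # Treat every loopback address as local, not just the two canonical literals
    try:
        is_local = ipaddress.ip_address(self.arguments.ui_ip).is_loopback
    except ValueError:
        # not an IP literal (e.g. a host name); only the loopback name counts
        is_local = self.arguments.ui_ip == 'localhost'
    self.arguments.ui_check_cors = is_local
else:
    raise ValueError(f"Unexpected --ui-ip-protect value: {self.arguments.ui_ip_protect!r}")
```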


@ -148,7 +148,7 @@ class UiRequest:
return False
# Deny cross site requests
if not self.isSameOrigin(referer, url) and not self.hasCorsPermission(referer):
if not self.isSameOrigin(referer, url) or not self.hasCorsPermission(referer):
return True
return False
@ -172,7 +172,7 @@ class UiRequest:
protocol = self.env['wsgi.url_scheme']
return self.actionRedirect(f'{protocol}://{host}:{config.ui_port}{path_info}?{query_string}')
if self.isCrossOriginRequest():
if config.ui_check_cors and self.isCrossOriginRequest():
# we are still exposed by answering on port
self.log.warning('Cross-origin request detected. Someone might be trying to analyze your 0net usage')
return []
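Review bot: The change from `and not` to `or not` in the first hunk (`if not self.isSameOrigin(referer, url) or not self.hasCorsPermission(referer):`) alters which requests are reported as cross-origin: a request is now flagged whenever it lacks a CORS grant even if isSameOrigin() is true, and a cross-origin request that does hold a grant is flagged as well because the first operand alone is enough. Unless hasCorsPermission() returns True for the UI's own origin (not visible in this hunk), every ordinary same-origin request would take the `return []` path in the second hunk as soon as `config.ui_check_cors` is on, which the Config change makes the default on a localhost bind. If both conditions are meant to be required, the original `and` is the correct form and deserves a comment, `# Deny only when the request is cross-origin AND its origin holds no CORS grant`; if the stricter reading is intended, a comment saying that same-origin requests also need a grant would prevent the next reader from "fixing" it back. The method containing this condition starts above the hunk.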