vividboarder/bitwarden_rs
1
0
Fork 0
mirror of https://github.com/ViViDboarder/bitwarden_rs.git synced 2024-11-22 13:16:39 +00:00
Code Issues Releases Wiki Activity

Merge branch 'master' into icon-security

Browse Source
This commit is contained in:
Daniel García 2019-10-05 16:45:36 +02:00 committed by GitHub
commit e6b763026e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/api/icons.rs
View File

@ -283,12 +283,21 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error>
if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) { if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
err!("Favicon rel linked to a non blacklisted domain!"); err!("Favicon rel linked to a non blacklisted domain!");
} }
CLIENT
.get(url) if cookie_str.is_empty() {
.header("cookie", cookie_str) CLIENT
.send()? .get(url)
.error_for_status() .send()?
.map_err(Into::into) .error_for_status()
.map_err(Into::into)
} else {
CLIENT
.get(url)
.header("cookie", cookie_str)
.send()?
.error_for_status()
.map_err(Into::into)
}
} }
/// Returns a Integer with the priority of the type of the icon which to prefer. /// Returns a Integer with the priority of the type of the icon which to prefer.

21
src/util.rs
View File

@ -42,6 +42,13 @@ impl CORS {
_ => "".to_string(), _ => "".to_string(),
} }
} }
fn valid_url(url: String) -> String {
match url.as_ref() {
"file://" => "*".to_string(),
_ => url,
}
}
} }
impl Fairing for CORS { impl Fairing for CORS {
@ -56,21 +63,17 @@ impl Fairing for CORS {
let req_headers = request.headers(); let req_headers = request.headers();
// We need to explicitly get the Origin header for Access-Control-Allow-Origin // We need to explicitly get the Origin header for Access-Control-Allow-Origin
let req_allow_origin = CORS::get_header(&req_headers, "Origin"); let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin"));
let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method"); if request.method() == Method::Options {
let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
// Requests with credentials need explicit values since they do not allow wildcards.
response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method)); response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers)); response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
}
if request.method() == Method::Options {
response.set_status(Status::Ok); response.set_status(Status::Ok);
response.set_header(ContentType::Plain); response.set_header(ContentType::Plain);
response.set_sized_body(Cursor::new("")); response.set_sized_body(Cursor::new(""));