mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix cors-checker so it behaves like the readme says;

Browse source 
any custom header (`pw` in our case) is sufficient validation
This commit is contained in:
ed 2023-12-20 20:03:08 +00:00
parent ac7815a0ae
commit 374c535cfa
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
copyparty/httpcli.py
View file

@ -861,16 +861,16 @@ class HttpCli(object):
self.host.lower().split(":")[0], self.host.lower().split(":")[0],
) )
] ]
if re.sub(r"(:[0-9]{1,5})?/?$", "", origin) in good_origins: if "pw" in ih or re.sub(r"(:[0-9]{1,5})?/?$", "", origin) in good_origins:
good_origin = True good_origin = True
bad_hdrs = ("",) bad_hdrs = ("",)
else: else:
good_origin = False good_origin = False
bad_hdrs = ("", "pw") bad_hdrs = ("", "pw")
# '*' blocks all credentials (cookies, http-auth); # '*' blocks auth through cookies / WWW-Authenticate;
# exact-match for Origin is necessary to unlock those, # exact-match for Origin is necessary to unlock those,
# however yolo-requests (?pw=) are always allowed # but the ?pw= param and PW: header are always allowed
acah = ih.get("access-control-request-headers", "") acah = ih.get("access-control-request-headers", "")
acao = (origin if good_origin else None) or ( acao = (origin if good_origin else None) or (
"*" if "*" in good_origins else None "*" if "*" in good_origins else None