Add proper CORS preflight origin validation (#5740)
This commit is contained in:
parent
ca3b9aa6a3
commit
44759fd66c
1 changed files with 14 additions and 2 deletions
|
@ -28,13 +28,25 @@ import (
|
||||||
// HTTP implmentation git smart HTTP protocol
|
// HTTP implmentation git smart HTTP protocol
|
||||||
func HTTP(ctx *context.Context) {
|
func HTTP(ctx *context.Context) {
|
||||||
if len(setting.Repository.AccessControlAllowOrigin) > 0 {
|
if len(setting.Repository.AccessControlAllowOrigin) > 0 {
|
||||||
|
allowedOrigin := setting.Repository.AccessControlAllowOrigin
|
||||||
// Set CORS headers for browser-based git clients
|
// Set CORS headers for browser-based git clients
|
||||||
ctx.Resp.Header().Set("Access-Control-Allow-Origin", setting.Repository.AccessControlAllowOrigin)
|
ctx.Resp.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
|
||||||
ctx.Resp.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, User-Agent")
|
ctx.Resp.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, User-Agent")
|
||||||
|
|
||||||
// Handle preflight OPTIONS request
|
// Handle preflight OPTIONS request
|
||||||
if ctx.Req.Method == "OPTIONS" {
|
if ctx.Req.Method == "OPTIONS" {
|
||||||
|
if allowedOrigin == "*" {
|
||||||
ctx.Status(http.StatusOK)
|
ctx.Status(http.StatusOK)
|
||||||
|
} else if allowedOrigin == "null" {
|
||||||
|
ctx.Status(http.StatusForbidden)
|
||||||
|
} else {
|
||||||
|
origin := ctx.Req.Header.Get("Origin")
|
||||||
|
if len(origin) > 0 && origin == allowedOrigin {
|
||||||
|
ctx.Status(http.StatusOK)
|
||||||
|
} else {
|
||||||
|
ctx.Status(http.StatusForbidden)
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue