From 123e94111d8a86846d224df8a64dd058a3691af2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Mon, 11 Apr 2022 10:29:17 +0200
Subject: [PATCH] improve Origin handling; forbind non-https origins in production

---
 src/capport/api/views.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/capport/api/views.py b/src/capport/api/views.py
index 37ffcb9..b32a9e6 100644
--- a/src/capport/api/views.py
+++ b/src/capport/api/views.py
@@ -101,16 +101,22 @@ def check_self_origin():
     if origin is None:
         # not a request by a modern browser - probably curl or something similar. don't care.
         return
+    origin = origin.lower().strip()
+    if origin == 'none':
+        quart.abort(403, 'Origin is none')
     origin_parts = origin.split('/')
-    # Origin should look like: protocol://hostname (possibly a /path suffix?)
+    # Origin should look like: :// (optionally followed by :)
     if len(origin_parts) < 3:
         quart.abort(400, 'Broken Origin header')
-    origin_host = origin_parts[2].lower()
+    if origin_parts[0] != 'https' and not app.my_config.debug:
+        # -> require https in production
+        quart.abort(403, 'Non-https Origin not allowed')
+    origin_host = origin_parts[2]
     host = quart.request.headers.get('Host', None)
     if host is None:
-        quart.abort(400, 'Missing Host header')
+        quart.abort(403, 'Missing Host header')
     if host.lower() != origin_host:
-        quart.abort(400, 'Origin mismatch')
+        quart.abort(403, 'Origin mismatch')
 
 @app.route('/', methods=['GET'])
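Review bot: The new scheme check `if origin_parts[0] != 'https' and not app.my_config.debug:` can never be satisfied, because `origin.split('/')` keeps the colon on the first element (for example `'https://example.org'.split('/')` yields `['https:', '', 'example.org']`), so with debug off every browser request that carries an Origin is rejected with 403 "Non-https Origin not allowed" — the production path is effectively closed rather than hardened. Compare against the value split() actually produces, `if origin_parts[0] != 'https:' and not app.my_config.debug:`, or parse the header with `urllib.parse.urlsplit(origin)` and check `.scheme` and `.netloc`, which also replaces the index-based host extraction on the following line. The accompanying comment lost its placeholders in extraction and reads `# Origin should look like: :// (optionally followed by :)`; it should name the parts explicitly, e.g. `# Origin should look like: scheme://host (optionally followed by :port)`. A small test covering an `https://` and an `http://` Origin in both the debug and non-debug configuration would have caught this and guards the check going forward. The signature of check_self_origin and the assignment of `origin` lie above the hunk, so how `origin` is read is not visible here.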