Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-19 16:10:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 Authenticate requests with the Origin header other than 127.0.0.1 Fix https://github.com/siyuan-note/siyuan/issues/9180

Browse source
This commit is contained in:
Daniel 2023-09-13 21:58:24 +08:00
parent 68b56bbbdf
commit 94857b3961
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 14 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

15
kernel/model/session.go
View file

@ -160,6 +160,20 @@ func CheckAuth(c *gin.Context) {
//logging.LogInfof("check auth for [%s]", c.Request.RequestURI) //logging.LogInfof("check auth for [%s]", c.Request.RequestURI)
if "" == Conf.AccessAuthCode { if "" == Conf.AccessAuthCode {
if origin := c.GetHeader("Origin"); "" != origin {
// Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
u, parseErr := url.Parse(origin)
if nil != parseErr {
logging.LogWarnf("parse origin [%s] failed: %s", origin, parseErr)
} else {
if !strings.HasPrefix(u.Host, util.LocalHost) && !strings.HasPrefix(u.Host, "[::1]") {
c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
c.Abort()
return
}
}
}
c.Next() c.Next()
return return
} }
@ -175,7 +189,6 @@ func CheckAuth(c *gin.Context) {
// 放过来自本机的某些请求 // 放过来自本机的某些请求
if strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) || if strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) ||
strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1") ||
strings.HasPrefix(c.Request.RemoteAddr, "[::1]") { strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
if strings.HasPrefix(c.Request.RequestURI, "/assets/") { if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
c.Next() c.Next()