From patchwork Wed Sep 23 07:28:13 2020
From: Rafał Miłecki
To: openwrt-devel@lists.openwrt.org
Cc: Rafał Miłecki, Jo-Philipp Wich
Subject: [PATCH uhttpd RFC] ubus: support setting custom CORS origin URL
Date: Wed, 23 Sep 2020 09:28:13 +0200
Message-Id: <20200923072813.31877-1-zajec5@gmail.com>
From: Rafał Miłecki

By default uhttpd replies with Access-Control-Allow-Origin containing the URL from the request Origin header. It allows sending CORS requests from any website, allowing attacks.

Add support for the -o option that allows specifying a single URL to be put in the Access-Control-Allow-Origin.

Signed-off-by: Rafał Miłecki
---
I use this patch with the addition of a single init.d script line:

append_arg "$cfg" ubus_origin "-o"

Does anyone find it useful?
---
 main.c   | 7 ++++++-
 ubus.c   | 2 +-
 uhttpd.h | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/main.c b/main.c index 73e3d42..c5f2fe4 100644 --- a/main.c +++ b/main.c @@ -263,7 +263,7 @@ int main(int argc, char **argv) init_defaults_pre(); signal(SIGPIPE, SIG_IGN); - while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { + while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:o:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { switch(ch) { #ifdef HAVE_TLS case 'C': @@ -492,6 +492,10 @@ int main(int argc, char **argv) conf.ubus_cors = 1; break; + case 'o': + conf.ubus_origin = optarg; + break; + case 'e': conf.events_retry = atoi(optarg); break; @@ -500,6 +504,7 @@ int main(int argc, char **argv) case 'u': case 'U': case 'X': + case 'o': case 'e': fprintf(stderr, "uhttpd: UBUS support not compiled, " "ignoring -%c\n", ch); diff --git a/ubus.c b/ubus.c index 39b38b2..27c1c95 100644 --- a/ubus.c +++ b/ubus.c @@ -169,7 +169,7 @@ static void uh_ubus_add_cors_headers(struct client *cl) } ustream_printf(cl->us, "Access-Control-Allow-Origin: %s\r\n", - blobmsg_get_string(tb[HDR_ORIGIN])); + conf.ubus_origin ? conf.ubus_origin : blobmsg_get_string(tb[HDR_ORIGIN])); if (tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS]) ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n", diff --git a/uhttpd.h b/uhttpd.h index e61e176..f924c77 100644 --- a/uhttpd.h +++ b/uhttpd.h
@@ -81,6 +81,7 @@ struct config { int script_timeout; int ubus_noauth; int ubus_cors; + const char *ubus_origin; int cgi_prefix_len; int events_retry; struct list_head cgi_alias;
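Review bot: the first main.c hunk adds `o:` to the getopt string, but no hunk in the patch touches the usage text, so -o stays undocumented for anyone who does not have this cover note; add a usage line for it alongside the other ubus options in the same patch.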
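Review bot: in the second main.c hunk, `conf.ubus_origin = optarg;` stores the value without any check. Browsers compare Access-Control-Allow-Origin against the request Origin byte for byte, so a value with a trailing slash, a path, or a different scheme or port silently never matches and the option only appears to work; consider rejecting anything that is not of the form `scheme://host[:port]` at parse time with a clear error so a misconfiguration is visible at startup rather than as broken CORS later.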
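Review bot: in the ubus.c hunk, `conf.ubus_origin ? conf.ubus_origin : blobmsg_get_string(tb[HDR_ORIGIN])` keeps reflecting the client-supplied Origin as the default, so the behaviour the commit message describes as allowing attacks remains the out-of-the-box behaviour whenever -o is not given. A stricter shape is to compare the request Origin against the configured value and emit the header only on an exact match; that avoids sending a header the browser will reject anyway and lets -o grow into a list of origins later without another change to this line.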
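Review bot: the uhttpd.h hunk adds `const char *ubus_origin`, which is only reachable from the command line as the patch stands; the cover note says the `append_arg "$cfg" ubus_origin "-o"` init.d line is carried locally, and that one-line change belongs with this patch (or the matching OpenWrt package update) so the option can be set from the uhttpd config rather than by editing the init script.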
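As an added illustration, not uhttpd code and not part of this patch, the three ways of choosing the Access-Control-Allow-Origin value that the thread is about side by side: reflecting the request Origin (the pre-patch behaviour the commit message calls out), one fixed origin as -o does, and an exact-match allowlist, plus a sanity check for a configured origin value. All names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not uhttpd code: the three ways of choosing the
 * Access-Control-Allow-Origin value that this patch touches on. */
enum cors_mode {
    CORS_REFLECT,   /* pre-patch default: echo the request Origin back */
    CORS_FIXED,     /* the patch's -o: always emit one configured origin */
    CORS_ALLOWLIST  /* stricter: echo the request Origin only if it is listed */
};

struct cors_policy {
    enum cors_mode mode;
    const char *const *allowed;  /* exact-match origins, e.g. "https://router.lan" */
    size_t n_allowed;
};

/* Returns the header value to emit, or NULL to omit the header entirely. */
const char *cors_allow_origin(const struct cors_policy *p, const char *req_origin)
{
    size_t i;
    if (!req_origin || !*req_origin)
        return NULL;            /* no Origin header: not a cross-origin request */
    switch (p->mode) {
    case CORS_REFLECT:
        return req_origin;      /* every site is trusted: the problem the patch reports */
    case CORS_FIXED:
        return p->n_allowed ? p->allowed[0] : NULL;
    case CORS_ALLOWLIST:
        for (i = 0; i < p->n_allowed; i++)
            if (strcmp(p->allowed[i], req_origin) == 0)  /* browsers compare byte for byte */
                return req_origin;
        return NULL;
    }
    return NULL;
}

/* Sanity check for a configured origin: "scheme://host[:port]" with no path or
 * trailing slash, otherwise the browser's exact comparison never matches it. */
int cors_origin_wellformed(const char *o)
{
    const char *host;
    if (strncmp(o, "https://", 8) == 0) host = o + 8;
    else if (strncmp(o, "http://", 7) == 0) host = o + 7;
    else return 0;
    return *host != '\0' && strchr(host, '/') == NULL;
}
```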